ISO #####-#:####(X)

Internal Investigations of Organizations - Guidance

Draft Contents
i Introduction

1 Scope (mandatory)

2 Normative references (mandatory)

3 Terms and definitions (mandatory)

4 Support for internal investigation

4.1 Resources
4.2 Action from the top

5 Establishment of Investigation policy and procedure

6 Basic principles

7 Investigative process
7.1 Initial steps
7.2 Determining the scope of the investigation
7.3 Conducting preliminary investigation
7.4 Investigation plan as a “living document”
7.5 Supervising the investigation
7.6 Document management
7.7 Reviewing contents of collected records
7.8 Interviewing witnesses
7.8.1 Before interviews
7.8.2 Conducting interviews
7.8.3 Documenting interviews
7.9 Finalization Process
7.10 Investigation report and recommendations

8 Remedial actions post-reporting

© ISO #### – All rights reserved i

 ISO #####-#:####(X)

Introduction

This proposal is for an ISO technical standard providing guidance on internal

investigations.

Internal investigation is part of organizational management. An organization would

normally conduct internal investigations when there is a suspected or actual instance of
risk management failure, non-compliance or infringement (e.g. exposure to workplace
safety and health hazards, irregularity, malpractices, misconduct, fraudulent activities,
abuse of power, harassment or discrimination) to find out what happened, what risks that
the organization might face, and what can be done to treat the risks.

An internal investigation could result from external factors such as governmental law
enforcement actions. For example, government law enforcement actions often bring about
the needs to investigate as a part of the fact-finding effort and then decide which remedial
measures should be taken. These enforcement actions can relate to violation of laws,
standards and internal code of conducts under various subject matters such as export
controls, sanction compliance, money laundering, anti-trust and anti-corruption issues.

Civil actions and whistle-blower incidents could be reasons for internal investigations as
well so that the concerned organizations could find out what triggered the actions and
incidents and then take appropriate measures to reduce risk.

Internal investigation is an indispensable part of a robust risk management system and

effective internal investigation can help organizations to identify risks, analyse root causes
of non-compliance and design measures to control risks. Regulatory authorities worldwide
tend to consider an effective investigation process as a key factor of a compliance
management program. Failure to conduct an effective investigation could cause adverse
effects on an organization, therefore, it is essential to make a guidance for internal
investigations.

© ISO #### – All rights reserved ii

 ISO #####-#:####(X)

1 Scope

This document provides guidance to the internal investigation of organization, including

the establishment of the policy and procedure, implementation of the investigation, the
reporting of the investigation result and the taking of remedial measures.

© ISO #### – All rights reserved 3