Investigations
ANSI/ASIS INV.1-2015
STANDARD
The worldwide leader in security standards
and guidelines development
ANSI/ASIS INV.1-2015
INVESTIGATIONS
ASIS International
Abstract
This Standard provides guidance for conducting investigations. It provides guidance on establishing investigative programs as
well as the conduct of individual investigations, including the competence and evaluation of investigators.
ASIS International standards and guideline publications, of which the document contained herein is one, are developed through
a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of
persons who have an interest and knowledge in the topic covered by this publication. While ASIS administers the process and
establishes rules to promote fairness in the development of consensus, it does not write the document and it does not
independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments
contained in its standards and guideline publications.
ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or
anyone else. ASIS does not accept or undertake a duty to any third party because it does not have the authority to enforce
compliance with its standards or guidelines. It assumes no duty of care to the general public because its works are not obligatory
and because it does not monitor the use of them.
ASIS disclaims liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect,
consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this
document. ASIS disclaims and makes no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any
information published herein, and disclaims and makes no warranty that the information in this document will fulfill any
person’s or entity’s particular purposes or needs. ASIS does not undertake to guarantee the performance of any individual
manufacturer or seller’s products or services by virtue of this Standard or guide.
In publishing and making this document available, ASIS is not undertaking to render professional or other services for or on
behalf of any person or entity, nor is ASIS undertaking to perform any duty owed by any person or entity to someone else.
Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a
competent professional in determining the exercise of reasonable care in any given circumstances. Information and other
standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for
additional views or information not covered by this publication.
ASIS has no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS has no
control over which of its standards, if any, may be adopted by governmental regulatory agencies, or over any activity or conduct
that purports to conform to its standards. ASIS does not list, certify, test, inspect, or approve any practices, products, materials,
designs, or installations for compliance with its standards. It merely publishes standards to be used as guidelines that third
parties may or may not choose to adopt, modify or reject. Any certification or other statement of compliance with any
information in this document should not be attributable to ASIS and is solely the responsibility of the certifier or maker of the
statement.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or
by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright
owner.
ISBN: 978-1-934904-76-3
FOREWORD
The information contained in this Foreword is not part of this American National Standard (ANS) and has not been processed
in accordance with ANSI’s requirements for an ANS. As such, this Foreword may contain material that has not been subjected
to public review or a consensus process. In addition, it does not contain requirements necessary for conformance to the Standard.
ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are
designated by the word shall and recommendations by the word should. Where both a mandatory requirement and a
recommendation are specified for the same criterion, the recommendation represents a goal currently identifiable as having
distinct compatibility or performance advantages.
About ASIS
ASIS International (ASIS) is the largest membership organization for security management professionals that crosses industry
sectors, embracing every discipline along the security spectrum from operational to cybersecurity. Founded in 1955, ASIS is
dedicated to increasing the effectiveness of security professionals at all levels.
With membership and chapters around the globe, ASIS develops and delivers board certifications and industry standards, hosts
networking opportunities, publishes the award-winning Security Management magazine, and offers educational programs,
including the Annual Seminar and Exhibits—the security industry’s most influential event. Whether providing thought
leadership through the CSO Roundtable for the industry’s most senior executives or advocating before business, government,
or the media, ASIS is focused on advancing the profession, and ensuring that the security community has access to intelligence,
resources, and technology needed within the business enterprise. www.asisonline.org
The work of preparing standards and guidelines is carried out through the ASIS International Standards and Guidelines
Committees, and governed by the ASIS Commission on Standards and Guidelines. An ANSI accredited Standards Development
Organization (SDO), ASIS actively participates in the International Organization for Standardization (ISO). The mission of the
ASIS Standards and Guidelines Commission is to advance the practice of security management through the development of standards
and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible the knowledge, experience,
and expertise of ASIS membership, security professionals, and the global security industry.
Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince Street,
Alexandria, VA 22314-2818.
Commission Members
Charles Baley, Farmers Insurance Group, Inc.
Michael Bouchard, Sterling Global Operations, Inc.
Cynthia P. Conlon, CPP, Conlon Consulting Corporation
William Daly, Control Risks Security Consulting
Lisa DuBrock, Radian Compliance LLC
Eugene Ferraro, CPP, CFE, PCI, SPHR, Convercent, Inc.
F. Mark Geraci, CPP, Purdue Pharma L.P., Chair
Bernard Greenawalt, CPP, Securitas Security Services USA, Inc.
Robert Jones, Socrates Ltd
Glen Kitteringham, CPP, Kitteringham Security Group Inc.
Michael Knoke, CPP, Express Scripts, Inc., Vice Chair
Bryan Leadbetter, CPP, Alcoa Inc.
Marc Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
Jose Miguel Sobron, United Nations
Roger Warwick, CPP, Pyramid International Temi Group
Allison Wylde, Consultant
At the time it approved this document, the INV Standards Committee, which is responsible for the development of this Standard,
had the following members:
Committee Members
Committee Chairman: Marc Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
Commission Liaison: Eugene Ferraro, CPP, CFE, PCI, SPHR, Convercent, Inc.
Committee Secretariat: Sue Carioti, ASIS Secretariat
TABLE OF FIGURES
FIGURE 1: PLAN-DO-CHECK-ACT MODEL
FIGURE 2: INVESTIGATION PDCA FLOW DIAGRAM
FIGURE 3: REPORTING LINES DURING THE INVESTIGATION PROCESS
FIGURE 4: DEFINING INVESTIGATION PROGRAM OBJECTIVES
0. INTRODUCTION
0.1 General
This Standard provides guidance for individuals and organizations conducting investigations. The
Standard uses a systems approach for developing an investigation program consistent with the business
management principles related to the Plan-Do-Check-Act (PDCA) Model.
The Standard provides insight and guidance for generally accepted practices including the processes and
considerations one should contemplate when undertaking an investigation. As guidance, it does not
contain requirements, nor is it intended for third-party certification. If implemented, the framework
offered should provide users a high degree of assurance that the investigations conducted will be:
a) Effective;
b) Ethical;
c) Lawful;
d) Useful in meeting the intended objective(s);
e) Minimally disruptive to the organization and its operations;
f) Able to provide feedback on procedure/policy deviations; and
g) Value added, providing the highest return on investment without compromising the
investigation.
The guidance in this Standard provides a framework for establishing an investigation program and
conducting individual investigations within the overall program. It uses the PDCA Model approach to
facilitate integration of an investigation program into any risk and resilience based management system.
It describes establishing and managing an investigation program as well as conducting individual
investigations. The competence of investigators is the foundation for conducting reliable investigations.
This Standard provides competence criteria for investigators conducting investigations.
Investigators understand their activities involve interacting with people; therefore, there is a need to
build rapport, trust, and confidence while avoiding the creation of an adversarial atmosphere. Good
investigative techniques project a sense of fairness based on an impartial approach. An investigation
supports the achievement of the objectives of the organization; therefore, it adds value and may lead to
opportunities for improvement. Good investigative techniques help identify and understand root causes
of any problems, thereby supporting proactive improvements to avoid a recurrence.
Organizations should adapt this guidance to fit the specific needs, size, nature and level of maturity of
their risk management system. This Standard can be used by anybody involved in the investigative
process supporting the achievement of the organization’s objectives.
[Figure 1: Plan-Do-Check-Act Model. Plan: Define & Analyze an Issue and the Context. Do: Devise a Solution; Develop Detailed Action Plan & Implement it Systematically. Check: Confirm Outcomes Against Plan; Identify Deviations and Issues. Act: Standardize Solution; Review and Define Next Issues.]
investigation, and individual investigations, it is important to recognize that often the output from one
process directly forms the input of another process.
Though the objectives, and certainly the scope, of investigations vary widely, their principal purpose is always objective
fact-finding. Thus the investigator must be fair, impartial, thorough and certainly purposeful. Lacking an effective
process, investigators often spend more time and resources than necessary, produce inconsistent results, and create
unnecessary liabilities for those they serve. No investigation, regardless of its objectives or scope, can be successful if
not properly planned, lawfully executed, and within a prescribed process.
AN AMERICAN NATIONAL STANDARD ANSI/ASIS INV.1-2015
Investigations
1 SCOPE
This Standard provides guidance for individuals and organizations intending to undertake the collection
and examination of information pursuant to an investigation. It should be noted that although this
Standard is intended for use in the private sector, this document may also be applicable to the processes
and methods used in the public sector.
This Standard:
a) Provides a framework for investigative processes that is intended to enable an organization to
identify, develop and implement policies, objectives, protocols and programs;
b) Identifies some of the jurisdictional laws and regulations or other obligations that may impact
or govern the investigative process and the various ways investigations are used;
c) Describes the process for conducting investigations consistent with the PDCA Model;
d) Provides confidence that the information was gathered and assessed in a fair, objective,
thorough, and purposeful fashion; and
e) Provides insight and guidance regarding generally accepted practices relative to the processes
and considerations for an investigation.
This Standard is applicable to all organizations that conduct investigations whether using persons who
are internal or external to the organization. Annex E provides information for organizations considering
the use of external investigators.
Furthermore, the guidance offered is sufficiently generic to be applicable to all organizations, regardless
of type, size, geographic footprint or nature of their activities, products or services.
This Standard is a guidance document and not intended as a specification for third-party certification.
2 NORMATIVE REFERENCES
This Standard does not make reference to any normative documents which constitute foundational
knowledge for the use of this American National Standard.
Term Definition
3.1 action A lawsuit brought in court.
3.2 actionable A matter which may be subject to legal or administrative action or
intervention.
3.3 admissibility The legal authority permitting the entry of evidence into a legal proceeding.
3.4 admissible Evidence which may be formally considered in a legal proceeding.
3.5 admission The simple admission to the commission of an offense, work rule or policy
violation, or violation of the law. Differs from a confession in that it may or
may not contain all of the elements of the offense or crime in question.
3.6 agency Fiduciary relationship between two parties in which one (Agent) is under
the control of (is obligated to) the other (Principal).
NOTE 1: The agent is authorized by the principal to perform certain acts, for
and on behalf of the principal.
NOTE 2: The Principal is the person from whom an agent's authority derives.
3.7 appeal An application to a higher court to correct or modify a judgment rendered
by a lower court.
3.8 arrest The taking of a person into custody in a manner provided by law for the
purpose of detention in order to answer a criminal charge or civil demand.
3.9 attorney work product Evidence which a party to a lawsuit does not have to reveal during the
discovery process because it represents the thought process and strategy of
the opposing attorney giving legal advice.
3.10 case file The tool used by investigators to organize and maintain their records,
documents and reports during an investigation.
3.11 chain of custody A record detailing those who handled or possessed a piece of evidence.
Synonymous with chain of evidence.
3.12 chain of evidence See Chain of Custody.
3.13 circumstantial evidence Indirect evidence which in and of itself does not prove a material fact. Often
gathered and used cumulatively to prove a fact.
3.14 confession A comprehensive admission to the commission of an offense or violation of
the law that contains all of the elements of the offense or crime in question.
Not to be confused with admission.
3.15 credibility The reliability or trustworthiness of an individual.
3.16 custodian of record The person or entity responsible for record possession, retention, and/or
preservation.
3.17 client The individual or entity for which an investigation is performed.
NOTE: A customer is a more general term used to indicate the recipient of a
tangible or intangible service or product.
3.18 decision-maker A person who decides things, especially at a high level in an organization.
NOTE: The decision-maker rather than a member of the investigative team
is responsible for making decisions regarding discipline and corrective
action.
3.19 direct evidence Evidence which proves a material fact.
3.20 discovery The legal process of obtaining information and/or evidence from a legal
opponent.
3.21 due process A fundamental guarantee that all legal proceedings will be fair and that one
will be given notice of the proceedings and an opportunity to be heard before
the government acts to take away one's life, liberty, or property.
3.22 electronic surveillance Any form of surveillance which uses electronic technology.
3.23 embezzlement The unlawful appropriation of property or assets of another with which one
has been entrusted.
3.24 entrapment Actions which might induce an otherwise honest citizen to commit a crime
that, without the inducement, the citizen would not have committed. Entrapment is a
criminal defense and is not a crime. In order to use entrapment as a defense,
the accused must first admit they committed the offense.
NOTE: Legality is based on jurisdictional laws.
NOTE: The investigator may be a member of an investigative team working
under the direction of an investigation team leader and/or investigation unit
manager.
3.40 investigative unit (IU) The entity within the organization tasked with conducting or overseeing
investigations.
3.41 investigation unit manager (IUM) The person responsible for managing the investigation program and
assuring the necessary financial, human, physical, and time resources are
committed to conduct an effective investigation.
3.42 judgment A legal finding of responsibility.
3.43 jurisdiction An area or subject over which a party has authority.
3.44 management system standard A framework of processes and procedures used to ensure that an
organization perform activities needed to achieve its objectives.
3.45 organizational investigations Investigations performed at the direction of the organization, for the
organization. Usually involves the investigation of crimes and offences
committed against the organization and/or as a method of establishing the
facts and organizational due diligence relating to potential regulatory action.
NOTE: Differs from workplace investigations in that the subject of the
investigation may not be an employee or former employee of the
organization.
3.46 physical surveillance A form of monitoring where the subject is kept under physical observation.
NOTE: May be augmented with technology but requires constant human
monitoring.
3.47 preemployment screening A form of investigation used to verify the identity, personal history and
credentials of an employment applicant.
3.48 preponderance of the evidence The amount of evidence needed to prevail in most civil matters, which is
based on a finding that it is more likely than not that an alleged event
occurred.
3.49 privacy, the right to privacy A human right and an element of various legal traditions which may restrain
both government and private party action that threatens an individual to be
free from being observed or disturbed by other people, or having their affairs
made public.
3.50 private investigations Investigations performed for and by the private sector.
3.51 private sector The part of the economy that is not under direct government control.
NOTE 1: Run by private individuals or groups either for profit or not for profit.
NOTE 2: Those suspected of a workplace offence may be the subject of a
private sector investigation conducted by their employer or agents, and if
determined responsible, disciplined by their employer.
3.52 privilege A legal protection which permits the lawful withholding of information or
evidence from an opponent during the course of litigation. May be used in
both criminal and civil cases.
3.53 public sector The part of an economy that is controlled by the government.
NOTE: Composition of the public sector varies by country, but in most
countries the public sector provides services which benefit all of society
rather than just the individual who uses the service.
3.54 restitution Returning to the proper owner property or the monetary value of loss.
3.55 return on investment (ROI) The return enjoyed on any particular investment. The return may be
monetary or otherwise.
3.56 spoliation The intentional or negligent destruction, alteration, or mutilation of
evidence, and may constitute an obstruction of justice.
3.57 standard of proof The quality and quantity of proof necessary to make a finding.
3.58 subject The individual who is under investigation or the matter in question. Not to
be confused with suspect as used in the public sector. The individual may or
may not be a suspect.
NOTE: Sometimes referred to as “respondent”.
3.59 surveillance The direct and deliberate observation or monitoring of people, places or
things.
3.60 workplace investigations Any investigation taking place in or involving the workplace.
NOTE 1: May be conducted by those either in the private or public sector.
NOTE 2: Typically involving the investigation of employee misconduct,
workplace policy violations or work rule violations. The matter under
investigation may or may not be a violation of the law.
NOTE: Some legal definitions may vary by jurisdiction, therefore, some of the terms in this glossary may have specific legal
definitions in certain jurisdictions. The definitions provided are based on common usage.
4 PRINCIPLES
4.1 General
The principles in this Standard give guidance necessary to provide consistency, accuracy, credibility,
fairness and scalability in the fact-finding, documentation, information rendering, and reporting
processes as they relate to investigations. Examples of stakeholders in these processes include, but are
not limited to:
a) Customers, clients, shareholders, directors, employers, employees, vendors, or anyone engaged
in commerce or other lawful activities in the private sector;
b) Government and regulatory authorities including elements of both the criminal justice system
and all of its counterparts in the civil justice system;
c) Civil society groups, non-governmental organizations, and non-profit entities;
d) Organizations that provide and/or support investigative services whether for profit or not; and
e) Members of the public (including the media).
The principles below apply to the activities involved in most routine investigative activities, as well as
those conducted for special or specific purposes. Use of these principles helps ensure those conducting
investigations independently yet in similar circumstances will likely produce similar findings based on
similar circumstances.
4.2 Impartiality
Impartiality is the ability to separate one’s self and self-interests from the investigation and its outcome.
Confidence in the investigation process is dependent on an independent and impartial fact-finding
process and a complete separation of self-interests from the investigation’s ultimate outcome.
Impartiality requires both the actual and perceived presence of objectivity. Investigation programs
should implement measures to ensure and monitor impartiality. These measures should demonstrate to
stakeholders that a credible investigation process is in place.
Investigators should be objective, impartial, unbiased, have no vested interest in the outcome, and avoid
any conflict of interest. Any possible conflicts of interest should be identified, disclosed, resolved, and
documented before an investigation begins. Threats to impartiality include:
a) Self-interest threats: arise from having a vested or financial self-interest;
b) Self-review threats: arise from reviewing advice or the work done by oneself on behalf of the
organization;
c) Familiarity threats: arise from being too familiar with processes and persons being investigated
to obtain unbiased evidence and conclusions;
d) Cognitive bias threats: arise from individuals creating their own subjective reality from their
preconceived perception of the input; and
e) Intimidation threats: arise from having a perception of being coerced or pressured.
a) Not deciding the investigation’s objectives and not having a vested interest in the outcome.
b) Excluding themselves from any decision-making process at the conclusion of the investigation. By not being
party to the decisions regarding discipline or corrective action, the investigator has no say in the outcome.
c) Demonstrating their impartiality by their work. The analysis in the investigative report should fairly show
how the investigator weighed all the evidence, both for and against the ultimate findings.
objectives, unresolved issues, and divergent opinions should be reported. Communications should be
timely, accurate, unambiguous, unbiased, and complete. Evidence should be clearly documented.
To aid in maintaining objectivity, every investigator should consciously recognize their personal prejudices and
neutralize the effects of those prejudices on investigative activities, including the formation of the hypothesis. In other
words, the professional investigator must ensure that the investigative findings form the basis for their impressions,
not the reverse.
In addition, the investigator’s approach and demeanor is of critical importance to the successful outcome of a case.
First and foremost, the investigator should project an air of objectivity. This is accomplished by choosing words and
phrases carefully during the investigative process and by avoiding facial expressions and body language that might
project an inappropriate attitude or prejudgment.
4.7 Relevance
Investigations should be focused on the information that pertains to the purpose of the investigation and
is at the appropriate level of detail. The spectrum of details pertains to how wide a net the investigator
needs to cast in order to gather all relevant information.
Cause and effect relationships may be relevant to an investigation. For example, the subject of a personnel background
investigation may have a poor credit rating. Rather than simply reporting a potential weakness in the applicant, the
investigator should attempt to determine and verify the cause of the credit rating, as well as possible mitigating
information. The subject may have been a victim of identity theft or may have suffered the loss of a close relative and
been saddled with large secondary financial debts until the estate could be settled. In either case, the concerns may be
addressed through the investigative process and may provide the appropriate information to decision-makers.
4.8 Thoroughness
Based on the investigative scope, activities should follow relevant leads to their conclusion. A thorough
investigation involves making efforts to corroborate allegations and facts, doing follow-up enquiries to
clarify and confirm testimony and evidence. Corroborating important aspects through different sources
is a helpful means of achieving thoroughness along with using different types of sources.
Various types of sources for a particular piece of information might be interviewees or witnesses, subject matter
experts, physical evidence, electronic evidence, public records, surveillance results, open sources, databases, etc.
4.9 Timeliness
Investigators should conduct the investigation in a timely manner, achieving the investigative objectives
while ensuring the quality and integrity of the investigation. Investigations should be conducted as soon
as possible, consistent with jurisdictional requirements, and to avoid degradation of human, physical, or
electronic evidence. Once an investigation is under way, it should be completed in an expedient manner
to conserve resources, allow operations to return to normal as soon as possible, and implement corrective
actions. However, care should be taken not to rush an investigation at the expense of quality,
thoroughness, or accuracy.
4.11 Confidentiality
Persons involved in the investigative process should maintain confidentiality. Investigators should strive
to minimize the possibility of inadvertent disclosure which may result in reputational, psychological, or
physical harm to individuals or organizations. Confidentiality arrangements should consider
jurisdictional laws and regulations or other obligations, including those for privacy, protecting
information, and discoverability.
Subject to jurisdictional laws and the organization’s policies and practices, confidentiality admonitions should be
provided to interviewees at the beginning of the investigation interview. The investigator should clearly explain the
confidentiality and disclosure relationship and its limitations. Investigators should strive to minimize the possibility
of inadvertent disclosure of information unless instructed by counsel. Confidentiality arrangements consider
jurisdictional laws and regulations or other obligations, including those for protecting information as well as
requirements related to discoverability. Attorney investigators may be held to a different standard and have additional
ethical obligations regarding confidentiality.
Failure to protect personal or confidential information, either by the organization, investigator, or interviewees, may
result in: increased risk; retaliation; leaked information; lawsuits; bias of the process; and erroneous conclusions.
Confidentiality should be maintained to prevent compromise or unwanted exposure of an investigation. Only those
with a need to know should be involved in or told of the investigation. To do otherwise may risk the integrity of the
investigation as well as may put people (including the investigator) at risk.
In order to require confidentiality, it may be important to consider and document one or more of the following business
reasons for maintaining confidentiality:
5.1 General
5.1.1 Managing Investigation Programs
The purpose and objectives of an investigation drive the approach and methodology. Most successful
investigations are process driven. Investigations can be complex undertakings which are time
consuming and fraught with enormous potential for legal liability. When properly managed, they
combine an intricate mixture of skill, experience and knowledge. A sound understanding of
investigation management fundamentals is necessary for success and efficient use of resources.
Managing the risk associated with an investigation is essential given that few organizational activities
invoke so much risk and at the same time, so much opportunity.
Like any other organizational function, managing investigations entails basic functions of management:
planning, organizing, directing, coordinating, and controlling. All five of these functions apply to
managing the overall investigative program, as well as when conducting individual investigations.
The strategic level of an investigation program involves the management program and its relationship
with the organization’s top management. Legal counsel, human resources, risk management, and other
relevant departments should be involved at this level to ensure the proper focus of the investigation as
it relates to organizational policy and procedure, labor relations, or the law. Issues at this level may
include:
a) Establishing attorney work product protection;
b) Designating head of the investigative function;
c) Identifying the organizational structure;
d) Defining strategic goals and objectives;
e) Focusing investigative efforts; and
f) Identifying and allocating resources.
At the case level, individual investigation parameters and details are prescribed, including the particular
investigators, investigative techniques, and case management protocols associated with them.
The details of both the overall program and individual investigations include technical aspects of the
investigative function and how the function works within the program. Such issues as case load, case
assessment, quality control, investigative policies and procedures, reporting formats, liaison, team
composition, supplies and equipment, evidence management, and outside contracts are considered at
this level.
The investigation unit manager (IUM), sometimes referred to as the project manager or case manager,
should participate at the program and individual investigation levels while simultaneously considering
factors that transcend the investigative management levels. The IUM is typically the person directly
responsible for the investigative function in an organization and, depending on the organizational
structure, may hold the title of chief security officer, security director, director of
investigations, director of human resources, or something similar.
j) Oversight by general counsel or other in-house attorney with specific expertise of the internal or
external investigation team;
k) Human resources or employee relations executive with oversight over investigation team; or
l) Outside counsel with oversight over internal or external investigation team.
In larger or more geographically dispersed organizations, regional investigative units or personnel may
be established in order to conserve travel costs and time. This arrangement also allows for investigators
who are familiar with local issues (culture, geography, procedures, laws, regulations, etc.) and provides
an opportunity to work more effectively with local liaison contacts. Organizations may also establish
separate investigative capabilities within different business units.
The reporting chain for investigative information or results is critical and can affect both the outcome of
specific cases and the effectiveness of the unit itself. Generally, the shortest reporting chain between the
source of the information and the final decision maker is best.
If litigation is anticipated or there is suspected unlawful conduct within the workplace, legal counsel may engage the
investigator and communicate that the investigation is “confidential and privileged.” By this assertion, any
communication, inclusive of reports, occurring between the investigator and legal counsel should be considered
“attorney work product.” In some jurisdictions, the work product may be considered protected and not discoverable
in the litigation process. Alternative means exist for establishing attorney-client and work-product protections, such
as by clearly establishing at the outset (either by contract or other dictate) that the investigator is charged with
producing factual findings to legal counsel, so that legal counsel may use the findings to provide legal advice to the
organization.
The final decision maker(s) should be top management, such as the chief executive officer, chief operating
officer, chief legal counsel, president, or some other official who has similar executive and decision
making authority (e.g., person authorizing the investigation). It is important to identify the decision
maker, establish a close working (and trust) relationship with him or her, and develop a formal reporting
mechanism. In some situations, it may be advisable to establish an alternate or contingency reporting
mechanism in case the identified decision maker is unavailable, is a party in the case or investigation, or
is possibly involved in the investigative matter.
The lineup of liaison contacts, potential outside sources for investigative services, specialists, and
equipment vendors should be tailored to the primary focus areas of the investigative unit. Whether the
investigative capability of an organization consists of a dedicated unit, a single investigator, the security
director alone, or another arrangement, a specific individual (with a backup) should be designated to
manage these outside investigative resources. This provides continuity and facilitates rapid
implementation of capabilities. Investigative needs generally arise on short notice and on a surge basis.
Figure 3 provides an example of reporting lines during the investigative process.
See Annex E for more information on determining the need for an investigation within an organization.
investigation should also understand the reason and purpose for the investigation. There should be a
clear understanding between the IUM and top management as to the purpose of the investigation
program and intended use of the outcomes. Examples are:
a) Personnel screening;
b) Employee misconduct (including but not limited to harassment, discrimination, retaliation,
policy violations);
c) Internal or external theft;
d) Fraud prevention and detection;
e) Provide input for human resource management processes;
f) Better protect tangible and intangible assets;
g) Determine causes of accidents, mishaps, or disruptive incidents;
h) Use of a systematic process to identify weaknesses in the organization’s processes and risk
management approach;
i) Identify opportunities for improvement;
j) Evaluate effectiveness of training and awareness programs;
k) Evaluate and improve the allocation of resources;
l) Demonstrate regulatory compliance (including but not limited to food, health, safety,
production, labor, equal employment opportunity, and discrimination regulations);
m) Conformance with organizational policies;
n) Reduce liabilities;
o) Provide information for post investigation activities and actions;
p) Reputation and brand protection; and
q) Evaluate business relationships and supply chain needs, as well as address customer/client
concerns.
When developing the investigation program, the IUM should understand the organization’s intended
use of the investigation results.
The needs and requirements of the organization for the investigative function may change based on:
a) Economic realities of the organization;
b) Market forces;
c) Risk appetite (the amount of risk an organization is willing to accept, retain, or pursue¹);
d) Increase or decrease in the number of incidents requiring an investigation;
The investigative unit should demonstrate value to the organization consistent with its needs and requirements.
Support for budget justifications can be bolstered by any or all of the following:
a) Proper investigative focus to support the organizational mission as well as strategic and business objectives;
f) Creating a safe and respectful work environment for employees and others; and
Carefully tracking and managing operational and overhead costs can significantly improve the response to funding
requests. Costs can be tracked by case type, location, business unit, or other variable. Additionally, recoveries and
restitution figures should be tracked and reported to senior management to help demonstrate a financial benefit to the
organization and support return on investment (ROI) arguments. Often, IUs can demonstrate ROI through civil
recovery efforts, recovering not only the losses but also the related investigative costs.
Many small organizations keep qualified investigative consultants or private investigators on retainer to respond
quickly to various issues that require an investigative response. In larger organizations or other environments with a
constant need for investigative services, a full-time investigator or investigative staff may be justified. Regardless of
the organizational structure of the investigative function, a clearly defined investigative program is essential to assure
a transparent, accurate, fair, and unbiased investigation program.
Investigation program success requires the development and deployment of a sound investigative
strategy. Effective investigative strategies involve more than mixing and matching investigative methods
and tools. The investigative process must be sufficiently structured so that it provides efficiencies and
the opportunity to measure results. However, the process must be sufficiently flexible so that it permits
the changing of objectives and strategy as new information is learned. The IUM and investigators should
have the ability to change their objectives and modify their strategy as new information is developed.
a) Investigation unit manager (IUM) – the person responsible for managing the investigation
program and assuring the necessary financial, human, physical, and time resources are
committed to conduct an effective investigation;
b) Investigation team leader (ITL) – the person designated as leading the investigation team;
c) Investigator – a person competent in conducting the investigation, individually, or as a member
of a team;
d) Technical expert – a person with specific knowledge or expertise who supports the investigation
team but does not act as an investigator (e.g. a language, legal, or industry sector expert);
e) Observer – a person who is present but not actively participating in the investigation (e.g. a
client’s representative or guide); and
f) Client – top management of an organization that requests the investigation.
The IUM is responsible for the planning, management, and conduct of the investigation program, while
the ITL is responsible for the conduct of individual investigations. They are both responsible for the
professional and ethical behavior of the investigation team members. The IUM and ITL are responsible
for:
a) Defining the objectives, criteria, and scope of the investigation program as well as individual
investigations;
b) Communicating and consulting with relevant parties to the investigation;
c) Ensuring the investigation team and its members have the necessary competence to successfully
conduct the investigation;
d) Ensuring the allocation of adequate resources for the investigation;
e) Ensuring compliance with applicable laws, regulations, and policies;
f) Ensuring the investigation program is executed as planned in a timely fashion;
g) Ensuring the completeness and integrity of documentation;
h) Minimizing impartiality and bias related risks;
i) Ensuring risks of the investigation program to the client and investigation team are
appropriately managed;
j) Reviewing work product(s) of investigators for completeness and accuracy; and
k) Ensuring the integrity and confidentiality of information.
The organization requesting the investigation (“client”) should appoint at least one representative from
top management to interface with the investigation team. The client’s representative should have the
authority to make appropriate and timely decisions and to provide the investigators with:
a) Appropriate organizational, functional, stakeholder, and historical information to evaluate
risks;
b) Access to areas and activities within the scope of the investigation;
c) Access to relevant persons and information;
d) Facilities for the investigation team use (e.g. private work space, telecommunications, safety and
hygiene facilities, etc.);
e) Support personnel if needed;
f) Access to legal counsel and human resources;
g) Safety, security, and regulatory requirements; and
h) Information needed for protection of brand, reputation, proprietary rights, and confidentiality.
Investigations support the achievement of objectives of the organization. Because many investigations are complex
and often involve potential litigation, management commitment is an essential component if success is to be achieved.
From the very beginning, the management representative of the organization requesting the investigation (“client”)
needs to be prepared to commit the requisite time, patience and resources in order to achieve the investigation
objectives. In accepting the assignment, the IUM must be prepared to accept responsibility and communicate honestly
with the client. Only with the proper information and a thorough understanding of the issues and options can the client
make decisions that are sound and appropriate. Therefore, the client should commit the time, patience, and resources
necessary for the investigation to succeed.
Investigators should be apprised of their responsibilities to report illegal and unsafe activities within or
outside the scope of the investigation, including legal requirements for disclosure. Once discovered, an
investigator should not ignore illegal or unsafe activities. Investigators should inform the ITL, who
informs the client and investigative unit manager. The ITL should verify and create a record of the
condition. If the team is endangered, the investigation should be paused until the risk can be assessed
and issues rectified.
It is incumbent on the IUM to ensure the investigation team is familiar with all applicable laws and
regulations, as well as organizational (client) policies. This can become a significant task, especially if the
client has locations in several different jurisdictions, even in other countries. The venue of a particular
case may not necessarily be within the expected jurisdiction. Applicable laws, regulations, and
restrictions may vary across the different jurisdictions. Jurisdictional requirements should be understood
by the investigation team, particularly those associated with:
a) Privacy;
b) Human and civil rights;
c) Access to legal counsel;
d) Chain of custody of evidence;
e) Consumer reporting;
f) Financial reporting;
g) Detention;
h) Physical contact and use of force;
i) Confidentiality;
j) Regulatory reporting and discoverability; and
k) Information storage.
Investigators have enormous responsibility. The outcomes of their effort often impact not only the organizations they serve and
the employees that work for them but also anyone else their investigation touches. Those who conduct private sector
investigations are governed largely by organizational (client) dictates and ethics. Regardless of the venue or the
likelihood of critical examination, all investigations should be conducted ethically and lawfully. To do otherwise is a
disservice to the subject, the client and the investigative profession.
d) Liaison agents;
e) Neighboring communities;
f) Civil society groups and organizations; and
g) The media.
Some stakeholders may be inclined to use investigation results for unintended or undisclosed purposes. Defining the
threat entails identifying, within reason, all potential information collectors or adversaries who may access
investigation results using legal or illegal means. The following are examples of potential adversaries:
c) Parties in litigation;
e) News media and simple public curiosity (especially in high-profile cases); and
In other types of investigations, a working hypothesis is not recommended and, if used, can create legal
liability for the client. In all types of investigations, the investigator must come to the investigation open
and impartial, giving the complainant the opportunity to provide their version of the facts concerning the
allegations. Likewise, the investigator must provide opportunities for the subject of the investigation to
provide relevant evidence and leads, and to admit, deny, or explain the allegations and evidence.
The IUM should develop one or more procedures for managing the investigation program. When
developing the procedures, the IUM should identify performance metrics that will be used to determine
if the procedures were effective and successfully applied. Procedures should be developed for:
a) Planning the investigations to meet the investigation objectives consistent with promoting the
organizational business and risk management objectives;
b) Identifying and maintaining the appropriate level of investigator competence;
c) Selection of investigation team members and appointment of ITL;
d) Ensuring effective communication between all parties involved in the investigation;
e) Evaluating required resources, logistics, and feasibility of investigation success;
f) Conducting the investigation, including data collection and sampling techniques;
g) Ensuring time management and scheduling;
h) Evaluating the investigation data, definition of priorities, and improvement of risk treatment
methods to promote awareness and prevent recurrences of undesirable behaviors and incidents;
i) Performance assessment of the investigation process to identify opportunities for improvement;
j) Conformance with organizational policies and commitments;
k) Compliance with jurisdictional laws and regulations or other obligations, as well as liability
issues;
l) Integrity, confidentiality, and protection of information;
m) Handling, chain of custody, access control, and archiving of records;
n) Proper documentation and review of investigative findings before providing reports to the
client; and
o) Monitoring, review, and continual improvement of the investigation program.
investigation team should reflect the objectives of the investigation program and the complexity of
organization’s business and risk management systems. The IUM should calculate the personnel hours
required to successfully complete each portion of the investigation.
Factors that will affect the allocation of resource requirements (particularly personnel and time
requirements) include (but are not limited to):
a) Complexity of investigation nature and range of issues (associated risks) to be investigated;
b) Expected type of cases and projected caseload per investigator;
c) Risks associated with the organization, its activities, and its context;
d) Complexity and size of the organization to be assessed (e.g. technologically complex or
labor-intense organizations may increase the personnel hours needed);
e) Maturity of the existing risk management system;
f) Risks associated with the investigation program (including minimizing bias);
g) Desired timeframe in which the investigation is to be conducted;
h) Investigation methodologies and sampling methods;
i) Results of prior investigations;
j) Extent of changes in operating environment;
k) Review of documentation;
l) Availability and accessibility of interviewees and information;
m) Number of sites, multi-site considerations and diversity of stakeholders;
n) Single or multiple shifts, as well as weekends and off-hours;
o) Physical size and layout of the organization to be assessed;
p) Meeting requirements (opening and closing meetings, top management briefings, and
investigation team meetings);
q) Communications (including availability of information and communications technologies and
methods);
r) Administrative or other support needs;
s) Safety and security arrangements and equipment;
t) Travel and logistics (including lodging, meals, and breaks);
u) Data analysis and report preparation;
v) Availability of competent personnel to conduct the investigations; and
w) Anticipated scheduling delays.
To ensure a successful investigation and achieve objectives, the IUM should obtain a commitment for the resources
needed prior to the investigation’s initiation. If staffing needs cannot be accurately projected or benchmarked, the best
approach is to start small, using outsourced resources when required, and grow the unit over time if necessary.
Selecting professional personnel is an important aspect of setting up a proprietary IU. Many positions in today’s
environment require backgrounds in specialized fields, such as computer investigations, contract fraud, or financial
crimes.
Tip #15: Questions the IU and its Investigators Might Ask Themselves When Contemplating an Investigative
Strategy are:
a) Is it legal?
c) Is it relevant?
d) Is it balanced?
e) Is it necessary?
g) Is it affordable?
h) Is it ethical?
The scope of the individual investigations should be clearly defined and documented. Examples of
individual investigation scope include (but are not limited to):
a) Specific investigation type;
b) Incident investigation;
c) Specific facilities and physical locations;
d) Individual divisions and organizational units;
e) A value chain in the organization;
f) A specific set of risks;
g) Individual(s) within the human resource pool;
h) Evaluation of risks related to new products and services; and
i) Specific processes.
The criteria of the individual investigations should be clearly defined and documented. Examples of
individual investigation criteria include (but are not limited to):
a) Investigation objectives set by top management;
b) Organizational policies;
c) Level or burden of proof;
d) Risk management goals established by top management;
e) Management system standards requirements of one or more standards;
f) Accepted industry practices;
g) Headquarters, contractual, or supply chain requirements;
h) Jurisdictional laws and regulations or other obligations;
i) Security requirements;
j) Concerns and perceived risks of stakeholders; and
k) Risk management policies and procedures.
See Annex D for more information on types of investigations.
decision making processes. When trying to determine the methodology, previous investigations may be
a good starting point concerning protocols for protecting data and evidence, confidentiality, and
logistical issues. However, extreme care should be taken to make sure the investigator is not provided
information that could later be seen as creating bias. Always evaluate the appropriateness of the current
circumstances when reviewing prior investigations.
When selecting a methodology, it is important to understand the reliability and confidence levels of the
available data. There is no single methodology and therefore each one requires independent judgment
regarding its design.
Examples of basic methods of investigation include (but are not limited to):
a) Physical surveillance;
b) Electronic surveillance;
c) Physical examination;
d) Searches;
e) Information review;
f) Forensic analysis;
g) Undercover;
h) Interviews; and
i) Legal mechanisms for discovery (generally not available pre-litigation).
Other methods of investigation may be considered subcategories of one of these. Not all of these methods
are appropriate for every type of investigation.
Most investigations use one or more of the investigative methods. The IUM and ITL should select the
method(s) most suitable to achieve the investigation objectives given the particular circumstances and
cost/benefit; and deploy them properly and efficiently. Typically, there is a need to combine the methods
in some fashion or mix and match them. Using the PDCA Model as described in this Standard, the IUM
and ITL should plan, implement, evaluate and review the method(s) for each individual investigation
with a goal of continually improving the methodology.
To the extent criminal and civil records are obtained, the investigator must be aware of jurisdictional laws governing
such sources, including for example, reporting and privacy regulations. The investigator should also fully explore all
relevant information sources, including but not limited to, electronic documents, text messages, emails, social media
writings, personnel files, supervisor files, interviewee notes, incident notes, personal websites, blogs, demographic
information, policies and procedures, past complaints, time cards, expense reports, internet usage, and calendars.
Caution should be exercised when transferring information between jurisdictions, particularly international
boundaries.
5.5.2.5 Undercover
Use of undercover methods can be one of the most effective methods of investigation due to its interactive
nature. This method involves the surreptitious placement of a trained and skilled investigator for the
purpose of gathering information. It permits the investigator to interact and communicate with those
being investigated. Due to its covert nature, the use of an undercover investigator is complex and may
be fraught with psychological, financial, and legal challenges that may create serious liabilities for both
the client and the investigator. Therefore, when conducting an undercover investigation, investigators
should be aware and trained on jurisdictional limitations, particularly with regard to entrapment.
5.5.2.6 Interviews
An interview is a conversation in which one or more persons question, consult, or evaluate another
person. Interviews should be well-conceived and conducted within the parameters of the investigation
objectives, ethics, and the law.
Interviews conducted during investigations can be either highly structured or a casual conversation, and
should focus on obtaining facts and evidence about the events under question. An interview affords the investigator
the opportunity to determine who, what, when, where, how, and why from persons with relevant
information and to provide context. The purpose is to determine what happened or did not happen. This
benefit combined with the opportunity to obtain the relevant evidence makes interviews the most
powerful form of investigative method for those conducting investigations. The investigator needs to
remain objective and maintain control even if the interview becomes adversarial, confrontational or
accusatory.
Interviews are an investigative method used between two or more persons where the interviewer(s) pose questions to the
interviewee(s) to elicit facts or statements about the events under investigation. Interviews fall into several categories,
including but not limited to:
a) Subject;
b) Witness;
c) Complainant; and
d) Applicant.
Regardless of the category of interview, the conversation should be focused on obtaining the information about events. The
level of aggressiveness of the questioning varies with the type of interview, personalities of the parties of the interview, and
objectives of the interview. If questioning becomes confrontational or accusatory, the interviewer should be aware of ethical
and legal boundaries, and should be able to maintain sufficient control to scale the level of aggressiveness of the questioning.
5.5.2.8 Searches
A search is the structured, detailed and careful examination of an area (e.g., room, vehicle, desk, locker,
etc.), the purpose of which is to locate specific items or materials that are suspected to be in the area
searched and that will be useful in furthering the investigation and/or as evidence. Prior investigative
steps generally indicate areas that are appropriate and likely fruitful for search. Because they can lead
to claims of invasion of privacy, searches have the potential to create serious liability exposure for both
the client and investigator if conducted improperly. After a thorough legal vetting, review of
organizational policies, and requirements under any collective bargaining agreement, a fully competent
investigator should execute the search within the appropriate guidelines of the organization.
l) Leadership requirements and the need to oversee and train new investigators.
When considering the selection of investigators, the IUM should evaluate the qualifications, knowledge,
experience, personal skills, and traits of the investigators needed to achieve the investigation objectives.
The IUM should have a documented process for evaluating and selecting investigators. See Annex B for
additional details.
Technical experts may supplement the competence of an investigation team. At all times the technical
experts should operate under the direction of an investigator and not function as an investigator.
Technical experts are intended to supplement the overall expertise of an investigation team to provide
subject matter expertise.
Investigators-in-training may also be included in the investigation team. Investigators-in-training
should have knowledge of investigation methods. They should participate under the direction and
guidance of an experienced investigator.
The IUM and ITL may make adjustments to the investigation team during the course of the investigation
depending on the necessity for additional competencies.
5.5.5 Managing and Maintaining Program Documentation, Records, and Document Control
The IUM should identify the documentation needs of the investigation. Procedures should be
established by the IUM for the use and handling of documents and records created for the investigation
program. Clear procedures should be outlined for obtaining and handling client and other
organizational documentation. The client must explicitly approve copying of any information or
photography. Investigators should not remove, modify, delete, or destroy documents (including
electronic files) without explicit permission to do so.
The IUM should establish, implement, and maintain procedures to protect the sensitivity, confidentiality,
and integrity of documents and records including access to, identification, storage, protection, retrieval,
retention, and disposal of records. Documents should be clearly labelled as to their status and version
(e.g. draft or final, active or archival) as well as level of sensitivity and confidentiality. Records of access
to information and documents should be maintained.
In instances where reports are deemed confidential, the IUM should establish computer and network
controls over files and investigation information to prevent access by unauthorized users. When
confidential information is collected the IUM should establish procedures and provide technology to
investigation team members to use encrypted storage devices or laptops to secure this information.
Records and documentation should be created, maintained, and appropriately stored for both the overall
investigation program and individual investigations, including:
a) Program objectives, criteria, and scope;
b) Risk assessment and treatment measures;
c) Evaluation of achievement of investigation objectives; and
d) Investigation program effectiveness and opportunities for improvement.
For individual investigations, records should include:
a) Plans and reports;
b) Safety, security, and confidentiality requirements and conditions;
c) Agenda and minutes from opening and closing meetings;
d) Non-conformance reports;
e) Corrective action requests; and
f) Investigation follow-up reports.
Procedures should be established to create and maintain records of investigation performance.
Performance review records should be used to drive continual improvement of the investigation process and
investigation team. Examples of performance records include:
a) Feedback from the client;
b) Selection criteria and competence of investigation team members;
c) Performance evaluations of the investigation team members and team leader;
Retention of records and files is a matter of professional practice and client preference. The client is the recipient of the final report
of the investigation and ownership of information is transferred when the report of the investigation is accepted.
Establishing a destruction of record routine at a set interval is recommended to protect the information obtained from
disclosure outside the client contract, unless required by jurisdictional law and regulations, policy, or other obligation
to maintain records for specified time periods.
When conducting the initial document review, attention should be given to:
a) Nature and scope of the investigation;
b) Context of the risk environment;
c) Methodology and key outcomes of the investigation risk assessment;
d) Selection and effectiveness of risk treatment measures relative to the investigation;
e) Policies, procedures, and internal audits related to the issues addressed in the investigation; and
f) Availability of current documents and responsible duties.
The document review should provide input into planning the investigation and an indication of areas
needing additional focus and resources to conduct the investigation.
The document review will indicate the likelihood of achieving the investigation objectives and may
indicate the need for changes in the investigation approach and investigation team composition. Any
changes should be made in consultation with the IUM and client.
The next stage of the investigation consists of information and evidence gathering to substantiate
findings and draw conclusions. It should consider:
a) Are matters being investigated contrary to jurisdictional law and regulations, policy, or other
obligations?
b) Are issues defined in organizational policies and procedures effectively being addressed?
c) Are legal, regulatory, and contractual obligations being met?
d) Are infractions and deviations from expected outcomes due to deliberate or undeliberate actions?
e) Has the organization acted on identified non-conformances, internal audit findings, exercise
results, and lessons learned from events by implementing appropriate corrective and preventive
actions?
f) Are changes adequately addressed in a timely fashion?
The IUM, ITL, and members of the investigation team should pursue ongoing improvement of their investigation
competence. This may be accomplished by:
a) Skills training;
c) Continuing education;
c) Conformity to investigation program procedures and jurisdictional laws and regulations, or other
obligations;
d) Effectiveness and accuracy of investigation methods;
e) Resource allocations (including human resources);
f) Maintenance of records and documentation; and
g) Protection and integrity of information.
6.1 General
This section focuses on individual investigations, both the preparation for and the execution of these
investigations. Depending on the scope of the investigation, not all provisions in this section are
applicable to all investigations.
An investigation can be conducted by an internal team, external team, or combination depending on the
resources of the organization and depth of expertise. An investigation often follows the order described
in this section; however, this is not always the case, depending on the circumstances of the investigation,
particularly the definition of investigation objectives.
In order to be successful, the process of investigation must be fluid and dynamic. Because facts can alter outcomes, the
objectives of the investigation must be flexible. Situations change and the investigator must be able to adapt. As
information and facts are developed, the true nature of the problem becomes increasingly clear. It is logical, therefore,
that if the nature of the problem under investigation is not what it was thought to be, then the objectives of the
investigation must change accordingly. Steering a rigid course, no matter how well planned in advance, will not
typically get one to his desired destination when the destination has changed. In other words, the investigative process
cannot be so rigid and single-purposed that it cannot be altered when necessary.
Care should be taken to not be influenced by the needs of stakeholders who may have a bias or agenda regarding the
outcome of the investigation. The investigation should be as confidential as possible and involving stakeholders may
impede efforts at confidentiality. Many employers have obligations under jurisdictional law and the impact on
stakeholders as part of the investigation may be irrelevant. Certainly care should be given to contractual relationships,
working relationships between complainants and subjects, co-workers, and third parties.
6.2.4 Assumptions
Assumptions are frequently part of fact-finding and problem-solving and often linked to an individual’s
perspective and point of view. Investigators should be aware of assumptions and potential bias that can
occur. An investigator can potentially misinterpret information if the assumptions are not clearly
identified.
Persons conducting the investigation should consider:
a) What are the assumptions based on?
b) How are the underlying assumptions impacting the outcomes?
c) How is the assumption affected by the level of uncertainty?
d) Are the assumptions a reflection of investigator biases?
e) Are assumptions that something is a “given” based on opinions or evidence?
f) How do the assumptions affect the confidence in the interpretation of evidence?
g) Are assumptions about likelihood balanced by potential consequences in achieving objectives?
h) Could the assumptions be different if made by another individual?
secured then the objectives and scope of the investigation should be modified accordingly with the
agreement of the client.
b) Does the allegation require an investigation consistent with jurisdictional laws and regulations
or other obligations?
c) Does the investigation fall within either the grievance or whistle-blower policies of the
organization?
h) Can the investigation drive a reduction of risk and identify opportunities for improvement?
Legal privilege can be invoked in certain cases to protect legal work, thought process and legal communication by the
organization's attorneys from disclosure. Legal privilege can extend to investigations, particularly if those
investigations are conducted in anticipation of litigation and directed by an attorney. Litigation can result from most
circumstances that warrant investigations. Therefore, an investigator should consult with the legal counsel to
determine whether and how to preserve privilege protections for an investigation. In general, the privilege is protected
by demonstrating an intent to protect the privileged nature of the documents and keeping the investigation confidential.
Common strategies to protect legal privilege include marking documents with statements such as "Confidential:
Privileged Communication" and limiting the investigation results to those who have a reason to know related to the
litigation. The investigator is encouraged to obtain advice from the organization's attorney on when to use the
statement "Confidential: Privileged Communication" and on which types of documentation. Be mindful that
communication or distribution of privileged documentation, including e-mails, may result in the loss of privilege and
should be avoided.
b) Investigation criteria such as risk criteria, standards, contracts, regulations, manuals, and
reference documents to be used in the investigation;
d) The client, management representative, guides, and the divisions, facilities and functions
related to the investigation;
e) Investigation team members (e.g., ITL, investigators, technical experts, observers), their roles
and responsibilities;
h) Investigation logistics including date and place of the investigation, travel, lodging, and
facilities;
l) Issues identified related to the investigation, the client, organization, and investigation team;
q) Specific exclusions.
b) Consider the effect that the investigation activities may have on the client and its functions;
d) Take into consideration the competence and composition of the investigation team (including
whether technical or security experts are needed);
e) Outline appropriate investigation methods and practices (e.g., sampling and interview
techniques); and
The complexity and scope of the investigation and the confidence level of achieving the investigation
objective determine the amount of detail needed in the investigation plan. The scope of the investigation
may be dynamic. The investigation plan should include appropriate flexibility to allow for changes as
the investigation progresses. Significant changes should be reviewed and approved by the client.
g) Include space to document samples taken, documents reviewed, as well as record comments and
observations;
h) Provide evidence of the thoroughness of the investigation; and
i) Be reviewed at the end of the investigation for effectiveness and improvement.
Checklists should be reviewed before each investigation to determine if they are still relevant and
appropriate. When preparing checklists they should be designed to:
a) Maintain clarity of investigation’s objectives;
b) Provide structure;
c) Help ensure thoroughness;
d) Maintain the rhythm and continuity of investigation;
e) Reduce the investigator’s bias, thereby increasing objectivity in evidence;
f) Reduce the workload during the investigation and provide formatted evidence collection; and
g) Provide a record of the investigation and evidence collection.
The ITL should report and provide an explanation to the client if the available investigation evidence
suggests that the investigation objectives are unattainable. The ITL and client should determine the
appropriate action (e.g. modify the investigation plan, change the investigation scope or objective, and
terminate the investigation). The need for a change in the investigation plan may become apparent
through the progression of the investigation and should be reviewed and approved by the client and
IUM, where appropriate.
6.4.4.1 General
The investigation team's responsibility is to collect, analyze, and document information which is relevant,
credible, and supportable. It is the investigator's role to assess the information and determine by a
preponderance of the evidence whether it is sufficient to draw conclusions. The investigation team
should have a well-developed data collection strategy and sampling plan to ensure the gathering of
comprehensive information. Avoid collecting information unless specifically required to achieve the
objectives of the investigation.
Information can be gathered from various sources, including (but not limited to):
a) Review of documents, performance indicators, and records;
b) Digital evidence (e.g., websites, email accounts, mobile phones, social media, and databases);
c) External reports;
d) Interviews with persons;
e) Physical evidence; and
f) Observation of operational processes.
The ITL, in consultation with investigation team members, should determine how much evidence needs
to be gathered in order to achieve credible findings and conclusions. When developing a sampling plan
it is important to keep in mind that the investigation can provide added value to the client if systemic
weaknesses and opportunities for improvement are identified. Sampling examines selected items and
elements from the overall population. The method of sampling should be defined and documented using
sampling practice and procedures appropriate for the data collection objectives. If contradictory data is
collected or possible systemic problems are identified, the sampling size may be increased to determine
if there is a trend or pattern of problems.
Evidence is collected by appropriate sampling techniques from multiple sources of information (e.g.,
documents, records, interviews, and observations). The evidence is then evaluated against the
investigation criteria to produce investigation findings. Findings are then discussed and evaluated to
form the conclusions of the investigation.
a) Testimonial evidence: Most, if not all, investigations will involve collecting this type of evidence. Testimonial
evidence is derived from interviews with subjects or interviewees, stakeholders and affected parties, and
subject matter experts.
b) Documentary evidence: As the name implies, is derived from documents and other writings (hard copy or
electronic). Documents could include but are not limited to: invoices, forged or altered company records,
sales records, etc.
c) Physical evidence: Physical evidence is derived from physical objects, such as computers, smartphones,
equipment, tools, process equipment, company vehicle, etc.
a) Establish rapport by providing a personal introduction and exchange business cards where
appropriate;
b) Explain the purpose of the interview emphasizing that the interviewee will provide important
and useful information;
c) Explain, consistent with the organization's practices and any legal limitations, that the
interviewee should treat the substance of the interview as a confidential matter, or one
warranting a high degree of discretion;
d) Inform the interviewee about non-retaliation policies for raising issues or participating in the
investigation;
e) Explain reasons for note-taking during the interview and explain that the information elicited is
to be handled with appropriate confidentiality;
f) Use a funneling technique during the interview process:
i. Start with an open-ended question to get the interviewee to describe their work and
activities related to the investigation (this may include asking the interviewee to provide
free associations regarding investigation topics);
ii. Use clarifying or probing questions to fill gaps and obtain additional information; and
iii. Closed-ended questions may be used to obtain additional information on specific points.
g) Analyze the major issues raised during the interview to determine if additional information is
needed;
h) Summarize and review the salient points of the interview with the interviewee;
i) Where appropriate, obtain a written, signed statement from the interviewee that incorporates
the important information provided during the interview;
j) Explain any next steps that may be necessary with regard to the interviewee; and
k) Thank the interviewee for their contribution and sharing their time.
See Annex F for additional information on types of questions.
Interviews may also yield admissions. Depending on jurisdictional laws and regulations or other obligations, a
properly obtained admission constitutes the best evidence obtainable. Unlike criminal law, where admissions and even
confessions often only have corroborative value, private investigations need only to proffer an admission to make a
case and may be used even when other information may be in conflict. However, the investigator should exercise
caution and assess whether an admission is consistent with other facts in the case or is being used to mask other factors.
If there are any inconsistencies within one person's response, the interviewer should note and attempt to resolve those
inconsistencies by giving the interviewee the opportunity to explain, re-posing the question, or through other
investigative methods. The investigator should attempt to determine the reasons for inconsistencies (e.g., cognitive
processes, questioning techniques, external influences, or untruthfulness).
a) Direct evidence: Is information that is based on personal knowledge or observation. Direct evidence may also
include documentary or electronic evidence, a documented event, recorded conversations, or an original
contract. It directly proves or disproves a disputed fact without inference or presumption. Direct evidence, if
true, conclusively establishes that fact. Testimony from an interviewee who actually experienced an event is
an example of direct evidence.
b) Circumstantial or indirect evidence: Is information that is associated with the fact being investigated and that
the fact to be proved may be inferred from the existence of the indirect evidence. Inference drawn from one
piece of indirect evidence may not guarantee accuracy of the association. Presence at an event is an example
of circumstantial evidence.
c) Forensic evidence: Is information obtained by scientific methods that are based on scientific theories that are
established and accepted in the scientific community. Examples of forensic evidence include ballistics, and
blood and DNA testing.
d) Hearsay evidence: Is information provided by a person who does not have direct knowledge of the fact
asserted, but knows it only from being told by someone else or from a secondary source (e.g., media, online
research and resources). Hearsay evidence may be useful in the investigative process and may identify other
sources of information. The admissibility of hearsay evidence varies by jurisdiction.
e) Admissibility of evidence: Is information which the adjudicator finds is useful in establishing the facts of an
event that are considered relevant and material. Depending on the type of proceedings the adjudicator will
establish “rules of evidence” to determine what is admissible and what may prejudice the objectives of
determining the truth.
f) Materiality of evidence: Information that relates to specific issues necessary for proving or disproving a case
is considered material. Materiality of the evidence is based on the relevance of evidence associated with the
facts being investigated.
Improper handling of evidence exposes both the investigator and the evidence to credibility challenges.
Claims of evidence tampering, alteration or contamination are possible when evidence is mishandled.
Therefore, the transport and storage of evidence should have clearly defined procedures to assure the
integrity of the information.
The investigators should understand the standard of proof to be used. Most civil cases utilize the
standard of proof of “preponderance of the evidence,” which is, whether it is more likely than not that
the event occurred.
It should be emphasized that decision-making regarding discipline is the responsibility of the client organization’s
decision-makers. It is often better that the investigator is not involved in the decision-making or discipline
disbursement phase of the investigation. To do otherwise may create the appearance of bias or prejudice. Similarly,
those who are not investigators should not become part of the fact-finding process. Segregating these duties enhances
the independence and impartiality of the investigation.
formal communication of the investigation findings. The formality of the meeting is dependent on the
type of investigation.
If situations arose during the investigation that might call the results of the investigation into question,
the investigation team should advise those present of the situation. Furthermore, any differences in
opinion regarding the investigation conclusions or findings within the investigation team should be
discussed. The parties should try to resolve any disagreements. If the parties cannot resolve their
differing views, it should be recorded.
Participants may discuss an action plan to address investigation findings and adapt the risk management
system, where needed. Recommendations for improvements may be presented if specified by the
investigation objectives. It should be clear that any recommendations are non-binding, and it should be
noted that in subsequent investigations these may bias an impartial evaluation.
The following points should be addressed with the organization’s management so that they are
acknowledged and understood at the post-investigation meeting (where appropriate):
a) The investigation findings and conclusions;
b) The method of reporting;
c) The handling of investigation findings and possible consequences;
d) Implications for improved management of risk; and
e) Post-investigation activities, including recommendations for risk treatments and corrective
action (where applicable).
Some investigations provide opportunities to improve the organization’s policies, practices and system for managing
risk. The client and investigation team critique the effort, benchmark, identify best practices and analyze their
performance. Additionally, the client and investigation team may assess the damage and identify root causes. What
was it that allowed the problem to occur and how can it be prevented in the future? This evaluation provides ROI to
the organization. Clearly, if the organization continues the same practices, it is likely to get the same result again in the
future. Such behavior is worse than pointless; it may also be negligent. Under the legal theory of foreseeability,
negligence is compounded when a party should have reasonably foreseen an event that could have been prevented
had it taken corrective or preventative action. Organizations make this mistake often and in doing so incur unnecessary
additional liability.
6.5.2.1 Overview
The investigation report is prepared by the ITL, with input from the investigation team, and is provided
to the IUM as soon as possible after the post-investigation meeting. The investigation report is approved
and reviewed by the IUM prior to distribution. For credibility, any changes to the report, including
findings, should be made by the ITL. The client determines who will receive copies of the investigation
report. The purpose of the investigation report is to:
a) Provide information about the objectives, scope, and criteria of the investigation;
Actions taken should be appropriate to the impact of the potential problems, and resource realities.
The IUM and ITL should ensure that timely actions are taken to exploit opportunities for improvement.
Where existing arrangements are revised and new arrangements are introduced that could impact on the
overall investigation program, the ITL should consider the associated outcomes before their
implementation.
The results of the reviews and actions taken should be clearly documented and records should be
maintained. Follow-up activities should include the verification of the actions taken and the reporting
of verification results.
7.1 General
The credibility of any investigation program is a reflection of the competence of the investigators. All
persons involved in the investigation should be competent to perform their roles and assigned tasks.
Investigators should possess the technical expertise and interpersonal skills to effectively evaluate the
criteria of the investigation. Investigators should provide value to the organization by being able to also
evaluate the effectiveness of the risk management measures, not merely checking a box indicating
measures exist. Therefore, to add value to the client and organization, the investigators should
understand the management and risk approaches from the client’s business and risk environment.
Investigators should have a clear understanding of how to apply the investigation criteria. Investigator
competence is comprised of several elements:
a) Personal traits and interpersonal skills;
b) Investigation skills;
c) Communication skills;
It is not sufficient to be a generalist. Investigators should have a proficient understanding of the business,
types of investigations, and disciplines they are assessing. The investigation team should project an
image to the client and organization that they have the competence relevant to the appropriate technical
area of the investigation, risk-related disciplines, industry sector, and geographic location.
See Annex A for additional information on investigator qualifications and personal traits.
7.2 Competence
7.2.1 General
The IUM and ITL should determine and document the competence required to evaluate each technical
area and function in the investigation activity. When identifying competence requirements, the IUM and
ITL should tailor the competence requirements for the types of investigations required by the client and
organization, and locations of operations, in order to:
a) Define the scope of the activities that it undertakes;
b) Identify any technical qualification of its investigators necessary for that particular type of
investigation, services, and location of operation;
c) Ensure that personnel have appropriate knowledge, skills, and experience relevant to types of
services provided, organizational and cultural requirements, and geographic areas of operation;
and
d) Recruit and select a suitably qualified investigation team.
The IUM and ITL should determine the means for the demonstration of competence prior to carrying out
specific functions. Records of the determination should be maintained and made available upon request
by the client and/or organization.
g) The need for balance and avoidance of bias in the investigation process;
h) Complexity of the business and risk management environment to be assessed; and
i) Risk related to achieving investigation objectives.
When determining the competence criteria, the IUM and ITL should establish performance-based
evaluation criteria and a consistent documented method for evaluating competence. Examples of
evaluation methods include (but are not limited to):
a) Verifying the background, education, and experience;
b) Psychometric (quantitative) testing of knowledge and skills (may include variables such as
abilities, attitudes, personality traits, and educational achievement);
c) Reviewing written samples of work;
d) Interviews to evaluate knowledge, communications skills, and personal behavior;
e) Observation of investigation skills;
f) Certifications and professional credentialing; and
g) Feedback and post-investigation review.
The IUM and ITL should establish, document, and maintain a process to evaluate and verify the training
and competence of persons conducting investigations, including appropriate continual training
according to their specific qualification requirements to maintain competence.
7.3.1.2 Interviews
The IUM and ITL should establish an interview procedure, including the hierarchy of interviewers,
which should be overseen by the IUM. Top management should appoint an IUM who has been verified
by interview and vetting as trustworthy and having the necessary competence and judgment to vet
personnel involved in its investigation activities. The responsible manager should assess through review
of documentation, submitted by candidates, and interviews and on-going monitoring, the
trustworthiness and appropriate behavioral characteristics of personnel involved in its investigation
activities.
7.3.4 Accountability
The IUM and ITL should establish, document and maintain procedures to make personnel involved in
its investigation activities aware of infractions that could subject them to disciplinary actions, civil
liability, and criminal prosecutions. The procedures may include a process to address infractions or
procedures including investigative procedure and disciplinary actions, the code of ethics, and
7.3.5 Records
The IUM and ITL should establish, document, and maintain procedures to maintain records of personnel
involved in its investigation activities. Records should be retained for periods that the IUM and ITL
deem appropriate and according to retention periods designated by the organization’s policies, as well
as jurisdictional law and regulations, or other obligations.
Annex A
(informative)
Balance. At the same time, however, the individual must be able to draw an appropriate balance
between aggressively pursuing a successful outcome and following established rules and
protocols (so as not to threaten the legal basis of the case or unduly raise the liability risk to the
organization).
Maturity. A mature and realistic view of self and surroundings is an important trait for anyone
who deals with investigative matters, private information, legal issues and activities that can
affect people’s lives and careers—and the organization itself. It allows an individual to keep their
activities in perspective and place information, events and situations within the appropriate
context.
Ability to Deal Effectively with People. Despite our techno-centric society, people form the core of
almost every investigation worldwide. The ability to deal with all types of people, in every role,
in a highly effective manner is absolutely essential to an investigator.
Self-Motivating and Self-Starting. In most environments, investigators operate with very little
direct management oversight (other than from a legal and regulatory perspective) and are
expected to perform independently. The ability to motivate oneself in combination with an
inherent inner drive is of extreme value.
Ability to Multitask. The ability to manage several activities simultaneously is an extremely useful
attribute for an investigator. Each investigation has numerous elements—and often a large
number of information inputs. In addition, most investigators are assigned several investigations
at any given time.
Professional Demeanor. In all aspects of the investigative function including dealing with people,
collecting and analyzing information and presenting facts and conclusions, the investigator must
maintain a professional demeanor. To do otherwise will threaten his or her effectiveness as well
as the unit’s (and the organization’s) credibility.
Annex B
(informative)
B.1 General
Using outside resources to assist with or conduct one’s internal workplace investigation is an acceptable
practice. Some investigations are too complex to be conducted by resources internal to the organization.
At times, the use of an external, independent investigator is necessary to ensure fairness, objectivity, and
confidentiality, in order to produce a credible investigation. When top management are the subject of
allegations the use of an external investigator may be preferable. High profile sexual harassment
investigations would fall into this category. Another example would be employee substance abuse where
the only investigative solution might be an undercover investigator. Regardless of the issue, sometimes
it makes more sense to have someone external to the organization perform the investigation than
expending the time and resources to do it internally. In addition to a cost-benefit analysis, the most
important consideration should be whether or not the organization has the skill and experience necessary
to do the job properly.
Investigative firms contemplating undertaking a complex investigation should consider:
a) If they have the necessary skills and experience to do the job properly;
b) If they have the equipment and technology to do the job properly;
c) If they have an investigative plan that is committed to writing;
d) If undertaking an investigation is the best use of the firm’s time and resources right now;
e) If a contingency plan is in place in case something goes wrong;
f) If someone else is more qualified or better suited for the job; and
g) If the firm is prepared to handle the matter if it turns out to be more complicated or dangerous
than anticipated.
B.2.1 Licensing
In many jurisdictions, licensing is required for persons participating in the investigation and their
agencies. Where licensing exists, a failure to be licensed can result in criminal charges against the
investigation team and in some cases their investigative results rendered inadmissible. In some
jurisdictions, attorneys may be allowed to conduct investigations if acting in their capacity as an attorney.
B.2.2 Training
The organization may provide orientation or training to assure an appropriate level of competence.
B.2.3 Experience
Ensure the investigative firm as well as the employees they assign to the investigation have the
experience necessary to do the job properly. If possible, interview them and demand answers to difficult
questions regarding their knowledge and experience with investigations of the type under consideration.
B.2.4 Reputation
Reputations vary widely in the industry. Qualified investigative firms are well known in the business
community and are active in their professional associations. Request references and check them
thoroughly. Inquire about the firm’s litigation and claims experience. A reputation for sloppy work,
high-profile lawsuits, and big settlements is undesirable and possibly indicates process deficiencies.
B.2.6 Reports
Reports are an important part of every investigation. The information provided in a report should be
complete, concise and correct. Samples should be examined thoroughly before selecting a vendor.
B.2.7 Insurance
Most quality investigative firms carry general liability, errors, omissions, and other types of professional
insurance. In many jurisdictions licensed investigators are required to carry insurance in some form.
However, bonding, allowed in some jurisdictions, may not provide enough protection. In order to be
safe and protect the organization, require the investigative firm under consideration to provide a
Certificate of Insurance naming the organization as an additional insured.
Annex C
(informative)
Annex D
(informative)
D TYPES OF INVESTIGATIONS
D.1 General
Most IUs focus on a particular function or set of functions. They may range from relatively simple
activities such as documenting facts surrounding a security force response to a workplace incident to
complex procurement fraud investigations. These functions are generally referred to as types of
investigations, and frequently the unit’s incident management system is organized according to incident
types. The following are examples of typical types of investigations in the organizational arena:
a) Incident or accident;
b) Employee misconduct;
c) Misuse or abuse of computer or IT system;
d) Substance abuse;
e) Due diligence;
f) Regulatory compliance violation;
g) Lifestyle or financial inquiries for organizational executives and personnel;
h) Personnel security or background;
i) Theft, pilferage, or misappropriation;
j) Lapping (crediting one account with money from another account);
k) Assaults and crimes against persons;
l) Property damage and vandalism;
m) Inventory discrepancies or unexplained shrinkage;
n) Sabotage;
o) Industrial espionage;
p) Copyright and proprietary information violations;
q) Embezzlement or defalcation (appropriation of property by a person to whom it has been
entrusted);
r) Fraud (general, procurement, insurance, travel, accounting, etc.);
s) Product tampering (actual and hoax);
t) Diverted, counterfeit, adulterated product;
Annex E
(informative)
E.1 General
Investigations are not considered part of the core activities of most organizations in the public,
not-for-profit, and private sectors. However, many organizations encounter events and situations that have a
real, or perceived, negative effect on the achievement of objectives, which may require an investigation.
This annex provides guidance for organizations to establish criteria to assess the need for an investigation
and determine the objectives, scope, timing, and criteria defining the conduct and resolution of
investigations, whether conducted by the organization itself, contracted to an external organization, or
the responsibility of law enforcement.
This Annex provides a basis for organizations to develop and implement an Organizational
Investigations Policy (OIP), in order to:
a) Identify internal and/or external events and situations requiring an investigation;
b) Know what actions are necessary, appropriate and adequate;
c) Consider if the events and situations address issues in the civil, administrative or criminal
domain or any combination of the three; and
d) Define the parameters of the investigation that best support the interests of the organization.
By establishing an OIP, the organization will proactively prepare for events that may require
investigation. This will facilitate the decision-making process as to whether, how, and when to establish
and conduct an investigation and what constitutes resolution. The OIP will assist the organization in
understanding key parameters for a successful investigation, including, but not limited to:
a) Legal, regulatory, and litigation considerations;
b) Internal and external relations; and
c) Logistics of managing the investigation and the persons who conduct it.
Through the process of identifying the triggers and parameters for an investigation the organization
will assess whether its policies are adequate to avoid undesirable and disruptive events, mitigate or
resolve such events, identify needs for new or modified policies and procedures, elucidate information
management needs, and review documentation requirements.
An OIP will also help both the organization and the persons conducting the investigation to better
understand the needs and expectations of the organization itself.
consider both the capability and intent of any threat actors to better understand the
potential for the threat to successfully materialize;
ii. Identify and analyze its vulnerability to a risk event and evaluate the efficacy of existing
technical, operational and administrative controls; and
iii. Identify and analyze the range of impacts that may be a consequence of a risk event
materializing and the need for an investigation.
b) Risk analysis: Based on the threat, vulnerability, and impact analysis the organization should
determine the likelihood and consequences of each identified risk. Based on the likelihood and
consequence analysis the organization should:
i. Determine the level of risk; and
ii. Rank the risks that may require investigative actions.
c) Risk Evaluation: Based on the risk ranking the organization should evaluate which risks fall
within its risk appetite and which risks require treatment. The organization should evaluate:
i. Positive and negative internal and external implications of conducting or not conducting
the investigation;
ii. The need to proactively modify operations, functions and activities to minimize the
likelihood of a risk event occurring that may require an investigation and bring the risk
level into a range that is as low as reasonably practical;
iii. The physical, operational, human, and financial resources needed to manage risk; and
iv. The triggers for initiating an investigation and the investigative processes that
may be needed.
The output of the risk assessment is typically summarized in a risk register which catalogues information
including but not limited to: asset owners, risk events and their potential impacts, level of risk, line
management of the persons who could be involved in the activity, and potential in-place information
resources (e.g., cameras, access control records, paper files, trusted witnesses and knowledgeable
individuals, and internal databases/computer programs), trigger levels for a response, timeframe for
managing the risk, and resources needed to manage the risk.
d) Legal and liability implications of what actions can and cannot be taken;
e) Consensus with top management regarding which actions should or should not be investigated
and how any information gained during the investigation will be managed;
f) Top management commitment to make the necessary resources available;
g) Establish an OIP defining which matters will be subjected to internal, outsourced and/or law
enforcement investigations; and
h) Determine the logistics of managing the investigation and the persons who conduct it.
The following template is provided for illustrative purposes only. The organization should tailor its OIP
to its needs.
Preamble
This organization possesses both tangible and intangible assets which could possibly be the target of illegal or unethical
action by internal or external elements. The organization’s security management plan has considered the risks to our
assets and has provided for appropriate and adequate protection measures. However, full protection cannot be guaranteed
and despite optimal planning, unwanted events could occur. Consequently this Organizational Investigation Policy (OIP)
assesses potential situations that could require investigation and analysis, and establishes information and processes that
should be available, if or when an investigation is warranted.
The OIP contains guidance for assessment, pre-planning and the management of an investigation.
Introduction
[Name of organization] will endeavor to prepare for any situation that may warrant consideration of an investigative
activity to protect the organization’s assets, minimize risk to operations, and resolve outstanding issues.
Purpose
This document sets criteria for assessing the need for an investigation and for determining the objectives, scope, timing, and
parameters relative to the conduct of investigations, whether conducted by the organization, contracted to an external
organization, or the responsibility of law enforcement.
Definitions
The organization should provide definitions and comments, if deemed opportune, to understand the OIP.
Policy
[Name of organization] has a duty to exercise due care over its assets and to be in a position to make timely decisions
whether, and how, to conduct investigations. Our organization also has the duty to take pre-emptive steps to ensure that
information, or other relevant elements that can be beneficial to the successful conclusion of an investigation are practically
available and that legal and ethical issues have been duly considered.
[Name of organization] will implement procedures that will, as far as is practical, ensure that investigations will not be
hampered by insufficient preplanning.
To this end, the following working groups are established and will meet regularly to review investigations and issues
relevant to their charter: (the following list is not exhaustive.)
a) Workplace Violence Working Group (Organizational Security, HR, Legal).
b) Ethics and Policies Working Group (HR, Legal, Organizational Security, IT, Internal Audit)
c) External and Supply Chain Working Group (Logistics, Organizational Security, Legal)
d) Financial Crimes and Fraud Working Group (Internal Audit, Finance, Organizational Security, IT, Legal)
Responsibilities
It is the responsibility of the Board, with the assistance of the CEO and the Investigations Management Officer to identify
assets, the owners of the assets and the risks that the assets face. It is the responsibility of the CEO to ensure that:
• They are familiar with the organization’s Organizational Investigations Policy management procedures
applicable to their sector.
• Maintain regular contacts with the owners of assets and discuss with them any changes in the status of the
assets.
• Maintain regular contact with relevant departments such as Legal and HR, in order to keep up to date with any
relevant jurisdictional laws and regulations or other obligations or administrative issues that could impact
investigations.
• Consult with these departments and with Top Management if any changes in procedures would seem to be
appropriate.
• Keep the records secure and only available to those who are authorized.
The Investigations Management Officer should participate in any Risk Management exercise to ensure consistency of
approach.
Authorization
<Signature of CEO>
<Name of CEO>
light situations that had not been contemplated during Step one. Document lessons learned from the
exercise for future consultation.
E.8 Policy
The development of a framework for the risk assessment of the organization’s assets and a methodology
for their classification should entail:
a) Establishing the context of the organization and its assets, both tangible and intangible.
Remember that reputation may be the organization’s key asset;
b) Conducting a risk assessment including risk identification, analysis, and evaluation including
classifying the assets according to relative importance, vulnerability to illegal or improper
behavior, and the motivations.
Tip #29: OIP Risk Assessment Considerations
The probability of illegal / improper behavior occurring will depend on the level of opportunity, how easy it is to attack and
how important it is for the attacker (motivation), not just for the organization. The risk assessment needs to consider both
these factors.
c) Getting prepared. Make a general assessment of the assets at risk. Identify the person(s) with the
potential opportunity and, where possible, motivation for committing illegal / improper actions.
Identify the owner(s) of the assets. Discuss with them the prospective methodologies of a
potential attacker. Consult HR and Legal Counsel to determine what counter actions
(investigations) are legal and feasible if such action were to occur. Take into consideration
whether it would be preferable to conduct internal enquiries or to involve public or private
external assistance. Decide the course of action you intend to take against the person found
guilty (e.g., keep it private or seek a civil and/or criminal solution).
Tip #30: Creating Working Groups
Avoid consulting legal counsel at the last moment and possibly losing essential time before commencing the investigation or,
worse, always being in a reactive mode instead of having one or more proactive remedies or solutions to address issues that
may require an investigation; i.e., create one or more working groups that meet quarterly to discuss issues and risks to various assets.
The group(s) would discuss what has happened across the organizational footprint in the previous quarter, what has happened
across ‘the industry’ in the previous quarter, and what is being done to prepare for events that may require addressing by
management or an investigation.
b) Organizations, especially large corporations, should review internal policy regarding contractors.
If the procedures for engaging the services of new contractors are long and complicated, as is
often the case, then the organization should consider identifying and certifying in advance, as a
contractor for investigative services, a qualified professional person or entity, so that precious
time will not be lost if the need for an urgent investigation should arise.
b) The assessment, case by case, of whether to conduct internal investigations, external investigations, or both.
The organization needs to act both legally and in its own interests. The choice between handling
the investigation as an internal affair, with or without external private sector assistance, must
take into consideration whether reporting the event to the authorities is mandatory or not. In
order to act efficiently in a timely manner and, above all, legally the organization must be aware
of what is mandatory or not. Only if the matter is not mandatory can the organization consider
the pros and cons of a public or private investigation.
c) Pitfalls to be avoided. (Refer to the ANSI/ASIS/RIMS RA.1-2015 Risk Assessment standard for
practical advice.)
Attempt to keep the investigation as covert as possible by only sharing information with those
that have a need to know. When conducting interviews advise the interviewee not to discuss the
interview and situation with anyone else, if this is compliant with jurisdictional laws.
Conduct the investigation as quickly as reasonably possible for the situation; document
everything done during the investigation. Conclusions reached should be documented and
answer Why, Who, What, When, Where, and How. This will provide the deciding member of
management with the information needed to make a decision that is supported by clearly
documented facts and evidence.
d) Evidence management. Investigators in both the public and private sectors must know how to
handle evidence without compromising it. Evidence that has been mishandled could end up being
useless in a court of law or an administrative action and could backfire on the
organization.
As a rule of thumb all evidence should be handled in accordance with documented jurisdictional legal requirements, even if
no legal action is anticipated. Do not touch evidence before a professional has had the opportunity to evaluate and advise
(e.g., the organization may possibly have the legal right to consult an employee’s computer but the simple act of just switching
it on could invalidate evidence).
E.9 Responsibilities
It will depend on the size and complexity of the organization where, within the organization, this role
resides and whether this will be a full time role or added to other duties. Typically, it will be the
responsibility of loss management, human resources, or security management.
Awareness and cooperation are fundamental to the success of all security related functions, including
investigations. The OIP should be presented and explained to all relevant persons and the organization
should be prepared to discuss, as opportune, its contents and purpose. The first two points, in the policy
template, have been addressed in the section “Pre-emptive steps.”
If the organization promotes employee knowledge of, and pride in, ownership of assets, it will achieve
major protection from, and increased assistance following, an illegal/improper act.
It is advisable to create adequate documentation of the information gathered and establish file
maintenance and retention policies. This can be done by talking through potential scenarios and reaching
overall decisions as to how to classify them. If opportune, seek assistance and advice from public or private
sector professionals.
All employees must be informed in a way that is understandable for them and records kept of when and
how this has been done.
E.10 Procedures
The establishment of regular, friendly contacts and making constructive use of information gathered can
be decisive in the prevention of illegal/unethical acts. This is particularly important when the
organization diversifies activity and/or begins operations in new jurisdictions, or for change
management, and could be of use in legal proceedings as a demonstration of the organization’s ethical
conduct.
Annex F
(informative)
F TYPES OF QUESTIONS
An interview is a conversation in which one or more persons question, consult, or evaluate another
person. It is important that investigators develop good interviewing techniques to maximize reliability
and minimize pitfalls, and to establish a rapport with the interviewee to promote the sharing of
information. Interviews are conducted to obtain factual information. The interviewer may use various
types of questions, including:
a) Open-ended: Require more than one-word answers. They encourage the person being asked the
question to think, reflect, and describe a situation. The respondent provides an answer that may
include facts, opinions, and feelings about a subject.
b) Probing: A follow-on clarifying question, typically an open-ended question. It is intended to
help the person being asked the question to think more deeply about a subject or specific issue.
c) Closed-ended: Can be answered in only one word or a short phrase. Respondents answer from a
limited number of choices (e.g., “yes” or “no”). They are direct questions that ask for specific bits
of information.
d) Leading: Prompt or encourage the desired answer. They suggest to the person being
questioned how to answer the question or embed the answer in the question. Leading questions
should not be used as they bias the response.
Annex G
(informative)
e) Due Process: The obligations for due process vary for public and private investigations
depending on the jurisdictions in which the investigation is being conducted. Due process
includes, but is not limited to: the right to know the offense(s) and crime(s) of which one is
accused; the right to view and examine the government’s evidence; the right to face one’s accusers
and examine them as well as any and all interviewees; the right to competent representation; and
the right to protection against self-incrimination.
f) Consequences: Successful public sector prosecutions may result in fines, sanctions, and/or
incarceration. Consequences vary widely based on jurisdiction of the prosecution. Requirements
and protections for reporting and records of the investigative process and disciplinary action also
vary by jurisdiction. Private sector consequences may be subject to the employment contract,
collective bargaining agreements, and relevant law.
Annex H
(informative)
H BIBLIOGRAPHY
3 Available at www.asisonline.org
4 Available at www.iso.org
1625 Prince Street
Alexandria, Virginia 22314-2882
USA
+1.703.519.6200
Fax: +1.703.519.6299
www.asisonline.org