
ASIS INTERNATIONAL

Investigations

ANSI/ASIS INV.1-2015

STANDARD
The worldwide leader in security standards
and guidelines development
ANSI/ASIS INV.1-2015

an American National Standard

INVESTIGATIONS

Approved July 28, 2015


American National Standards Institute, Inc.

ASIS International

Abstract
This Standard provides guidance for conducting investigations. It provides guidance on establishing investigative programs as
well as the conduct of individual investigations, including the competence and evaluation of investigators.

NOTICE AND DISCLAIMER


The information in this publication was considered technically sound by the consensus of those who engaged in the
development and approval of the document at the time of its creation. Consensus does not necessarily mean that there is
unanimous agreement among the participants in the development of this document.

ASIS International standards and guideline publications, of which the document contained herein is one, are developed through
a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of
persons who have an interest and knowledge in the topic covered by this publication. While ASIS administers the process and
establishes rules to promote fairness in the development of consensus, it does not write the document and it does not
independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments
contained in its standards and guideline publications.

ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or
anyone else. ASIS does not accept or undertake a duty to any third party because it does not have the authority to enforce
compliance with its standards or guidelines. It assumes no duty of care to the general public because its works are not obligatory
and because it does not monitor the use of them.

ASIS disclaims liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect,
consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this
document. ASIS disclaims and makes no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any
information published herein, and disclaims and makes no warranty that the information in this document will fulfill any
person’s or entity’s particular purposes or needs. ASIS does not undertake to guarantee the performance of any individual
manufacturer or seller’s products or services by virtue of this Standard or guide.

In publishing and making this document available, ASIS is not undertaking to render professional or other services for or on
behalf of any person or entity, nor is ASIS undertaking to perform any duty owed by any person or entity to someone else.
Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a
competent professional in determining the exercise of reasonable care in any given circumstances. Information and other
standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for
additional views or information not covered by this publication.

ASIS has no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS has no
control over which of its standards, if any, may be adopted by governmental regulatory agencies, or over any activity or conduct
that purports to conform to its standards. ASIS does not list, certify, test, inspect, or approve any practices, products, materials,
designs, or installations for compliance with its standards. It merely publishes standards to be used as guidelines that third
parties may or may not choose to adopt, modify or reject. Any certification or other statement of compliance with any
information in this document should not be attributable to ASIS and is solely the responsibility of the certifier or maker of the
statement.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or
by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright
owner.

Copyright © 2015 ASIS International

ISBN: 978-1-934904-76-3


FOREWORD
The information contained in this Foreword is not part of this American National Standard (ANS) and has not been processed
in accordance with ANSI’s requirements for an ANS. As such, this Foreword may contain material that has not been subjected
to public review or a consensus process. In addition, it does not contain requirements necessary for conformance to the Standard.

ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are
designated by the word shall and recommendations by the word should. Where both a mandatory requirement and a
recommendation are specified for the same criterion, the recommendation represents a goal currently identifiable as having
distinct compatibility or performance advantages.

About ASIS
ASIS International (ASIS) is the largest membership organization for security management professionals that crosses industry
sectors, embracing every discipline along the security spectrum from operational to cybersecurity. Founded in 1955, ASIS is
dedicated to increasing the effectiveness of security professionals at all levels.

With membership and chapters around the globe, ASIS develops and delivers board certifications and industry standards, hosts
networking opportunities, publishes the award-winning Security Management magazine, and offers educational programs,
including the Annual Seminar and Exhibits—the security industry’s most influential event. Whether providing thought
leadership through the CSO Roundtable for the industry’s most senior executives or advocating before business, government,
or the media, ASIS is focused on advancing the profession, and ensuring that the security community has access to intelligence,
resources, and technology needed within the business enterprise. www.asisonline.org

The work of preparing standards and guidelines is carried out through the ASIS International Standards and Guidelines
Committees, and governed by the ASIS Commission on Standards and Guidelines. An ANSI accredited Standards Development
Organization (SDO), ASIS actively participates in the International Organization for Standardization (ISO). The mission of the
ASIS Standards and Guidelines Commission is to advance the practice of security management through the development of standards
and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible the knowledge, experience,
and expertise of ASIS membership, security professionals, and the global security industry.

Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince Street,
Alexandria, VA 22314-2818.

Commission Members
Charles Baley, Farmers Insurance Group, Inc.
Michael Bouchard, Sterling Global Operations, Inc.
Cynthia P. Conlon, CPP, Conlon Consulting Corporation
William Daly, Control Risks Security Consulting
Lisa DuBrock, Radian Compliance LLC
Eugene Ferraro, CPP, CFE, PCI, SPHR, Convercent, Inc.
F. Mark Geraci, CPP, Purdue Pharma L.P., Chair
Bernard Greenawalt, CPP, Securitas Security Services USA, Inc.
Robert Jones, Socrates Ltd
Glen Kitteringham, CPP, Kitteringham Security Group Inc.
Michael Knoke, CPP, Express Scripts, Inc., Vice Chair
Bryan Leadbetter, CPP, Alcoa Inc.
Marc Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
Jose Miguel Sobron, United Nations
Roger Warwick, CPP, Pyramid International Temi Group
Allison Wylde, Consultant


At the time it approved this document, the INV Standards Committee, which is responsible for the development of this Standard,
had the following members:

Committee Members
Committee Chairman: Marc Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
Commission Liaison: Eugene Ferraro, CPP, CFE, PCI, SPHR, Convercent, Inc.
Committee Secretariat: Sue Carioti, ASIS Secretariat

Deborah Aebi, SPHR, McPherson Organization Consultants, LLC


John Albanese, CPP, Independent
Greg Alexander, CPP, CFE, Praxair, Inc.
Frank Amoyaw, LandMark Security Limited
Thomas Anderson, Independent
Edgard Ansola, CISA, CISSP, CEH, CCNA, Asepeyo MATEPSS nº151
Charles Atkinson Jr., A and K Investigations
Don Aviv, CPP, PSP, PCI, Interfor Inc.
William Badertscher, CPP, PMP, GSEC, Georgetown University
David Bagnoni, CPP, Independent
Lester Bain, CFE, Burke and Herbert Bank
Pradeep Bajaj, Eagle Hunter Solutions Limited
Michael Balentine, CPP, ConocoPhillips Company
Luis Bauza, CPP, Purdue Pharma
Dean Beers, CLI, CCDI, Independent
Jay Beighley, CPP, CFE, Nationwide Insurance
Dennis Blass, CPP, PSP, CISSP, CFE, CHSP, Children's of Alabama
John Boal, CPP, PCI, Independent
Michael Bouchard, Security Dynamics Group LLC
Tom Bourgeois, CPP, Health Care Service Corporation
Tena Bracy, SPHR, GPHR, CDM, Independent
Marc Brenman, Independent
Robert Brzenchek, Independent
Michael Brzozowski, CPP, PSP, Symcor
Rod Buckingham, PCI, SaskGaming
Gary Bukowicki, CPP, G4S Security Systems (Hong Kong) Ltd
Keith Butler, Independent
Louis Carpenter, Jr., CPP, AT&T Asset Protection
Darren Carter, MSyI, Radisson Blu Edwardian Group
John Casas, PSP, John Casas & Associates LLC
Rene Castillo, CITIBANK Mexico & Latam based in Mexico
Steven Castor, CPP, CBRE Security Services
Fernan Cepero, PHR, The YMCA of Greater Rochester
Darlene Chames, SELEX Galileo Inc.
Antony Chattin, IRCA 9001 Lead Auditor, Maritime Security Solutions Global Ltd

John Cholewa, CPP, Mentor Associates, LLC


Marvin Clark, CPP, AT&T Asset Protection
Winoka Clements, PHR, Erickson - Wind Crest
Roland Cloutier, ADP
Scott Coggins, CPP, Flextronics International
Bill Cooper, T-Mobile
Terry Cooper, JD, SPHR, Saft America, Inc.
Hugues Costes, ArcelorMittal
Frank Davis, CPP, Independent
Joe Davis, CPP, CFI, LPC, T-Mobile USA
Steven Dawson, Owens Corning
Robert Day, CPP, PCI, CSP, Office of Regulatory Change Management
Edward De Lise, CPP, W. T. Hill & Associates, LLC
Iain Deckard, Cox Communications, Central Region
Candy Delgado, Independent
Philip Deming, CPP, SPHR, Independent
Anthony DiSalvatore, CPP, PSP, PCI, REVEL
Bobby Dominguez, CPP, CISSP, PMP, Infinite Computer Systems, Inc.
James Dowling, Independent
Nicholas Economou, Cablevision Systems Corporation
Steve Elliot, SGS
Cheryl Elliott, CPP, CPI, Emory Police
Idris Elmas, FedEx
Domenico Fama', Independent
Eugene Ferraro, CPP, CFE, PCI, SPHR, Convercent, Inc.
Benjamin Ferris, CPP, CISSP, CCEP, Alutiiq, LLC
Linda Florence, PhD, CPP, University of Phoenix
David Flower, JD, PCI, CFE, C. David Flower PLLC
Robert Fluharty, Private Investigation and Security Professionals of West Virginia (PISPWV)
Jeremiah Frazier, CPP, Coca-Cola
Shaun Fynes, CPP, CPI, PSP, CRM, Independent
Carlos Galvez, Jr., CPP, Cisco Systems, Inc.
Lorraine Galvin, PCI, Kreller Business Information Group, Inc.
Nanpon Gambo, CSS, Suffolk Petroleum Services Limited
Scott Gane, CPP, CRSIC, Gane Security Solutions, LLC
Brian Glynn, CPP, Independent
Guillermo Gonzalez, CHPP, Sempra Energy/OSAC
Phillip Guffey, CPP, Roche
Carlos Guzman, Security 101 Denver
Linda Haft, SPHR, Independent
Francis Hall, CPP, PCI, Independent
S. Hauri, CPP, CFE, Bradford Garrett Group
Larry Henning, CFE, CIFI, G4S
Irene Higgins, SPHR, Resources Global Professionals

William Hill, CPP, W. T. Hill & Associates, LLC


Brian Hollstein, CPP, Independent
Patricia Hoofnagle, Magellan Health Services, Inc.
Jeffrey Horblit, Northeast Intelligence Group, Inc.
Barry Horvick, Corporate Intelligence Researchers, Inc.
Tim Houghton, Alberta Association of Private Investigators (AAPI)
Taras Hryb, PSP, Hemispheres Security Investigation Corporation - CAPI
Nadeem Ijaz, Secure Options Group
Katherine Johnson, Harsco Corporation
Ross Johnson, CPP, Capital Power
Lisa Johnston-O'Hara, PhD, The Pennsylvania State University
Robert Jones, Socrates Ltd
Karen Jones, CPP, Independent
Syl Juxon Smith, BSc, Independent
Brian Kaye, CBCP, Global Response Center
Michael Keenan, Forest Laboratories
Richard Kelly, CPP, Ingersoll Rand
Mitchell Kemp, CPP, Cummins Filtration
Steven Kerley, CPP, Air Force Office of Special Investigations
Todd Lacy, CPP, Harley-Davidson Motor Company
Misty Ladd, CPP, PCI, CPOI, Academy of Professional Education
Henrik Laidlow-Petersen, Siemens Wind Power
Marie LaMarche, Harrison Medical Center
William Lang, CBCP, MBCI, CBCV, Independent
Bryan Leadbetter, CPP, CFE, Alcoa Inc.
Vickie Leighton, AMBCI, Avanade Inc.
Paulo Lino, JD, CFE, MBA, Cisco Systems - SPTVSS
John Lohse, University of California System
Anthony Macisco, CPP, Executive Security Group Inc.
Duncan MacLeod, CPP, Battelle Memorial Institute
Virginia MacSuibhne, JD, CCEP, Roche Molecular Systems
Alissa Mallow, Acacia Network
Mark Mason, Hollywood Casino Lawrenceburg
Jioacchino (Jack) Mattera, CPP, CFE, AECOM
Joe Mazza, CHPP, Independent
Scott McClellan, Independent
George McCloskey, CPP, Pixar Animation Studios
James McMahon, CPP, CISSP, McMahon & Associates
Tracy McPhail, Assessment & Organizational Development, TECO Energy
Keith McRae, CPP, Independent
David McRoberts, CPP, Assured Assessments
Marisel Melendez, Casino del Sol
Paul Michaels, CPP, PSP, PCI, CISSP, CB&I Federal Services
Murray Mills, CPP, Independent

Robert Molina, Stewart & Stevenson


Jason Morris, EmployeeScreenIQ
Richard Moulton, CPP, AlliedBarton Security Services
Deyanira Murga, International Private Security IPS
Isaac Nakamoto, Sr., CPP, PCI, PSP, Verisign
Ahsan Naqvi, CFE, CICA, San & Associates
Todd Noebel, Sr., SPHR, Independent
Curtis Noffsinger, CPP, PSP, Independent
Ray O'Hara, CPP, Andrews International
Augustine Okereke, MBA, CPP, PZ Cussons Nigeria PLC
Joseph Olmeda, Jr., CPP, PCI, Independent
Amy Oppenheimer, Independent
James Paulsen, CPP, Minnesota Discovery Center
Matthew Payne, CFE, Intuit Inc.
Mario Pecoraro, Alliance Worldwide Investigative Group Inc.
Juan Carlos Pena, Cummins
Kevin Peterson, CPP, CPOI, Innovative Protection Solutions, LLC
Axel Petri, Deutsche Telekom AG
William Phillips, P.E., CNA
John Pool, Target Corporation
Peter Psarouthakis, EWI & Associates, Inc.
Celeste Purdie, Verizon Wireless
Jeff Puttkammer, M.Ed., HSS
Joseph Rector, CPP, PSP, PCI, 11th Security Forces Group
John Reus, CPP, PCI, Virginia Department of Transportation
Michael Robbins, Association of Workplace Investigators
Joseph Robinson, CPP, CHS-III, Independent
Dr Kim Rocha, ITT Technical Institute
Thomas Rohr Sr, CPP, Carestream Health, Inc.
James Rowan, II, Independent
Jeffrey Sarnacki, CPP, Independent
Dr. Gavriel Schneider, CPP, Dynamic Alternatives
Jeffrey Schoepf, CPP, Independent
Alister Shepherd, Allen & Overy LLP
Maya Siegel, M. Siegel Associates
Nancy Slotnick, SPHR, GPHR, Setracon, Inc.
Keith Slotter, CPA, CFE, CFF, CGMA, Stroz Friedberg LLC
Darien Smith, Independent
Kevin Smith, CPP, Nationwide Insurance
Rebecca Speer, JD, Speer Associates
Patrick Speice, Jr., Compliance Counsel
Barry Stanford, CPP, AEG
Paul Stanford, CBRE Security Services
Thomas Stephens, Independent

J. Kelly Stewart, CPP, Newcastle Consulting, LLC


Peter Stiernstedt, Cikraitz AB
Neil Stinchcombe, Eskenzi PR
Jarod Stockdale, CPP, CFI, Independent
Timothy Sutton, CPP, Sorensen, Wilder & Associates
Karl Swope, CPP, CFE, CFI, Rush Enterprises
Donald Taussig, CPP, Land O'Lakes, Inc.
Mark Theisen, Thrivent Financial
Melanie Thomas, SAS Institute
Rajeev Thykatt, Infosys BPO Ltd
Richard Tonowski, Independent
Bonnie Turner, PhD, SPHR, MBCI
Gregory Tweed, The Preston Matthews Group - PIABC
Dana Valley, Cardinal Health
Sue Ann Van Dermyden, Independent
Shawn VanDiver, CPP, CEM, CTT, VanDiver Consulting
Lloyd Vaughan, Council of Private Investigators Ontario
Carlos Velez, Johnson & Johnson
Stéphane Vuille, CFE, Novartis International AG
Colin Walker, Mclean Walker Security Risk Management Inc.
Roger Warwick, CPP, Pyramid International Temi Group
Lee Webster, University of Texas Medical Branch
Allison West, Esq., SPHR, SHRM-SCP, Employment Practices Specialists
Allan Wick, CFE, CPP, PSP, PCI, CBCP, Tri-State Generation & Transmission Association, Inc.
Wei-Ning Wong, PhD, CBCP, MBCI, Instramax
Loftin Woodiel, CPP, Missouri Baptist University
Trisha Zulic, Efficient Edge HR & Insurance Services, Inc.


Working Group Members


Working Group Chairman: Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative

Don Aviv, CPP, PSP, PCI, Interfor Inc.


William Badertscher, CPP, PMP, GSEC, Georgetown University
David Bagnoni, CPP, Independent
Lester Bain, CFE, Burke and Herbert Bank
Dennis Blass, CPP, PSP, CISSP, CFE, CHSP, Children's of Alabama
Michael Bouchard, Security Dynamics Group LLC
Tena Bracy, SPHR, GPHR, CDM, Independent
Marc Brenman, Independent
Robert Brzenchek, Independent
John Casas, PSP, John Casas & Associates LLC
Winoka Clements, PHR, Erickson - Wind Crest
Steven Dawson, Owens Corning
Nicholas Economou, Cablevision Systems Corporation
Cheryl Elliott, CPP, CPI, Emory Police
Idris Elmas, FedEx
Benjamin Ferris, CPP, CISSP, CCEP, Alutiiq, LLC
Robert Fluharty, Private Investigation and Security Professionals of West Virginia (PISPWV)
Brian Glynn, CPP, Independent
Guillermo Gonzalez, CHPP, Sempra Energy/OSAC
Linda Haft, SPHR, Independent
Francis Hall, CPP, PCI, Independent
Jeffrey Horblit, Northeast Intelligence Group, Inc.
Barry Horvick, Corporate Intelligence Researchers, Inc.
Taras Hryb, PSP, Hemispheres Security Investigation Corporation - CAPI
Syl Juxon Smith, BSc, Independent
Michael Keenan, Forest Laboratories
Todd Lacy, CPP, Harley-Davidson Motor Company
Misty Ladd, CPP, PCI, CPOI, Academy of Professional Education
Bryan Leadbetter, CPP, CFE, Alcoa Inc.
John Lohse, University of California System
Anthony Macisco, CPP, Executive Security Group Inc.
James McMahon, CPP, CISSP, McMahon & Associates
Marisel Melendez, Casino del Sol
Ahsan Naqvi, CFE, CICA, San & Associates
Curtis Noffsinger, CPP, PSP, Independent
Amy Oppenheimer, Independent
James Paulsen, CPP, Minnesota Discovery Center
Mario Pecoraro, Alliance Worldwide Investigative Group Inc.
Celeste Purdie, Verizon Wireless
Joseph Rector, CPP, PSP, PCI, 11th Security Forces Group

Michael Robbins, Association of Workplace Investigators


Thomas Rohr Sr, CPP, Carestream Health, Inc.
Jeffrey Sarnacki, CPP, Independent
Nancy Slotnick, SPHR, GPHR, Setracon, Inc.
Kevin Smith, CPP, Nationwide Insurance
Thomas Stephens, Independent
J. Kelly Stewart, Newcastle Consulting, LLC
Donald Taussig, CPP, Land O'Lakes, Inc.
Rajeev Thykatt, Infosys BPO Ltd
Sue Ann Van Dermyden, Independent
Shawn VanDiver, CPP, CEM, CTT, VanDiver Consulting
Stéphane Vuille, CFE, Novartis International AG
Colin Walker, Mclean Walker Security Risk Management Inc.
Roger Warwick, CPP, Pyramid International Temi Group
Lee Webster, University of Texas Medical Branch
Allison West, Esq., SPHR, SHRM-SCP, Employment Practices Specialists


TABLE OF CONTENTS

0. INTRODUCTION
0.1 GENERAL
0.2 INVESTIGATION DEFINED
0.3 MANAGING INVESTIGATION PROGRAMS AND INDIVIDUAL INVESTIGATIONS
0.4 PLAN-DO-CHECK-ACT MODEL
1 SCOPE
2 NORMATIVE REFERENCES
3 TERMS & DEFINITIONS
4 PRINCIPLES
4.1 GENERAL
4.2 IMPARTIALITY
4.3 TRUST, ETHICS, COMPETENCE, AND DUE PROFESSIONAL CARE
4.4 HONEST AND ACCURATE REPORTING
4.5 INDEPENDENCE AND OBJECTIVITY
4.6 FACT-BASED APPROACH
4.7 RELEVANCE
4.8 THOROUGHNESS
4.9 TIMELINESS
4.10 RESPONSIBILITY AND AUTHORITY
4.11 CONFIDENTIALITY
4.12 CONTINUAL IMPROVEMENT
5 MANAGING AN INVESTIGATIONS PROGRAM
5.1 GENERAL
5.2 UNDERSTANDING THE ORGANIZATION AND ITS OBJECTIVES
5.3 ESTABLISHING THE FRAMEWORK
5.4 ESTABLISHING THE PROGRAM
5.5 IMPLEMENTING THE INVESTIGATION PROGRAM
5.6 MONITORING THE INVESTIGATION PROGRAM
5.7 REVIEW AND IMPROVEMENT
6 PERFORMING INDIVIDUAL PROCESS DRIVEN INVESTIGATIONS
6.1 GENERAL
6.2 COMMENCING THE INVESTIGATION
6.3 PLANNING INVESTIGATION ACTIVITIES
6.4 CONDUCTING INVESTIGATION ACTIVITIES
6.5 POST INVESTIGATION ACTIVITIES
7 CONFIRMING THE COMPETENCE OF INVESTIGATORS
7.1 GENERAL
7.2 COMPETENCE
A REQUIRED QUALIFICATIONS AND PERSONAL TRAITS OF INVESTIGATORS
A.1 PROFESSIONAL QUALIFICATIONS
A.2 PERSONAL TRAITS
A.3 UNACCEPTABLE BEHAVIORS
B USE OF EXTERNAL RESOURCES
B.1 GENERAL
B.2 USE OF EXTERNAL INVESTIGATORS AND TECHNICAL EXPERTS
C LEGAL ISSUES AND LITIGATION AVOIDANCE
D TYPES OF INVESTIGATIONS
D.1 GENERAL
E DETERMINING THE NEED FOR AN INVESTIGATION
F TYPES OF QUESTIONS
G EXAMPLES OF DIFFERENCES IN REGULATORY, LAW ENFORCEMENT, AND PRIVATE SECTOR INVESTIGATIONS
H BIBLIOGRAPHY

TABLE OF FIGURES
FIGURE 1: PLAN-DO-CHECK-ACT MODEL
FIGURE 2: INVESTIGATION PDCA FLOW DIAGRAM
FIGURE 3: REPORTING LINES DURING THE INVESTIGATION PROCESS
FIGURE 4: DEFINING INVESTIGATION PROGRAM OBJECTIVES


0. INTRODUCTION

0.1 General
This Standard provides guidance for individuals and organizations conducting investigations. The
Standard uses a systems approach for developing an investigation program consistent with the business
management principles related to the Plan-Do-Check-Act (PDCA) Model.
The Standard provides insight and guidance for generally accepted practices including the processes and
considerations one should contemplate when undertaking an investigation. As guidance, it does not
contain requirements, nor is it intended for third-party certification. If implemented, the framework
offered should provide users a high degree of assurance that the investigations conducted will be:
a) Effective;
b) Ethical;
c) Lawful;
d) Useful in meeting the intended objective(s);
e) Minimally disruptive to the organization and its operations;
f) Able to provide feedback on procedure/policy deviations; and
g) Value added, providing the highest return on investment without compromising the
investigation.
The guidance in this Standard provides a framework for establishing an investigation program and
conducting individual investigations within the overall program. It uses the PDCA Model approach to
facilitate integration of an investigation program into any risk and resilience based management system.
It describes establishing and managing an investigation program as well as conducting individual
investigations. The competence of investigators is the foundation for conducting reliable investigations.
This Standard provides competence criteria for investigators conducting investigations.
Investigators understand their activities involve interacting with people; therefore, there is a need to
build rapport, trust, and confidence while avoiding the creation of an adversarial atmosphere. Good
investigative techniques project a sense of fairness based on an impartial approach. An investigation
supports the achievement of the objectives of the organization; therefore, it adds value and may lead to
opportunities for improvement. Good investigative techniques help identify and understand root causes
of any problems, thereby supporting proactive improvements to avoid a recurrence.
Organizations should adapt this guidance to fit the specific needs, size, nature and level of maturity of
their risk management system. This Standard can be used by anybody involved in the investigative
process supporting the achievement of the organization’s objectives.


0.2 Investigation Defined


For the purposes of this Standard:
An investigation is a fact-finding process of logically, methodically, and lawfully gathering and documenting
information for the specific purpose of objectively developing a reasonable conclusion based on the facts learned
through this process.
An investigation is conducted to reveal information and facts that can be used to support conclusions
about an allegation, assertion, claim, or process. By focusing on uncovering facts and essential
information needed to reach conclusions and solve problems, a properly conducted investigation can
provide additional benefits, such as:
a) Increased awareness of policies and procedures of the organization;
b) A means to analyze and identify process and system failures;
c) Providing actionable information to resolve problems and mitigate consequences;
d) Providing an informed response to litigation and regulatory actions;
e) Identifying and understanding the root causes of an incident to prevent a recurrence; and
f) A basis for improvement of the organization’s operations and activities.
This definition applies to public and private organizations. It covers the broad range of investigations,
from preemployment screening, to administrative and internal inquiries, to criminal matters, to
allegations of improprieties. The value of investigative capabilities may be measured in terms of
recovery, restitution, risk reduction, and process improvements.
Investigations may differ in terms of legal authorities, resource allocations, and use of outcomes based
on jurisdictional laws, policies, and procedures.
This Standard examines investigative functions which may be conducted with internal and external
resources, or a combination of both.

0.3 Managing Investigation Programs and Individual Investigations


The investigation program establishes the overall investigation process. The investigation program is the
overarching organizational structure, resources, commitment, and documented methods used to plan
and execute investigations. An effective program is built by clearly defining the investigation objectives.
A competent person should manage the investigation program and the necessary resources (including
qualified personnel and sufficient time) should be committed to meet the program objectives. Priority
should be given to gathering and assessing information significant to the mission of the organization and
meeting legal, ethical, and contractual obligations.
Individual investigations within the overall investigation program are conducted within a clearly
defined scope consistent with achieving the objectives of the overall investigation program. This
Standard also provides guidance on the preparation for and execution of individual investigations.


0.4 Plan-Do-Check-Act Model


This Standard adopts the PDCA model from Total Quality Management (TQM). Figure 1 illustrates the
model.

[Figure 1 panels: Plan: Define & Analyze an Issue and the Context. Do: Devise a Solution; Develop Detailed Action Plan & Implement it Systematically. Check: Confirm Outcomes Against Plan; Identify Deviations and Issues. Act: Standardize Solution; Review and Define Next Issues.]

Figure 1: Plan-Do-Check-Act Model


The PDCA model is a clear, systematic, and documented approach to:
a) Set measurable policies, objectives, and targets;
b) Methodically implement the program;
c) Monitor, measure, and evaluate progress;
d) Identify, prevent, or remedy problems as they occur;
e) Assess competence requirements and train persons working on the organization’s behalf; and
f) Provide top management with a feedback loop to assess progress and make appropriate changes
to the investigation program.
Furthermore, it contributes to information management within the organization, thereby improving
operational efficiency.
In conjunction with the PDCA model, this Standard uses a process approach for the investigation program.
An investigation program is a compilation of a system of interrelated processes. The identification,
linkages, and interactions of the processes comprising the investigation, and their management, can be
referred to as a “process approach”. When designing an investigation program, it is necessary to identify
and manage many activities in order to function effectively. Any managed activity using resources to
enable the transformation of inputs to outputs can be considered a process. In developing the
investigation, and individual investigations, it is important to recognize that often the output from one
process directly forms the input of another process.

Tip #1: Investigations and PDCA

Though the objectives, and certainly the scope, of investigations vary widely, their principal purpose is always objective
fact-finding. Thus the investigator must be fair, impartial, thorough and certainly purposeful. Lacking an effective
process, investigators often spend more time and resources than necessary, produce inconsistent results, and create
unnecessary liabilities for those they serve. No investigation, regardless of its objectives or scope, can be successful if
not properly planned, lawfully executed, and conducted within a prescribed process.

AN AMERICAN NATIONAL STANDARD ANSI/ASIS INV.1-2015

Investigations

1 SCOPE
This Standard provides guidance for individuals and organizations intending to undertake the collection
and examination of information pursuant to an investigation. It should be noted that although this
Standard is intended for use in the private sector, this document may also be applicable to the processes
and methods used in the public sector.
This Standard:
a) Provides a framework for investigative processes that is intended to enable an organization to
identify, develop and implement policies, objectives, protocols and programs;
b) Identifies some of the jurisdictional laws and regulations or other obligations that may impact
or govern the investigative process and the various ways investigations are used;
c) Describes the process for conducting investigations consistent with the PDCA Model;
d) Provides confidence that the information was gathered and assessed in a fair, objective,
thorough, and purposeful fashion; and
e) Provides insight and guidance regarding generally accepted practices relative to the processes
and considerations for an investigation.
This Standard is applicable to all organizations that conduct investigations whether using persons who
are internal or external to the organization. Annex E provides information for organizations considering
the use of external investigators.
Furthermore, the guidance offered is sufficiently generic to be applicable to all organizations, regardless
of type, size, geographic footprint or nature of their activities, products or services.
This Standard is a guidance document and not intended as a specification for third-party certification.

2 NORMATIVE REFERENCES
This Standard does not make reference to any normative documents which constitute foundational
knowledge for the use of this American National Standard.


3 TERMS & DEFINITIONS


For the purposes of this Standard the following terms and definitions apply:

Term: Definition
3.1 action: A lawsuit brought in court.
3.2 actionable: A matter which may be subject to legal or administrative action or intervention.
3.3 admissibility: The legal authority permitting the entry of evidence into a legal proceeding.
3.4 admissible: Evidence which may be formally considered in a legal proceeding.
3.5 admission: The simple admission to the commission of an offense, work rule or policy violation, or violation of the law. Differs from a confession in that it may or may not contain all of the elements of the offense or crime in question.
3.6 agency: Fiduciary relationship between two parties in which one (Agent) is under the control of (is obligated to) the other (Principal).
    NOTE 1: The agent is authorized by the principal to perform certain acts, for and on behalf of the principal.
    NOTE 2: The Principal is the person from whom an agent's authority derives.
3.7 appeal: An application to a higher court to correct or modify a judgment rendered by a lower court.
3.8 arrest: The taking of a person into custody in a manner provided by law for the purpose of detention in order to answer a criminal charge or civil demand.
3.9 attorney work product: Evidence which a party to a lawsuit does not have to reveal during the discovery process because it represents the thought process and strategy of the opposing attorney giving legal advice.
3.10 case file: The tool used by investigators to organize and maintain their records, documents and reports during an investigation.
3.11 chain of custody: A record detailing those who handled or possessed a piece of evidence. Synonymous with chain of evidence.
3.12 chain of evidence: See Chain of Custody.
3.13 circumstantial evidence: Indirect evidence which in and of itself does not prove a material fact. Often gathered and used cumulatively to prove a fact.
3.14 confession: A comprehensive admission to the commission of an offense or violation of the law that contains all of the elements of the offense or crime in question. Not to be confused with admission.
3.15 credibility: The reliability or trustworthiness of an individual.
3.16 custodian of record: The person or entity responsible for record possession, retention, and/or preservation.
3.17 client: The individual or entity for which an investigation is performed.
    NOTE: A customer is a more general term used to indicate the recipient of a tangible or intangible service or product.
3.18 decision-maker: A person who decides things, especially at a high level in an organization.
    NOTE: The decision-maker rather than a member of the investigative team is responsible for making decisions regarding discipline and corrective action.
3.19 direct evidence: Evidence which proves a material fact.

3.20 discovery: The legal process of obtaining information and/or evidence from a legal opponent.
3.21 due process: A fundamental guarantee that all legal proceedings will be fair and that one will be given notice of the proceedings and an opportunity to be heard before the government acts to take away one's life, liberty, or property.
3.22 electronic surveillance: Any form of surveillance which uses electronic technology.
3.23 embezzlement: The unlawful appropriation of property or assets of another with which one has been entrusted.
3.24 entrapment: Actions which might induce an otherwise honest citizen to commit a crime that, without the inducement, they would not have committed. Entrapment is a criminal defense and is not a crime. In order to use entrapment as a defense, the accused must first admit they committed the offense.
    NOTE: Legality is based on jurisdictional laws.
3.25 ethics: A collection of “accepted principles that govern” a particular group or profession.
3.26 evidence: Evidence is any type of proof that, when presented, is materially capable of proving or disproving a contention or fact. In order to be used or admissible, the evidence must be material to the matter in question.
3.27 fact pattern: The collection of known facts associated with or directly related to the matter in question.
3.28 false imprisonment: The criminal or civil offense of improper arrest or detainment with confinement, of a person without proper warrant or authority for that purpose by force, intimidation or coercion.
3.29 fraud: Theft by deceit and deception.
3.30 hearsay evidence: Testimony from a person who has secondhand knowledge.
3.31 inadmissible: Evidence which cannot be formally considered in a legal proceeding.
3.32 intent: A state of mind which, if proven, demonstrates the intention to commit a criminal act.
3.33 interview: A conversational exchange for the purpose of collecting information to reveal facts and the truth about the events under question.
3.34 interviewer: One who conducts interviews.
3.35 investigation findings: A result or conclusion reached after examination or investigation.
    NOTE: The term as used in this Standard should not be confused with the word findings when used as a term of art by the legal profession. Generally when used as such, the word describes the result of the deliberations of a jury or court following a judicial proceeding or investigation.
3.36 investigation process: A structured and sometimes scientific approach to investigation. Sufficiently structured to provide uniformity and consistency, yet fluid and flexible enough to accommodate any situation or fact pattern.
3.37 investigation: A fact-finding process of logically, methodically, and lawfully gathering and documenting information for the specific purpose of objectively developing a reasonable conclusion based on the facts learned through this process.
3.38 investigation team leader (ITL): The person designated as leading the investigation team. The ITL is typically the point of contact through whom those outside the investigative team communicate with it.
3.39 investigator: A person engaged in the systematic collection, analysis and preservation of information and/or facts related to the matter in question.

    NOTE: The investigator may be a member of an investigative team working under the direction of an investigation team leader and/or investigation unit manager.
3.40 investigative unit (IU): The entity within the organization tasked with conducting or overseeing investigations.
3.41 investigation unit manager (IUM): The person responsible for managing the investigation program and assuring the necessary financial, human, physical, and time resources are committed to conduct an effective investigation.
3.42 judgment: A legal finding of responsibility.
3.43 jurisdiction: An area or subject over which a party has authority.
3.44 management system standard: A framework of processes and procedures used to ensure that an organization performs activities needed to achieve its objectives.
3.45 organizational investigations: Investigations performed at the direction of the organization, for the organization. Usually involves the investigation of crimes and offences committed against the organization and/or as a method of establishing the facts and organizational due diligence relating to potential regulatory action.
    NOTE: Differs from workplace investigations in that the subject of the investigation may not be an employee or former employee of the organization.
3.46 physical surveillance: A form of monitoring where the subject is kept under physical observation.
    NOTE: May be augmented with technology but requires constant human monitoring.
3.47 preemployment screening: A form of investigation used to verify the identity, personal history and credentials of an employment applicant.
3.48 preponderance of the evidence: The amount of evidence needed to prevail in most civil matters, which is based on a finding that it is more likely than not that an alleged event occurred.
3.49 privacy, the right to privacy: A human right and an element of various legal traditions which may restrain both government and private party action that threatens an individual's freedom from being observed or disturbed by other people, or from having their affairs made public.
3.50 private investigations: Investigations performed for and by the private sector.
3.51 private sector: The part of the economy that is not under direct government control.
    NOTE 1: Run by private individuals or groups either for profit or not for profit.
    NOTE 2: Those suspected of a workplace offence may be the subject of a private sector investigation conducted by their employer or agents, and if determined responsible, disciplined by their employer.
3.52 privilege: A legal protection which permits the lawful withholding of information or evidence from an opponent during the course of litigation. May be used in both criminal and civil cases.
3.53 public sector: The part of an economy that is controlled by the government.
    NOTE: Composition of the public sector varies by country, but in most countries the public sector provides services which benefit all of society rather than just the individual who uses the service.
3.54 restitution: Returning to the proper owner property or the monetary value of loss.
3.55 return on investment (ROI): The return enjoyed on any particular investment. The return may be monetary or otherwise.
3.56 spoliation: The intentional or negligent destruction, alteration, or mutilation of evidence, which may constitute an obstruction of justice.

3.57 standard of proof: The quality and quantity of proof necessary to make a finding.
3.58 subject: The individual who is under investigation or the matter in question. Not to be confused with suspect as used in the public sector. The individual may or may not be a suspect.
    NOTE: Sometimes referred to as “respondent”.
3.59 surveillance: The direct and deliberate observation or monitoring of people, places or things.
3.60 workplace investigations: Any investigation taking place in or involving the workplace.
    NOTE 1: May be conducted by those either in the private or public sector.
    NOTE 2: Typically involving the investigation of employee misconduct, workplace policy violations or work rule violations. The matter under investigation may or may not be a violation of the law.

NOTE: Some legal definitions may vary by jurisdiction; therefore, some of the terms in this glossary may have specific legal
definitions in certain jurisdictions. The definitions provided are based on common usage.

4 PRINCIPLES

4.1 General
The principles in this Standard give guidance necessary to provide consistency, accuracy, credibility,
fairness and scalability in the fact-finding, documentation, information rendering, and reporting
processes as they relate to investigations. Examples of stakeholders in these processes include, but are
not limited to:
a) Customers, clients, shareholders, directors, employers, employees, vendors, or anyone engaged
in commerce or other lawful activities in the private sector;
b) Government and regulatory authorities including elements of both the criminal justice system
and all of its counterparts in the civil justice system;
c) Civil society groups, non-governmental organizations, and non-profit entities;
d) Organizations that provide and/or support investigative services whether for profit or not; and
e) Members of the public (including the media).
The principles below apply to the activities involved in most routine investigative activities, as well as
those conducted for special or specific purposes. Use of these principles helps ensure that those conducting
investigations independently, yet in similar circumstances, will likely produce similar findings.

4.2 Impartiality
Impartiality is the ability to separate one’s self and self-interests from the investigation and its outcome.
Confidence in the investigation process is dependent on an independent and impartial fact-finding
process and a complete separation of self-interests from the investigation’s ultimate outcome.
Impartiality requires both the actual and perceived presence of objectivity. Investigation programs
should implement measures to ensure and monitor impartiality. These measures should demonstrate to
stakeholders that a credible investigation process is in place.
Investigators should be objective, impartial, unbiased, have no vested interest in the outcome, and avoid
any conflict of interest. Any possible conflicts of interest should be identified, disclosed, resolved, and
documented before an investigation begins. Threats to impartiality include:
a) Self-interest threats: arise from having a vested or financial self-interest;
b) Self-review threats: arise from reviewing advice or the work done by oneself on behalf of the
organization;
c) Familiarity threats: arise from being too familiar with processes and persons being investigated
to obtain unbiased evidence and conclusions;
d) Cognitive bias threats: arise from individuals creating their own subjective reality from their
preconceived perception of the input; and
e) Intimidation threats: arise from having a perception of being coerced or pressured.

Tip #2: Impartiality

The investigator can demonstrate their impartiality by:

a) Not deciding the investigation’s objectives and not having a vested interest in the outcome.
b) Excluding themselves from any decision-making process at the conclusion of the investigation. By not being
party to the decisions regarding discipline or corrective action, the investigator has no say in the outcome.
c) Demonstrating their impartiality by their work. The analysis in the investigative report should fairly show
how the investigator weighed all the evidence, both for and against the ultimate findings.

4.3 Trust, Ethics, Competence, and Due Professional Care


Activities in investigations should be conducted honestly, diligently, and responsibly. All interested
parties should be confident the investigator possesses the technical competence and integrity required to
conduct the investigation in a professional manner throughout the investigation process. Competence
is the ability to apply knowledge and skills relevant to the investigation in order to achieve intended
accurate results. Investigations should be conducted with proficiency and with due professional care.
Integrity provides the foundation for professionalism and trust. Investigators have a responsibility to
observe and comply with any applicable legal, safety, and security requirements.
To be ethical requires the investigator to behave in such a fashion as to protect the rights of those under
investigation, obey the law, respect organizational policies and procedures, and protect the integrity of
the process. Many organizations have established a code of ethics that sets standards of conduct in the
performance of work. Actions such as truthfulness, honesty and impartiality collectively constitute
ethical behaviour. To instil trust, an investigator’s ethical principles and integrity may be codified by a
formal set of ethical standards addressing issues of independence, diligence, honesty, impartiality, and
confidentiality.

4.4 Honest and Accurate Reporting


Investigation findings and conclusions should be based on evidence that accurately and honestly reflects
investigative activities and is truthfully presented in the reports. Impediments to achieving investigation
objectives, unresolved issues, and divergent opinions should be reported. Communications should be
timely, accurate, unambiguous, unbiased, and complete. Evidence should be clearly documented.

4.5 Independence and Objectivity


Investigators should be independent and objective in performing their work. Investigation activities
should be free from interference in fact-finding and reporting. Questions related to impairment of
independence or objectivity should be analyzed, mitigated, and reported. Investigators should be aware
of and sensitive to influences that may affect their judgment when conducting an investigation.
Investigators should evaluate if they can conduct an investigation in a culturally, professionally,
organizationally, and technically unbiased fashion.
Confidence in the investigative process, which is necessary to encourage the reporting of incidents or
allegations, is not only dependent on the actual independence of the investigator, but also on the
perception of independence by a variety of third party observers (e.g. employees, vendors, regulators,
etc.). Organizational segregation of duties insulates the investigative process from undue influence and
provides a significant counterweight to possible allegations that the investigation was not fair and
objective.

Tip #3: Independence and Objectivity

To aid in maintaining objectivity, every investigator should consciously recognize their personal prejudices and
neutralize the effects of those prejudices on investigative activities, including the formation of the hypothesis. In other
words, the professional investigator must ensure that the investigative findings form the basis for their impressions,
not the reverse.

In addition, the investigator’s approach and demeanor are of critical importance to the successful outcome of a case.
First and foremost, the investigator should project an air of objectivity. This is accomplished by choosing words and
phrases carefully during the investigative process and by avoiding facial expressions and body language that might
project an inappropriate attitude or prejudgment.

4.6 Fact-based Approach


Investigation conclusions should be based on verifiable information or evidence gathered through a
systematic investigation process that ensures reliability and integrity. It should be recognized that an
investigation is conducted with finite resources. Investigators should effectively determine the depth,
breadth, and quality of information required for accurate fact-finding. This should be done by
considering an adequate spectrum and depth of details without gathering so much data as to confuse the
facts of the case, causing unnecessary delay to the investigation or possibly even obscuring the truth.
The accuracy of a fact-based approach is reflected by the credibility of the information source, whether
human, documentary, physical, or electronic.


4.7 Relevance
Investigations should be focused on the information that pertains to the purpose of the investigation and
is at the appropriate level of detail. The spectrum of details pertains to how wide a net the investigator
needs to cast in order to gather all relevant information.

Tip #4: Cause and Effect Relationships

Cause and effect relationships may be relevant to an investigation. For example, the subject of a personnel background
investigation may have a poor credit rating. Rather than simply reporting a potential weakness in the applicant, the
investigator should attempt to determine and verify the cause of the credit rating, as well as possible mitigating
information. The subject may have been a victim of identity theft or may have suffered the loss of a close relative and
been saddled with large secondary financial debts until the estate could be settled. In either case, the concerns may be
addressed through the investigative process and may provide the appropriate information to decision-makers.

4.8 Thoroughness
Based on the investigative scope, activities should follow relevant leads to their conclusion. A thorough
investigation involves making efforts to corroborate allegations and facts, doing follow-up enquiries to
clarify and confirm testimony and evidence. Corroborating important aspects through different sources
is a helpful means of achieving thoroughness along with using different types of sources.

Tip #5: Thoroughness

Various types of sources for a particular piece of information might be interviewees or witnesses, subject matter
experts, physical evidence, electronic evidence, public records, surveillance results, open sources, databases, etc.

4.9 Timeliness
Investigators should conduct the investigation in a timely manner, achieving the investigative objectives
while ensuring the quality and integrity of the investigation. Investigations should be conducted as soon
as possible, consistent with jurisdictional requirements, and to avoid degradation of human, physical, or
electronic evidence. Once an investigation is under way, it should be completed in an expedient manner
to conserve resources, allow operations to return to normal as soon as possible, and implement corrective
actions. However, care should be taken not to rush an investigation at the expense of quality,
thoroughness, or accuracy.

4.10 Responsibility and Authority


It is the responsibility of the investigation team to objectively evaluate the criteria of the investigation
program by collecting and documenting unbiased evidence. Findings should be supported by sufficient
documentation and evidence.
The authority to perform an investigation should be verified prior to the start of investigation activities.
Authority for an investigation may be granted by either a single source or multiple sources, internal or
external to the organization. It is the responsibility of the investigation team leader to confirm any
authorizations and that the investigation tasking is within the bounds of jurisdictional laws and
regulations or other obligations. Explicit authority to conduct the investigation confers legitimacy to the
investigation. The relationship between the permitting authority and the investigation team should be
clearly understood.


4.11 Confidentiality
Persons involved in the investigative process should maintain confidentiality. Investigators should strive
to minimize the possibility of inadvertent disclosure which may result in reputational, psychological, or
physical harm to individuals or organizations. Confidentiality arrangements should consider
jurisdictional laws and regulations or other obligations, including those for privacy, protecting
information, and discoverability.

Tip #6: Confidentiality

Subject to jurisdictional laws and the organization’s policies and practices, confidentiality admonitions should be
provided to interviewees at the beginning of the investigation interview. The investigator should clearly explain the
confidentiality and disclosure relationship and its limitations. Investigators should strive to minimize the possibility
of inadvertent disclosure of information unless instructed by counsel. Confidentiality arrangements consider
jurisdictional laws and regulations or other obligations, including those for protecting information as well as
requirements related to discoverability. Attorney investigators may be held to a different standard and have additional
ethical obligations regarding confidentiality.

Failure to protect personal or confidential information, either by the organization, investigator, or interviewees, may
result in: increased risk; retaliation; leaked information; lawsuits; bias of the process; and erroneous conclusions.
Confidentiality should be maintained to prevent compromise or unwanted exposure of an investigation. Only those
with a need to know should be involved in or told of the investigation. To do otherwise may risk the integrity of the
investigation and may put people (including the investigator) at risk.

In order to require confidentiality, it may be important to consider and document one or more of the following business
reasons for maintaining confidentiality:

a) That an employee is in need of protection;
b) Evidence may be destroyed;
c) Testimony is in danger of being fabricated;
d) There is a risk of a cover-up; and
e) Protection of privacy rights.

4.12 Continual Improvement


Managers improve their investigation processes through the monitoring, measurement, review, and
subsequent modification of the investigation program, processes, procedures, capabilities, and
information within a continual improvement cycle. Formal, documented reviews are conducted
regularly. The findings of such reviews should be considered by top management, and action taken
where necessary to identify opportunities for improvement.

5 MANAGING AN INVESTIGATIONS PROGRAM

5.1 General
5.1.1 Managing Investigation Programs
The purpose and objectives of an investigation drive the approach and methodology. Most successful
investigations are process driven. Investigations can be complex undertakings which are time
consuming and fraught with enormous potential for legal liability. When properly managed, they
combine an intricate mixture of skill, experience and knowledge. A sound understanding of
investigation management fundamentals is necessary for success and efficient use of resources.
Managing the risk associated with an investigation is essential given that few organizational activities
invoke so much risk and, at the same time, so much opportunity.
Like any other organizational function, managing investigations entails basic functions of management:
planning, organizing, directing, coordinating, and controlling. All five of these functions apply to
managing the overall investigative program, as well as when conducting individual investigations.
The strategic level of an investigation program involves the management program and its relationship
with the organization’s top management. Legal counsel, human resources, risk management, and other
relevant departments should be involved at this level to ensure the proper focus of the investigation as
it relates to organizational policy and procedure, labor relations, or the law. Issues at this level may
include:
a) Establishing attorney work product protection;
b) Designating head of the investigative function;
c) Identifying the organizational structure;
d) Defining strategic goals and objectives;
e) Focusing investigative efforts; and
f) Identifying and allocating resources.
At the case level, individual investigation parameters and details are prescribed, including the particular
investigators, investigative techniques, and case management protocols associated with them.
The details of both the overall program and individual investigations include technical aspects of the
investigative function and how the function works within the program. Such issues as case load, case
assessment, quality control, investigative policies and procedures, reporting formats, liaison, team
composition, supplies and equipment, evidence management, and outside contracts are considered at
this level.
The investigation unit manager (IUM), sometimes referred to as the project manager or case manager,
should participate at the program and individual investigation levels while simultaneously considering
factors that transcend the investigative management levels. The IUM is typically the person directly
responsible for the investigative function in an organization; depending on the organizational
structure, this individual may hold the title of chief security officer, security director, director of
investigations, director of human resources or something similar.

5.1.2 Characteristics of an Investigation


In order for the results of an investigation to be useful, it should have well-defined objectives understood
within the business and risk management context of the organization. An investigation should be
properly and lawfully executed, be fair and impartial, and the results accurately documented and
communicated. Figure 2 illustrates how to build an efficient investigation using the concepts of the
PDCA model.

Figure 2: Investigation PDCA Flow Diagram


The properly planned and executed investigation will often produce tangible, measurable results such
as the reduction or deterrence of undesirable events and infractions of policy; the recovery of stolen
assets; the termination of dishonest employees or vendors; and successful prosecution. Protection of
brand and reputation provides significant benefit to the organization, but may be difficult to quantify.
Also possible are civil recovery, restitution, damage awards, and successful insurance claims. In some
instances, even the cost of the investigation can be recovered.
By using the PDCA model the organization clearly defines the objectives, methodologies, and processes
thereby enabling the efficiencies of repeatability and scalability. The PDCA model, by defining the
approach, results in reliable and predictable outcomes. While all investigations are unique and are
tailored to the fact pattern or allegation presented, the PDCA provides a repeatable and scalable
framework for the conduct of the investigation.
The objectives of the investigation will drive what facts and evidence are to be gathered. Experienced
investigators will find that over a period of time investigations of similar type take on similar themes.
These themes should be documented as defined and repeatable processes which then support that
particular type of investigation. Examples of support tools include, but are not limited to:
a) Case management software;
b) Case files and file storage systems;
c) Evidence management tools and systems;
d) Report styles and templates; and
e) Document retention protocols.

5.1.3 The Elements of a Successful Investigation


Given the diverse nature of investigations and their many purposes, successful investigation programs
require the following common elements:
a) Management commitment;
b) Meaningful objectives;
c) A well-conceived strategy;
d) Well-deliberated time plan;
e) Properly pooled resources and expertise; and
f) Lawful execution.

5.2 Understanding the Organization and its Objectives


Investigations are conducted as part of the organization’s overall business and risk management
activities. Therefore, ultimately investigations must be considered within the context of the
organization’s mission and achievement of enterprise-wide objectives. Persons planning and conducting
an investigation need to develop an understanding of the organization where the investigation is being
conducted in order to understand how the investigative activities impact the organization and its human,
tangible, and intangible assets. Investigations support the core mission of the organization, market
research, competitive intelligence, and other functions. The investigative activities should be seen as a
resource and employed in ways that support overall business objectives.
The IUM should understand how the investigative capability fits into the organization and how top
management envisions its application in support of overall risk and business management objectives.
Ideally, the IUM plays a key role in defining the fit and the nature of the investigative functions.
Understanding the organization may include factors such as:
a) Organization mission and business objectives;
b) Nature of the business activity;
c) Governance, authority, and management style;
d) Types of services provided or products produced, manufactured, stored, or otherwise supplied;
e) Risk appetite (including reputational risk);
f) Stakeholders and their objectives;
g) Types of clients served;
h) Information flow, command and control;
i) Supply chain and critical infrastructure dependencies and interdependencies;
j) Regulatory environment;
k) Competitive nature of the industry;
l) Organization culture;
m) Cultures, informal structures, and geographic spread within the organization;
n) Any special issues raised by the production, administration and service processes (e.g.,
environmental waste, disposal of defective goods, etc.);
o) Type of labor (e.g., labor union, unskilled, use of temporary workers, outsourcing, use of
immigrants, etc.);
p) Hours of operation;
q) Sensitivity of information; and
r) Stakeholder perception of risk tolerance and acceptance (internally and externally).

5.2.1 Investigative Function within the Organization


The investigative function and its location in the organizational structure varies significantly from one
organization to the next. The structure of an investigative function should be the result of a needs
assessment and a cost-benefit analysis. Senior security, assets protection, or risk management
professionals should advise top management on realistic investigative needs and the most effective
structure for meeting those needs. The following are examples of common structures for an investigative
capability within organizations:
a) A separate investigative unit with the IUM or investigative team leader (ITL) reporting to the
chief security officer (CSO);
b) A separate investigative unit with the IUM or ITL reporting to the risk management or assets
protection director;
c) A separate investigative unit with the IUM or ITL reporting to the legal department;
d) A separate investigative unit with the IUM or ITL reporting to the chief compliance or audit
officer;
e) Specialized investigation teams supported by internal audit or IT;
f) Investigations performed by an independent function, such as an inspector general or
equivalent, which reports directly to top management;
g) Investigations conducted by the security director personally since no dedicated investigative
unit or investigator exists;
h) Security director oversight of an outsourced investigative capability, calling on an outside
vendor as needed under a prearranged agreement;
i) Specialized investigations supported by a special litigation committee which is typically
comprised of a sub-group of a board of directors, executives or outsiders with specific expertise;
j) Oversight by general counsel or other in-house attorney with specific expertise of the internal or
external investigation team;
k) Human resources or employee relations executive with oversight over investigation team; or
l) Outside counsel with oversight over internal or external investigation team.
In larger or more geographically dispersed organizations, regional investigative units or personnel may
be established in order to conserve travel costs and time. This arrangement also allows for investigators
who are familiar with local issues (culture, geography, procedures, laws, regulations, etc.) and provides
an opportunity to work more effectively with local liaison contacts. Organizations may also establish
separate investigative capabilities within different business units.
The reporting chain for investigative information or results is critical and can affect both the outcome of
specific cases and the effectiveness of the unit itself. Generally, the shortest reporting chain between the
source of the information and the final decision maker is best.

Tip #7: Reporting Chain

If litigation is anticipated or there is suspected unlawful conduct within the workplace, legal counsel may engage the
investigator and communicate that the investigation is “confidential and privileged.” By this assertion, any
communication, inclusive of reports, occurring between the investigator and legal counsel should be considered
“attorney work product.” In some jurisdictions, the work product may be considered protected and not discoverable
in the litigation process. Alternative means exist for establishing attorney-client and work-product protections, such
as by clearly establishing at the outset (either by contract or other dictate) that the investigator is charged with
producing factual findings to legal counsel, so that legal counsel may use the findings to provide legal advice to the
organization.

The final decision maker(s) should be top management, such as the chief executive officer, chief operating
officer, chief legal counsel, president, or some other official who has similar executive and decision
making authority (e.g., person authorizing the investigation). It is important to identify the decision
maker, establish a close working (and trust) relationship with him or her, and develop a formal reporting
mechanism. In some situations, it may be advisable to establish an alternate or contingency reporting
mechanism in case the identified decision maker is unavailable, is a party in the case or investigation, or
is possibly involved in the investigative matter.
The lineup of liaison contacts, potential outside sources for investigative services, specialists, and
equipment vendors should be tailored to the primary focus areas of the investigative unit. Whether the
investigative capability of an organization consists of a dedicated unit, a single investigator, the security
director alone, or another arrangement, a specific individual (with a backup) should be designated to
manage these outside investigative resources. This provides continuity and facilitates rapid
implementation of capabilities. Investigative needs generally arise on short notice and on a surge basis.
Figure 3 provides an example of reporting lines during the investigative process.
See Annex E for more information on determining the need for an investigation within an organization.

Figure 3: Reporting lines during the Investigative process

5.3 Establishing the Framework


5.3.1 Context of the Organization
Conducting investigations within an organization requires knowledge of the internal and external factors
that can influence an organization’s performance in managing its business and risks. When planning the
investigation process it is important to consider:

a) Risks associated with the industry sector and organization’s processes;
b) Internal factors affecting the operating environment of the organization;
c) External factors affecting the operating environment of the organization;
d) Internal and external stakeholders who contribute to risks associated with the investigation;
e) Internal and external stakeholders who are impacted by outcome of the investigation; and
f) Factors that influence the acceptance of risk in the organization and by its stakeholders.

5.3.1.1 Internal Context


The investigative unit should identify, evaluate, and document the internal context, including:
a) Strategies, policies, objectives, plans, and guidelines to achieve objectives;
b) Governance, roles and responsibilities, and accountabilities;
c) Values, ethos, and culture;
d) Financial arrangements and restraints;
e) Information flow and decision-making processes;
f) Internal stakeholders who are the owners, contributors, impacted parties, and managers of risk
(enterprise-wide and by sub-divisions);
g) Capabilities, resources, and assets (tangible and intangible);
h) Procedures and practices;
i) Activities, functions, services, and products including their value streams; and
j) Brand and reputation.

5.3.1.2 External Context


The investigative unit should define and document the external context, including:
a) The cultural and political context;
b) Legal, regulatory, technological, economic, natural, and competitive environment;
c) Contractual agreements, including other organizations within the contract scope;
d) Infrastructure dependencies and operational interdependencies;
e) Supply chain and contractor relationships and commitments;
f) External stakeholders who are the owners, contributors, impacted parties, and managers of risk
(within the supply chain, vested interests, impacted communities, and the media);
g) Key issues and trends that may impact the processes and/or objectives of the organization;
h) Perceptions, values, needs, and interests of external stakeholders (including local communities
in areas of operation); and
i) Operational forces and lines of authority.
In establishing its external context, the organization should ensure that the objectives and concerns of
external stakeholders are considered when determining investigation criteria, where appropriate.
The focus of the investigation will help identify the internal and external factors that will affect how the
investigation is conducted and its outputs.

5.3.2 Needs and Requirements


The needs and requirements for the investigative function vary between organizations, as well as within
business units of an organization. Therefore, the IUM and ITL need to have a clear understanding of the
needs and requirements of the organization for investigative functions. The persons conducting the
investigation should also understand the reason and purpose for the investigation. There should be a
clear understanding between the IUM and top management as to the purpose of the investigation
program and intended use of the outcomes. Examples are:
a) Personnel screening;
b) Employee misconduct (including but not limited to harassment, discrimination, retaliation,
policy violations);
c) Internal or external theft;
d) Fraud prevention and detection;
e) Provide input for human resource management processes;
f) Better protect tangible and intangible assets;
g) Determine causes of accidents, mishaps, or disruptive incidents;
h) Use of a systematic process to identify weaknesses in the organization’s processes and risk
management approach;
i) Identify opportunities for improvement;
j) Evaluate effectiveness of training and awareness programs;
k) Evaluate and improve the allocation of resources;
l) Demonstrate regulatory compliance (including but not limited to food, health, safety,
production, labor, equal employment opportunity, and discrimination regulations);
m) Conformance with organizational policies;
n) Reduce liabilities;
o) Provide information for post investigation activities and actions;
p) Reputation and brand protection; and
q) Evaluate business relationships and supply chain needs, as well as address customer/client
concerns.
When developing the investigation program, the IUM should understand the organization’s intended
use of the investigation results.
The needs and requirements of the organization for the investigative function may change based on:
a) Economic realities of the organization;
b) Market forces;
c) Risk appetite (the amount of risk an organization is willing to accept, retain, or pursue¹);
d) Increase or decrease in the number of incidents requiring an investigation;
e) Organizational response to criminal and unethical behavior;
f) Reputational considerations;
g) Jurisdictional laws and regulations or other obligations;
h) Outsourcing of services and activities; and
i) Stakeholder perceptions and interests.

¹ Adapted from ANSI/ASIS/RIMS RA.1-2015, Risk Assessment

Tip #8: Linking Value Added to Needs and Requirements

The investigative unit should demonstrate value to the organization consistent with its needs and requirements.
Support for budget justifications can be bolstered by any or all of the following:

a) Proper investigative focus to support the organizational mission as well as strategic and business objectives;

b) Accurate and detailed tracking of investigative costs;

c) Effective implementation of cost management and efficiency measures;

d) Demonstration of restitution and recovery benefits;

e) Quantitative estimation of risk avoidance in monetary terms;

f) Creating a safe and respectful work environment for employees and others; and

g) Compliance driven to meet requirements and minimize organizational risk.

Carefully tracking and managing operational and overhead costs can significantly improve the response to funding
requests. Costs can be tracked by case type, location, business unit, or other variable. Additionally, recoveries and
restitution figures should be tracked and reported to senior management to help demonstrate a financial benefit to the
organization and support return on investment (ROI) arguments. Often, IUs can demonstrate ROI through civil
recovery efforts, recovering not only the losses but also the related investigative costs.

5.3.3 Objectives of the Investigation Program


Clearly defined investigation objectives are crucial to implementing a successful investigation program.
Investigations provide more value to the organization if the investigation program objectives are aligned
with organizational and management objectives (as may be articulated in the enterprise-wide strategic
business plan). The IUM and top management should clearly define and agree upon the investigation
objectives.
Both overarching and specific objectives are critical to the investigation from a strategic and tactical
perspective. Long-term and overarching objectives should be consistent with the organization’s strategic
intentions and should be incorporated into the investigative unit’s mission statement. Specific objectives
(short and long term) should be measurable, providing the basis for key performance indicators (metrics)
used to gauge the progress, success, or achievement of an investigative unit.
When defining the investigation program objectives, the following factors should be considered:
a) Management and decision making requirements;
b) Human, tangible and intangible assets to be protected;
c) Business management system requirements;
d) Organizational, business, and operational goals;
e) Jurisdictional laws and regulations or other obligations;
f) Risk management priorities and performance;
g) Perceptions and expectations of stakeholders and other interested parties, including supply
chain needs;
h) Cultural and informal structures within the organization;
i) Previous risk events; and
j) Level of maturity of the organization’s management system.
Examples of program objectives include, but are not limited to:
a) Support human resource management functions of the organization;
b) Identify root causes of problems;
c) Prevent, manage, and remediate undesirable events and behaviors;
d) Loss prevention and recovery;
e) Prevention and awareness of potential risk events;
f) Demonstrate compliance with laws, regulations, or other obligations;
g) Verify conformance of a management system to the requirements of relevant standards;
h) Demonstrate effectiveness of risk treatment measures;
i) Validate organizational risk management for internal and external stakeholders;
j) Demonstrate consistency with accepted industry practices; and
k) Evaluate alignment of risk management with the overall business management approach in
order to achieve the overall organizational objectives.
The investigation’s objectives define the investigator’s purpose, and provide a basis to benchmark
progress and provide the framework to support individual investigations. The investigative objectives
must be carefully articulated at the beginning of the process to establish the investigation’s starting point
and where it is intended to finish. The objectives should make it clear that the investigation’s purpose is
proper and lawful.

Figure 4 illustrates the considerations in defining the investigation program objectives.

Figure 4: Defining Investigation Program Objectives

5.3.4 Establishing the Scope of the Investigation Program


The scope of the investigation program should be defined in order to achieve the investigative objectives
and consider the context of the organization, its needs, and requirements. The scope of the investigative
program should define which processes, functions, activities, physical boundaries (facilities and
locations), and stakeholders to include. It will have a direct effect on the resource and time requirements
needed for the individual investigations. When setting the scope of the investigation program, it should
be kept in mind that resource and time requirements are directly proportional to the size of the scope.
The IUM and top management should agree to the investigation program scope prior to establishing the
investigations program; any subsequent changes in scope should be mutually agreed upon in writing.
The scope of the investigation program may consist of one or more individual investigations. If
conformance to a management system standard is the objective of the investigation program, the scope
of the program should be in alignment with the scope of the management system with any divergence
noted and understood.
Additional factors to consider in setting the scope:
a) Business and risk management objectives of the organization;
b) Size and complexity of the organization;
c) Facilities and geographic factors;
d) Jurisdictional laws and regulations or other obligations;
e) Available in-house and external expertise;
f) Results of previous investigations;
g) The likelihood and consequences of known undesirable and disruptive events (including
consideration of previous incidents and weaknesses of the management system);
h) Reports and concerns of internal and external stakeholders;
i) Supply chain tiers to be included and supply chain partner requirements;
j) Complexity and maturity of the risk management system;
k) Organizational and community culture; and
l) Factors related to timing, logistics, communications, and information accessibility.
When setting the scope of the investigation program, it is important to consider that many organizations
that deal with both internal and external investigations establish separate units for each. Doing so allows
investigators to focus on a particular activity and to develop special expertise, liaison networks, and
prosecutorial contacts. It also reduces confusion regarding investigative outcomes and processes. The
boundaries of these activities should be defined in the program scope.

5.4 Establishing the Program


There is no typical organizational structure for the investigative function in organizations. Factors such
as the industry and the organization’s mission, size, and scope all play a role in determining how the
investigative function looks and how it fits in the organization. When establishing or reengineering an
investigative function, the IUM should align the investigation program with the program objectives and
scope.

Tip #9: Size of Organization

Many small organizations keep qualified investigative consultants or private investigators on retainer to respond
quickly to various issues that require an investigative response. In larger organizations or other environments with a
constant need for investigative services, a full-time investigator or investigative staff may be justified. Regardless of
the organizational structure of the investigative function, a clearly defined investigative program is essential to assure
a transparent, accurate, fair, and unbiased investigation program.

Investigation program success requires the development and deployment of a sound investigative
strategy. Effective investigative strategies involve more than mixing and matching investigative methods
and tools. The investigative process must be sufficiently structured so that it provides efficiencies and
the opportunity to measure results. However, the process must be sufficiently flexible so that it permits
the changing of objectives and strategy as new information is learned. The IUM and investigators should
have the ability to change their objectives and modify their strategy as new information is developed.

5.4.1 Roles and Responsibilities


The roles and responsibilities of the parties conducting the investigation and the client should be clearly
defined and understood, and may include:

a) Investigation unit manager (IUM) – the person responsible for managing the investigation
program and assuring the necessary financial, human, physical, and time resources are
committed to conduct an effective investigation;
b) Investigation team leader (ITL) – the person designated as leading the investigation team;
c) Investigator – a person competent in conducting the investigation, individually, or as a member
of a team;
d) Technical expert – a person with specific knowledge or expertise supporting the investigation
team but does not act as an investigator (e.g. a language, legal, or industry sector expert);
e) Observer – a person who is present but not actively participating in the investigation (e.g. a
client’s representative or guide); and
f) Client – top management of an organization that requests the investigation.
The IUM is responsible for the planning, management, and conduct of the investigation program, while
the ITL is responsible for the conduct of individual investigations. They are both responsible for the
professional and ethical behavior of the investigation team members. The IUM and ITL are responsible
for:
a) Defining the objectives, criteria, and scope of the investigation program as well as individual
investigations;
b) Communicating and consulting with relevant parties to the investigation;
c) Ensuring the investigation team and its members have the necessary competence to successfully
conduct the investigation;
d) Ensuring the allocation of adequate resources for the investigation;
e) Ensuring compliance with applicable laws, regulations, and policies;
f) Ensuring the investigation program is executed as planned in a timely fashion;
g) Ensuring the completeness and integrity of documentation;
h) Minimizing impartiality- and bias-related risks;
i) Ensuring risks of the investigation program to the client and investigation team are
appropriately managed;
j) Reviewing work product(s) of investigators for completeness and accuracy; and
k) Ensuring the integrity and confidentiality of information.
The organization requesting the investigation (“client”) should appoint at least one representative from
top management to interface with the investigation team. The client’s representative should have the
authority to make appropriate and timely decisions and to provide the investigators with:
a) Appropriate organizational, functional, stakeholder, and historical information to evaluate
risks;
b) Access to areas and activities within the scope of the investigation;
c) Access to relevant persons and information;
d) Facilities for the investigation team use (e.g. private work space, telecommunications, safety and
hygiene facilities, etc.);
e) Support personnel if needed;
f) Access to legal counsel and human resources;
g) Safety, security, and regulatory requirements; and
h) Information needed for protection of brand, reputation, proprietary rights, and confidentiality.

Tip #10: Management Commitment

Investigations support the achievement of objectives of the organization. Because many investigations are complex
and often involve potential litigation, management commitment is an essential component if success is to be achieved.
From the very beginning, the management representative of the organization requesting the investigation (“client”)
needs to be prepared to commit the requisite time, patience and resources in order to achieve the investigation
objectives. In accepting the assignment, the IUM must be prepared to accept responsibility and communicate honestly
with the client. Only with the proper information and a thorough understanding of the issues and options can the client
make decisions that are sound and appropriate. Therefore, the client should commit the time, patience, and resources
necessary for the investigation to succeed.

5.4.2 Legal and Other Requirements


Investigators should perform professional duties in accordance with the law and the highest ethical
principles. An investigator should observe the principles as listed in Section 4 to be faithful and diligent
in discharging professional responsibilities. Investigators should safeguard confidential information and
exercise due care to prevent its improper disclosure. The investigators should not maliciously injure the
professional or personal reputation of colleagues, clients, employees, employers or individuals under
investigation.
The IUM and ITLs should be mindful of legal and liability issues related to the investigation. Investigators
should understand their responsibilities to:
a) Be compliant with laws regarding the licensing of investigators and consultants and their work;
b) Comply with applicable laws and regulations;
c) Respect the rights of individuals;
d) Minimize compliance risks;
e) Minimize liability of the investigation to the investigative unit and client;
f) Avoid conflicts of interest and protect real and perceived impartiality;
g) Not disclose proprietary information or use information learned during the course of the
investigation for personal gain or the gain of others;
h) Not share information beyond a need to know basis or that can be used to cause business or
personal harm;
i) Exercise responsible care and competence to avoid violation of the principle of due care;
j) Report findings accurately; and
k) Observe environmental, safety, and security regulations.

Investigators should be apprised of their responsibilities to report illegal and unsafe activities within or
outside the scope of the investigation, including legal requirements for disclosure. Once discovered, an
investigator should not ignore illegal or unsafe activities. Investigators should inform the ITL, who
informs the client and investigative unit manager. The ITL should verify and create a record of the
condition. If the team is endangered, the investigation should be paused until the risk can be assessed
and issues rectified.
It is incumbent on the IUM to ensure the investigation team is familiar with all applicable laws and
regulations, as well as organizational (client) policies. This can become a significant task, especially if the
client has locations in several different jurisdictions, even in other countries. The venue of a particular
case may not necessarily be within the expected jurisdiction. Applicable laws, regulations, and
restrictions may vary across the different jurisdictions. Jurisdictional requirements should be understood
by the investigation team, particularly those associated with:
a) Privacy;
b) Human and civil rights;
c) Access to legal counsel;
d) Chain of custody of evidence;
e) Consumer reporting;
f) Financial reporting;
g) Detention;
h) Physical contact and use of force;
i) Confidentiality;
j) Regulatory reporting and discoverability; and
k) Information storage.

Tip #11: Lawful Execution

Investigators have enormous responsibility. The outcomes of their effort often impact not only the organizations they serve and
the employees that work for them but also anyone else their investigation touches. Those who conduct private sector
investigations are governed largely by organizational (client) dictates and ethics. Regardless of the venue or the
likelihood of critical examination, all investigations should be conducted ethically and lawfully. To do otherwise is a
disservice to the subject, the client and the investigative profession.

See Annex C for additional information on legal and liability issues.

5.4.3 Competence Requirements


Competence, the ability to apply pertinent knowledge and skills to achieve intended results, is necessary
for persons involved in conducting investigations. Competence is the demonstrated sum of personal
attributes, general investigation knowledge, techniques, and skills, business and risk management
knowledge, and industry sector specific knowledge and skills.
To conduct an effective investigation, the IUM, ITL, and investigators should demonstrate skills and
knowledge in the following areas:
a) Interpersonal and communications skills;
b) Relevant client policies and parameters for the investigation;
c) Knowledge of applicable laws in the areas being investigated;
d) Ability to analyze and weigh evidence and information;
e) Systems, PDCA, and process approaches to investigations;
f) Standards being used, as well as normative documents;
g) Principles of investigations articulated in Section 4;
h) Technical knowledge of the investigative techniques used;
i) Risk assessment and management from a business perspective;
j) General knowledge of jurisdictional laws and regulations or other obligations; and
k) Industry sector and risk discipline (e.g., security, safety, compliance, etc.) specific good
practices.
The IUM and ITL should ensure the investigative team provides investigation services in those areas
where they have the requisite knowledge, skills, and experience.

5.4.4 Identifying and Managing Uncertainty in the Investigation Program


Conducting investigations involves uncertainty in achieving program objectives. Changes both within
and external to the organization may affect risk. Therefore, analysis of the uncertainty related to the
investigation processes is an integral part of developing and improving the investigation program. To
effectively conduct an investigation, it is important to understand the risks related to:
a) Operations and operating environment of the client;
b) Achieving the objectives of the investigations;
c) Real and perceived impartiality;
d) Jurisdictional laws and regulations or other obligations;
e) Execution and disruptive effects of the investigation on the client’s organization and its
activities;
f) Health, safety, and security of the investigation teams; and
g) Perceptions of interested parties.
By managing the uncertainties related to the investigation program, failure to meet program objectives
and damage to the reputation of the investigation process can be minimized.

5.4.4.1 Risk to the Organization Sponsoring the Investigations


Investigations involve evaluating inherently sensitive information of organizations. This introduces an
element of uncertainty to the investigation process. The IUM should evaluate the potential tangible and
intangible impacts of the conduct of the investigation on the client.
The IUM should consider:
a) Information security and confidentiality needs;
b) Background of the investigation team;
c) Clearances;
d) Litigation;
e) Reputational and brand aspects (e.g. adverse publicity);
f) Retaliation by or towards the complainant, respondent, or interviewees involved in the
investigation;
g) Morale of stakeholders;
h) Exposures of vulnerabilities;
i) Reporting requirements (including disclosures); and
j) Disruption of activities and continuity of operations.

5.4.4.2 Risk to Achieving the Objectives of the Investigations


Persons conducting the investigation should understand the uncertainty that may have an impact on
achieving the objectives of the investigation. It is also important to allocate available time and resources
to the areas with higher levels of risk. The planning process should prioritize resources commensurate
with the associated level of risk and ensure important risk factors are not overlooked.
In identifying, analyzing, and evaluating risks to the investigation program, the IUM should consider:
a) Planning;
b) Overall competence of the investigation team and team members;
c) Allocation of sufficient resources;
d) Implementation of the investigation plan;
e) Communication between team members, as well as between the investigation team and client;
f) Appropriate documentation and recordkeeping (and documentation control) consistent with
jurisdictional requirements; and
g) Monitoring of program outcomes.

5.4.4.3 Risk to Real and Perceived Impartiality and Biases


The IUM should establish and document a procedure for identifying, analyzing, evaluating, and treating
(reducing) risks associated with real and perceived threats to impartiality. Consideration should be
given to biases that may impact the outcomes of the investigation. The IUM should identify and
understand the inherent and cognitive biases within the organization and the individuals conducting the
investigation. Inherent bias is the effect that underlying factors and assumptions may have
on information collection and analysis. Cognitive biases are tendencies to think in certain ways.


Tip #12: Examples of Cognitive Biases

Types of biases to consider include:

a) Social and cultural biases;

b) Familiarity and confirmation biases;

c) Perception, observational selection, and memory biases;

d) Belief and behavioral biases;

e) Relational and group-think biases;

f) Confirmation and post rationalization biases;

g) Decision making biases;

h) Illusion of control biases; and

i) Biases related to organizational structure.

5.4.4.4 Legal and Regulatory Issues


When planning the investigation program, the IUM should consider the jurisdictional requirements
related to:
a) Security (physical and information);
b) Jurisdictional labor laws and collective bargaining agreements;
c) Safety;
d) Disclosure and non-disclosure requirements;
e) Liability issues;
f) Privacy requirements; and
g) Contractual obligations.

5.4.4.5 Health, Safety, and Security of the Investigation Teams


When there is the potential for exposure of the investigation team to threats and hazards during the
investigation, the IUM should evaluate health, safety, and security related risks and take appropriate
actions.

5.4.4.6 Perceptions of Stakeholders


The perceptions of stakeholders may impact the design and implementation of the investigation
program. Therefore, during the design of the investigations, the IUM should be aware of and consider
the perceptions of:
a) Key stakeholders (e.g. workers, unions and labor organizations, customers/clients, investors,
etc.);
b) Supply chain partners;
c) Government regulators and law enforcement;
d) Liaison agents;
e) Neighboring communities;
f) Civil society groups and organizations; and
g) The media.

Tip #13: Adversarial Stakeholders

Some stakeholders may be inclined to use investigation results for unintended or undisclosed purposes. Defining the
threat entails identifying, within reason, all potential information collectors or adversaries who may access
investigation results using legal or illegal means. The following are examples of potential adversaries:

a) Individuals or organizations with a stake in the outcome of the investigation;

b) Friends or supporters of the parties involved in the investigation;

c) Parties in litigation;

d) Co-conspirators not yet identified (individuals or organizations);

e) News media and simple public curiosity (especially in high-profile cases); and

f) Potential copycats or others engaging in similar wrongdoing.

5.4.5 Program Approach and Procedures


Design of effective investigative procedures should be based on clearly defined objectives, always taking
into account the legal obligations of the organization and the respect for rights of the individuals
involved. In many types of investigation it is important to have an understanding of how the outcomes
of the investigation will be utilized. However, sometimes how the investigative outcomes will be used
is not defined in advance to avoid potential investigator biases. In addition, how the outcomes will be
utilized may change depending on the information obtained. Knowledge of how the investigative
outcomes will be utilized needs to be considered on a case-by-case basis, depending on the facts of the
case, parties involved, or organization's practices. In all cases, the level of confidence in the investigation
outcomes will be based on the evidence and facts collected, not perceptions and assumptions.
A balance must be drawn between gathering too much and too little information during an investigation.
There is frequently a tendency to follow every possible lead to its logical conclusion. This can result in
an unnecessarily prolonged investigation. In some organizational environments, there can be pressure
to complete an investigation quickly. The natural tension between following every lead to its logical
conclusion and completing the investigation in a timely manner is a balance that must be managed by
the IUM and ITL. Those individuals will need to decide when continued investigative effort is required
to meet the objective(s) of the investigation and when following additional leads has become
non-productive.
Some types of investigations are founded on a working hypothesis, which may be developed at the outset
or later, and may change one or more times. The hypothesis is appropriately used as a tool as long as it
remains within the bounds of objectivity. Effective procedures avoid jumping to conclusions even in the
face of what seems to be overwhelming and conclusive evidence without first attempting to corroborate
the facts. Defining objective procedures helps the investigator identify and avoid biases, including in the
formation of the hypothesis.
In other types of investigations, a working hypothesis is not recommended and, if used, can create legal
liability for the client. In all types of investigations, the investigator must come to the investigation open
and impartial, giving the complainant the opportunity to provide their version of the facts concerning the
allegations. Likewise, the investigator must provide opportunities for the subject of the investigation to
provide relevant evidence and leads, and to admit, deny, or explain the allegations and evidence.
The IUM should develop one or more procedures for managing the investigation program. When
developing the procedures, the IUM should identify performance metrics that will be used to determine
if the procedures were effective and successfully applied. Procedures should be developed for:
a) Planning the investigations to meet the investigation objectives consistent with promoting the
organizational business and risk management objectives;
b) Identifying and maintaining the appropriate level of investigator competence;
c) Selection of investigation team members and appointment of ITL;
d) Ensuring effective communication between all parties involved in the investigation;
e) Evaluating required resources, logistics, and feasibility of investigation success;
f) Conducting the investigation, including data collection and sampling techniques;
g) Ensuring time management and scheduling;
h) Evaluating the investigation data, definition of priorities, and improvement of risk treatment
methods to promote awareness and prevent recurrences of undesirable behaviors and incidents;
i) Performance assessment of the investigation process to identify opportunities for improvement;
j) Conformance with organizational policies and commitments;
k) Compliance with jurisdictional laws and regulations or other obligations, as well as liability
issues;
l) Integrity, confidentiality, and protection of information;
m) Handling, chain of custody, access control, and archiving of records;
n) Proper documentation and review of investigative findings before providing reports to the
client; and
o) Monitoring, review, and continual improvement of the investigation program.

5.4.6 Commitment of Resources


Once the objectives and scope have been established, the IUM should identify and assure the
commitment of resources necessary to conduct a successful investigation program. The IUM should
obtain a commitment from top management to provide resources in terms of personnel, time, travel, and
the finances necessary to develop, implement, manage, and improve the investigation activities
(including assuring investigator competence). From the organization’s perspective, the tangible and
intangible benefits of increasing the likelihood of achieving organizational objectives should outweigh
the costs of conducting the investigation.
Personnel resources may include the allocation of appropriate and adequate full and part-time internal
and external investigators, as well as any accompanying technical experts. The makeup of the
investigation team should reflect the objectives of the investigation program and the complexity of
the organization’s business and risk management systems. The IUM should calculate the personnel hours
required to successfully complete each portion of the investigation.
Factors that will affect the allocation of resource requirements (particularly personnel and time
requirements) include (but are not limited to):
a) Complexity of investigation nature and range of issues (associated risks) to be investigated;
b) Expected type of cases and projected caseload per investigator;
c) Risks associated with the organization, its activities, and its context;
d) Complexity and size of the organization to be assessed (e.g. technologically complex or
labor-intense organizations may increase the personnel hours needed);
e) Maturity of the existing risk management system;
f) Risks associated with the investigation program (including minimizing bias);
g) Desired timeframe in which the investigation is to be conducted;
h) Investigation methodologies and sampling methods;
i) Results of prior investigations;
j) Extent of changes in operating environment;
k) Review of documentation;
l) Availability and accessibility of interviewees and information;
m) Number of sites, multi-site considerations and diversity of stakeholders;
n) Single or multiple shifts, as well as weekends and off-hours;
o) Physical size and layout of the organization to be assessed;
p) Meeting requirements (opening and closing meetings, top management briefings, and
investigation team meetings);
q) Communications (including availability of information and communications technologies and
methods);
r) Administrative or other support needs;
s) Safety and security arrangements and equipment;
t) Travel and logistics (including lodging, meals, and breaks);
u) Data analysis and report preparation;
v) Availability of competent personnel to conduct the investigations; and
w) Anticipated scheduling delays.


Tip #14: Commitment of Resources

To ensure a successful investigation and achieve objectives, the IUM should obtain a commitment for the resources
needed prior to the investigation’s initiation. If staffing needs cannot be accurately projected or benchmarked, the best
approach is to start small, using outsourced resources when required, and grow the unit over time if necessary.
Selecting professional personnel is an important aspect of setting up a proprietary IU. Many positions in today’s
environment require backgrounds in specialized fields, such as computer investigations, contract fraud, or financial
crimes.

5.4.7 Establishing a Code of Ethics


As a normal course of business, the organization should establish, implement, and maintain a Code of
Ethics for norms of behavior for all persons working on its behalf in the investigation program. The Code
of Ethics should be documented and clearly communicated. It should clearly articulate the following key
parameters to ensure diligent, honest, and professional conduct:
a) People are treated with respect and dignity;
b) Business is conducted with objectivity, honesty, and integrity;
c) Conflicts of interest and impartiality risks are divulged;
d) Focus on the scope of the investigation; and
e) Confidentiality and integrity of information is respected.

Tip #15: Questions the IU and its Investigators Might Ask Themselves When Contemplating an Investigative
Strategy are:

a) Is it legal?

b) Is it fair and impartial?

c) Is it relevant?

d) Is it balanced?

e) Is it necessary?

f) Is it consistent with organizational values, both internally and professionally?

g) Is it affordable?

h) Is it ethical?

5.5 Implementing the Investigation Program


5.5.1 Setting Criteria for Individual Investigations


The investigation program may consist of one or more investigations, the sum of which achieves the
overall objectives of the investigation program. The objectives, scope, and criteria of the individual
investigations within the program should be consistent with the overall objectives of the investigation
program. The objectives of the individual investigations should be clearly defined and documented.
The objectives of an individual investigation will be determined by the type of investigation needed. The
functions required may range from relatively simple activities such as documenting facts surrounding a
security force response, to a workplace incident, or to complex procurement fraud investigations.
The scope of the individual investigations should be clearly defined and documented. Examples of
individual investigation scope include (but are not limited to):
a) Specific investigation type;
b) Incident investigation;
c) Specific facilities and physical locations;
d) Individual divisions and organizational units;
e) A value chain in the organization;
f) A specific set of risks;
g) Individual(s) within the human resource pool;
h) Evaluation of risks related to new products and services; and
i) Specific processes.
The criteria of the individual investigations should be clearly defined and documented. Examples of
individual investigation criteria include (but are not limited to):
a) Investigation objectives set by top management;
b) Organizational policies;
c) Level or burden of proof;
d) Risk management goals established by top management;
e) Management system standards requirements of one or more standards;
f) Accepted industry practices;
g) Headquarters, contractual, or supply chain requirements;
h) Jurisdictional laws and regulations or other obligations;
i) Security requirements;
j) Concerns and perceived risks of stakeholders; and
k) Risk management policies and procedures.
See Annex D for more information on types of investigations.

5.5.2 Identifying Investigation Methods


The IUM and ITL should determine the appropriate methodology for conducting an investigation to
achieve the objectives, scope and criteria. Methods chosen will be a function of the size and nature of the
organization as well as risk, human, cultural, legal, infrastructure, and geographic factors. The
investigative methods utilized should be reviewed by legal counsel familiar with jurisdictional
regulations.
When choosing a methodology, it is important to understand the capabilities, competencies and
resources required to effectively execute the methodology. The methodology should follow a logical
process by which the inputs into an investigation are evaluated to produce the outputs that inform the
decision making processes. When trying to determine the methodology, previous investigations may be
a good starting point concerning protocols for protecting data and evidence, confidentiality, and
logistical issues. However, extreme care should be taken to make sure the investigator is not provided
information that could later be seen as creating bias. Always evaluate the appropriateness of the current
circumstances when reviewing prior investigations.
When selecting a methodology, it is important to understand the reliability and confidence levels of the
available data. There is no single methodology and therefore each one requires independent judgment
regarding its design.
Examples of basic methods of investigation include (but are not limited to):
a) Physical surveillance;
b) Electronic surveillance;
c) Physical examination;
d) Searches;
e) Information review;
f) Forensic analysis;
g) Undercover;
h) Interviews; and
i) Legal mechanisms for discovery (generally not available pre-litigation).
Other methods of investigation may be considered subcategories of one of these. Not all of these methods
are appropriate for every type of investigation.
Most investigations use one or more of the investigative methods. The IUM and ITL should select the
method(s) most suitable to achieve the investigation objectives given the particular circumstances and
cost/benefit, and deploy them properly and efficiently. Typically, there is a need to combine the methods
in some fashion or mix and match them. Using the PDCA Model as described in this Standard, the IUM
and ITL should plan, implement, evaluate and review the method(s) for each individual investigation
with a goal of continually improving the methodology.

5.5.2.1 Physical Surveillance


Physical surveillance involves observing people, places, things and activities. Surveillance has only two
requirements: there is something to watch, and someone to watch it. Physical surveillance requires
significant skill and patience and should always be conducted consistent with jurisdictional laws.
For physical surveillance to be generally effective, it should:
a) Have a clearly designed purpose and goals;
b) Not interfere with what is being observed;
c) Record and document what the investigator is observing; and
d) Support the objectives of the investigation.


5.5.2.2 Electronic Surveillance


Electronic surveillance is similar to physical surveillance in that it too involves observing people, places,
things, and activities. Electronic surveillance is another tool for investigators to use to gather information
to corroborate or disprove testimony, provide additional leads, and possibly provide evidence. Because
electronic surveillance uses technology such as audiovisual and covert cameras, and personal computer
monitoring software, it can be used when and where physical surveillance is not possible. This
surveillance method may enhance the investigative process and outcome by providing a permanent
record of the observed activities.
Electronic surveillance regulation varies by jurisdiction. Legal counsel should be consulted to avoid
violation of laws and regulations, particularly the right to privacy. An individual’s right to a reasonable
expectation of privacy is broad and to violate it may be both criminally and civilly actionable.

5.5.2.3 Information Review


Information review is the combination of research and evaluation of cross-media resources. This method
involves the collection and examination of information from both public and private sources. The
collection and examination of public records or public sources may include criminal and civil records,
asset ownership records, financial liabilities (liens and judgments), organizational records, and address
histories, among others (access to which may be controlled differently in different jurisdictions). Public
records often afford the investigator a source of information and can assist in reaching conclusions.
Information review also can be conducted on records and documents internal to the organization,
specifically the examination of documents and information that would not normally be available to
someone outside the organization. The investigator should be aware of access and confidentiality
requirements of the organization to protect information integrity and avoid liability issues related to both
the organization and the individual(s) under investigation.

Tip #16: Information Sources

To the extent criminal and civil records are obtained, the investigator must be aware of jurisdictional laws governing
such sources, including, for example, reporting and privacy regulations. The investigator should also fully explore all
relevant information sources, including but not limited to, electronic documents, text messages, emails, social media
writings, personnel files, supervisor files, interviewee notes, incident notes, personal websites, blogs, demographic
information, policies and procedures, past complaints, time cards, expense reports, internet usage, and calendars.
Caution should be exercised when transferring information between jurisdictions, particularly international
boundaries.

5.5.2.4 Forensic Analysis


Forensic analysis includes investigations that employ science and/or scientific method. This category can
include: biological, chemical, and substance analysis; fingerprint examination and comparison; computer
forensics; various deception detection methods; and forensic document examination. The forensic
analysis should be conducted by individuals with demonstrated expertise in the field so that the
conclusions of the analysis hold credibility with stakeholders and in a court of law.

5.5.2.5 Undercover


Use of undercover methods can be one of the most effective methods of investigation due to its interactive
nature. This method involves the surreptitious placement of a trained and skilled investigator for the
purpose of gathering information. It permits the investigator to interact and communicate with those
being investigated. Due to its covert nature, the use of an undercover investigator is complex and may
be fraught with psychological, financial, and legal challenges that may create serious liabilities for both
the client and the investigator. Therefore, when conducting an undercover investigation, investigators
should be aware of and trained on jurisdictional limitations, particularly with regard to entrapment.

5.5.2.6 Interviews


An interview is a conversation in which one or more persons question, consult, or evaluate another
person. Interviews should be well-conceived and conducted within the parameters of the investigation
objectives, ethics, and the law.
Interviews conducted during investigations can be either highly structured or a casual conversation, and
should focus on obtaining facts and evidence about the events under question. An interview affords the investigator
the opportunity to determine who, what, when, where, how, and why from persons with relevant
information and to provide context. The purpose is to determine what happened or did not happen. This
benefit combined with the opportunity to obtain the relevant evidence makes interviews the most
powerful form of investigative method for those conducting investigations. The investigator needs to
remain objective and maintain control even if the interview becomes adversarial, confrontational or
accusatory.

Tip #17: Types of Interviews

Interviews are an investigative method used between two or more persons where the interviewer(s) poses questions to the
interviewee(s) to elicit facts or statements about the events under investigation. Interviews fall into several categories,
including but not limited to:

a) Subject;

b) Witness;

c) Complainant; and

d) Applicant.

Regardless of the category of interview, the conversation should be focused on obtaining the information about events. The
level of aggressiveness of the questioning varies with the type of interview, personalities of the parties of the interview, and
objectives of the interview. If questioning becomes confrontational or accusatory, the interviewer should be aware of ethical
and legal boundaries, and should be able to maintain sufficient control to scale the level of aggressiveness of the questioning.

5.5.2.7 Physical Examination


Physical examination is the inspection of items (e.g., doors, tools, locks, fencing, etc.) for information that
may be useful in furthering the investigation and/or as evidence. It is also the inspection of areas (e.g.,
rooms, fields, walkways, etc.) in search of the same type of information.

5.5.2.8 Searches


A search is the structured, detailed and careful examination of an area (e.g., room, vehicle, desk, locker,
etc.), the purpose of which is to locate specific items or materials that are suspected to be in the area
searched and that will be useful in furthering the investigation and/or as evidence. Prior investigative
steps generally indicate areas that are appropriate and likely fruitful for search. Because they can lead
to claims of invasion of privacy, searches have the potential to create serious liability exposure for both
the client and investigator if conducted improperly. After a thorough legal vetting, review of
organizational policies, and requirements under any collective bargaining agreement, a fully competent
investigator should execute the search within the appropriate guidelines of the organization.

5.5.3 Competence, Evaluation, and Selection of Investigators


The credibility of any investigation program is dependent on the experience, knowledge, and
interpersonal skills of the investigators. The IUM should select investigation team members and an ITL
based on the competence needed to achieve the objectives of the investigation and with the interpersonal
skills necessary to achieve the objectives of the investigation. The IUM should select the correct mix of
ITL, investigators, and technical experts so that the sum of their competence and interpersonal skills will
result in a successful investigation. The size and composition of the investigation team will be dependent
on the objectives, scope, and criteria of the investigation.
The investigation team members are responsible for collecting fact-based evidence. Investigation team
members should be able to gather information efficiently, objectively and with due consideration of
potential disruption to normal routine.
The IUM should establish well-defined investigator criteria for selection of individuals and assigning
work. Procedures should be developed to evaluate particular investigator qualifications, including:
a) Knowledge;
b) Experience;
c) Personal skills and traits; and
d) Legal and licensing requirements.
Factors to consider in selecting members of an investigation team include:
a) Overall competence of the investigation team needed to achieve the investigation objectives;
b) Nature of the investigation;
c) Knowledge of industry sector and the risks the sector faces, including understanding the specific
context of the organization and its supply chain;
d) Complexity of the investigation;
e) Investigation methods to be used;
f) Legal, regulatory, and other requirements keeping in mind jurisdictional variations;
g) Independence, impartiality, and avoidance of perceived or real conflict of interest;
h) Personal, cultural, social and language skills required to deal with a specific investigation;
i) Security, clearances, citizenship, and safety requirements of the organization;
j) Dynamics of the investigation team members and their ability to work together;
k) Availability of personnel; and
l) Leadership requirements and the need to oversee and train new investigators.
When considering the selection of investigators, the IUM should evaluate the qualifications, knowledge,
experience, personal skills, and traits of the investigators needed to achieve the investigation objectives.
The IUM should have a documented process for evaluating and selecting investigators. See Annex B for
additional details.
Technical experts may supplement the competence of an investigation team. At all times the technical
experts should operate under the direction of an investigator and not function as an investigator.
Technical experts are intended to supplement the overall expertise of an investigation team to provide
subject matter expertise.
Investigators-in-training may also be included in the investigation team. Investigators-in-training
should have knowledge of investigation methods. They should participate under the direction and
guidance of an experienced investigator.
The IUM and ITL may make adjustments to the investigation team during the course of the investigation
depending on the necessity for additional competencies.

5.5.4 Establishing Roles and Responsibilities of Investigation Team Leader


The IUM should assign an ITL to direct and monitor the team prior to commencing the investigations to
allow for sufficient preparation time. The ITL should be an experienced investigator familiar with the
specific nature of the case. Individual investigator assignments should be based on the competence of
the individual and reflect the complexity of the tasks. The ITL should assign and communicate
investigation responsibilities prior to commencing the investigation.
The ITL is responsible for:
a) Satisfactory performance of all phases and activities of the investigation;
b) Representing the investigation team with the organization;
c) Initiating and maintaining communication with the organization and top management;
d) Maintaining professional behavior and harmony amongst the investigation team;
e) Developing the investigation plan;
f) Managing risks during the investigation;
g) Organizing and directing investigation team members (particularly investigators-in-training);
h) Making effective use of resources during the investigation and time management;
i) Conducting opening and closing meetings;
j) Conducting regular meetings and briefings with the investigation team as well as the IUM;
k) Protecting the health, safety, and security of the investigation team;
l) Assuring the confidentiality and protection of sensitive and proprietary information;
m) Preventing and resolving conflicts;
n) Reviewing the evidence and observations of the investigators and leading the team in
determining the findings and conclusion; and
o) Preparing and submitting the investigation report.

5.5.5 Managing and Maintaining Program Documentation, Records, and Document Control
The IUM should identify the documentation needs of the investigation. Procedures should be
established by the IUM for the use and handling of documents and records created for the investigation
program. Clear procedures should be outlined for obtaining and handling client and other
organizational documentation. The client must explicitly approve copying of any information or
photography. Investigators should not remove, modify, delete, or destroy documents (including
electronic files) without explicit permission to do so.
The IUM should establish, implement, and maintain procedures to protect the sensitivity, confidentiality,
and integrity of documents and records including access to, identification, storage, protection, retrieval,
retention, and disposal of records. Documents should be clearly labelled as to their status and version
(e.g. draft or final, active or archival) as well as level of sensitivity and confidentiality. Records of access
to information and documents should be maintained.
In instances where reports are deemed confidential, the IUM should establish computer and network
controls over files and investigation information to prevent access by unauthorized users. When
confidential information is collected the IUM should establish procedures and provide technology to
investigation team members to use encrypted storage devices or laptops to secure this information.
Records and documentation should be created, maintained, and appropriately stored for both the overall
investigation program and individual investigations, including:
a) Program objectives, criteria, and scope;
b) Risk assessment and treatment measures;
c) Evaluation of achievement of investigation objectives; and
d) Investigation program effectiveness and opportunities for improvement.
For individual investigations, records should include:
a) Plans and reports;
b) Safety, security, and confidentiality requirements and conditions;
c) Agenda and minutes from opening and closing meetings;
d) Non-conformance reports;
e) Corrective action requests; and
f) Investigation follow-up reports.
Procedures should be established to create and maintain records of investigation performance.
Performance review records should be used to drive continual improvement of investigation process and
investigation team. Examples of performance records include:
a) Feedback from the client;
b) Selection criteria and competence of investigation team members;
c) Performance evaluations of the investigation team members and team leader;
d) Effectiveness of time management; and
e) Needs for continuing training and competence improvement of investigation team members.

5.5.5.1 Records and File Storage


Investigative files are highly sensitive or confidential and are subject to both practical and legal access
restrictions. In addition, files and records have widely varying retention requirements. Thus, it is
important to ensure that adequate secure storage is available for records and those records are organized
in such a way that they can easily be identified for retention and destruction (or disposition) at the
appropriate time. The investigative file should be retained separately from the personnel file, and should
be kept in a locked, secure location with access by only individuals with a business need. The IUM
should consult with the organization's top management and legal counsel to establish an appropriate
policy for retaining documents and evidence in their original format consistent with the statute of
limitations for all legal or liability issues, as well as labor relations and organizational policy.
In some circumstances, records can more easily be stored electronically. Such storage requires less
physical space and often results in more efficient retrieval, but some precautions are in order. Secure
backup copies should be stored off-site and should be immediately accessible should the primary data,
the computer system, or the IU facility become unavailable (e.g., due to cyber-attack, natural disaster, or
other catastrophe). In addition, even if investigative records and associated information are digitized, the
original documents, photographs, and other items may need to be preserved in some instances. Items
that may be needed as evidence (such as photographs and original written statements) must not be
disposed of or destroyed.

Tip #18: Ownership of Information

Retention of records and files is a matter of professional practice and client preference. The client is the recipient of the final report
of the investigation and ownership of information is transferred when the report of the investigation is accepted.
Establishing a destruction of record routine at a set interval is recommended to protect the information obtained from
disclosure outside the client contract, unless required by jurisdictional law and regulations, policy, or other obligation
to maintain records for specified time periods.

5.5.5.2 Case Files


At the completion of the investigation, all case file documents, including original notes, reports, and
investigative summaries as well as any evidence should be retained. The person designated to maintain
and archive the closed case file is called the “custodian of record.”
The management and format of case files is largely a matter of preference by the ITL. However, the
system chosen should be simple and neat.
Electronic folders and files should be downloaded and safely stored. Digital images, spreadsheets, and
databases can also be safely stored. Although duplicate information and files can be deleted to save space
on servers, original documents and files should be retained.

5.5.6 Investigations and Operational Control


The IUM, in conjunction with the ITL, should identify the background documentation and information
necessary to conduct the investigation. The ITL should arrange with the organization to access the
availability of documents related to the investigation criteria within the scope of the investigation.

When conducting the initial document review, attention should be given to:
a) Nature and scope of the investigation;
b) Context of the risk environment;
c) Methodology and key outcomes of the investigation risk assessment;
d) Selection and effectiveness of risk treatment measures relative to the investigation;
e) Policies, procedures, and internal audits related to the issues addressed in the investigation; and
f) Availability of current documents and responsible duties.
The document review should provide input into planning the investigation and an indication of areas
needing additional focus and resources to conduct the investigation.
The document review will indicate the likelihood of achieving the investigation objectives and may
indicate the need for changes in the investigation approach and investigation team composition. Any
changes should be made in consultation with the IUM and client.
The next stage of the investigation consists of information and evidence gathering to substantiate
findings and draw conclusions. It should consider:
a) Are matters being investigated contrary to jurisdictional law and regulations, policy, or other
obligations?
b) Are issues defined in organizational policies and procedures effectively being addressed?
c) Are legal, regulatory, and contractual obligations being met?
d) Are infractions and deviations from expected outcomes due to deliberate or undeliberate actions?
e) Has the organization acted on identified non-conformances, internal audit findings, exercise
results, and lessons learned from events by implementing appropriate corrective and preventive
actions?
f) Are changes adequately addressed in a timely fashion?

5.5.7 Managing Outcomes of the Investigation Program


The organization should assign responsibility for review and approval of the investigation findings and
the investigation report. For credibility, any changes should come from the investigation team and be
resubmitted for approval. In addition, the assigned party is responsible for:
a) Appropriateness of corrective and preventive actions;
b) Ensuring the distribution of the investigation report to authorized parties only;
c) Maintaining the confidentiality of sensitive and proprietary information; and
d) Assuring proper investigation follow-up where necessary.

5.6 Monitoring the Investigation Program


5.6.1 Monitoring, Measurement, and Evaluation of Program Performance
The IUM should establish performance metrics and measure the effectiveness of the investigation
program. Performance metrics should be used to evaluate the performance of both the overall
investigation program as well as individual investigations. Performance monitoring and evaluations
should include:
a) Response and implementation of corrective actions;
b) Achievement of investigation objectives;
c) Value-added for the client;
d) Improved risk management and incident prevention;
e) Time management;
f) Resource management;
g) Ability to achieve objectives and implement individual investigation plans;
h) Competence and professionalism of investigation team members; and
i) Effectiveness of communication between all parties involved in the investigation.

5.6.2 Evaluating Program Outcomes


The integrity of the investigation program will be challenged by questions of investigator impartiality
and conflicts of interest, as well as the improper handling of sensitive information. The IUM and ITL
should revisit the risks identified during the risk assessment process of both the investigation program
and individual investigations to determine if the identified risks have been adequately controlled and if
any risks emerged that were not previously identified.

5.6.3 Nonconformity, Corrective, and Preventive Action


The IUM should establish, implement, and maintain procedures for dealing with nonconformities and
for taking corrective and preventive action for issues identified in the conduct of the investigation
program. The procedures should include:
a) Identifying and correcting nonconformities and taking actions to mitigate their consequences;
b) Evaluating the need for actions to prevent nonconformities and implementing appropriate
actions designed to avoid their occurrence;
c) Investigating nonconformities, determining their root causes and taking actions in order to avoid
their recurrence;
d) Recording the results of corrective and preventive actions taken; and
e) Reviewing the effectiveness of corrective and preventive actions taken.

5.6.4 Investigator Competence and Skills Improvement


Investigators should enhance their knowledge, skills and competence through continuing professional
development. The ITL should evaluate the performance of all the members of the investigation, with the
IUM evaluating the ITL. Evaluations should recognize both strengths and weaknesses to help with
investigator selection for future investigations.
The IUM and ITL should provide feedback to investigators, particularly investigators-in-training, to help
them enhance and maintain their proficiency. Evaluations should consider:
a) Personal behaviors and professionalism;
b) Communication skills;
c) Interactions with other team members and the persons in the investigation;
d) Ability to follow instructions;
e) Strengths and weaknesses at accomplishing specific investigation tasks and assignments;
f) Knowledge and evaluation skills related to the investigation;
g) Overall investigation knowledge;
h) Knowledge of relevant jurisdictional laws and regulations, or other obligations; and
i) Industry sector expertise.

Tip #19: Competence Improvement

The IUM, ITL, and members of the investigation team should pursue ongoing improvement of their investigation
competence. This may be accomplished by:

a) Skills training;

b) Mentoring and networking with industry peers;

c) Continuing education;

d) Pursuit and maintenance of certifications; and

e) Membership in professional organizations and societies.

5.7 Review and Improvement


5.7.1 Adequacy and Effectiveness
The IUM should review the investigation program to assess whether the investigation objectives are
being met and to ensure the program’s continuing suitability, adequacy, and effectiveness. Reviews
should include assessing opportunities for improvement and the need for changes in the investigation
program.
Investigation program review should include a review of:
a) Appropriateness of objectives, criteria, and scope;
b) Effectiveness of risk assessment and treatment process of the investigation program;
c) Conformity to investigation program procedures and jurisdictional laws and regulations, or other
obligations;
d) Effectiveness and accuracy of investigation methods;
e) Resource allocations (including human resources);
f) Maintenance of records and documentation; and
g) Protection and integrity of information.

5.7.2 Need for Changes


The IUM should monitor the context of the investigation program and manage change. Factors that may
trigger the need for changes in the investigation program include changes in the:
a) Needs, perceptions, and expectations of stakeholders and other interested parties;
b) Risk related to impartiality and conflict of interest (real and perceived);
c) Risk environment of the client and the investigators;
d) Organizational policy requirements;
e) Sector and industry trends, including identification of accepted industry practice;
f) Jurisdictional laws and regulations or other obligations;
g) Skills required for effective investigations; and
h) Availability of resources.

5.7.3 Opportunities for Improvement


The IUM should review the overall implementation of the investigation program to identify areas for
improvement. Continual improvement and investigation program maintenance should reflect changes
in the risks, activities, and operation of the program that will affect the achievement of objectives. The
IUM should ensure that any problems with the investigation program and their root causes have been
identified and that corrective measures have been initiated to prevent or minimize recurrence. Any
changes resulting from implementing improvements that will impact the on-going investigation
program should be identified by the IUM and communicated to the client, prior to implementation, to
ensure their understanding of potential benefits and any consequential process changes.
The IUM should address issues related to improvement of investigation program implementation and
the improvement of investigation competences. When appropriate, requesting client feedback on
possible investigation process improvements may be considered.

6 PERFORMING INDIVIDUAL PROCESS DRIVEN INVESTIGATIONS

6.1 General
This section focuses on individual investigations, both the preparation for and the execution of these
investigations. Depending on the scope of the investigation, not all provisions in this section are
applicable to all investigations.
An investigation can be conducted by an internal team, external team, or combination depending on the
resources of the organization and depth of expertise. An investigation often follows the order described
in this section; however this is not always the case depending on the circumstances of the investigation,
particularly the definition of investigation objectives.

6.2 Commencing the Investigation


6.2.1 Setting Objectives
Objectives of the individual investigation should be clearly understood and documented in order to focus
tasks, resources, and goals of the investigation activities. Investigations should include an analysis and
evaluation of the effectiveness of current risk treatment measures and opportunities for improvement.
Objectives are set within the context of achieving the organization’s overall business and risk
management objectives. Objectives should be anchored in key value drivers. In defining the objectives
for individual investigations, the following should be considered:
a) Nature of the organization’s objectives;
b) Events that could affect the achievement of enterprise-wide objectives (positively or negatively);
c) Clear outcomes to achieve from the investigation;
d) Use of the investigation outcomes;
e) Nature of investigations;
f) How the individual investigation relates to the overall investigation program;
g) Current control measures to manage risk and to protect tangible and intangible assets;
h) Metrics and indicators for measuring risk levels;
i) Timeframes for the investigation objectives; and
j) Resources needed to achieve the investigation objectives.
Objectives of individual investigations may be broadly defined to consider enterprise-wide strategic or
operational requirements; or more narrowly focused to consider issues and incidents related to specific
risks, products, activities, processes, or functions. The objectives can consider issues related to the
organization and/or all or part of its supply chain including jurisdictional laws and regulations or other
obligations, organizational policies, and managing risks.
Individual investigations may identify, analyze and evaluate risks related to one or more issues
contributing to uncertainty in achieving the organization’s objectives. Examples of individual
investigation types that will set the objectives for individual investigations may include, but are not
limited to investigating:
a) Adequacy and concurrence with organizational policies and procedures;
b) Incident or accident;
c) Employee misconduct;
d) Misuse or abuse of computer or IT system;
e) Substance abuse;
f) Due diligence;
g) Regulatory compliance violation;
h) Lifestyle or financial inquiries for the organization’s executives and personnel;
i) Personnel security or background;
j) Theft, pilferage, skimming, or misappropriation;
k) Assaults and crimes against persons;
l) Property damage and vandalism;
m) Inventory discrepancies or unexplained shrinkage;
n) Sabotage;
o) Industrial espionage;
p) Copyright and proprietary information violations;
q) Embezzlement or defalcation (appropriation of property by a person to whom it has been
entrusted);
r) Fraud (general, procurement, insurance, travel, accounting, etc.);
s) Product tampering (actual and hoax);
t) Diverted or counterfeit product;
u) Communicating threats;
v) Harassment, discrimination, and retaliation (e.g., gender, racial, religious, sexual);
w) Workplace violence (actual or potential) and stalking; and
x) Litigation support (varying according to whether the organization is the complainant or
respondent in a particular case).
Once defined, the objective(s) of the individual investigation should be written in a concise statement
and referred to in defining the scope, assumptions, procedures, and outcomes.

Tip #20: Dynamic Objectives

In order to be successful, the process of investigation must be fluid and dynamic. Because facts can alter outcomes, the
objectives of the investigation must be flexible. Situations change and the investigator must be able to adapt. As
information and facts are developed, the true nature of the problem becomes increasingly clear. It is logical therefore,
that if the nature of the problem under investigation is not what it was thought to be, then the objectives of the
investigation must change accordingly. Steering a rigid course, no matter how well planned in advance will not
typically get one to his desired destination when the destination has changed. In other words, the investigative process
cannot be so rigid and single-purposed that it cannot be altered when necessary.

6.2.2 Identification of Stakeholders


A stakeholder is any individual or organization that is directly or indirectly involved with or affected by
an organization’s decisions and activities. Internal and external stakeholders may be directly involved
in the investigation, impacted by the outcomes, influence the perception of the investigation, or be
individuals who should be considered when determining how to handle the actions driven by issues
addressed by the investigation.
Examples of stakeholders include (but are not limited to):
a) Internal
i. Persons working on behalf of the organization, such as employees (and their families)
ii. Business owners/partners
iii. Boards of Directors
iv. Trustees
v. Management
vi. Labor unions and workers’ associations
vii. Onsite contractors/vendors
b) External
i. Customers/clients, present and potential
ii. Contractors/vendors/distributors
iii. Investors/shareholders/donors/venture capitalists
iv. Competition
v. Bankers and creditors
vi. Trade associations
vii. Lobbyists
viii. Civil society and non-governmental organizations (NGOs)
ix. Media
x. Government and regulatory agencies
xi. Law enforcement personnel
xii. Emergency responders
xiii. Surrounding communities and community leaders

Tip #21: Stakeholder Influence

Care should be taken to not be influenced by the needs of stakeholders who may have a bias or agenda regarding the
outcome of the investigation. The investigation should be as confidential as possible and involving stakeholders may
impede efforts at confidentiality. Many employers have obligations under jurisdictional law and the impact on
stakeholders as part of the investigation may be irrelevant. Certainly care should be given to contractual relationships,
working relationships between complainants and subjects, co-workers, and third parties.

6.2.3 Identification of Internal Context and Variables


In setting the parameters of an investigation, consider the interrelated conditions in which objective(s)
exist or occur, as well as what the variables might be. Establishing the internal context involves
understanding how the following interrelated conditions apply to the investigation:
a) Capabilities of the organization in terms of resources and knowledge;
b) Information flows and decision-making processes;
c) Internal stakeholders;
d) Objectives and the strategies that are in place to achieve them;
e) Perceptions, values, and culture;
f) Policies and processes;
g) Standards and reference models adopted by the organization; and
h) Structures (e.g., governance, roles, and accountabilities).

6.2.4 Assumptions
Assumptions are frequently part of fact-finding and problem-solving and often linked to an individual’s
perspective and point of view. Investigators should be aware of assumptions and potential bias that can
occur. An investigator can potentially misinterpret information if the assumptions are not clearly
identified.
Persons conducting the investigation should consider:
a) What are the assumptions based on?
b) How are the underlying assumptions impacting the outcomes?
c) How is the assumption affected by the level of uncertainty?
d) Are the assumptions a reflection of investigator biases?
e) Are assumptions that something is a “given” based on opinions or evidence?
f) How do the assumptions affect the confidence in the interpretation of evidence?
g) Are assumptions about likelihood balanced by potential consequences in achieving objectives?
h) Could the assumptions be different if made by another individual?
i) Would the outcomes be different if they were based on different assumptions?
j) Were the assumptions made when setting the investigation criteria still valid in light of the
evidence and data gathered?

6.2.5 Defining Scope and Statement of Work


The scope may be enterprise-wide or limited to an organizational unit, geographic location, product flow,
or a particular activity or function. The scope defines the boundary conditions of the individual
investigation (what is in and out of the investigation). As with any project, scope is a function of
resources, authorities, and time.
Care should be taken not to over-scope or under-scope the investigation. When defining the boundaries
of the investigation, the scope should be synchronized with the objectives and needs of the client, as well
as the objectives and scope of the overall investigation program. Under-scoping may result in some
organizational objectives, assets, stakeholders, or threats being overlooked. Under-scoping may result
in tunnel vision with regard to the interaction of factors in the investigation. Over-scoping may result in
a waste of time and resources without being able to provide enough focus to the needs of the client.
A scope statement should be prepared clearly defining the boundaries of the investigation. This should
include a statement of work highlighting the organizational, physical, operational, logical, and
logistical parameters included in the boundaries so as to explicitly delineate what is in and what is out of
the investigation. The ITL should obtain from the client verification or permission and access to conduct
the investigation within the stated scope. Changes in the scope of the investigation should be reviewed
and approved in writing by the authorized client representative.

6.2.6 Policy and Management Commitment


Prior to commencing the investigation on-site activities, the ITL should obtain the appropriate
authorization and support of the client and/or top management in the form of a policy statement. The
policy statement may include statements of:
a) Investigation objectives;
b) Importance of investigation to the organization being assessed;
c) Clear authorization to conduct the investigation within the stated scope;
d) Need for confidentiality and information integrity;
e) Client and/or top management commitment to engage in setting criteria and reviewing output;
f) Commitment of persons working on behalf of the organization to share information with
investigators; and
g) Commitment of the client to communicate the importance of participation in the investigation
to persons working on their behalf within the scope.

6.2.7 Commitment of Resources


The ITL should obtain the appropriate commitment of resources from the client and/or top management
to conduct the investigation activities. If the ITL determines that there is insufficient time and resources
allocated to conduct the investigation, the client should be notified. If additional resources cannot be
secured then the objectives and scope of the investigation should be modified accordingly with the
agreement of the client.

6.3 Planning Investigation Activities


The investigation is an iterative process consisting of the steps described in the following sections and
based on the PDCA model.

6.3.1 Assessment Phase Analysis


The assessment phase of the investigation involves examination and evaluation of the fundamental facts
regarding the allegation or problem and generally involves some type of initial inquiry or assessment.
For example, in the case of workplace investigations, considerations in this phase include:
a) Determining if the parties suspected have a relationship with the organization and were working
on the date and time in question (including off-duty or off-site);
b) Determining what policies, practices, and precedents exist which may impact the intended
investigation and the manner in which it is to be conducted;
c) Who else in the organization should be notified prior to the initiation of the fact-finding or before
investigatory interviews take place;
d) Is there a concern about bias, reporting or other relationships that would warrant looking to retain
an outside investigator; and
e) Are there any parties external to the organization that should be notified and if so, who.
Other factors that may be considered during the initial inquiry or assessment to determine if the matter
warrants an investigation include (but are not limited to):
a) Are the allegations, accusations, or suspicions credible?

b) Does the allegation require an investigation consistent with jurisdictional laws and regulations
or other obligations?

c) Does the investigation fall within either the grievance or whistle-blower policies of the
organization?

d) What might happen if the matter is simply ignored?

e) What does a successful investigation look like?

f) How might the results be used?

g) Could the results include prosecution, restitution, or discipline?

h) Can the investigation drive a reduction of risk and identify opportunities for improvement?

6.3.2 Jurisdictional laws and regulations or other obligations


When conducting an individual investigation, the ITL should revisit the jurisdictional laws and
regulations, or other obligations discussed in Section 5.4.2 relative to the objective and scope of the
individual investigation.

Tip #22: Legal Privilege

Legal privilege can be invoked in certain cases to protect legal work, thought process and legal communication by the
organization's attorneys from disclosure. Legal privilege can extend to investigations, particularly if those
investigations are conducted in anticipation of litigation and directed by an attorney. Litigation can result from most
circumstances that warrant investigations. Therefore, an investigator should consult with the legal counsel to
determine whether and how to preserve privilege protections for an investigation. In general, the privilege is protected
by demonstrating an intent to protect the privileged nature of the documents and keeping the investigation confidential.
Common strategies to protect legal privilege include marking documents with statements such as "Confidential:
Privileged Communication" and limiting the investigation results to those who have a reason to know related to the
litigation. The investigator is encouraged to obtain advice from the organization's attorney on when to use the
statement "Confidential: Privileged Communication" and on which types of documentation. Be mindful that
communication or distribution of privileged documentation, including e-mails, may result in the loss of privilege and
should be avoided.

6.3.3 Process, Scope, and Structure


The ITL should clearly define the process, scope, and structure of the investigation to ensure efficiency
and to make certain the goals are clear to all involved. This provides a basis for analyzing the results of
the investigation. A clearly defined process demonstrates its integrity and credibility.
Considerations in defining process and structure include (but are not limited to):
a) Credibility of the allegation;
b) Identity of those involved;
c) Location;
d) Jurisdictional laws and regulations, or other obligations;
e) Resources and logistics;
f) Precedent;
g) Past practices; and
h) External notification requirements.
Time is the challenge in conducting investigations that achieve their objectives. The ITL needs to
develop an investigation strategy, or “path”, to collect data in a representative, logical, and methodical
manner. Effective planning is necessary to make efficient use of time to ensure an informative
investigation. Depending on the desired outcomes for the investigation and whether the scope is
enterprise-wide or limited to a specific area, process or project, reasonable targets and timelines should
be established within the constraints of available resources and funding.

6.3.4 Information Gathering


It is the investigation team’s responsibility to collect factual information within the defined scope and
criteria. The investigation team will determine its findings based on the evidence obtained. The
investigation team should have a well-developed information collection strategy and sampling plan.
Information can be gathered from various sources, including (but not limited to):
a) Review of documents, performance indicators, and records;
b) Websites and databases;
c) External reports (e.g., industry publications, crime statistics, and government reports);
d) Interviews with persons (internal and external);
e) Physical, documentary, and electronic evidence; and
f) Observation of operational processes.
The ITL, in consultation with investigation team members, should determine how much information
needs to be gathered. Some investigations are designed to find systemic weakness and opportunities for
process improvements. For those investigations, it may be necessary to develop a sampling plan to select
representative items and elements from the overall population. Sampling examines selected items and
elements from the overall population. The method of sampling should be defined and documented using
sampling practice and procedures appropriate for the data collection objectives. If contradictory data is
collected or possible systemic problems are identified, the sampling size may be increased to determine
if there is a trend or pattern.

6.3.5 Review of Documentation


Before performing the investigation, the ITL should obtain initial documentation about the organization,
the incident, and/or individuals to be investigated in order to prepare for the investigation activities. The
ITL and investigation team should review relevant documents to determine the investigation activities
and better understand the client and organization. This includes organizational policy documents,
mission statements, organization profiles, organizational structure, management system, and industry
practices. It also includes information related to products, services, processes, and activities, as well as
understanding the geographic extent, interactions, and dependencies.
The ITL should consider obtaining previous investigation reports but should exercise care not to bias
current investigation efforts. Proprietary concerns and non-disclosure agreements may need attention.
Sufficient documentation should be obtained in preparation of the investigation to determine if the
investigation is properly designed and if there are any significant gaps.

6.3.6 Preparing the Investigation Plan


The ITL prepares an investigation plan based on objectives, scope, and criteria in the investigation
program and the documentation and information provided by the client. The investigation plan may be
reviewed and accepted by the client according to the stipulations of the investigation program. The
investigation plan should be presented to the client prior to beginning activities. Any issues raised by the
client should be resolved between the ITL and the client.
The investigation plan may identify, where relevant:
a) Objectives and scope of the investigation;

b) Investigation criteria such as risk criteria, standards, contracts, regulations, manuals, and
reference documents to be used in the investigation;

c) Follow-up activities from previous investigations;

d) The client, management representative, guides, and the divisions, facilities and functions
related to the investigation;

e) Investigation team members (e.g., ITL, investigators, technical experts, observers), their roles
and responsibilities;

f) Identifying the standard (or burden) of proof;

g) Allocation of appropriate resources and any limitations;

h) Investigation logistics including date and place of the investigation, travel, lodging, and
facilities;

i) Timeframe and overall schedule of investigation activities;

j) Communication procedures including meetings with client and investigation team;

k) Investigation methods including evidence collection and sampling methods;

l) Issues identified related to the investigation, the client, organization, and investigation team;

m) Confidentiality, safety, health, and security measures;

n) Conditions that warrant stopping the investigation;

o) Language of the investigation and report;

p) Investigation report topics; and

q) Specific exclusions.

The investigation plan should:


a) Provide the basis for the agreement with the client for the conduct of the investigation;

b) Consider the effect that the investigation activities may have on the client and its functions;

c) Facilitate efficient communication, coordination and scheduling of the investigation activities to
most efficiently and effectively achieve the objectives;

d) Take into consideration the competence and composition of the investigation team (including
whether technical or security experts are needed);

e) Outline appropriate investigation methods and practices (e.g., sampling and interview
techniques); and

f) Provide for scope and mission change approval procedures.

The complexity and scope of the investigation and the confidence level of achieving the investigation
objective determine the amount of detail needed in the investigation plan. The scope of the investigation
may be dynamic. The investigation plan should include appropriate flexibility to allow for changes as
the investigation progresses. Significant changes should be reviewed and approved by the client.

6.3.7 Identifying the Investigation Team


The ITL delegates responsibility to each team member regarding the specific processes, activities,
locations, and functions of the investigation. When delegating the roles and responsibilities, the
individual investigation team members’ competencies, strengths, and weaknesses are taken into
consideration, as well as the effective use of resources.
The ITL should decide on the frequency of the team briefings that are held to ensure the investigation
objectives are met, work assignments are correctly allocated and decisions regarding possible
amendments are made.
Throughout the investigation, the investigation team should be aware of changing circumstances or risks.
Investigators and the ITL should work collaboratively to address these changes in order to achieve
investigation objectives. The ITL should communicate to the client representative any identified
significant risks (particularly threats to health, safety and security of the investigation team or client’s
organization) as well as recommended changes to the investigation plan.

6.3.8 Determining Feasibility


The ITL should determine the feasibility of achieving the investigation objectives. If the investigation is
considered feasible there should be reasonable confidence that the investigation objectives can be
realized. If the investigation is not feasible, the ITL should promptly notify the IUM and client.
Investigation preparation should be suspended until all parties agree to subsequent changes.
Factors that contribute to the feasibility of the investigation include:
a) Adequate resources committed to the investigation;
b) Adequate time within scheduling constraints;
c) Availability of investigation team personnel with the mix of characteristics, competences, and
necessary clearances;
d) Cooperation with the client and conducive work environment;
e) Availability of interviewees (including complainant and respondent);
f) Access to adequate and relevant information for preparing and conducting the investigation;
g) Logistics;
h) Language requirements; and
i) Constraints imposed by jurisdictional laws and regulations, as well as organizational policies.

6.3.9 Documentation and Document Control


The ITL should maintain records to support the investigation activities. The ITL should establish,
implement, and maintain procedures to protect the sensitivity, confidentiality, and integrity of records
including access to, identification, storage, protection, retrieval, retention, and disposal of records.
Record retention should be consistent with what is required or limited by law.
The IUM and ITL should establish, implement, and maintain procedures to:
a) Ensure an appropriate location for the storage of documents;
b) Approve documents prior to issue;
c) Protect sensitivity and confidentiality of information;
d) Review, update as necessary, and document revisions;
e) Record amendments to documents;
f) Make updated and approved documents readily available;
g) Ensure that documents remain legible and readily identifiable;
h) Ensure that documents of external origin are identified and their distribution controlled
pursuant to originator requirements;
i) Prevent the unintended use of obsolete documents; and
j) Ensure the appropriate, lawful, and transparent destruction of obsolete documents.
The ITL should ensure the integrity of documents by rendering them securely backed-up, accessible only
to authorized personnel, and protected from unauthorized disclosure, modification, deletion, damage,
deterioration, or loss.

6.4 Conducting Investigation Activities


6.4.1 Preparing Work Documents
Investigation team members prepare work documents to facilitate and record their investigation and
report its results. Working documents both provide a flexible roadmap for conducting the investigation
activities and record observations for investigation evidence. Work documents should show what was
evaluated, how it was evaluated, what was examined and what was observed. Work documents can
include checklists, investigation sampling plans, and forms for recording information including
investigation findings and records of meetings.
Well-prepared work documents can help improve investigation time management. The use of checklists,
forms, process maps and log sheets should provide structure for the various investigation activities.
However, the use of checklists should not restrict what an investigator needs to do and should be flexible
enough to consider changes that take place throughout the investigation.
When developing the work documents, procedures should be specified for their retention, access, and
the need to protect confidential and proprietary information. The integrity of the information should
be ensured at all times.
Effective work documents should:
a) Be tailored to the purpose;
b) Indicate background information needed;
c) Guide the investigator about what objective evidence needs to be examined;
d) Record the process of evidence collection;
e) Outline the types of questions to ask;
f) Clearly identify and explain sampling techniques;
g) Include space to document samples taken, documents reviewed, as well as record comments and
observations;
h) Provide evidence of the thoroughness of the investigation; and
i) Be reviewed at the end of the investigation for effectiveness and improvement.
Checklists should be reviewed before each investigation to determine if they are still relevant and
appropriate. Checklists should be designed to:
a) Maintain clarity of the investigation’s objectives;
b) Provide structure;
c) Help ensure thoroughness;
d) Maintain the rhythm and continuity of the investigation;
e) Reduce the investigator’s bias, thereby increasing objectivity in evidence;
f) Reduce the workload during the investigation and provide formatted evidence collection; and
g) Provide a record of the investigation and evidence collection.

6.4.2 Assigning Roles and Facilitating Communication among Team Members


The ITL should make specific investigation assignments based on the competence of the individual
investigators and reflect the complexity of the investigation tasks. There should be a balance in the
investigation team between technical, legal, industry, administrative, and risk management knowledge.
The ITL should assign and communicate investigation responsibilities prior to commencing the
investigation.
Formal channels of communication between the investigation team, client, and external bodies (where
applicable) may be necessary during the investigation. This may be especially necessary where
jurisdictional laws and regulations or other obligations require the mandatory reporting of certain risk,
contractual, and regulatory violations.
Communication within the investigation team should occur regularly to assess the progress of the
investigation, reassign work among the investigation teams, and exchange information as needed.
Frequency of the communication should be as often as necessary based on the complexity of the
investigation and the needs of the investigation team. Team briefings confirm the updated information
of the investigation and provide the ITL the opportunity to clarify the investigation team members’
evidence and their interpretation. This is particularly important in cases where team members will not
be on-site through the end of the investigation. If there is a concern about an issue outside the
investigation scope, it should be noted and reported to the ITL. It is up to the discretion of the ITL to
communicate the concerns with the client.
The progress of the investigation and any concerns regarding the investigation should be communicated
by the ITL to the client on a regular basis, as needed.
If evidence collected during the investigation suggests or indicates an immediate and significant risk to
the organization, client, or investigation team, the client should be informed of the risk without delay.

The ITL should report and provide an explanation to the client if the available investigation evidence
suggests that the investigation objectives are unattainable. The ITL and client should determine the
appropriate action (e.g., modify the investigation plan, change the investigation scope or objective, or
terminate the investigation). The need for a change in the investigation plan may become apparent
through the progression of the investigation and should be reviewed and approved by the client and
IUM, where appropriate.

6.4.3 Conducting a Pre-Investigation Meeting


The pre-investigation meeting (sometimes called the “kick-off meeting”) with the client typically initiates
the information collection phase of the investigation. Pre-investigation meetings will vary from formal
face-to-face meetings to informal verification of the investigation’s objectives and methodologies. The
purpose of the pre-investigation meeting is to:
a) Confirm the investigation plan – review the purpose, scope and outline of the investigation
process;
b) Introduce the investigation team and meet counterparts of the organization or client
participating in the investigation;
c) Confirm communication channels;
d) Verify clearances and approval to conduct the investigation;
e) Verify the feasibility of investigation activities; and
f) Provide an opportunity for the client to ask questions about the investigation.
The ITL chairs the pre-investigation meeting. A designated investigation team member should record
attendance and minutes. It may be held with the client’s management who are responsible for the
services, functions, or processes being investigated.
The pre-investigation meeting should be as detailed as necessary to ensure everyone present
understands the investigation process. The pre-investigation meeting is where, at a minimum, the nature
of the investigation is explained. The formality of the meeting is dependent on the type of investigation
being conducted.
The following items are appropriate for the pre-investigation meeting (where applicable):
a) Identification of members of the investigation team to client representatives, including experts,
observers, and guides. Each of their roles should also be explained;
b) Confirm the investigation plan - scope, criteria, reference standards, objectives, and methods
used in the investigation;
c) Confirm the logistics of the investigation including:
i. Schedules – especially site visits and meetings;
ii. Communication channels between the client and the investigation team;
iii. Language to be used during the investigation;
iv. Issues of health and safety, as well as accommodation(s) for persons with disabilities;
v. Review security and emergency procedures for the investigation team;
vi. Any issues related to information security and confidentiality; and
vii. An overall investigation schedule, showing topics, investigators, and approximate times
to complete.
d) Discuss with the client how the investigation findings will be reported including the method of
presenting investigation findings;
e) Confirm how the client will be informed of the progress of the investigation;
f) Confirm what resources and facilities will be made available to the investigation team;
g) Express the conditions in which the investigation may be terminated;
h) Explain how findings of the investigation will be delivered; and
i) Give information regarding the systems for feedback from the client on the results of the
investigation, as well as the system for complaints and appeals.
The pre-investigation meeting sets the tone for the investigation and establishes the communications
channel between the client and the investigation team. The ITL should prepare an agenda for the pre-
investigation meeting and project both knowledge and confidence in the investigation activities.
Investigation team members should participate in the pre-investigation meeting only if called upon by
the ITL.

6.4.4 Information Collection and Analysis

6.4.4.1 General
The investigation team's responsibility is to collect, analyze, and document information which is relevant,
credible, and supportable. It is the investigator's role to assess the information and determine by a
preponderance of the evidence whether it is sufficient to draw conclusions. The investigation team
should have a well-developed data collection strategy and sampling plan to ensure the gathering of
comprehensive information. Avoid collecting information unless specifically required to achieve the
objectives of the investigation.
Information can be gathered from various sources, including (but not limited to):
a) Review of documents, performance indicators, and records;
b) Digital evidence (e.g., websites, email accounts, mobile phones, social media, and databases);
c) External reports;
d) Interviews with persons;
e) Physical evidence; and
f) Observation of operational processes.
The ITL, in consultation with investigation team members, should determine how much evidence needs
to be gathered in order to achieve credible findings and conclusions. When developing a sampling plan
it is important to keep in mind that the investigation can provide added value to the client if systemic
weaknesses and opportunities for improvement are identified. Sampling examines selected items and
elements from the overall population. The method of sampling should be defined and documented using
sampling practice and procedures appropriate for the data collection objectives. If contradictory data is
collected or possible systemic problems are identified, the sampling size may be increased to determine
if there is a trend or pattern of problems.
Evidence is collected by appropriate sampling techniques from multiple sources of information (e.g.,
documents, records, interviews, and observations). The evidence is then evaluated against the
investigation criteria to produce investigation findings. Findings are then discussed and evaluated to
form the conclusions of the investigation.

Tip #23: Types of Evidence

a) Testimonial evidence: Most, if not all, investigations will involve collecting this type of evidence. Testimonial
evidence is derived from interviews with subjects or interviewees, stakeholders and affected parties, and
subject matter experts.
b) Documentary evidence: As the name implies, is derived from documents and other writings (hard copy or
electronic). Documents could include but are not limited to: invoices, forged or altered company records,
sales records, etc.
c) Physical evidence: Physical evidence is derived from physical objects, such as computers, smartphones,
equipment, tools, process equipment, company vehicle, etc.

6.4.4.2 Collecting and Verifying Evidence


Collecting and verifying evidence requires the investigator to combine the various methods of
investigation available and deploy them in a precise sequence and measure. Tactically, the investigator
mixes and matches the methods to determine what is appropriate at the appropriate time. This mix is
largely predetermined during the planning phase. The investigation team, ITL, and client should
together determine the investigative tools to be used and when they should be used. By front-ending
the process with sufficient planning and sequencing the investigative tools to be used, the objectives are
usually easier to achieve and the investment necessary to achieve them is diminished.
The information and evidence gathered is what drives the findings and conclusions. The purpose is to
gather the information and evidence to support the findings and conclusions. This point is missed all too
often by many investigators. Many practitioners fail to appreciate that the successful gathering of
information does not mark the end of the investigation. The successful gathering of information provides
the foundation from which to move forward.
Interviews, observations, and physical evidence are collected during the investigation. Physical
examination of processes, equipment, IT systems, and products is a reliable source of objective
information. Observing work activities to determine if they are being conducted according to defined
requirements is also a reliable source of objective evidence.
Information obtained by interview should be assessed for reliability and may need to be corroborated.
It is important that investigators develop good interviewing techniques to maximize reliability and
minimize pitfalls, and to establish a rapport with the interviewee to promote the sharing of information.
Where feasible, the interview should take place during normal operating hours, at a location respecting
the individual’s privacy and personal space (be sensitive to language, cultural, gender, disability, and
authority issues). Interviews are conducted to obtain factual information and should not be used for
intimidation. When conducting an interview the investigator should:

a) Establish rapport by providing a personal introduction and exchange business cards where
appropriate;
b) Explain the purpose of the interview emphasizing that the interviewee will provide important
and useful information;
c) Explain, consistent with the organization's practices and any legal limitations, that the
interviewee should treat the substance of the interview as a confidential matter, or one
warranting a high degree of discretion;
d) Inform the interviewee about non-retaliation policies for raising issues or participating in the
investigation;
e) Explain reasons for note-taking during the interview and explain that the information elicited is
to be handled with appropriate confidentiality;
f) Use a funneling technique during the interview process;
i. Start with an open-ended question to get the interviewee to describe their work and
activities related to the investigation (this may include asking the interviewee to provide
free associations regarding investigation topics);
ii. Use clarifying or probing questions to fill gaps and obtain additional information; and
iii. Closed-ended questions may be used to obtain additional information on specific points.
g) Analyze the major issues raised during the interview to determine if additional information is
needed;
h) Summarize and review the salient points of the interview with the interviewee;
i) Where appropriate, obtain a written, signed statement from the interviewee that incorporates
the important information provided during the interview;
j) Explain any next steps that may be necessary with regard to the interviewee; and
k) Thank the interviewee for their contribution and sharing their time.
See Annex F for additional information on types of questions.

Tip #24: Considerations when Conducting Interviews.


A cooperative interviewee can provide information about their immediate and past actions, as well as provide
information regarding others. Information provided about cohorts is corroborative only. However, the accumulation
of enough corroboration could justify the interview of an individual not identified during the information-gathering
phase of the investigation. The resultant expansion of information and intelligence and ultimate identification of many
more additional offenders significantly enhances the ROI.

Interviews may also yield admissions. Depending on jurisdictional laws and regulations or other obligations, a
properly obtained admission constitutes the best evidence obtainable. Unlike criminal law, where admissions and even
confessions often only have corroborative value, private investigations need only to proffer an admission to make a
case and may be used even when other information may be in conflict. However, the investigator should exercise
caution and assess whether an admission is consistent with other facts in the case or is being used to mask other factors.

If there are any inconsistencies within one person's response, the interviewer should note and attempt to resolve those
inconsistencies by giving the interviewee the opportunity to explain, re-posing the question, or through other
investigative methods. The investigator should attempt to determine the reasons for inconsistencies (e.g., cognitive
processes, questioning techniques, external influences, or untruthfulness).

6.4.4.2 Evidence and Evidence Management

6.4.4.2.1 The Definition of Evidence


Evidence is any type of proof that, when presented, is materially capable of proving or disproving an
assertion or fact. In order to be used or be admissible, the evidence should be:
a) Competent;
b) Relevant; and
c) Material.

Tip #25: Types of Evidence


Admissibility of evidence is determined by jurisdictional laws. It is important to understand the categories of evidence
and their potential for use in legal actions. Factors affecting the type of evidence include (but are not limited to):

a) Direct evidence: Is information that is based on personal knowledge or observation. Direct evidence may also
include documentary or electronic evidence, a documented event, recorded conversations, or an original
contract. It directly proves or disproves a disputed fact without inference or presumption. Direct evidence, if
true, conclusively establishes that fact. Testimony from an interviewee who actually experienced an event is
an example of direct evidence.

b) Circumstantial or indirect evidence: Is information that is associated with the fact being investigated and that
the fact to be proved may be inferred from the existence of the indirect evidence. Inference drawn from one
piece of indirect evidence may not guarantee accuracy of the association. Presence at an event is an example
of circumstantial evidence.

c) Forensic evidence: Is information obtained by scientific methods that are based on scientific theories that are
established and accepted in the scientific community. Examples of forensic evidence include ballistics, and
blood and DNA testing.

d) Hearsay evidence: Is information provided by a person who does not have direct knowledge of the fact
asserted, but knows it only from being told by someone else or from a secondary source (e.g., media, online
research and resources). Hearsay evidence may be useful in the investigative process and may identify other
sources of information. The admissibility of hearsay evidence varies by jurisdiction.

e) Admissibility of evidence: Is information which the adjudicator finds is useful in establishing the facts of an
event that are considered relevant and material. Depending on the type of proceedings the adjudicator will
establish “rules of evidence” to determine what is admissible and what may prejudice the objectives of
determining the truth.

f) Materiality of evidence: Information that relates to specific issues necessary for proving or disproving a case
is considered material. Materiality of the evidence is based on the relevance of evidence associated with the
facts being investigated.

6.4.4.2.2 Hearsay Evidence


Hearsay evidence is evidence that does not come from an interviewee’s or other individual's first-hand
personal knowledge but rather from what the witness has heard others say or from a secondary source
(e.g., media, online research and resources). The investigator should determine the credibility of hearsay
evidence. Hearsay evidence can provide context of the events and identify additional sources of
information. The investigator should determine the relevance of the information.

6.4.4.2.3 Admissibility and Materiality


Unlike a court or an administrative hearing, investigations are not subject to the rules of evidence. Thus,
the investigator will need to gather evidence and determine whether the evidence is both material (that
is, whether it is relevant to the matter being investigated) and reliable (that is, that the investigator
understands the difference between direct, indirect, and hearsay evidence and can properly weigh
evidence based on its reliability). While all information gathered might be considered, the investigator
should be able to differentiate between information that is more or less reliable and explain why they
relied on certain information or discounted other information.

6.4.4.2.4 Spoliation of Evidence


Spoliation is the intentional or negligent destruction of evidence, and may constitute an obstruction of
justice. Spoliation is also the destruction, or significant and meaningful alteration of a document or
instrument. Under jurisdictional laws, regulations or other obligations, the rules of evidence impose an
obligation to retain and produce evidence deemed admissible and relevant in criminal and civil matters.
The intentional and sometimes unintentional destruction of evidence may be unlawful and/or civilly
actionable. Litigation and criminal indictments of both the organization and the responsible parties are
not uncommon in cases of spoliation of evidence. Claims of spoliation may later arise if items such as e-
mails, notes, and apparently extraneous documents are discarded. As such, it is recommended that in
the course of investigation, nothing should be destroyed that may later be considered evidence. The
investigator should consider informing the client of spoliation issues and recommend the client seek
advice to ensure evidence is not tampered with or destroyed.

6.4.4.2.5 Evidence Retention


Evidence retention and preservation are critical. The mishandling and misplacement of evidence can
lead to faulty conclusions, wrongful terminations, claims of spoliation, and civil or criminal liability. The
reconstruction of evidence is time-consuming, expensive, and likely inadmissible as evidence.
An evidence file may be nothing more than a folder in which evidentiary documents are placed for
safekeeping. Accordion folders, corrugated boxes, file cabinets or safes may also be used to store
evidence. When necessary, consideration should be given to an evidence locker or storage vault.
Regardless of its form or construction, the safe storage of evidence is essential to assure the integrity of
the investigation.

6.4.4.2.6 Evidence Custody and Transfer


If there is a transfer of evidence from one party to another, it should be carefully documented. Each
person who handles or takes control of evidence must be recorded, creating what is called the chain-of-
custody. A chain-of-custody document at a minimum identifies each custodian, when they received it,
and to whom it was transferred. There should be no gaps during which the evidence was unaccounted
for or out of the control of a custodian-of-record. A broken chain-of-custody exposes the evidence to
challenge and jeopardizes its admissibility.
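
The minimum chain-of-custody record described above (each custodian, when they received the item, and to whom it was transferred) can be checked mechanically for gaps. The following Python code is an added example, not part of the Standard; the field names, the `max_handoff` tolerance, and the sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class CustodyEntry:
    """One line of a chain-of-custody form (field names are assumptions)."""
    custodian: str                           # who took control of the item
    received_at: datetime                    # when they received it
    released_at: Optional[datetime] = None   # when they handed it on
    transferred_to: Optional[str] = None     # to whom they handed it


def find_custody_problems(entries: List[CustodyEntry],
                          max_handoff: timedelta = timedelta(0)) -> List[str]:
    """Return a list of human-readable problems; an empty list means no gaps.

    entries must be in chronological order. max_handoff is the longest
    interval tolerated between one custodian's release and the next
    custodian's receipt (zero by default: a hand-to-hand transfer).
    """
    if not entries:
        return ["no custody entries recorded"]

    problems = []
    for i, entry in enumerate(entries):
        label = f"entry {i + 1} ({entry.custodian})"

        # A release time without a recipient (or the reverse) is incomplete.
        if (entry.released_at is None) != (entry.transferred_to is None):
            problems.append(f"{label}: release time and recipient must be recorded together")
        if entry.released_at is not None and entry.released_at < entry.received_at:
            problems.append(f"{label}: released before it was received")

        if i == len(entries) - 1:
            continue  # the last entry is the current custodian-of-record
        nxt = entries[i + 1]

        if entry.released_at is None:
            problems.append(f"{label}: no release recorded although {nxt.custodian} holds the item later")
            continue
        if entry.transferred_to != nxt.custodian:
            problems.append(f"{label}: handed to {entry.transferred_to} "
                            f"but next recorded custodian is {nxt.custodian}")

        gap = nxt.received_at - entry.released_at
        if gap > max_handoff:
            problems.append(f"{label}: item unaccounted for {gap} before {nxt.custodian} received it")
        elif gap < timedelta(0):
            problems.append(f"{label}: {nxt.custodian} recorded receipt before the release")
    return problems


# Constructed sample data: an unbroken chain ending with the current custodian.
GOOD_CHAIN = [
    CustodyEntry("Investigator A", datetime(2015, 3, 2, 9, 15),
                 datetime(2015, 3, 2, 11, 0), "Investigator B"),
    CustodyEntry("Investigator B", datetime(2015, 3, 2, 11, 0),
                 datetime(2015, 3, 4, 16, 30), "Evidence custodian"),
    CustodyEntry("Evidence custodian", datetime(2015, 3, 4, 16, 30)),
]

# Constructed sample data: the named recipient never signed, and the next
# signature appears 21 hours later under a different name.
BROKEN_CHAIN = [
    CustodyEntry("Investigator A", datetime(2015, 3, 2, 9, 15),
                 datetime(2015, 3, 2, 11, 0), "Investigator B"),
    CustodyEntry("Investigator C", datetime(2015, 3, 3, 8, 0)),
]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("broken", BROKEN_CHAIN)):
        issues = find_custody_problems(chain)
        print(name, "chain:", "no gaps found" if not issues else "")
        for issue in issues:
            print("  -", issue)
```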

Tip #26: Sample Evidence Chain-of-Custody Form

Improper handling of evidence exposes both the investigator and the evidence to credibility challenges.
Claims of evidence tampering, alteration or contamination are possible when evidence is mishandled.
Therefore, the transport and storage of evidence should have clearly defined procedures to assure the
integrity of the information.

6.4.7 Generating Investigation Findings


Investigative findings should be determined by carefully evaluating the information gathered and then
deciding, based on the evidentiary standard being utilized, whether the information is sufficient to
meet the applicable burden of proof. Findings should be based on substantial and credible information.
This could be one credible direct witness or it could be based on indirect information that tends to
corroborate that an event or allegation did or did not occur. Sometimes a finding can be made based on
a credible account by a complainant, without any corroborating witness.
In some cases, the investigator will also discuss in the findings opportunities for improvement and
current accepted industry practices. This will help the client understand the effect of issues under
investigation on the organization.
When creating findings, the investigation team should identify the investigation criteria being assessed,
and evaluate the information gathered to support the findings. Every finding should be traceable back
to the information gathered.

The investigators should understand the standard of proof to be used. Most civil cases utilize the
standard of proof of “preponderance of the evidence,” that is, whether it is more likely than not that
the event occurred.

6.4.8 Preparing Investigation Conclusions


The ITL, in conjunction with the investigation team, should prepare the investigation conclusions in a
team meeting prior to the closing meeting. There should be consensus among the investigation team on
the findings and conclusions. Disputes should be resolved by the ITL and unresolved issues should be
recorded.
During this meeting the investigation team should:
a) Review the evidence, information collected during the investigation, and its findings against the
investigation objectives;
b) Prepare recommendations, where applicable (this can include recommendations for
improvement and/or future investigation activities); and
c) Discuss follow up to the investigation, where applicable.
The investigation report should be clear and actionable. For the conclusions of the investigation to be
useful, any findings should indicate the criteria and reason for the findings. The client should
understand both what was found and what they need to consider in developing an action plan to correct
any deficiencies, or implement any opportunities for improvement or accepted industry practices. The
investigation report will provide the script and documentation for the closing meeting.

Tip #27: Decision-Making and Discipline

It should be emphasized that decision-making regarding discipline is the responsibility of the client organization’s
decision-makers. It is often better that the investigator is not involved in the decision-making or discipline
disbursement phase of the investigation. To do otherwise may create the appearance of bias or prejudice. Similarly,
those who are not investigators should not become part of the fact-finding process. Segregating these duties enhances
the independence and impartiality of the investigation.

6.5 Post Investigation Activities


6.5.1 Conducting Post-Investigation Debriefing
The post-investigation meeting ends the on-site activities of the investigation and presents an
investigation summation, draft, or preliminary investigation report to the client. Depending on the
organizational structure, the post-investigation meeting should be facilitated by the ITL or IUM. The
purpose is to present the investigation team’s conclusions and findings to the management of the
organization, and those responsible for the areas being investigated, where applicable. The post-
investigation meeting may present areas of both upside and downside risks, as well as strengths and
weaknesses in the risk management system and opportunities for improvements. A designated
investigation team member should record attendance and minutes.
The level of detail is dependent on the level of familiarity the client has with the investigation process.
The formality of the meeting is dependent on the type of investigation. In some cases, a formal
meeting is necessary with records of attendance and minutes, while in others the meeting may be a less
formal communication of the investigation findings.
If situations arose during the investigation that might call the results of the investigation into question,
the investigation team should advise those present of the situation. Furthermore, any differences in
opinion regarding the investigation conclusions or findings within the investigation team should be
discussed. The parties should try to resolve any disagreements. If the parties cannot resolve their
differing views, it should be recorded.
Participants may discuss an action plan to address investigation findings and adapt the risk management
system, where needed. Recommendations for improvements may be presented if specified by the
investigation objectives. It should be clear that any recommendations are non-binding, and it should be
noted that in subsequent investigations these may bias an impartial evaluation.
The following points should be addressed with the organization’s management so that they are
acknowledged and understood at the post-investigation meeting (where appropriate):
a) The investigation findings and conclusions;
b) The method of reporting;
c) The handling of investigation findings and possible consequences;
d) Implications for improved management of risk; and
e) Post-investigation activities, including recommendations for risk treatments and corrective
action (where applicable).

Tip #28: Recommendations for Improved Risk Management

Some investigations provide opportunities to improve the organization’s policies, practices and system for managing
risk. The client and investigation team critique the effort, benchmark, identify best practices and analyze their
performance. Additionally, the client and investigation team may assess the damage and identify root causes. What
was it that allowed the problem to occur and how can it be prevented in the future? This evaluation provides ROI to
the organization. Clearly, if the organization continues the same practices, it is likely to get the same result again in the
future. Such behavior is worse than pointless; it may also be negligent. Under the legal theory of foreseeability,
negligence is compounded when a party should have reasonably foreseen an event that could have been prevented
had it taken corrective or preventative action. Organizations make the mistake often and in doing so incur unnecessary
additional liability.

6.5.2 Reports and Records


The investigation report communicates the results of the investigation to the client and organization, as
well as provides a complete and concise record of the investigation.

6.5.2.1 Overview
The investigation report is prepared by the ITL, with input from the investigation team, and is provided
to the IUM as soon as possible after the post-investigation meeting. The investigation report is approved
and reviewed by the IUM prior to distribution. For credibility, any changes to the report, including
findings, should be made by the ITL. The client determines who will receive copies of the investigation
report. The purpose of the investigation report is to:
a) Provide information about the objectives, scope, and criteria of the investigation;
b) Provide information about the investigation findings and conclusions;
c) Provide a basis for top management and decision-makers to determine any disciplinary actions;
d) Identify needs for corrective actions to reduce significant risks requiring immediate attention, if
applicable and part of investigation objectives;
e) Serve as a basis for identifying opportunities for improvement of the risk management system,
if applicable and part of investigation objectives; and
f) Provide a record of the investigation.

6.5.2.2 Contents of the Investigation Report


The investigation report should include the following:
a) Identification of the organization and IUM conducting the investigation;
b) The name and address of the organization (including client, and the client’s management
representative) authorizing the investigation;
c) The type of investigation;
d) The investigation objectives;
e) The investigation criteria (including any specific inclusions or exclusions);
f) The investigation scope, specifically identification of the organizational or functional units or
processes investigated;
g) Identification of the ITL, investigation team members and any accompanying persons;
h) The dates and places where the investigation activities (on-site or off-site) were conducted;
i) Investigation findings, evidence and conclusions (if applicable, opportunities and down-side
risks), consistent with the requirements of the type of investigation; and
j) Any unresolved issues, if identified.
The following may be included or referenced in the investigation report:
a) An executive summary for lengthy investigation reports;
b) Areas within the investigation scope which were not covered;
c) Investigation plan;
d) Time schedule of the investigation plan;
e) Summary of the investigation process;
f) Identified accepted industry practices;
g) Opportunities for improvement;
h) Follow up action plans;
i) Reiterate the confidential nature of the contents;
j) Subsequent investigation;
k) Implications for the risk management program;
l) Distribution list of the investigation report; and
m) List of relevant reference materials.

6.5.2.3 Distributing the Investigation Report


The investigation report should be issued without delay within an agreed timeframe. If the investigation
team is unable to do this, the reasons should be promptly communicated to the client, organization, and
the person(s) responsible for the risk management program. In compliance with good project
management procedures, the investigation report should be reviewed, approved, and dated.
Distribution of the investigation report is at the discretion of the client and organization. The IUM should
not send a copy of the investigation report to anyone unless explicitly approved in writing to do so by
the client and organization. The organization conducting the investigation maintains a copy for its
records only as per agreement with the client and organization.
In some instances, reports may be required to be submitted digitally. In these instances, the IUM should
make good-faith efforts to control the release of this information by encrypting and password protecting
this data. Passwords and encryption keys should be communicated via a medium other than the
one being used to transmit the digital information. Passwords and encryption should comply
with accepted industry practices/methods for securing this type of information.

6.5.3 Follow-up and Monitoring


It is the responsibility and prerogative of the organization and client, not the investigative team, to apply
disciplinary, corrective, preventive, or improvement actions indicated in the investigation report. If the
client chooses to implement these actions, they should be implemented in a timely manner. These actions
should be documented and verifiable so they may be included in a future investigation. Verification that
the corrective, preventive, or improvement actions have been conducted and are effective should be
documented before any follow-up investigation commences.

6.5.4 Checking and Reviewing the Investigation Activities


The ITL should establish, implement, and maintain performance metrics and procedures to monitor and
measure, on a regular basis, those characteristics of the investigation that have material impact on its
performance. The procedures should include the documenting of information to monitor performance,
applicable operational controls, and conformity with the organization’s investigation program objectives
and targets.

6.5.5 Identifying Opportunities for Improvement of Investigations


The organization should continually strive to improve the effectiveness of the investigation activities.
The ITL should monitor, evaluate, and exploit opportunities for improvement in investigation
performance and eliminate the causes of potential problems, including:
a) Ongoing monitoring of the operational landscape to identify potential problems and
opportunities for improvement;
b) Determining and implementing actions needed to improve investigation performance; and
c) Reviewing the effectiveness of any actions taken to improve performance.
Actions taken should be appropriate to the impact of the potential problems, and resource realities.
The IUM and ITL should ensure that timely actions are taken to exploit opportunities for improvement.
Where existing arrangements are revised and new arrangements are introduced that could impact on the
overall investigation program, the ITL should consider the associated outcomes before their
implementation.
The results of the reviews and actions taken should be clearly documented and records should be
maintained. Follow-up activities should include the verification of the actions taken and the reporting
of verification results.

7 CONFIRMING THE COMPETENCE OF INVESTIGATORS

7.1 General
The credibility of any investigation program is a reflection of the competence of the investigators. All
persons involved in the investigation should be competent to perform their roles and assigned tasks.
Investigators should possess the technical expertise and interpersonal skills to effectively evaluate the
criteria of the investigation. Investigators should provide value to the organization by being able to also
evaluate the effectiveness of the risk management measures, not merely checking a box indicating
measures exist. Therefore, to add value to the client and organization, the investigators should
understand the management and risk approaches from the client’s business and risk environment.
Investigators should have a clear understanding of how to apply the investigation criteria. Investigator
competence is comprised of several elements:
a) Personal traits and interpersonal skills;

b) Investigation skills;

c) Communication skills;

d) Education, training, and knowledge;

e) Work experience; and

f) Professional credentialing and licensing.

It is not sufficient to be a generalist. Investigators should have a proficient understanding of the business,
types of investigations, and disciplines they are assessing. The investigation team should project an
image to the client and organization that they have the competence relevant to the appropriate technical
area of the investigation, risk-related disciplines, industry sector, and geographic location.
See Annex A for additional information on investigator qualifications and personal traits.

7.2 Competence
7.2.1 General
The IUM and ITL should determine and document the competence required to evaluate each technical
area and function in the investigation activity. When identifying competence requirements, the IUM and
ITL should tailor the competence requirements for the types of investigations required by the client and
organization, and locations of operations, in order to:
a) Define the scope of the activities that it undertakes;
b) Identify any technical qualification of its investigators necessary for that particular type of
investigation, services, and location of operation;
c) Ensure that personnel have appropriate knowledge, skills, and experience relevant to types of
services provided, organizational and cultural requirements, and geographic areas of operation;
and
d) Recruit and select a suitably qualified investigation team.
The IUM and ITL should determine the means for the demonstration of competence prior to carrying out
specific functions. Records of the determination should be maintained and made available upon request
by the client and/or organization.

7.2.2 Determination of Competence Criteria


The IUM and ITL should have a documented process for determining the competence criteria for
personnel with a demonstrated capacity for the management and performance of the investigation.
Measurable criteria should be determined to demonstrate competence with regard to:
a) The requirements of the investigation;
b) Investigation methodologies and management consistent with jurisdictional laws and regulations
or other obligations and accepted industry practices related to operations;
c) The legal, cultural and operational context of the location of operation; and
d) Functions in the risk assessment process.
The output of the process should be the documented criteria of required knowledge, skills, and
experience necessary to effectively perform investigation tasks to achieve the intended results and
provide a basis for:
a) Selection of investigation team members to cover all areas of required competence;
b) Ascertaining requirements for continual improvement of investigator competence; and
c) Determining performance indicators for investigators.
To determine the appropriate investigator competence, the following points may be considered:
a) Risk associated with the organization’s operations and activities;
b) Nature and complexity of the client’s risk management system;
c) Investigation types and disciplines to be considered;
d) Objectives and extent of the investigation program;
e) Jurisdictional laws and regulations or other obligations, such as those imposed by internal or
external bodies, where appropriate;
f) Role of the risk management process in the business management system of the organization;
g) The need for balance and avoidance of bias in the investigation process;
h) Complexity of the business and risk management environment to be assessed; and
i) Risk related to achieving investigation objectives.
When determining the competence criteria, the IUM and ITL should establish performance-based
evaluation criteria and a consistent documented method for evaluating competence. Examples of
evaluation methods include (but are not limited to):
a) Verifying the background, education, and experience;
b) Psychometric (quantitative) testing of knowledge and skills (may include variables such as
abilities, attitudes, personality traits, and educational achievement);
c) Reviewing written samples of work;
d) Interviews to evaluate knowledge, communications skills, and personal behavior;
e) Observation of investigation skills;
f) Certifications and professional credentialing; and
g) Feedback and post-investigation review.

7.2.3 Training and Competence Evaluation


Persons conducting investigations should have successfully completed training and be able to
demonstrate competence in the understanding and application of:
a) Investigation types and risk disciplines being assessed;
b) Investigation methodologies;
c) Investigation and management principles;
d) Risk management principles;
e) Legal, regulatory, and other relevant jurisdictional law;
f) Liability and tort law associated with industry and risk profile; and
g) Managing the risks of undesirable and disruptive events.
The IUM and ITL should ensure persons conducting investigations have a working knowledge of this
Standard. Investigators should have the knowledge and skills corresponding to a post-secondary
education that includes language and communications skills.
The IUM and ITL should ensure that investigation team members have the necessary specialized
knowledge, experience, and training for the type of investigation being conducted. For example, one
typical criterion used is work experience in a risk-related industry discipline or sector. Experience may be
supplemented by appropriate and relevant education or specialized training. The organization may
establish investigator-in-training and mentoring programs to enhance the specialized knowledge and
skills needed for the investigations.

The IUM and ITL should establish, document, and maintain a process to evaluate and verify the training
and competence of persons conducting investigations, including appropriate continual training
according to their specific qualification requirements to maintain competence.

7.2.4 Personal Attributes


A minimum level of interpersonal skills is essential to conduct a successful investigation. Therefore, the
investigator should demonstrate good communication skills including, but not limited to:
a) Good oral and written language skills;
b) Being a good listener;
c) Ability to handle stress and conflict to manage an adversarial environment;
d) Cultural sensitivity, including appropriate body language;
e) Ability to conduct unbiased questioning, analysis, and problem-solving; and
f) Tact and diplomacy.
Personal attributes are discussed in detail in Annex A.2.
The ITL should also be able to display leadership, manage time, understand communication formalities,
handle conflict, and provide mentoring to less experienced investigators.

7.2.5 Monitoring of Competence


The IUM and ITL should ensure the acceptable performance of all personnel involved in its investigation
activities. The IUM and ITL should establish documented procedures, metrics, and criteria for
monitoring and measurement of the performance of all persons involved based on the frequency of their
usage and the level of investigation knowledge linked to their activities. The IUM and ITL should review,
at least annually, the competence of its personnel based on their performance in order to identify training
needs.
The monitoring procedures should include a combination of on-site observation, investigation report
review, and feedback from clients or other affected parties. Monitoring should be designed in such a way
as to minimize the disturbance of the normal operations, especially from the client’s viewpoint.

7.2.6 Improvement of Competence


Investigators should increase and improve their skills through continuing education and experience.
Risks, organizational management practices, technologies, accepted industry practices, and standards
change with time. Investigators should continually improve their knowledge and skill sets with
changing risk management and investigation conditions. Examples of continuing education and skills
improvement methods include:
a) Participation in investigations;
b) Professional society and technical literature;
c) Participation in professional associations and their workshops and conferences;
d) Mentoring and peer review programs;
e) Reading case studies; and
f) Formal education programs.


7.3 Validation and Personnel Records
The IUM and ITL should maintain up-to-date records of relevant licensing, qualifications, training,
experience, professional affiliations and memberships, professional status and competence of all
personnel involved in its investigation activities.
The IUM and ITL should ensure all persons working on its behalf assigned to perform investigations, as
well as technical experts, can be trusted to maintain confidential information obtained during
investigative work. These personnel must not create a security risk by betraying confidentiality or
adversely impacting operations (evidenced by an executed non-disclosure/confidentiality agreement).
This should be validated by appropriate background screening of persons involved in investigation
activities (see: ASIS GDL PBS-2009, Preemployment Background Screening Guideline).

7.3.1 Background Screening and Clearances


The IUM and ITL should establish, document, and maintain a procedure for screening and vetting of all
personnel involved in its investigation activities. Background screening and clearances should be
aligned with jurisdictional laws and regulations, including information access and privacy regulations.
The IUM and ITL should also ensure that all personnel involved in its investigation activities meet these
requirements.
The process for security vetting and review of personnel involved in its investigation activities should
be documented in a way that can be accessed by the client and/or organization and, where applicable,
other relevant stakeholder organizations.
(For additional information, see: ASIS GDL PBS-2009, Preemployment Background Screening Guideline.)

7.3.1.1 Background Checks


Some investigations may necessitate criminal and other relevant background checks of persons assigned
to perform investigations, in accordance with data protection and privacy legislation. These checks may
include:
a) Work and education background check;
b) Criminal records check;
c) Personal and previous work references check;
d) Posing ethical dilemmas as part of the job interview process; and
e) Military background check for ex-services personnel.
Where practicable, background checks may be conducted through national agencies or authorities.
Where this is not practicable, the IUM and ITL should establish, document, and maintain a procedure to
check suitability and integrity by an internal vetting process including records checks and interviews,
overseen by the organization’s top management. The vetting process should include review of
documented submissions by the candidate, interviews and reviews of documents such as identity cards,
work permits, driving licenses, and work place references.

7.3.1.2 Interviews
The IUM and ITL should establish an interview procedure, including the hierarchy of interviewers,
which should be overseen by the IUM. Top management should appoint an IUM who has been verified
by interview and vetting as trustworthy and having the necessary competence and judgment to vet
personnel involved in its investigation activities. The responsible manager should assess, through review
of documentation submitted by candidates, interviews, and ongoing monitoring, the
trustworthiness and appropriate behavioral characteristics of personnel involved in its investigation
activities.

7.3.1.3 Work History


All personnel involved in the investigation activities should provide evidence of relevant work history
which should be verified with current or previous employers. Self-employed candidates should provide
other appropriate documentation that demonstrates the same level of confidence and trustworthiness as
employment records.
Candidates should provide two work-related references, as well as one probity reference relevant to their
work or local jurisdiction.

7.3.2 Identification Credentials


All personnel involved in the investigation activities should possess an identification credential
(consistent with their duties and need for confidentiality). Identification credentials should show the
following:
a) Photograph;
b) Full legal name;
c) Period of validity; and
d) Name of the issuing body.

7.3.3 Non-disclosure Agreements


All persons assigned to perform investigations should sign confidentiality and non-disclosure
agreements and a code of ethics. The IUM and ITL should establish, document, and maintain procedures
on how to respect and protect the integrity of sensitive, confidential, and proprietary information. The
IUM and ITL should periodically review, as part of its own quality management system, the performance
of its personnel with respect to taking appropriate steps to protect the sensitive, confidential or
proprietary information.
When requested, confidentiality and non-disclosure agreements signed by personnel involved in its
investigation activities should be made available to the client.

7.3.4 Accountability
The IUM and ITL should establish, document and maintain procedures to make personnel involved in
its investigation activities aware of infractions that could subject them to disciplinary actions, civil
liability, and criminal prosecutions. The procedures may include a process to address infractions or
procedures including investigative procedure and disciplinary actions, the code of ethics, and
confidentiality and non-disclosure agreements. Records should be kept of infractions, investigations,
and any subsequent disciplinary actions. If, at any time, investigative team members become subject to
arrest, charge, or litigation, they should promptly disclose this information to the IUM or ITL.

7.3.5 Records
The IUM and ITL should establish, document, and maintain procedures to maintain records of personnel
involved in its investigation activities. Records should be retained for periods that the IUM and ITL
deem appropriate and according to retention periods designated by the organization’s policies, as well
as jurisdictional law and regulations, or other obligations.

7.4 Use of External Investigators and Technical Experts


The IUM and ITL should develop a documented process for outsourcing any investigation activities to
ensure compliance with investigation policies, procedures, and services, as well as respect for
confidentiality and non-disclosure of client or organization information. Outsourcing agreements
should be enforceable and reviewed by appropriate legal counsel.


Annex A
(informative)

A QUALIFICATIONS AND PERSONAL TRAITS OF INVESTIGATORS
Investigator competence criteria should include both the professional qualifications and the personal
traits of the individual.²

A.1 Professional Qualifications


a) Education. Formal education is a point to consider. Many investigative positions require at
least a bachelor’s degree. Although the formal education may not be specific to the
investigative field, it does connote a general level of intelligence, maturity and discipline as
well as knowledge of a breadth of topic areas. A college education familiarizes people with
structures and processes of culture and society that foster insights into the events and
circumstances that real-world investigators encounter in the course of their professional work.
Education also demonstrates an investigator’s ability to continue learning because specialists
and experts will require specialized education—often including advanced degrees—in their
particular field (e.g., forensic science, behavioral psychology, etc.).
b) Training. An important factor in evaluating candidates is the training they have received. A
wide variety of courses are available in general investigative techniques and specific aspects
of investigations. Sources range from public sector law enforcement agencies to colleges and
commercial vendors. The level of training, currency of the training and the training source
(i.e., agency or school) should be carefully considered.
c) Association Memberships. An investigator’s networking ability to integrate training,
experience, and skills with industry professionals and peers becomes a force multiplier. The
membership in local, state, national, and global organizations is key to ongoing development
and maintenance of changes in the profession. Association memberships provide mentorships
and resources that may be unavailable in a single organization.
d) Certification. Related certifications such as PCI (Professional Certified Investigator; ASIS
International, www.asisonline.org/certification/pci/pciabout.xml) or CFE (Certified Fraud
Examiner; Association of Certified Fraud Examiners, www.cfenet.com/cfe/) or CFI (Certified
Forensic Interviewer; http://iaofi.org/CFI-Certification) indicate a demonstrated level of
knowledge as well as an individual’s commitment to the field and effort to maintain currency.
Professional certifications should be given significant weight in recruiting and considering
applicants, and for advancement.
e) Experience (General). Actual investigative experience is frequently the most important
qualification, and should be carefully considered. As a rule of thumb, candidates should
possess two years’ experience actually conducting investigations, preferably a variety of types
of investigations. General experience should be relevant to investigative processes and may
include interviews, evidence handling, liaison, surveillance, record searches, photography,
reporting and presentation of cases.

² ASIS International, Professional Investigators Manual, 2010

f) Experience (Specialized). The type of experience should be related to the type of investigation
to be performed. Some of the experience needed in one type of investigation would not be
relevant to another type of investigation. Furthermore, specific experience in the relevant
industry, in the business environment or in an investigative specialty is generally a plus—
sometimes a significant one. This allows the investigator to bring not only expertise to the
new position, but also a valuable suite of lessons learned and best practices, many of which
can be transferred to enhance the effectiveness of the unit. Of course some “specialist”
positions will require specialized experience as well. Fairly detailed information about
specialized experience should be requested from applicants for positions which require those
skills.
g) Communications Skills. This is one of the most critical skills needed by an investigator. The
ability to elicit information (the core of any investigation) from all sorts of people, both
cooperative and uncooperative, with many different perspectives and at different levels is
absolutely essential. In addition, the investigator must be highly effective at presenting
information orally and in writing to senior executives, attorneys, prosecutors, law
enforcement personnel, and security professionals. They must be simultaneously concise and
convincing, balancing facts with conclusions. Although communication skills are, to some
degree, a personal trait, they should more correctly be considered a professional qualification.

A.2 Personal Traits


High Ethical Standards. Personal suitability for the position is key. Candidates must have a
demonstrated background of trustworthiness and professional ethics. This trait will permeate
every aspect of the individual’s relationship with the unit and everyone he/she comes in contact
with as a representative of the organization.

Persistence. An important trait of the successful investigator is an appropriate level of persistence.
The investigative process often leads to apparent dead ends or other frustrations. The ability to
forge ahead toward a successful case resolution or objective despite obstacles proves to be of
significant value.

Balance. At the same time, however, the individual must be able to draw an appropriate balance
between aggressively pursuing a successful outcome and following established rules and
protocols (so as not to threaten the legal basis of the case or unduly raise the liability risk to the
organization).

Maturity. A mature and realistic view of self and surroundings is an important trait for anyone
who deals with investigative matters, private information, legal issues and activities that can
affect people’s lives and careers—and the organization itself. It allows an individual to keep their
activities in perspective and place information, events and situations within the appropriate
context.


Ability to Deal Effectively with People. Despite our techno-centric society, people form the core of
almost every investigation worldwide. The ability to deal with all types of people, in every role,
in a highly effective manner is absolutely essential to an investigator.

Self-Motivating and Self-Starting. In most environments, investigators operate with very little
direct management oversight (other than from a legal and regulatory perspective) and are
expected to perform independently. The ability to motivate oneself in combination with an
inherent inner drive is of extreme value.

Ability to Multitask. The ability to manage several activities simultaneously is an extremely useful
attribute for an investigator. Each investigation has numerous elements—and often a large
number of information inputs. In addition, most investigators are assigned several investigations
at any given time.

Professional Demeanor. In all aspects of the investigative function including dealing with people,
collecting and analyzing information and presenting facts and conclusions, the investigator must
maintain a professional demeanor. To do otherwise will threaten his or her effectiveness as well
as the unit’s (and the organization’s) credibility.

Good Observational Skills. Skill in observation (curiosity is most important) of people, places,
activities and situations is a key element of any investigation and feeds the information base
for a particular case as well as helping direct future investigative steps and direction. People with
excellent observation, interpretation and correlation skills often make good investigators.

Flexibility. An individual who can operate smoothly in a wide variety of environments, is
comfortable in a range of situations and can distinguish between when to yield and when to persist
will be a far more effective investigator than an inflexible person.

A.3 Unacceptable Behaviors


The following examples of unethical or dishonest behavior are unacceptable in professional
investigations:
a) Selectively opening, closing, rushing, or stalling investigations based on a relationship between
the investigator or unit and the parties to the investigation or other key players, or based on a
desire for personal gain;
b) Inappropriately or improperly selecting interviewees to influence outcomes;
c) Improper handling of evidence in order to influence the outcome of an investigation;
d) Improper handling of evidence or investigative information through incompetence;
e) Fabricating evidence or investigative information;
f) Making threats or promises during an interview or interrogation;
g) Compromising sensitive investigative information;
h) Using scientifically unproven, unreliable, or inappropriate investigative techniques;
i) Mistreating liaison contacts (e.g., providing misleading or false information or inappropriately
exploiting the relationship); and
j) Lying during judicial or administrative proceedings.
Besides diminishing effectiveness, unethical behavior can leave an organization open to civil or criminal
liability. The IUM and ITL must make ethics an underlying pillar of their operations, procedures, and
relationships, as well as instilling the importance of ethical behavior in investigative personnel.


Annex B
(informative)

B USE OF EXTERNAL RESOURCES

B.1 General
Using outside resources to assist with or conduct one’s internal workplace investigation is an acceptable
practice. Some investigations are too complex to be conducted by resources internal to the organization.
At times, the use of an external, independent investigator is necessary to ensure fairness, objectivity, and
confidentiality, in order to produce a credible investigation. When top management are the subject of
allegations, the use of an external investigator may be preferable. High profile sexual harassment
investigations would fall into this category. Another example would be employee substance abuse where
the only investigative solution might be an undercover investigator. Regardless of the issue, sometimes
it makes more sense to have someone external to the organization perform the investigation than
expending the time and resources to do it internally. In addition to a cost-benefit analysis, the most
important consideration should be whether or not the organization has the skill and experience necessary
to do the job properly.
Investigative firms contemplating undertaking a complex investigation should consider:

a) If they have the necessary skills and experience to do the job properly;
b) If they have the equipment and technology to do the job properly;
c) If they have an investigative plan that is committed to writing;
d) If undertaking an investigation is the best use of the firm’s time and resources right now;
e) If a contingency plan is in place in case something goes wrong;
f) If someone else is more qualified or better suited for the job; and
g) If the firm is prepared to handle the matter if it turns out to be more complicated or dangerous
than anticipated.

B.2 Use of External Investigators and Technical Experts


The IU and their investigators should consider the following issues when selecting a vendor for
investigative support or technical experts.

B.2.1 Licensing
In many jurisdictions, licensing is required for persons participating in the investigation and their
agencies. Where licensing exists, a failure to be licensed can result in criminal charges against the
investigation team and in some cases their investigative results being rendered inadmissible. In some
jurisdictions, attorneys may be allowed to conduct investigations if acting in their capacity as an attorney.

B.2.2 Training
The organization may provide orientation or training to assure an appropriate level of competence.

B.2.3 Experience
Ensure the investigative firm as well as the employees they assign to the investigation have the
experience necessary to do the job properly. If possible, interview them and demand answers to difficult
questions regarding their knowledge and experience with investigations of the type under consideration.

B.2.4 Reputation
Reputations vary widely in the industry. Qualified investigative firms are well known in the business
community and are active in their professional associations. Request references and check them
thoroughly. Inquire about the firm’s litigation and claims experience. A reputation of sloppy work, high
profile lawsuits, and big settlements is undesirable and possibly indicates process deficiencies.

B.2.5 Willingness to Testify


All investigators must be willing to testify and see their cases through to their fullest completion
regardless of the circumstances. Sometimes that means testifying in court or before an arbitrator. An
unwillingness to testify could be nothing more than fear and inexperience. Less experienced investigative
firms sometimes claim they don’t want to compromise the identity of their undercover investigators;
others claim it is too dangerous. Both claims demonstrate a lack of experience and professional
sophistication.

B.2.6 Reports
Reports are an important part of every investigation. The information provided in a report should be
complete, concise and correct. Samples should be examined thoroughly before selecting a vendor.

B.2.7 Insurance
Most quality investigative firms carry general liability, errors, omissions, and other types of professional
insurance. In many jurisdictions licensed investigators are required to carry insurance in some form.
However, bonding, allowed in some jurisdictions, may not provide enough protection. In order to be
safe and protect the organization, require the investigative firm under consideration to provide a
Certificate of Insurance naming the organization as an additional insured.

B.2.8 Willingness to Involve the Police


Employee prosecution is not always necessary and is complicated and often expensive. As such, the
decision to prosecute should be made for business reasons only. However, a good investigative firm
knows its limitations and when to involve law enforcement. Investigations involving illegal drugs, for
example, cannot be done without the assistance of the police. Ask the investigative firm to provide law
enforcement references. Also, ask the investigative firm about their success with criminal prosecution.
The answers will provide some idea as to how many cases the investigative firm has conducted and
where problems arose. Evaluate the organization in its totality before making your selection and making
a contractual commitment.


B.2.9 Attorney Involvement


Investigative firms often prefer the involvement of their client’s attorneys. This applies even when the
client hires an attorney to conduct the investigation. That is, in-house or outside counsel still should be
involved. The attorney’s role is an important one and the attorney should play an active role during
most of the investigation. Sophisticated providers of investigative services know that an attorney will
contribute to the smooth running of the investigation and coincidentally protect its interests as well as
the interests of the client.

B.2.10 Additional Considerations, Depending on the Type of Investigation:


a) Does the organization provide information to the client (the security manager’s organization) and
the subjects in compliance with applicable laws?
b) Can the organization provide the client with regulatory guidance?
c) Is the information supplied the most current and accurate available?
d) Does the organization provide all the screening services needed by the client, or will the client
need to use more than one vendor?
e) Does the organization provide ease of access to their services?
f) How long does it take to receive the information requested?
g) What is the price for the services provided? How does the price compare to the price for similar
services of competing organizations?
h) What steps does the organization take to establish an applicant’s true identity?
i) What quality control procedures does the organization follow to ensure accuracy?
j) Does the organization have appropriate insurance or other applicable coverage?
k) Does the organization have adequate procedures to ensure the security and confidentiality of the
information?
l) Has the organization provided similar services to organizations in the client’s industry?
m) Will the organization provide references that the client can contact?
n) What client satisfaction guarantees does the organization provide?
o) Does the organization provide its clients with resource materials or updates relating to
jurisdictional laws and regulations or other obligations and practical issues in preemployment
screening?
p) Will the organization provide a sample report?


Annex C
(informative)

C LEGAL ISSUES AND LITIGATION AVOIDANCE


A benefit of a fair and thorough workplace investigation is the potential for litigation avoidance.
Workplace complaints can give rise to a whole host of legal issues, both civil and criminal. The
investigation itself can lead to legal action, especially if it is not done correctly. The potential legal
issues which could result from improper investigation include, but are not limited to:
a) Assault and battery;
b) False imprisonment;
c) Invasion of privacy;
d) Defamation, slander, libel;
e) Extortion;
f) Negligent hiring, supervision, retention, and investigation;
g) Violation of statutory or constitutional civil rights;
h) Discrimination and harassment;
i) Retaliation for bringing a complaint or legal claim;
j) Bullying; and
k) Interfering with legal rights such as free speech and collective bargaining.
Conducting a fair and thorough investigation, and taking reasonable, fair and consistent action as a
result of the findings of the investigation minimizes the likelihood of litigation that could arise from
those facts and allegations. Acting on early notice of issues provides an opportunity to properly
address the issues, perhaps before they become more severe. A thorough investigation gathers
sufficient information to take appropriate action and avoid missteps that may lead to litigation. Even
when litigation is not avoided, it is often easier to resolve that litigation when there has been a fair and
thorough investigation since the relevant facts should have been uncovered in the course of that
investigation, enabling the parties to evaluate the legal claims and come to a fair settlement.


Annex D
(informative)

D TYPES OF INVESTIGATIONS

D.1 General
Most IUs focus on a particular function or set of functions. They may range from relatively simple
activities such as documenting facts surrounding a security force response to a workplace incident to
complex procurement fraud investigations. These functions are generally referred to as types of
investigations, and frequently the unit’s incident management system is organized according to incident
types. The following are examples of typical types of investigations in the organizational arena:
a) Incident or accident;
b) Employee misconduct;
c) Misuse or abuse of computer or IT system;
d) Substance abuse;
e) Due diligence;
f) Regulatory compliance violation;
g) Lifestyle or financial inquiries for organizational executives and personnel;
h) Personnel security or background;
i) Theft, pilferage, or misappropriation;
j) Lapping (crediting one account with money from another account);
k) Assaults and crimes against persons;
l) Property damage and vandalism;
m) Inventory discrepancies or unexplained shrinkage;
n) Sabotage;
o) Industrial espionage;
p) Copyright and proprietary information violations;
q) Embezzlement or defalcation (appropriation of property by a person to whom it has been
entrusted);
r) Fraud (general, procurement, insurance, travel, accounting, etc.);
s) Product tampering (actual and hoax);
t) Diverted, counterfeit, adulterated product;
u) Skimming (keeping some of the cash);
v) Communicating threats;
w) Discrimination and harassment, including retaliation (e.g., sexual, race, religious, national
origin, age, disability, gender);
x) Workplace violence (actual or potential); and
y) Litigation support (varying according to whether the organization is the complainant or
respondent in a particular case).
Other types of investigations are conducted in various industries and environments. In some sectors an
IU may be employed to directly support the core mission of the organization. For example, a real estate
organization may use its unit to determine the whereabouts of unknown property owners or conduct
difficult title searches. Similarly, IUs are sometimes used to support market research, competitive
intelligence, and other organizational functions. The bottom line in many organizations is that the IU is
seen as a resource and is employed in ways that support overall business objectives.
IU managers (and security directors where applicable) must understand how the investigative capability
fits into the organization and how the executive leadership envisions its application. Optimally, the
investigations unit manager or security director plays a key role in defining that fit and the nature of the
investigative functions. This role may vary from direct to subtle depending on the environment and
leadership style, but wherever possible, investigations and security professionals should exert as strong
an influence as possible, recognizing the overall business objective.


Annex E
(informative)

E DETERMINING THE NEED FOR AN INVESTIGATION

E.1 General
Investigations are not considered part of the core activities of most organizations in the public,
not-for-profit and private sectors. However, many organizations encounter events and situations that have a
real, or perceived, negative effect on the achievement of objectives which may require an investigation.
This annex provides guidance for organizations to establish criteria to assess the need for an investigation
and determine the objectives, scope, timing, and criteria defining the conduct and resolution of
investigations, whether conducted by the organization itself, contracted to an external organization, or
the responsibility of law enforcement.
This Annex provides a basis for organizations to develop and implement an Organizational
Investigations Policy (OIP), in order to:
a) Identify internal and/or external events and situations requiring an investigation;
b) Know what actions are necessary, appropriate and adequate;
c) Consider if the events and situations address issues in the civil, administrative or criminal
domain or any combination of the three; and
d) Define the parameters of the investigation that best support the interests of the organization.
By establishing an OIP, the organization will proactively prepare for events that may require
investigation. This will facilitate the decision-making process as to whether, how, and when to establish
and conduct an investigation and what constitutes resolution. The OIP will assist the organization in
understanding key parameters for a successful investigation, including, but not limited to:
a) Legal, regulatory, and litigation considerations;
b) Internal and external relations; and
c) Logistics of managing the investigation and the persons who conduct it.
Through the process of identifying the triggers and parameters for an investigation the organization
will assess whether its policies are adequate to avoid undesirable and disruptive events, mitigate or
resolve such events, identify needs for new or modified policies and procedures, elucidate information
management needs, and review documentation requirements.
An OIP will also help both the organization and the persons conducting the investigation to better
understand the needs and expectations of the organization itself.


E.2 Identify Events and Situations Requiring an Investigation


If the organization has implemented an enterprise-wide risk assessment and management program it
should include an evaluation of the factors that may lead to conducting an investigation. ISO 31000:2009
Risk management — Principles and guidelines provides a process for conducting risk assessments that may
be used in assessing the need for an organization to conduct an investigation.

E.3 Establishing the Context


In order to establish an OIP it is important to understand how the organization operates and what
internal and external factors may impact the achievement of its objectives and desired outcomes.
Factors that should be considered include:
a) Operational and decision-making structure of the organization;
b) Legal, regulatory, and contractual obligations, as well as organizational policies that impact the
parameters of an investigation (including jurisdictional triggers for requiring an investigation);
c) Identify and characterize potential actions that may be required by law or policy to address the
outcomes of an investigation;
d) Consult legal counsel to determine what actions can and cannot be taken, potential liability
issues, and impacts on reputation due to different courses of action;
e) Identify internal and external stakeholders and organizational structures that need to be
considered in an investigative process;
f) Identify information and communication needs to support an investigation;
g) Assess internal and external resource needs for the conduct of investigations;
h) Conduct asset identification, valuation and characterization to identify tangible and intangible
assets, human resources, programs, services, and activities that would be potential targets for
intentional and unintentional actions that may result in an event requiring an investigation; and
i) Define criteria for risk appetite related to potential risk events requiring an investigation and
establish the structure of the investigative process.

E.4 Conducting the Risk Assessment


A risk assessment provides a basis for decision-making to determine the needs and parameters for
conducting an investigation. Risk assessments are comprised of:
a) Risk identification: The organization should consider what events may require investigations.
This involves the identifying of sources of risk and understanding potential impacts. The
organization should:
i. Identify the threats that may result in a risk event requiring an investigation.
Scenario-based threat analysis may be used for each identified asset, program, service, and
activity to determine the likelihood and consequences of a risk event impacting the
organization and the potential need for an investigation. Threat analysis should
consider both the capability and intent of any threat actors to better understand the
potential for the threat to successfully materialize;
ii. Identify and analyze its vulnerability to a risk event and evaluate the efficacy of existing
technical, operational and administrative controls; and
iii. Identify and analyze the range of impacts that may be a consequence of a risk event
materializing and the need for an investigation.
b) Risk analysis: Based on the threat, vulnerability, and impact analysis the organization should
determine the likelihood and consequences of each identified risk. Based on the likelihood and
consequence analysis the organization should:
i. Determine the level of risk; and
ii. Rank the risks that may require investigative actions.
c) Risk evaluation: Based on the risk ranking the organization should evaluate which risks fall
within its risk appetite and which risks require treatment. The organization should evaluate:
i. Positive and negative internal and external implications of conducting or not conducting
the investigation;
ii. The need to proactively modify operations, functions and activities to minimize the
likelihood of a risk event occurring that may require an investigation and bring the risk
level into a range that is as low as reasonably practical;
iii. The physical, operational, human, and financial resources needed to manage risk; and
iv. The triggers for initiating an investigation and the investigative processes that
may be needed.
The output of the risk assessment is typically summarized in a risk register which catalogues information
including but not limited to: asset owners, risk events and their potential impacts, level of risk, line
management of the persons who could be involved in the activity, and potential in-place information
resources (e.g., cameras, access control records, paper files, trusted witnesses and knowledgeable
individuals, and internal databases/computer programs), trigger levels for a response, timeframe for
managing the risk, and resources needed to manage the risk.

E.5 Treating the Risk


The organization should establish procedures and guidelines to set the parameters for initiating an
investigation. When establishing the procedures the organization should consider:
a) Information that will be needed in order to conduct an effective and efficient investigation,
where that information resides, and how to effectively access that information;
b) The cost/benefit of applying various resources toward the investigation;
c) Revision of policies and practices addressing identified risks to minimize the likelihood of an
event occurring (e.g., improved management of access to assets, improved information
management practices, clearer communication of organization policies related to interactions
between people, improved physical asset protection measures, etc.);


d) Legal and liability implications of what actions can and cannot be taken;
e) Consensus with top management regarding which actions should or should not be investigated
and how any information gained during the investigation will be managed;
f) Top management commitment to make the necessary resources available;
g) Establish an OIP defining which matters will be subjected to internal, outsourced and/or law
enforcement investigations; and
h) Determine the logistics of managing the investigation and the persons who conduct it.

E.6 Monitoring and Review


The organization should establish performance metrics and measure the effectiveness of the OIP.
Performance monitoring and evaluations should include:
a) Response and implementation of corrective and preventive actions to pre-emptively minimize
risks that may result in the need for an investigation;
b) Achievement of risk management objectives;
c) Value-added to the organization by better managing the factors that may trigger an
investigation as well as the effectiveness of an investigation in improving performance;
d) Time and resource management of investigations;
e) Resource management;
f) Ability to achieve the objectives of the OIP;
g) Competence and professionalism of persons affiliated with investigations and the decision to
conduct an investigation and subsequent operational improvements; and
h) Effectiveness of communication between all parties involved in the OIP and investigative
processes.


E.7 Example Template for OIP

The following template is provided for illustrative purposes only. The organization should tailor its OIP
to its needs.

Organizational Investigations Policy

Policy number <<insert number>> Version <<insert number>>


Drafted by <<insert name>> Approved by Board on <<insert date>>
Responsible person <<insert name>> Scheduled review date <<insert date>>

Preamble

This organization possesses both tangible and intangible assets which could possibly be the target of illegal or unethical
action by internal or external elements. The organization’s security management plan has considered the risks to our
assets and has provided for appropriate and adequate protection measures. However, full protection cannot be guaranteed
and despite optimal planning, unwanted events could occur. Consequently this Organizational Investigation Policy (OIP)
assesses potential situations that could require investigation and analysis, and establishes information and processes that
should be available, if or when an investigation is warranted.

The OIP contains guidance for assessment, pre-planning and the management of an investigation.

Introduction

[Name of organization] will endeavor to prepare for any situation that may warrant consideration of an investigative
activity to protect the organization’s assets, minimize risk to operations, and resolve outstanding issues.

Purpose

This document sets criteria for assessing the need for an investigation and for determining the objectives, scope, timing, and
parameters relative to the conduct of investigations, whether conducted by the organization, contracted to an external
organization, or the responsibility of law enforcement.

Definitions

The organization should provide definitions and comments, if deemed opportune, to understand the OIP.

Policy

[Name of organization] has a duty to exercise due care over its assets and to be in a position to make timely decisions
whether, and how, to conduct investigations. Our organization also has the duty to take pre-emptive steps to ensure that
information, or other relevant elements that can be beneficial to the successful conclusion of an investigation are practically
available and that legal and ethical issues have been duly considered.

[Name of organization] will implement procedures that will, as far as is practical, ensure that investigations will not be
hampered by insufficient preplanning.


To this end, the following working groups are established and will meet regularly to review investigations and issues
relevant to their charter: (the following list is not exhaustive.)
a) Workplace Violence Working Group (Organizational Security, HR, Legal).
b) Ethics and Policies Working Group (HR, Legal, Organizational Security, IT, Internal Audit)
c) External and Supply Chain Working Group (Logistics, Organizational Security, Legal)
d) Financial Crimes and Fraud Working Group (Internal Audit, Finance, Organizational Security, IT, Legal)


Responsibilities

It is the responsibility of the Board, with the assistance of the CEO and the Investigations Management Officer, to identify
assets, the owners of the assets and the risks that the assets face. It is the responsibility of the CEO to ensure that:

• An Investigations Management Officer for the organization is nominated.
• The Investigations Management Officer operates in cooperation with the Organization’s Risk Management
Officer.
• All employees and, where opportune, external operators and the general public, are familiar with the
organization’s Organizational Investigations Policy.

It is the responsibility of the Investigations Management Officer to ensure that:

• All relevant assets have been identified and classified according to their importance for the organization.
• The owners of assets have been identified.
• The owners of assets are aware of the importance of their role and have been consulted regarding the risks that
the assets may incur and the elements that may be of use to investigations, if the assets should be subject to theft
or malicious damage.
• All appropriate departments, in particular legal and human resources, have been consulted to ascertain what
elements can be legally accessed and stored in advance by the organization, taking into consideration the
jurisdictions involved.
• Decisions have been taken as to which investigations can be carried out legally and efficiently using in-house
resources and which would necessitate professional assistance, either private or public, and for which it would
be compulsory to inform law enforcement.
• Decisions have been taken regarding the resolution of the investigations and how the results of investigations
will be used.

It is the responsibility of all employees to ensure that:

• They are familiar with the organization’s Organizational Investigations Policy management procedures
applicable to their sector.

Procedures - Pre-emptive Investigations Management

The Investigations Management Officer should:

• Maintain regular contacts with the owners of assets and discuss with them any changes in the status of the
assets.
• Maintain regular contact with relevant departments such as Legal and HR, in order to keep up to date with any
relevant jurisdictional laws and regulations or other obligations or administrative issues that could impact
investigations.
• Consult with these departments and with Top Management if any changes in procedures would seem to be
appropriate.
• Maintain records of all procedures established and of all events.
• Keep the records secure and only available to those who are authorized.

The Investigations Management Officer should participate in any Risk Management exercise to ensure consistency of
approach.


Authorization

<Signature of CEO>
<Name of CEO>

<Document and Version Number>


<Date>

E.7.1 Guidance for Use of Template


E.7.1.1 Preparatory Phase

E.7.1.1.1 Step One - Awareness


a) Identify, classify, and rank the assets, programs, policies, and activities that are potential targets
for criminal, civil, or other unauthorized and inappropriate actions;
b) Identify, classify, and rank the potential criminal or unauthorized and inappropriate acts that
could impact the assets, programs, and activities;
c) Identify, classify, and rank the potential impacts to the organization of criminal or unauthorized
and inappropriate acts;
d) Be aware of the actions that may be necessary if an investigation is conducted following criminal
or unauthorized and inappropriate acts;
e) Be aware of the jurisdictional laws and regulations or other obligations of conducting the various
types of investigations that could be needed;
f) Be aware of the positive and negative internal and external implications of conducting or not
conducting the investigation;
g) Be aware of the information that will be needed in order to conduct an effective and efficient
investigation, where that information resides, and how to effectively access that information; and
h) Assess the tangible and intangible cost/benefit of applying various resources toward the
investigation.

E.7.1.1.2 Step Two - How to React


a) Choose a potential case type, either from internal experience or from knowledge of other
organisations;
b) Develop an appropriate desktop plan for each criminal, unauthorized, or inappropriate activity
envisaged in Step One. This will include identifying the asset owners, line management of the
persons who could be involved in the activity, and potential in-place information resources such
as cameras, access control records, paper files, trusted witnesses and knowledgeable individuals,
and internal data bases/computer programs;
c) Conduct a desktop exercise during which all alternatives are discussed. Include crisis
communications, media reporting and public relations. The desktop exercise will possibly bring to
light situations that had not been contemplated during Step One. Document lessons learned from the
exercise for future consultation.

E.7.1.1.3 Step Three - Getting Organized


a) Use the experience gained in Steps One and Two to review both internal policies and external
influences;
b) Ensure that policies address the permitted and prohibited conduct of persons that have access or
influence to assets;
c) Ensure that policies provide appropriate access to information regarding persons, programs, and
systems needed during an investigation;
d) Ensure that legal counsel has advised what actions can and cannot be taken;
e) Ensure consensus with management regarding which actions should or should not be
investigated and how any information gained during the investigation will be managed;
f) Ensure management has agreed to make the necessary resources available; and
g) Establish a general policy regarding which matters will be subjected to internal, outsourced
and/or law enforcement investigations.

E.8 Policy
The development of a framework for the risk assessment of the organization’s assets and a methodology
for their classification should entail:

a) Establishing the context of the organization and its assets, both tangible and intangible.
Remember that reputation may be the organization’s key asset;

b) Conducting a risk assessment including risk identification, analysis, and evaluation including
classifying the assets according to relative importance, vulnerability to illegal or improper
behavior, and the motivations.

Tip #29: OIP Risk Assessment Considerations

The probability of illegal / improper behavior occurring will depend on the level of opportunity, how easy it is to attack and
how important it is for the attacker (motivation), not just for the organization. The risk assessment needs to consider both
these factors.

c) Getting prepared. Make a general assessment of the assets at risk. Identify the person(s) with the
potential opportunity and, where possible, motivation for committing illegal / improper actions.
Identify the owner(s) of the assets. Discuss with them the prospective methodologies of a
potential attacker. Consult HR and Legal Counsel to determine what counter actions
(investigations) are legal and feasible if such action were to occur. Take into consideration
whether it would be preferable to conduct internal enquiries or to involve public or private
external assistance. Decide the course of action you intend to take against the person found
guilty (e.g., keep it private or seek a civil and/or criminal solution).

Tip #30: Creating Working Groups

Avoid consulting legal counsel at the last moment and possibly losing essential time before commencing the investigation or,
worse, always being in a reactive mode instead of having one or more proactive remedies or solutions to address issues that
may require an investigation. That is, create one or more working groups that meet quarterly to discuss issues and risks to
various assets. The group(s) would discuss what has happened across the organizational footprint the previous quarter, what
has happened across ‘the industry’ the previous quarter, and what is being done to prepare for events that may require
addressing by management or an investigation.

The pre-emptive steps should include:


a) Elements needed. Investigations need information in order to be successful. On a case by case
basis the organization needs to evaluate and provide for, in advance, whatever direct or discreet
access to information will be vital to decide whether and how to investigate, as well as to actually
conduct and resolve the investigation.

b) Organizations, especially large corporations, should review internal policy regarding contractors.
If the procedures for engaging the services of new contractors are long and complicated, as is
often the case, then the organization should consider identifying and certifying in advance, as a
contractor for investigative services, a qualified professional person or entity, so that precious
time will not be lost if the need for an urgent investigation should arise.

Tip #31: Collecting Vital Information


Organizations are often taken by surprise and discover, when it’s already too late, that vital information such as the names
and contact information of family members, employment/criminal history, and personal financial information are not readily
or even legally available without disclosing the matter to the suspect. These matters should be addressed in advance with
legal counsel and human resources.

Further guidance points:


a) An indication regarding preliminary steps. As mentioned in the getting prepared stage, consider
creating working groups to address various issues that may eventually require an investigation.
For example, depending on the size of the corporation and the core business process, create a
working group addressing potential insider threats and/or workplace violence issues that may
be facing the organization. As another example, industries reliant upon a large and varied supply
chain should ensure that all aspects of the chain are protected and review/analyze past and recent
events to help determine patterns that may need investigation or inquiry to find a solution.

b) The assessment, case by case, of whether to conduct internal investigations, external
investigations, or both.

The organization needs to act both legally and in its own interests. The choice between handling
the investigation as an internal affair, with or without external private sector assistance, must
take into consideration whether reporting the event to the authorities is mandatory or not. In
order to act efficiently in a timely manner and, above all, legally the organization must be aware
of what is mandatory or not. Only if the matter is not mandatory can the organization consider
the pros and cons of a public or private investigation.

c) Pitfalls to be avoided. (Refer to the ANSI/ASIS/RIMS RA.1-2015 Risk Assessment standard for
practical advice.)

Always be consistent in following organizational policies and procedures when conducting an
internal investigation to avoid future allegations of possible discrimination or special treatment
for select personnel. External investigators should be made aware of organizational policies and
procedures which may apply to their investigation.

Attempt to keep the investigation as covert as possible by only sharing information with those
that have a need to know. When conducting interviews advise the interviewee not to discuss the
interview and situation with anyone else, if this is compliant with jurisdictional laws.

Conduct the investigation as quickly as reasonably possible for the situation; document
everything done during the investigation. Conclusions reached should be documented and
answer Why, Who, What, When, Where, and How. This will provide the deciding member of
management with the information needed to make a decision that is supported by clearly
documented facts and evidence.

Place authority to conduct each investigation with a single person/department. No investigation
profits by having more than one case supervisor.

d) Evidence management. Investigators in both the public and private sectors must know how to
handle and not compromise evidence. Evidence that has been mishandled could end up being
useless in a court of law or an administrative action and could backfire on the
organization.

Tip #32: Handling Evidence

As a rule of thumb all evidence should be handled in accordance with documented jurisdictional legal requirements, even if
no legal action is anticipated. Do not touch evidence before a professional has had the opportunity to evaluate and advise
(e.g., the organization may possibly have the legal right to consult an employee’s computer but the simple act of just switching
it on could invalidate evidence).

E.9 Responsibilities
It will depend on the size and complexity of the organization where, within the organization, this role
resides and whether this will be a full time role or added to other duties. Typically, it will be the
responsibility of loss management, human resources, or security management.
Awareness and cooperation are fundamental to the success of all security related functions, including
investigations. The OIP should be presented and explained to all relevant persons and the organization
should be prepared to discuss, as opportune, its contents and purpose. The first two points, in the policy
template, have been addressed in the section “Pre-emptive steps.”
If the organization promotes employee knowledge of, and pride in, ownership of assets, it will achieve
major protection from, and increased assistance following, an illegal/improper act.

It is advisable to create adequate documentation of the information gathered and establish file
maintenance and retention policies. This can be done by talking through potential scenarios and reaching
overall decisions as to how to classify them. If opportune, seek assistance and advice from public or private
sector professionals.
All employees must be informed in a way that is understandable for them and records kept of when and
how this has been done.

E.10 Procedures
The establishment of regular, friendly contacts and making constructive use of information gathered can
be decisive in the prevention of illegal/unethical acts. This is particularly important when the
organization diversifies activity and/or begins operations in new jurisdictions, or for change
management, and could be of use in legal proceedings as a demonstration of the organization’s ethical
conduct.


Annex F
(informative)

F TYPES OF QUESTIONS
An interview is a conversation in which one or more persons question, consult, or evaluate another
person. It is important that investigators develop good interviewing techniques to maximize reliability
and minimize pitfalls, and to establish a rapport with the interviewee to promote the sharing of
information. Interviews are conducted to obtain factual information. The interviewer may use various
types of questions, including:
a) Open-ended: Require more than one-word answers. They encourage the person being asked the
question to think, reflect, and describe a situation. The respondent provides an answer that may
include facts, opinions, and feelings about a subject.
b) Probing: A follow-on clarifying question, typically an open-ended question. It is intended to
help the person being asked the question to think more deeply about a subject or specific issue.
c) Closed-ended: Can be answered in only one word or a short phrase. Respondents answer from a
limited number of choices (e.g., “yes” or “no”). They are direct questions that ask for specific bits
of information.
d) Leading: Prompt or encourage the desired answer. They suggest to the person being
questioned how to answer the question or embed the answer in the question. Leading questions
should not be used as they bias the response.

Type of Question  Advantages                                  Disadvantages

Open              Establish a broad topic area                May be very time consuming
                  Serve a variety of purposes                 Open to a variety of interpretations
                  Allow more freedom of choice in responses   Rely heavily on questioning and interpretative ability of interviewer
                  Gather a broad spectrum of information      May elicit irrelevant information

Closed            Require less time                           Limited choice of responses
                  Can be clearly phrased                      May solicit biased answers
                  Direct and easily understandable            Limited interpretation
                  Restrict range of responses


Examples of open-ended questions include:


a) Who
b) What
c) Where
d) Why
e) When
f) How
g) Show me
h) Tell me
Note that sometimes it is difficult to get the person to open up with broad open-ended questions. In such
cases it may be prudent to narrow the questioning with a probing question and then return to broader
questions after getting them into the conversation.


Annex G
(informative)

G EXAMPLES OF DIFFERENCES IN REGULATORY, LAW ENFORCEMENT, AND PRIVATE SECTOR INVESTIGATIONS
Regulatory, law enforcement, and private sector investigations may differ in jurisdictional legal
authorities, resource allocation, and use of the outcomes. Jurisdictional differences may exist between
public and private sector investigations. Some examples may include:
a) Powers of Arrest: Designated individuals in law enforcement and the criminal justice system
(e.g., police, prosecuting attorneys, and judges) can under a host of circumstances arrest people,
subject them to custodial interrogations, and even incarcerate them. Within defined jurisdictional
legal parameters, the public sector has the power to detain and interrogate. The authority of
private sector investigators to detain individuals varies widely across jurisdictions; therefore
legal counsel should be sought. To forcibly question or hold another against their will may
constitute false imprisonment and may be actionable under jurisdictional laws.
b) Search and Seizure: Within the parameters set by jurisdictional laws, the public sector has at its
disposal the power to search people, seize property, and compel testimony. While limits to the
use of this authority exist and vary by jurisdiction, one’s person, property and papers can be
searched and/or seized by the government. The public sector uses this critical tool in criminal
investigations and enforcement of public law. The private sector’s ability to conduct search and
seizure is bound by jurisdictional limitations and an employer’s search policy. Typically,
workplace searches of desks, computers, lockers, and other work areas are permissible only
where an employee does not have a reasonable expectation of privacy. The employer can
substantially reduce the expectation of privacy by: advising employees that such areas are subject
to inspection, with or without notice; restricting private use of these areas by issuing its own locks
and retaining duplicate keys; and by establishing policies that limit workers’ expectation of
privacy and permit searches under any circumstances.
c) Testimony: Persons giving evidence in public inquiries and proceedings are obliged to tell the
truth and provide full disclosure or they may be subject to criminal action. In private inquiries
and proceedings, persons may have a contractual obligation to tell the truth and provide full
disclosure or they may be subject to administrative action.
d) Prosecution: Only the government can prosecute an individual for criminal violations. In many
jurisdictions, the improper influence of the prosecution is in and of itself a crime. An employer’s
threat of prosecution may constitute criminal extortion in certain jurisdictions. Representatives
of the private sector can only file a complaint; it is then the duty of the government to determine
if a law might have been broken and, if so, what charges should be brought based on the evidence
available.


e) Due Process: The obligations for due process vary for public and private investigations
depending on the jurisdictions in which the investigation is being conducted. Due process
includes, but is not limited to: the right to know the offense(s) and crime(s) of which one is
accused; the right to view and examine the government’s evidence; the right to face one’s accusers
and examine them as well as any and all interviewees; the right to competent representation; and
the right to protection against self-incrimination.
f) Consequences: Successful public sector prosecutions may result in fines, sanctions, and/or
incarceration. Consequences vary widely based on jurisdiction of the prosecution. Requirements
and protections for reporting and records of the investigative process and disciplinary action also
vary by jurisdiction. Private sector consequences may be subject to the employment contract,
collective bargaining agreements, and relevant law.


Annex H
(informative)

H BIBLIOGRAPHY

H.1 ASIS Publications [3]

ANSI/ASIS/RIMS RA.1-2015, Risk Assessment.
ASIS GDL PBS-2009, Preemployment Background Screening Guideline.
ASIS International, Professional Investigator’s Manual.
ASIS International, Protection of Assets (POA).

H.2 ISO Publications [4]

ISO 31000:2009, Risk management – Principles and guidelines.

[3] Available at www.asisonline.org
[4] Available at www.iso.org

1625 Prince Street
Alexandria, Virginia 22314-2882
USA
+1.703.519.6200
Fax: +1.703.519.6299
www.asisonline.org
