STD Investigations


ASIS INTERNATIONAL

Investigations ANSI/ASIS INV.1-2015

STANDARD

The worldwide leader in security standards and guidelines development

ANSI/ASIS INV.1-2015

an American National Standard

INVESTIGATIONS

Approved July 28, 2015
American National Standards Institute, Inc.

ASIS International

Abstract

This Standard provides guidance for conducting investigations. It provides guidance on establishing investigative programs as well as the conduct of individual investigations, including the competence and evaluation of investigators.


NOTICE AND DISCLAIMER

The information in this publication was considered technically sound by the consensus of those who engaged in the development and approval of the document at the time of its creation. Consensus does not necessarily mean that there is unanimous agreement among the participants in the development of this document. ASIS International standards and guideline publications, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest and knowledge in the topic covered by this publication. While ASIS administers the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments contained in its standards and guideline publications.

ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or anyone else. ASIS does not accept or undertake a duty to any third party because it does not have the authority to enforce compliance with its standards or guidelines. It assumes no duty of care to the general public because its works are not obligatory and because it does not monitor the use of them.

ASIS disclaims liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this document. ASIS disclaims and makes no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that the information in this document will fulfill any person’s or entity’s particular purposes or needs.
ASIS does not undertake to guarantee the performance of any individual manufacturer or seller’s products or services by virtue of this Standard or guide. In publishing and making this document available, ASIS is not undertaking to render professional or other services for or on behalf of any person or entity, nor is ASIS undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for additional views or information not covered by this publication. ASIS has no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS has no control over which of its standards, if any, may be adopted by governmental regulatory agencies, or over any activity or conduct that purports to conform to its standards. ASIS does not list, certify, test, inspect, or approve any practices, products, materials, designs, or installations for compliance with its standards. It merely publishes standards to be used as guidelines that third parties may or may not choose to adopt, modify or reject. Any certification or other statement of compliance with any information in this document should not be attributable to ASIS and is solely the responsibility of the certifier or maker of the statement. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright owner.

Copyright © 2015 ASIS International ISBN: 978-1-934904-76-3


FOREWORD

The information contained in this Foreword is not part of this American National Standard (ANS) and has not been processed in accordance with ANSI’s requirements for an ANS. As such, this Foreword may contain material that has not been subjected to public review or a consensus process. In addition, it does not contain requirements necessary for conformance to the Standard.

ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are designated by the word shall and recommendations by the word should. Where both a mandatory requirement and a recommendation are specified for the same criterion, the recommendation represents a goal currently identifiable as having distinct compatibility or performance advantages.

About ASIS

ASIS International (ASIS) is the largest membership organization for security management professionals that crosses industry sectors, embracing every discipline along the security spectrum from operational to cybersecurity. Founded in 1955, ASIS is dedicated to increasing the effectiveness of security professionals at all levels. With membership and chapters around the globe, ASIS develops and delivers board certifications and industry standards, hosts networking opportunities, publishes the award-winning Security Management magazine, and offers educational programs, including the Annual Seminar and Exhibits—the security industry’s most influential event. Whether providing thought leadership through the CSO Roundtable for the industry’s most senior executives or advocating before business, government, or the media, ASIS is focused on advancing the profession, and ensuring that the security community has access to intelligence, resources, and technology needed within the business enterprise. www.asisonline.org

The work of preparing standards and guidelines is carried out through the ASIS International Standards and Guidelines Committees, and governed by the ASIS Commission on Standards and Guidelines. An ANSI accredited Standards Development Organization (SDO), ASIS actively participates in the International Organization for Standardization (ISO).

The mission of the ASIS Standards and Guidelines Commission is to advance the practice of security management through the development of standards and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible the knowledge, experience, and expertise of ASIS membership, security professionals, and the global security industry.

Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince Street, Alexandria, VA 22314-2818.

Commission Members

Charles Baley, Farmers Insurance Group, Inc.
Michael Bouchard, Sterling Global Operations, Inc.
Cynthia P. Conlon, CPP, Conlon Consulting Corporation
William Daly, Control Risks Security Consulting
Lisa DuBrock, Radian Compliance LLC
Eugene Ferraro, CPP, CFE, PCI, SPHR, Convercent, Inc.
F. Mark Geraci, CPP, Purdue Pharma L.P., Chair
Bernard Greenawalt, CPP, Securitas Security Services USA, Inc.
Robert Jones, Socrates Ltd
Glen Kitteringham, CPP, Kitteringham Security Group Inc.
Michael Knoke, CPP, Express Scripts, Inc., Vice Chair
Bryan Leadbetter, CPP, Alcoa Inc.
Marc Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
Jose Miguel Sobron, United Nations
Roger Warwick, CPP, Pyramid International Temi Group
Allison Wylde, Consultant

At the time it approved this document, the INV Standards Committee, which is responsible for the development of this Standard, had the following members:

Committee Members

Committee Chairman: Marc Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
Commission Liaison: Eugene Ferraro, CPP, CFE, PCI, SPHR, Convercent, Inc.
Committee Secretariat: Sue Carioti, ASIS Secretariat

Deborah Aebi, SPHR, McPherson Organization Consultants, LLC
John Albanese, CPP, Independent
Greg Alexander, CPP, CFE, Praxair, Inc.
Frank Amoyaw, LandMark Security Limited
Thomas Anderson, Independent
Edgard Ansola, CISA, CISSP, CEH, CCNA, Asepeyo MATEPSS nº151
Charles Atkinson Jr., A and K Investigations
Don Aviv, CPP, PSP, PCI, Interfor Inc.
William Badertscher, CPP, PMP, GSEC, Georgetown University
David Bagnoni, CPP, Independent
Lester Bain, CFE, Burke and Herbert Bank
Pradeep Bajaj, Eagle Hunter Solutions Limited
Michael Balentine, CPP, ConocoPhillips Company
Luis Bauza, CPP, Purdue Pharma
Dean Beers, CLI, CCDI, Independent
Jay Beighley, CPP, CFE, Nationwide Insurance
Dennis Blass, CPP, PSP, CISSP, CFE, CHSP, Children's of Alabama
John Boal, CPP, PCI, Independent
Michael Bouchard, Security Dynamics Group LLC
Tom Bourgeois, CPP, Health Care Service Corporation
Tena Bracy, SPHR, GPHR, CDM, Independent
Marc Brenman, Independent
Robert Brzenchek, Independent
Michael Brzozowski, CPP, PSP, Symcor
Rod Buckingham, PCI, SaskGaming
Gary Bukowicki, CPP, G4S Security Systems (Hong Kong) Ltd
Keith Butler, Independent
Louis Carpenter, Jr., CPP, AT&T Asset Protection
Darren Carter, MSyI, Radisson Blu Edwardian Group
John Casas, PSP, John Casas & Associates LLC
Rene Castillo, CITIBANK Mexico & Latam based in Mexico
Steven Castor, CPP, CBRE Security Services
Fernan Cepero, PHR, The YMCA of Greater Rochester
Darlene Chames, SELEX Galileo Inc.
Antony Chattin, IRCA 9001 Lead Auditor, Maritime Security Solutions Global Ltd
John Cholewa, CPP, Mentor Associates, LLC
Marvin Clark, CPP, AT&T Asset Protection
Winoka Clements, PHR, Erickson - Wind Crest
Roland Cloutier, ADP
Scott Coggins, CPP, Flextronics International
Bill Cooper, T-Mobile
Terry Cooper, JD, SPHR, Saft America, Inc.
Hugues Costes, ArcelorMittal
Frank Davis, CPP, Independent
Joe Davis, CPP, CFI, LPC, T-Mobile USA
Steven Dawson, Owens Corning
Robert Day, CPP, PCI, CSP, Office of Regulatory Change Management
Edward De Lise, CPP, W. T. Hill & Associates, LLC
Iain Deckard, Cox Communications, Central Region
Candy Delgado, Independent
Philip Deming, CPP, SPHR, Independent
Anthony DiSalvatore, CPP, PSP, PCI, REVEL
Bobby Dominguez, CPP, CISSP, PMP, Infinite Computer Systems, Inc.
James Dowling, Independent
Nicholas Economou, Cablevision Systems Corporation
Steve Elliot, SGS
Cheryl Elliott, CPP, CPI, Emory Police
Idris Elmas, FedEx
Domenico Fama', Independent
Eugene Ferraro, CPP, CFE, PCI, SPHR, Convercent, Inc.
Benjamin Ferris, CPP, CISSP, CCEP, Alutiiq, LLC
Linda Florence, PhD, CPP, University of Phoenix
David Flower, JD, PCI, CFE, C. David Flower PLLC
Robert Fluharty, Private Investigation and Security Professionals of West Virginia (PISPWV)
Jeremiah Frazier, CPP, Coca-Cola
Shaun Fynes, CPP, CPI, PSP, CRM, Independent
Carlos Galvez, Jr., CPP, Cisco Systems, Inc.
Lorraine Galvin, PCI, Kreller Business Information Group, Inc.
Nanpon Gambo, CSS, Suffolk Petroleum Services Limited
Scott Gane, CPP, CRSIC, Gane Security Solutions, LLC
Brian Glynn, CPP, Independent
Guillermo Gonzalez, CHPP, Sempra Energy/OSAC
Phillip Guffey, CPP, Roche
Carlos Guzman, Security 101 Denver
Linda Haft, SPHR, Independent
Francis Hall, CPP, PCI, Independent
S. Hauri, CPP, CFE, Bradford Garrett Group
Larry Henning, CFE, CIFI, G4S
Irene Higgins, SPHR, Resources Global Professionals
William Hill, CPP, W. T. Hill & Associates, LLC
Brian Hollstein, CPP, Independent
Patricia Hoofnagle, Magellan Health Services, Inc.
Jeffrey Horblit, Northeast Intelligence Group, Inc.
Barry Horvick, Corporate Intelligence Researchers, Inc.
Tim Houghton, Alberta Association of Private Investigators (AAPI)
Taras Hryb, PSP, Hemispheres Security Investigation Corporation - CAPI
Nadeem Ijaz, Secure Options Group
Katherine Johnson, Harsco Corporation
Ross Johnson, CPP, Capital Power
Lisa Johnston-O'Hara, PhD, The Pennsylvania State University
Robert Jones, Socrates Ltd
Karen Jones, CPP, Independent
Syl Juxon Smith, BSc, Independent
Brian Kaye, CBCP, Global Response Center
Michael Keenan, Forest Laboratories
Richard Kelly, CPP, Ingersoll Rand
Mitchell Kemp, CPP, Cummins Filtration
Steven Kerley, CPP, Air Force Office of Special Investigations
Todd Lacy, CPP, Harley-Davidson Motor Company
Misty Ladd, CPP, PCI, CPOI, Academy of Professional Education
Henrik Laidlow-Petersen, Siemens Wind Power
Marie LaMarche, Harrison Medical Center
William Lang, CBCP, MBCI, CBCV, Independent
Bryan Leadbetter, CPP, CFE, Alcoa Inc.
Vickie Leighton, AMBCI, Avanade Inc.
Paulo Lino, JD, CFE, MBA, Cisco Systems - SPTVSS
John Lohse, University of California System
Anthony Macisco, CPP, Executive Security Group Inc.
Duncan MacLeod, CPP, Battelle Memorial Institute
Virginia MacSuibhne, JD, CCEP, Roche Molecular Systems
Alissa Mallow, Acacia Network
Mark Mason, Hollywood Casino Lawrenceburg
Jioacchino (Jack) Mattera, CPP, CFE, AECOM
Joe Mazza, CHPP, Independent
Scott McClellan, Independent
George McCloskey, CPP, Pixar Animation Studios
James McMahon, CPP, CISSP, McMahon & Associates
Tracy McPhail, Assessment & Organizational Development, TECO Energy
Keith McRae, CPP, Independent
David McRoberts, CPP, Assured Assessments
Marisel Melendez, Casino del Sol
Paul Michaels, CPP, PSP, PCI, CISSP, CB&I Federal Services
Murray Mills, CPP, Independent
Robert Molina, Stewart & Stevenson
Jason Morris, EmployeeScreenIQ
Richard Moulton, CPP, AlliedBarton Security Services
Deyanira Murga, International Private Security IPS
Isaac Nakamoto, Sr., CPP, PCI, PSP, Verisign
Ahsan Naqvi, CFE, CICA, San & Associates
Todd Noebel, Sr., SPHR, Independent
Curtis Noffsinger, CPP, PSP, Independent
Ray O'Hara, CPP, Andrews International
Augustine Okereke, MBA, CPP, PZ Cussons Nigeria PLC
Joseph Olmeda, Jr., CPP, PCI, Independent
Amy Oppenheimer, Independent
James Paulsen, CPP, Minnesota Discovery Center
Matthew Payne, CFE, Intuit Inc.
Mario Pecoraro, Alliance Worldwide Investigative Group Inc.
Juan Carlos Pena, Cummins
Kevin Peterson, CPP, CPOI, Innovative Protection Solutions, LLC
Axel Petri, Deutsche Telekom AG
William Phillips, P.E., CNA
John Pool, Target Corporation
Peter Psarouthakis, EWI & Associates, Inc.
Celeste Purdie, Verizon Wireless
Jeff Puttkammer, M.Ed., HSS
Joseph Rector, CPP, PSP, PCI, 11th Security Forces Group
John Reus, CPP, PCI, Virginia Department of Transportation
Michael Robbins, Association of Workplace Investigators
Joseph Robinson, CPP, CHS-III, Independent
Dr Kim Rocha, ITT Technical Institute
Thomas Rohr Sr, CPP, Carestream Health, Inc.
James Rowan, II, Independent
Jeffrey Sarnacki, CPP, Independent
Dr. Gavriel Schneider, CPP, Dynamic Alternatives
Jeffrey Schoepf, CPP, Independent
Alister Shepherd, Allen & Overy LLP
Maya Siegel, M. Siegel Associates
Nancy Slotnick, SPHR, GPHR, Setracon, Inc.
Keith Slotter, CPA, CFE, CFF, CGMA, Stroz Friedberg LLC
Darien Smith, Independent
Kevin Smith, CPP, Nationwide Insurance
Rebecca Speer, JD, Speer Associates
Patrick Speice, Jr., Compliance Counsel
Barry Stanford, CPP, AEG
Paul Stanford, CBRE Security Services
Thomas Stephens, Independent
J. Kelly Stewart, CPP, Newcastle Consulting, LLC
Peter Stiernstedt, Cikraitz AB
Neil Stinchcombe, Eskenzi PR
Jarod Stockdale, CPP, CFI, Independent
Timothy Sutton, CPP, Sorensen, Wilder & Associates
Karl Swope, CPP, CFE, CFI, Rush Enterprises
Donald Taussig, CPP, Land O'Lakes, Inc.
Mark Theisen, Thrivent Financial
Melanie Thomas, SAS Institute
Rajeev Thykatt, Infosys BPO Ltd
Richard Tonowski, Independent
Bonnie Turner, PhD, SPHR, MBCI
Gregory Tweed, The Preston Matthews Group - PIABC
Dana Valley, Cardinal Health
Sue Ann Van Dermyden, Independent
Shawn VanDiver, CPP, CEM, CTT, VanDiver Consulting
Lloyd Vaughan, Council of Private Investigators Ontario
Carlos Velez, Johnson & Johnson
Stéphane Vuille, CFE, Novartis International AG
Colin Walker, Mclean Walker Security Risk Management Inc.
Roger Warwick, CPP, Pyramid International Temi Group
Lee Webster, University of Texas Medical Branch
Allison West, Esq., SPHR, SHRM-SCP, Employment Practices Specialists
Allan Wick, CFE, CPP, PSP, PCI, CBCP, Tri-State Generation & Transmission Association, Inc.
Wei-Ning Wong, PhD, CBCP, MBCI, Instramax
Loftin Woodiel, CPP, Missouri Baptist University
Trisha Zulic, Efficient Edge HR & Insurance Services, Inc.

Working Group Members

Working Group Chairman: Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative

Don Aviv, CPP, PSP, PCI, Interfor Inc.
William Badertscher, CPP, PMP, GSEC, Georgetown University
David Bagnoni, CPP, Independent
Lester Bain, CFE, Burke and Herbert Bank
Dennis Blass, CPP, PSP, CISSP, CFE, CHSP, Children's of Alabama
Michael Bouchard, Security Dynamics Group LLC
Tena Bracy, SPHR, GPHR, CDM, Independent
Marc Brenman, Independent
Robert Brzenchek, Independent
John Casas, PSP, John Casas & Associates LLC
Winoka Clements, PHR, Erickson - Wind Crest
Steven Dawson, Owens Corning
Nicholas Economou, Cablevision Systems Corporation
Cheryl Elliott, CPP, CPI, Emory Police
Idris Elmas, FedEx
Benjamin Ferris, CPP, CISSP, CCEP, Alutiiq, LLC
Robert Fluharty, Private Investigation and Security Professionals of West Virginia (PISPWV)
Brian Glynn, CPP, Independent
Guillermo Gonzalez, CHPP, Sempra Energy/OSAC
Linda Haft, SPHR, Independent
Francis Hall, CPP, PCI, Independent
Jeffrey Horblit, Northeast Intelligence Group, Inc.
Barry Horvick, Corporate Intelligence Researchers, Inc.
Taras Hryb, PSP, Hemispheres Security Investigation Corporation - CAPI
Syl Juxon Smith, BSc, Independent
Michael Keenan, Forest Laboratories
Todd Lacy, CPP, Harley-Davidson Motor Company
Misty Ladd, CPP, PCI, CPOI, Academy of Professional Education
Bryan Leadbetter, CPP, CFE, Alcoa Inc.
John Lohse, University of California System
Anthony Macisco, CPP, Executive Security Group Inc.
James McMahon, CPP, CISSP, McMahon & Associates
Marisel Melendez, Casino del Sol
Ahsan Naqvi, CFE, CICA, San & Associates
Curtis Noffsinger, CPP, PSP, Independent
Amy Oppenheimer, Independent
James Paulsen, CPP, Minnesota Discovery Center
Mario Pecoraro, Alliance Worldwide Investigative Group Inc.
Celeste Purdie, Verizon Wireless
Joseph Rector, CPP, PSP, PCI, 11th Security Forces Group
Michael Robbins, Association of Workplace Investigators
Thomas Rohr Sr, CPP, Carestream Health, Inc.
Jeffrey Sarnacki, CPP, Independent
Nancy Slotnick, SPHR, GPHR, Setracon, Inc.
Kevin Smith, CPP, Nationwide Insurance
Thomas Stephens, Independent
J. Kelly Stewart, Newcastle Consulting, LLC
Donald Taussig, CPP, Land O'Lakes, Inc.
Rajeev Thykatt, Infosys BPO Ltd
Sue Ann Van Dermyden, Independent
Shawn VanDiver, CPP, CEM, CTT, VanDiver Consulting
Stéphane Vuille, CFE, Novartis International AG
Colin Walker, Mclean Walker Security Risk Management Inc.
Roger Warwick, CPP, Pyramid International Temi Group
Lee Webster, University of Texas Medical Branch
Allison West, Esq., SPHR, SHRM-SCP, Employment Practices Specialists


TABLE OF CONTENTS

0. INTRODUCTION
  0.1 GENERAL
  0.2 INVESTIGATION DEFINED
  0.3 MANAGING INVESTIGATION PROGRAMS AND INDIVIDUAL INVESTIGATIONS
  0.4 PLAN-DO-CHECK-ACT MODEL
1 SCOPE
2 NORMATIVE REFERENCES
3 TERMS & DEFINITIONS
4 PRINCIPLES
  4.1 GENERAL
  4.2 IMPARTIALITY
  4.3 TRUST, ETHICS, COMPETENCE, AND DUE PROFESSIONAL CARE
  4.4 HONEST AND ACCURATE REPORTING
  4.5 INDEPENDENCE AND OBJECTIVITY
  4.6 FACT-BASED APPROACH
  4.7 RELEVANCE
  4.8 THOROUGHNESS
  4.9 TIMELINESS
  4.10 RESPONSIBILITY AND AUTHORITY
  4.11 CONFIDENTIALITY
  4.12 CONTINUAL IMPROVEMENT
5 MANAGING AN INVESTIGATIONS PROGRAM
  5.1 GENERAL
  5.2 UNDERSTANDING THE ORGANIZATION AND ITS OBJECTIVES
  5.3 ESTABLISHING THE FRAMEWORK
  5.4 ESTABLISHING THE PROGRAM
  5.5 IMPLEMENTING THE INVESTIGATION PROGRAM
  5.6 MONITORING THE INVESTIGATION PROGRAM
  5.7 REVIEW AND IMPROVEMENT
6 PERFORMING INDIVIDUAL PROCESS DRIVEN INVESTIGATIONS
  6.1 GENERAL
  6.2 COMMENCING THE INVESTIGATION
  6.3 PLANNING INVESTIGATION ACTIVITIES
  6.4 CONDUCTING INVESTIGATION ACTIVITIES
  6.5 POST INVESTIGATION ACTIVITIES
7 CONFIRMING THE COMPETENCE OF INVESTIGATORS
  7.1 GENERAL
  7.2 COMPETENCE
A REQUIRED QUALIFICATIONS AND PERSONAL TRAITS OF INVESTIGATORS
  A.1 PROFESSIONAL QUALIFICATIONS
  A.2 PERSONAL TRAITS
  A.3 UNACCEPTABLE BEHAVIORS
B USE OF EXTERNAL RESOURCES
  B.1 GENERAL
  B.2 USE OF EXTERNAL INVESTIGATORS AND TECHNICAL EXPERTS
C LEGAL ISSUES AND LITIGATION AVOIDANCE
D TYPES OF INVESTIGATIONS
  D.1 GENERAL
E DETERMINING THE NEED FOR AN INVESTIGATION
F TYPES OF QUESTIONS
G EXAMPLES OF DIFFERENCES IN REGULATORY, LAW ENFORCEMENT, AND PRIVATE SECTOR INVESTIGATIONS
H BIBLIOGRAPHY

TABLE OF FIGURES

FIGURE 1: PLAN-DO-CHECK-ACT MODEL
FIGURE 2: INVESTIGATION PDCA FLOW DIAGRAM
FIGURE 3: REPORTING LINES DURING THE INVESTIGATION PROCESS
FIGURE 4: DEFINING INVESTIGATION PROGRAM OBJECTIVES


0. INTRODUCTION

0.1 General

This Standard provides guidance for individuals and organizations conducting investigations. The Standard uses a systems approach for developing an investigation program consistent with the business management principles related to the Plan-Do-Check-Act (PDCA) Model. The Standard provides insight and guidance for generally accepted practices including the processes and considerations one should contemplate when undertaking an investigation. As guidance, it does not contain requirements, nor is it intended for third-party certification. If implemented, the framework offered should provide users a high degree of assurance that the investigations conducted will be:

a) Effective;
b) Ethical;
c) Lawful;
d) Useful in meeting the intended objective(s);
e) Minimally disruptive to the organization and its operations;
f) Able to provide feedback on procedure/policy deviations; and
g) Value added, providing the highest return on investment without compromising the investigation.

The guidance in this Standard provides a framework for establishing an investigation program and conducting individual investigations within the overall program. It uses the PDCA Model approach to facilitate integration of an investigation program into any risk and resilience based management system. It describes establishing and managing an investigation program as well as conducting individual investigations.

The competence of investigators is the foundation for conducting reliable investigations. This Standard provides competence criteria for investigators conducting investigations. Investigators understand their activities involve interacting with people; therefore, there is a need to build rapport, trust, and confidence while avoiding the creation of an adversarial atmosphere. Good investigative techniques project a sense of fairness based on an impartial approach.

An investigation supports the achievement of the objectives of the organization; therefore, it adds value and may lead to opportunities for improvement. Good investigative techniques help identify and understand root causes of any problems, thereby supporting proactive improvements to avoid a recurrence.

Organizations should adapt this guidance to fit the specific needs, size, nature and level of maturity of their risk management system. This Standard can be used by anybody involved in the investigative process supporting the achievement of the organization’s objectives.


0.2 Investigation Defined

For the purposes of this Standard: An investigation is a fact-finding process of logically, methodically, and lawfully gathering and documenting information for the specific purpose of objectively developing a reasonable conclusion based on the facts learned through this process.

An investigation is conducted to reveal information and facts that can be used to support conclusions about an allegation, assertion, claim, or process. By focusing on uncovering facts and essential information needed to reach conclusions and solve problems, a properly conducted investigation can provide additional benefits, such as:

a) Increased awareness of policies and procedures of the organization;
b) A means to analyze and identify process and system failures;
c) Providing actionable information to resolve problems and mitigate consequences;
d) Providing an informed response to litigation and regulatory actions;
e) Identifying and understanding the root causes of an incident to prevent a recurrence; and
f) A basis for improvement of the organization’s operations and activities.

This definition applies to public and private organizations. It covers the broad range of investigations, from preemployment screening, to administrative and internal inquiries, to criminal matters, to allegations of improprieties. The value of investigative capabilities may be measured in terms of recovery, restitution, risk reduction, and process improvements. Investigations may differ in terms of legal authorities, resource allocations, and use of outcomes based on jurisdictional laws, policies, and procedures. This Standard examines investigative functions which may be conducted with internal and external resources, or a combination of both.

0.3 Managing Investigation Programs and Individual Investigations

The investigation program establishes the overall investigation process. The investigation program is the overarching organizational structure, resources, commitment, and documented methods used to plan and execute investigations. An effective program is built by clearly defining the investigation objectives. A competent person should manage the investigation program and the necessary resources (including qualified personnel and sufficient time) should be committed to meet the program objectives. Priority should be given to gathering and assessing information significant to the mission of the organization and meeting legal, ethical, and contractual obligations.

Individual investigations within the overall investigation program are conducted within a clearly defined scope consistent with achieving the objectives of the overall investigation program. This Standard also provides guidance on the preparation for and execution of individual investigations.


0.4 Plan-Do-Check-Act Model

This Standard adopts the PDCA model from Total Quality Management (TQM). Figure 1 illustrates the model.

[Figure 1 panels: Plan (Define & Analyze an Issue and the Context); Do (Devise a Solution; Develop Detailed Action Plan & Implement it Systematically); Check (Confirm Outcomes Against Plan; Identify Deviations and Issues); Act (Standardize Solution; Review and Define Next Issues)]

Figure 1: Plan-Do-Check-Act Model

The PDCA model is a clear, systematic, and documented approach to:
a) Set measurable policies, objectives, and targets;
b) Methodically implement the program;
c) Monitor, measure, and evaluate progress;
d) Identify, prevent, or remedy problems as they occur;
e) Assess competence requirements and train persons working on the organization’s behalf; and
f) Provide top management with a feedback loop to assess progress and make appropriate changes to the investigation program.

Furthermore, it contributes to information management within the organization, thereby improving operational efficiency.

In conjunction with the PDCA model, this Standard uses a process approach for the investigation program. An investigation program is a compilation of a system of interrelated processes. The identification, linkages, and interactions of the processes comprising the investigation, and their management, can be referred to as a “process approach”. When designing an investigation program, it is necessary to identify and manage many activities in order to function effectively. Any managed activity using resources to enable the transformation of inputs to outputs can be considered a process. In developing the investigation, and individual investigations, it is important to recognize that often the output from one process directly forms the input of another process.

Tip #1: Investigations and PDCA

Though the objectives, and certainly the scope, of investigations vary widely, their principal purpose is always objective fact-finding. Thus the investigator must be fair, impartial, thorough and certainly purposeful. Lacking an effective process, investigators often spend more time and resources than necessary, produce inconsistent results, and create unnecessary liabilities for those they serve. No investigation, regardless of its objectives or scope, can be successful if not properly planned, lawfully executed, and within a prescribed process.


Investigations

1 SCOPE

This Standard provides guidance for individuals and organizations intending to undertake the collection and examination of information pursuant to an investigation. It should be noted that although this Standard is intended for use in the private sector, this document may also be applicable to the processes and methods used in the public sector.

This Standard:
a) Provides a framework for investigative processes that is intended to enable an organization to identify, develop and implement policies, objectives, protocols and programs;
b) Identifies some of the jurisdictional laws and regulations or other obligations that may impact or govern the investigative process and the various ways investigations are used;
c) Describes the process for conducting investigations consistent with the PDCA Model;
d) Provides confidence that the information was gathered and assessed in a fair, objective, thorough, and purposeful fashion; and
e) Provides insight and guidance regarding generally accepted practices relative to the processes and considerations for an investigation.

This Standard is applicable to all organizations that conduct investigations whether using persons who are internal or external to the organization. Annex E provides information for organizations considering the use of external investigators. Furthermore, the guidance offered is sufficiently generic to be applicable to all organizations, regardless of type, size, geographic footprint or nature of their activities, products or services. This Standard is a guidance document and not intended as a specification for third-party certification.

2 NORMATIVE REFERENCES

This Standard does not make reference to any normative documents which constitute foundational knowledge for the use of this American National Standard.


3 TERMS & DEFINITIONS

For the purposes of this Standard the following terms and definitions apply:

Term: Definition

3.1 action: A lawsuit brought in court.

3.2 actionable: A matter which may be subject to legal or administrative action or intervention.

3.3 admissibility: The legal authority permitting the entry of evidence into a legal proceeding.

3.4 admissible: Evidence which may be formally considered in a legal proceeding.

3.5 admission: The simple admission to the commission of an offense, work rule or policy violation, or violation of the law. Differs from a confession in that it may or may not contain all of the elements of the offense or crime in question.

3.6 agency: Fiduciary relationship between two parties in which one (Agent) is under the control of (is obligated to) the other (Principal).
NOTE 1: The agent is authorized by the principal to perform certain acts, for and on behalf of the principal.
NOTE 2: The Principal is the person from whom an agent's authority derives.

3.7 appeal: An application to a higher court to correct or modify a judgment rendered by a lower court.

3.8 arrest: The taking of a person into custody in a manner provided by law for the purpose of detention in order to answer a criminal charge or civil demand.

3.9 attorney work product: Evidence which a party to a lawsuit does not have to reveal during the discovery process because it represents the thought process and strategy of the opposing attorney giving legal advice.

3.10 case file: The tool used by investigators to organize and maintain their records, documents and reports during an investigation.

3.11 chain of custody: A record detailing those who handled or possessed a piece of evidence. Synonymous with chain of evidence.

3.12 chain of evidence: See Chain of Custody.

3.13 circumstantial evidence: Indirect evidence which in and of itself does not prove a material fact. Often gathered and used cumulatively to prove a fact.

3.14 confession: A comprehensive admission to the commission of an offense or violation of the law that contains all of the elements of the offense or crime in question. Not to be confused with admission.

3.15 credibility: The reliability or trustworthiness of an individual.

3.16 custodian of record: The person or entity responsible for record possession, retention, and/or preservation.

3.17 client: The individual or entity for which an investigation is performed.
NOTE: A customer is a more general term used to indicate the recipient of a tangible or intangible service or product.

3.18 decision-maker: A person who decides things, especially at a high level in an organization.
NOTE: The decision-maker rather than a member of the investigative team is responsible for making decisions regarding discipline and corrective action.

3.19 direct evidence: Evidence which proves a material fact.

3.20 discovery: The legal process of obtaining information and/or evidence from a legal opponent.

3.21 due process: A fundamental guarantee that all legal proceedings will be fair and that one will be given notice of the proceedings and an opportunity to be heard before the government acts to take away one's life, liberty, or property.

3.22 electronic surveillance: Any form of surveillance which uses electronic technology.

3.23 embezzlement: The unlawful appropriation of property or assets of another of which one has been entrusted.

3.24 entrapment: Actions which might induce an otherwise honest citizen to commit a crime that without the inducement would not have committed. Entrapment is a criminal defense and is not a crime. In order to use entrapment as a defense, the accused must first admit they committed the offense.
NOTE: Legality is based on jurisdictional laws.

3.25 ethics: A collection of “accepted principles that govern” a particular group or profession.

3.26 evidence: Evidence is any type of proof that when presented, is materially capable of proving or disproving a contention or fact. In order to be used or admissible, the evidence must be material to the matter in question.

3.27 fact pattern: The collection of known facts associated with or directly related to the matter in question.

3.28 false imprisonment: The criminal or civil offense of improper arrest or detainment with confinement, of a person without proper warrant or authority for that purpose by force, intimidation or coercion.

3.29 fraud: Theft by deceit and deception.

3.30 hearsay evidence: Testimony from a person who has secondhand knowledge.

3.31 inadmissible: Evidence which cannot be formally considered in a legal proceeding.

3.32 intent: A state of mind which if proven, demonstrates the intention to commit a criminal act.

3.33 interview: A conversational exchange for the purpose of collecting information to reveal facts and the truth about the events under question.

3.34 interviewer: One who conducts interviews.

3.35 investigation findings: A result or conclusion reached after examination or investigation.
NOTE: The term as used in this Standard should not be confused with the word findings when used as a term of art by the legal profession. Generally when used as such, the word describes the result of the deliberations of a jury or court following a judicial proceeding or investigation.

3.36 investigation process: A structured and sometimes scientific approach to investigation. Sufficiently structured to provide uniformity and consistency yet, fluid and flexible enough to accommodate any situation or fact pattern.

3.37 investigation: A fact-finding process of logically, methodically, and lawfully gathering and documenting information for the specific purpose of objectively developing a reasonable conclusion based on the facts learned through this process.

3.38 investigation team leader (ITL): The person designated as leading the investigation team. The ITL is typically the point of contact through whom those outside the investigative team communicate with it.

3.39 investigator: A person engaged in the systematic collection, analysis and preservation of information and/or facts related to the matter in question.
NOTE: The investigator may be a member of an investigative team working under the direction of an investigation team leader and/or investigation unit manager.

3.40 investigative unit (IU): The entity within the organization tasked with conducting or overseeing investigations.

3.41 investigation unit manager (IUM): The person responsible for managing the investigation program and assuring the necessary financial, human, physical, and time resources are committed to conduct an effective investigation.

3.42 judgment: A legal finding of responsibility.

3.43 jurisdiction: An area or subject over which a party has authority.

3.44 management system standard: A framework of processes and procedures used to ensure that an organization perform activities needed to achieve its objectives.

3.45 organizational investigations: Investigations performed at the direction of the organization, for the organization. Usually involves the investigation of crimes and offences committed against the organization and/or as a method of establishing the facts and organizational due diligence relating to potential regulatory action.
NOTE: Differs from workplace investigations in that the subject of the investigation may not be an employee or former employee of the organization.

3.46 physical surveillance: A form of monitoring where the subject is kept under physical observation.
NOTE: May be augmented with technology but requires constant human monitoring.

3.47 preemployment screening: A form of investigation used to verify the identity, personal history and credentials of an employment applicant.

3.48 preponderance of the evidence: The amount of evidence needed to prevail in most civil matters, which is based on a finding that it is more likely than not that an alleged event occurred.

3.49 privacy, the right to privacy: A human right and an element of various legal traditions which may restrain both government and private party action that threatens an individual to be free from being observed or disturbed by other people, or having their affairs made public.

3.50 private investigations: Investigations performed for and by the private sector.

3.51 private sector: The part of the economy that is not under direct government control.
NOTE 1: Run by private individuals or groups either for profit or not for profit.
NOTE 2: Those suspected of a workplace offence may be the subject of a private sector investigation conducted by their employer or agents, and if determined responsible, disciplined by their employer.

3.52 privilege: A legal protection which permits the lawful withholding of information or evidence from an opponent during the course of litigation. May be used in both criminal and civil cases.

3.53 public sector: The part of an economy that is controlled by the government.
NOTE: Composition of the public sector varies by country, but in most countries the public sector provides services which benefit all of society rather than just the individual who uses the service.

3.54 restitution: Returning to the proper owner property or the monetary value of loss.

3.55 return on investment (ROI): The return enjoyed on any particular investment. The return may be monetary or otherwise.

3.56 spoliation: The intentional or negligent destruction, alteration, or mutilation of evidence, and may constitute an obstruction of justice.

3.57 standard of proof: The quality and quantity of proof necessary to make a finding.

3.58 subject: The individual who is under investigation or the matter in question. Not to be confused with suspect as used in the public sector. The individual may or may not be a suspect.
NOTE: Sometimes referred to as “respondent”.

3.59 surveillance: The direct and deliberate observation or monitoring of people, places or things.

3.60 workplace investigations: Any investigation taking place in or involving the workplace.
NOTE 1: May be conducted by those either in the private or public sector.
NOTE 2: Typically involving the investigation of employee misconduct, workplace policy violations or work rule violations. The matter under investigation may or may not be a violation of the law.

NOTE: Some legal definitions may vary by jurisdiction, therefore, some of the terms in this glossary may have specific legal definitions in certain jurisdictions. The definitions provided are based on common usage.

4 PRINCIPLES

4.1 General

The principles in this Standard give guidance necessary to provide consistency, accuracy, credibility, fairness and scalability in the fact-finding, documentation, information rendering, and reporting processes as they relate to investigations. Examples of stakeholders in these processes include, but are not limited to:
a) Customers, clients, shareholders, directors, employers, employees, vendors, or anyone engaged in commerce or other lawful activities in the private sector;
b) Government and regulatory authorities including elements of both the criminal justice system and all of its counterparts in the civil justice system;
c) Civil society groups, non-governmental organizations, and non-profit entities;
d) Organizations that provide and/or support investigative services whether for profit or not; and
e) Members of the public (including the media).

The principles below apply to the activities involved in most routine investigative activities, as well as those conducted for special or specific purposes. Use of these principles helps ensure those conducting investigations independently yet in similar circumstances will likely produce similar findings based on similar circumstances.

4.2 Impartiality

Impartiality is the ability to separate one’s self and self-interests from the investigation and its outcome. Confidence in the investigation process is dependent on an independent and impartial fact-finding process and a complete separation of self-interests from the investigation’s ultimate outcome. Impartiality requires both the actual and perceived presence of objectivity. Investigation programs should implement measures to ensure and monitor impartiality. These measures should demonstrate to stakeholders that a credible investigation process is in place.

Investigators should be objective, impartial, unbiased, have no vested interest in the outcome, and avoid any conflict of interest. Any possible conflicts of interest should be identified, disclosed, resolved, and documented before an investigation begins. Threats to impartiality include:
a) Self-interest threats: arise from having a vested or financial self-interest;
b) Self-review threats: arise from reviewing advice or the work done by oneself on behalf of the organization;
c) Familiarity threats: arise from being too familiar with processes and persons being investigated to obtain unbiased evidence and conclusions;
d) Cognitive bias threats: arise from individuals creating their own subjective reality from their preconceived perception of the input; and
e) Intimidation threats: arise from having a perception of being coerced or pressured.

Tip #2: Impartiality

The investigator can demonstrate their impartiality by:
a) Not deciding the investigation’s objectives and not having a vested interest in the outcome.
b) Excluding themselves from any decision-making process at the conclusion of the investigation. By not being party to the decisions regarding discipline or corrective action, the investigator has no say in the outcome.
c) Demonstrating their impartiality by their work. The analysis in the investigative report should fairly show how the investigator weighed all the evidence, both for and against the ultimate findings.

4.3 Trust, Ethics, Competence, and Due Professional Care

Activities in investigations should be conducted honestly, diligently, and responsibly. All interested parties should be confident the investigator possesses the technical competence and integrity required to conduct the investigation in a professional manner throughout the investigation process. Competence is the ability to apply knowledge and skills relevant to the investigation in order to achieve intended accurate results. Investigations should be conducted with proficiency and with due professional care. Integrity provides the foundation for professionalism and trust. Investigators have a responsibility to observe and comply with any applicable legal, safety, and security requirements.

To be ethical requires the investigator to behave in such a fashion as to protect the rights of those under investigation, obey the law, respect organizational policies and procedures, and protect the integrity of the process. Many organizations have established a code of ethics that sets standards of conduct in the performance of work. Actions such as truthfulness, honesty and impartiality collectively constitute ethical behaviour. To instil trust, an investigator’s ethical principles and integrity may be codified by a formal set of ethical standards addressing issues of independence, diligence, honesty, impartiality, and confidentiality.

4.4 Honest and Accurate Reporting

Investigation findings and conclusions should be based on evidence that accurately and honestly reflects investigative activities and is truthfully presented in the reports. Impediments to achieving investigation objectives, unresolved issues, and divergent opinions should be reported. Communications should be timely, accurate, unambiguous, unbiased, and complete. Evidence should be clearly documented.

4.5 Independence and Objectivity

Investigators should be independent and objective in performing their work. Investigation activities should be free from interference in fact-finding and reporting. Questions related to impairment of independence or objectivity should be analyzed, mitigated, and reported. Investigators should be aware of and sensitive to influences that may affect their judgment when conducting an investigation. Investigators should evaluate if they can conduct an investigation in a culturally, professionally, organizationally, and technically unbiased fashion.

Confidence in the investigative process, which is necessary to encourage the reporting of incidents or allegations, is not only dependent on the actual independence of the investigator, but also on the perception of independence by a variety of third party observers (e.g. employees, vendors, regulators, etc.). Organizational segregation of duties insulates the investigative process from undue influence and provides a significant counterweight to possible allegations that the investigation was not fair and objective.

Tip #3: Independence and Objectivity

To aid in maintaining objectivity, every investigator should consciously recognize their personal prejudices and neutralize the effects of those prejudices on investigative activities, including the formation of the hypothesis. In other words, the professional investigator must ensure that the investigative findings form the basis for their impressions, not the reverse. In addition, the investigator’s approach and demeanor are of critical importance to the successful outcome of a case. First and foremost, the investigator should project an air of objectivity. This is accomplished by choosing words and phrases carefully during the investigative process and by avoiding facial expressions and body language that might project an inappropriate attitude or prejudgment.

4.6 Fact-based Approach

Investigation conclusions should be based on verifiable information or evidence gathered through a systematic investigation process that ensures reliability and integrity. It should be recognized that an investigation is conducted with finite resources. Investigators should effectively determine the depth, breadth, and quality of information required for accurate fact-finding. This should be done by considering an adequate spectrum and depth of details without gathering so much data as to confuse the facts of the case, causing unnecessary delay to the investigation or possibly even obscuring the truth. The accuracy of a fact-based approach is reflected by the credibility of the information source, whether human, documentary, physical, or electronic.


4.7 Relevance

Investigations should be focused on the information that pertains to the purpose of the investigation and is at the appropriate level of detail. The spectrum of details pertains to how wide a net the investigator needs to cast in order to gather all relevant information.

Tip #4: Cause and Effect Relationships

Cause and effect relationships may be relevant to an investigation. For example, the subject of a personnel background investigation may have a poor credit rating. Rather than simply reporting a potential weakness in the applicant, the investigator should attempt to determine and verify the cause of the credit rating, as well as possible mitigating information. The subject may have been a victim of identity theft or may have suffered the loss of a close relative and been saddled with large secondary financial debts until the estate could be settled. In either case, the concerns may be addressed through the investigative process and may provide the appropriate information to decision-makers.

4.8 Thoroughness

Based on the investigative scope, activities should follow relevant leads to their conclusion. A thorough investigation involves making efforts to corroborate allegations and facts, doing follow-up enquiries to clarify and confirm testimony and evidence. Corroborating important aspects through different sources is a helpful means of achieving thoroughness along with using different types of sources.

Tip #5: Thoroughness

Various types of sources for a particular piece of information might be interviewees or witnesses, subject matter experts, physical evidence, electronic evidence, public records, surveillance results, open sources, databases, etc.

4.9 Timeliness

Investigators should conduct the investigation in a timely manner, achieving the investigative objectives while ensuring the quality and integrity of the investigation. Investigations should be conducted as soon as possible, consistent with jurisdictional requirements, and to avoid degradation of human, physical, or electronic evidence. Once an investigation is under way, it should be completed in an expedient manner to conserve resources, allow operations to return to normal as soon as possible, and implement corrective actions. However, care should be taken not to rush an investigation at the expense of quality, thoroughness, or accuracy.

4.10 Responsibility and Authority

It is the responsibility of the investigation team to objectively evaluate the criteria of the investigation program by collecting and documenting unbiased evidence. Findings should be supported by sufficient documentation and evidence.

The authority to perform an investigation should be verified prior to the start of investigation activities. Authority for an investigation may be granted by either a single source or multiple sources; internal or external to the organization. It is the responsibility of the investigation team leader to confirm any authorizations and that the investigation tasking is within the bounds of jurisdictional laws and regulations or other obligations. Explicit authority to conduct the investigation confers legitimacy to the investigation. The relationship between the permitting authority and the investigation team should be clearly understood.

4.11 Confidentiality

Persons involved in the investigative process should maintain confidentiality. Investigators should strive to minimize the possibility of inadvertent disclosure which may result in reputational, psychological, or physical harm to individuals or organizations. Confidentiality arrangements should consider jurisdictional laws and regulations or other obligations, including those for privacy, protecting information, and discoverability.

Tip #6: Confidentiality

Subject to jurisdictional laws and the organization’s policies and practices, confidentiality admonitions should be provided to interviewees at the beginning of the investigation interview. The investigator should clearly explain the confidentiality and disclosure relationship and its limitations. Investigators should strive to minimize the possibility of inadvertent disclosure of information unless instructed by counsel. Confidentiality arrangements consider jurisdictional laws and regulations or other obligations, including those for protecting information as well as requirements related to discoverability. Attorney investigators may be held to a different standard and have additional ethical obligations regarding confidentiality.

Failure to protect personal or confidential information, either by the organization, investigator, or interviewees, may result in: increased risk; retaliation; leaked information; lawsuits; bias of the process; and erroneous conclusions. Confidentiality should be maintained to prevent compromise or unwanted exposure of an investigation. Only those with a need to know should be involved in or told of the investigation. To do otherwise may risk the integrity of the investigation as well as may put people (including the investigator) at risk.

In order to require confidentiality, it may be important to consider and document one or more of the following business reasons for maintaining confidentiality:
a) That an employee is in need of protection;
b) Evidence may be destroyed;
c) Testimony is in danger of being fabricated;
d) There is a risk of a cover-up; and
e) Protection of privacy rights.

4.12 Continual Improvement

Managers improve their investigation processes through the monitoring, measurement, review, and subsequent modification of the investigation program, processes, procedures, capabilities, and information within a continual improvement cycle. Formal, documented reviews are conducted regularly. The findings of such reviews should be considered by top management, and action taken where necessary to identify opportunities for improvement.

5 MANAGING AN INVESTIGATIONS PROGRAM

5.1 General

5.1.1 Managing Investigation Programs

The purpose and objectives of an investigation drive the approach and methodology. Most successful investigations are process driven. Investigations can be complex undertakings which are time consuming and fraught with enormous potential for legal liability. When properly managed, they combine an intricate mixture of skill, experience and knowledge. A sound understanding of investigation management fundamentals is necessary for success and efficient use of resources. Managing the risk associated with an investigation is essential given that few organizational activities invoke so much risk and at the same time, so much opportunity.

Like any other organizational function, managing investigations entails basic functions of management: planning, organizing, directing, coordinating, and controlling. All five of these functions apply to managing the overall investigative program, as well as when conducting individual investigations.

The strategic level of an investigation program involves the management program and its relationship with the organization’s top management. Legal counsel, human resources, risk management, and other relevant departments should be involved at this level to ensure the proper focus of the investigation as it relates to organizational policy and procedure, labor relations, or the law. Issues at this level may include:
a) Establishing attorney work product protection;
b) Designating head of the investigative function;
c) Identifying the organizational structure;
d) Defining strategic goals and objectives;
e) Focusing investigative efforts; and
f) Identifying and allocating resources.

At the case level, individual investigation parameters and details are prescribed, including the particular investigators, investigative techniques, and case management protocols associated with them. The details of both the overall program and individual investigations include technical aspects of the investigative function and how the function works within the program. Such issues as case load, case assessment, quality control, investigative policies and procedures, reporting formats, liaison, team composition, supplies and equipment, evidence management, and outside contracts are considered at this level.
The investigation unit manager (IUM), sometimes referred to as the project manager or case manager, should participate at the program and individual investigation levels while simultaneously considering factors that transcend the investigative management levels. The IUM is typically the person directly responsible for the investigative function in an organization and, depending on the organizational structure, this individual may hold the title of chief security officer, security director, director of investigations, director of human resources or something similar.

5.1.2 Characteristics of an Investigation

In order for the results of an investigation to be useful, it should have well-defined objectives understood within the business and risk management context of the organization. An investigation should be properly and lawfully executed, be fair and impartial, and the results accurately documented and communicated. Figure 2 illustrates how to build an efficient investigation using the concepts of the PDCA model.

Figure 2: Investigation PDCA Flow Diagram

The properly planned and executed investigation will often produce tangible, measurable results such as the reduction or deterrence of undesirable events and infractions of policy; the recovery of stolen assets; the termination of dishonest employees or vendors; and successful prosecution. Protection of brand and reputation provides significant benefit to the organization, but may be difficult to quantify. Also possible are civil recovery, restitution, damage awards, and successful insurance claims. In some instances, even the cost of the investigation can be recovered.

By using the PDCA model the organization clearly defines the objectives, methodologies, and processes thereby enabling the efficiencies of repeatability and scalability. The PDCA model, by defining the approach, results in reliable and predictable outcomes. While all investigations are unique and are tailored to the fact pattern or allegation presented, the PDCA provides a repeatable and scalable framework for the conduct of the investigation. The objectives of the investigation will drive what facts and evidence are to be gathered.

Experienced investigators will find that over a period of time investigations of similar type take on similar themes. These themes should be documented as defined and repeatable processes which then support that particular type of investigation. Examples of support tools include, but are not limited to:
a) Case management software;
b) Case files and file storage systems;
c) Evidence management tools and systems;
d) Report styles and templates; and
e) Document retention protocols.

5.1.3 The Elements of a Successful Investigation

Given the diverse nature of investigations and their many purposes, successful investigation programs require the following common elements:
a) Management commitment;
b) Meaningful objectives;
c) A well-conceived strategy;
d) Well-deliberated time plan;
e) Properly pooled resources and expertise; and
f) Lawful execution.

5.2 Understanding the Organization and its Objectives

Investigations are conducted as part of the organization’s overall business and risk management activities. Therefore, ultimately investigations must be considered within the context of the organization’s mission and achievement of enterprise-wide objectives. Persons planning and conducting an investigation need to develop an understanding of the organization where the investigation is being conducted in order to understand how the investigative activities impact the organization and its human, tangible, and intangible assets.

Investigations support the core mission of the organization, market research, competitive intelligence, and other functions. The investigative activities should be seen as a resource and employed in ways that support overall business objectives. The IUM should understand how the investigative capability fits into the organization and how top management envisions its application in support of overall risk and business management objectives. Ideally, the IUM plays a key role in defining the fit and the nature of the investigative functions.

Understanding the organization may include factors such as:
a) Organization mission and business objectives;
b) Nature of the business activity;
c) Governance, authority, and management style;
d) Types of services provided or products produced, manufactured, stored, or otherwise supplied;
e) Risk appetite (including reputational risk);
f) Stakeholders and their objectives;
g) Types of clients served;
h) Information flow, command and control;
i) Supply chain and critical infrastructure dependencies and interdependencies;
j) Regulatory environment;
k) Competitive nature of the industry;
l) Organization culture;
m) Cultures, informal structures, and geographic spread within the organization;
n) Any special issues raised by the production, administration and service processes (e.g., environmental waste, disposal of defective goods, etc.);
o) Type of labor (e.g., labor union, unskilled, use of temporary workers, outsourcing, use of immigrants, etc.);
p) Hours of operation;
q) Sensitivity of information; and
r) Stakeholder perception of risk tolerance and acceptance (internally and externally).

5.2.1 Investigative Function within the Organization

The investigative function and its location in the organizational structure vary significantly from one organization to the next. The structure of an investigative function should be the result of a needs assessment and a cost-benefit analysis. Senior security, assets protection, or risk management professionals should advise top management on realistic investigative needs and the most effective structure for meeting those needs. The following are examples of common structures for an investigative capability within organizations:
a) A separate investigative unit with the IUM or investigative team leader (ITL) reporting to the chief security officer (CSO);
b) A separate investigative unit with the IUM or ITL reporting to the risk management or assets protection director;
c) A separate investigative unit with the IUM or ITL reporting to the legal department;
d) A separate investigative unit with the IUM or ITL reporting to the chief compliance or audit officer;
e) Specialized investigation teams supported by internal audit or IT;
f) Investigations performed by an independent function, such as an inspector general or equivalent, which reports directly to top management;
g) Investigations conducted by the security director personally since no dedicated investigative unit or investigator exists;
h) Security director oversight of an outsourced investigative capability, calling on an outside vendor as needed under a prearranged agreement;
i) Specialized investigations supported by a special litigation committee which is typically comprised of a sub-group of a board of directors, executives or outsiders with specific expertise;
j) Oversight by general counsel or other in-house attorney with specific expertise of the internal or external investigation team;
k) Human resources or employee relations executive with oversight over investigation team; or
l) Outside counsel with oversight over internal or external investigation team.

In larger or more geographically dispersed organizations, regional investigative units or personnel may be established in order to conserve travel costs and time. This arrangement also allows for investigators who are familiar with local issues (culture, geography, procedures, laws, regulations, etc.) and provides an opportunity to work more effectively with local liaison contacts. Organizations may also establish separate investigative capabilities within different business units.

The reporting chain for investigative information or results is critical and can affect both the outcome of specific cases and the effectiveness of the unit itself. Generally, the shortest reporting chain between the source of the information and the final decision maker is best.

Tip #7: Reporting Chain

If litigation is anticipated or there is suspected unlawful conduct within the workplace, legal counsel may engage the investigator and communicate that the investigation is “confidential and privileged.” By this assertion, any communication, inclusive of reports, occurring between the investigator and legal counsel should be considered “attorney work product.” In some jurisdictions, the work product may be considered protected and not discoverable in the litigation process. Alternative means exist for establishing attorney-client and work-product protections, such as by clearly establishing at the outset (either by contract or other dictate) that the investigator is charged with producing factual findings to legal counsel, so that legal counsel may use the findings to provide legal advice to the organization.

The final decision maker(s) should be top management, such as the chief executive officer, chief operating officer, chief legal counsel, president, or some other official who has similar executive and decision making authority (e.g., person authorizing the investigation). It is important to identify the decision maker, establish a close working (and trust) relationship with him or her, and develop a formal reporting mechanism. In some situations, it may be advisable to establish an alternate or contingency reporting mechanism in case the identified decision maker is unavailable, is a party in the case or investigation, or is possibly involved in the investigative matter. The lineup of liaison contacts, potential outside sources for investigative services, specialists, and equipment vendors should be tailored to the primary focus areas of the investigative unit. Whether the investigative capability of an organization consists of a dedicated unit, a single investigator, the security director alone, or another arrangement, a specific individual (with a backup) should be designated to manage these outside investigative resources. This provides continuity and facilitates rapid implementation of capabilities. Investigative needs generally arise on short notice and on a surge basis. Figure 3 provides an example of reporting lines during the investigative process. See Annex E for more information on determining the need for an investigation within an organization.


Figure 3: Reporting lines during the Investigative process

5.3 Establishing the Framework

5.3.1 Context of the Organization

Conducting investigations within an organization requires knowledge of the internal and external factors that can influence an organization’s performance in managing its business and risks. When planning the investigation process it is important to consider:
a) Risks associated with the industry sector and organization’s processes;
b) Internal factors affecting the operating environment of the organization;
c) External factors affecting the operating environment of the organization;
d) Internal and external stakeholders who contribute to risks associated with the investigation;
e) Internal and external stakeholders who are impacted by outcome of the investigation; and
f) Factors that influence the acceptance of risk in the organization and by its stakeholders.

5.3.1.1 Internal Context

The investigative unit should identify, evaluate, and document the internal context, including:
a) Strategies, policies, objectives, plans, and guidelines to achieve objectives;
b) Governance, roles and responsibilities, and accountabilities;
c) Values, ethos, and culture;
d) Financial arrangements and restraints;
e) Information flow and decision-making processes;
f) Internal stakeholders who are the owners, contributors, impacted parties, and managers of risk (enterprise-wide and by sub-divisions);
g) Capabilities, resources, and assets (tangible and intangible);
h) Procedures and practices;
i) Activities, functions, services, and products including their value streams; and
j) Brand and reputation.

5.3.1.2 External Context

The investigative unit should define and document the external context, including:
a) The cultural and political context;
b) Legal, regulatory, technological, economic, natural, and competitive environment;
c) Contractual agreements, including other organizations within the contract scope;
d) Infrastructure dependencies and operational interdependencies;
e) Supply chain and contractor relationships and commitments;
f) External stakeholders who are the owners, contributors, impacted parties, and managers of risk (within the supply chain, vested interests, impacted communities, and the media);
g) Key issues and trends that may impact the processes and/or objectives of the organization;
h) Perceptions, values, needs, and interests of external stakeholders (including local communities in areas of operation); and
i) Operational forces and lines of authority.

In establishing its external context, the organization should ensure that the objectives and concerns of external stakeholders are considered when determining investigation criteria, where appropriate. The focus of the investigation will help identify the internal and external factors that will affect how the investigation is conducted and its outputs.

5.3.2 Needs and Requirements

The needs and requirements for the investigative function vary between organizations, as well as within business units of an organization. Therefore, the IUM and ITL need to have a clear understanding of the needs and requirements of the organization for investigative functions. The persons conducting the investigation should also understand the reason and purpose for the investigation. There should be a clear understanding between the IUM and top management as to the purpose of the investigation program and intended use of the outcomes. Examples are:
a) Personnel screening;
b) Employee misconduct (including but not limited to harassment, discrimination, retaliation, policy violations);
c) Internal or external theft;
d) Fraud prevention and detection;
e) Provide input for human resource management processes;
f) Better protect tangible and intangible assets;
g) Determine causes of accidents, mishaps, or disruptive incidents;
h) Use of a systematic process to identify weaknesses in the organization’s processes and risk management approach;
i) Identify opportunities for improvement;
j) Evaluate effectiveness of training and awareness programs;
k) Evaluate and improve the allocation of resources;
l) Demonstrate regulatory compliance (including but not limited to food, health, safety, production, labor, equal employment opportunity, and discrimination regulations);
m) Conformance with organizational policies;
n) Reduce liabilities;
o) Provide information for post investigation activities and actions;
p) Reputation and brand protection; and
q) Evaluate business relationships and supply chain needs, as well as address customer/client concerns.

When developing the investigation program, the IUM should understand the organization’s intended use of the investigation results. The needs and requirements of the organization for the investigative function may change based on:
a) Economic realities of the organization;
b) Market forces;
c) Risk appetite (the amount of risk an organization is willing to accept, retain, or pursue [1]);
d) Increase or decrease in the number of incidents requiring an investigation;
e) Organizational response to criminal and unethical behavior;
f) Reputational considerations;
g) Jurisdictional laws and regulations or other obligations;
h) Outsourcing of services and activities; and
i) Stakeholder perceptions and interests.

[1] Adapted from ANSI/ASIS/RIMS RA.1-2015, Risk Assessment

Tip #8: Linking Value Added to Needs and Requirements

The investigative unit should demonstrate value to the organization consistent with its needs and requirements. Support for budget justifications can be bolstered by any or all of the following:
a) Proper investigative focus to support the organizational mission as well as strategic and business objectives;
b) Accurate and detailed tracking of investigative costs;
c) Effective implementation of cost management and efficiency measures;
d) Demonstration of restitution and recovery benefits;
e) Quantitative estimation of risk avoidance in monetary terms;
f) Creating a safe and respectful work environment for employees and others; and
g) Compliance driven to meet requirements and minimize organizational risk.

Carefully tracking and managing operational and overhead costs can significantly improve the response to funding requests. Costs can be tracked by case type, location, business unit, or other variable. Additionally, recoveries and restitution figures should be tracked and reported to senior management to help demonstrate a financial benefit to the organization and support return on investment (ROI) arguments. Often, IUs can demonstrate ROI through civil recovery efforts, recovering not only the losses but also the related investigative costs.

5.3.3 Objectives of the Investigation Program

Clearly defined investigation objectives are crucial to implementing a successful investigation program. Investigations provide more value to the organization if the investigation program objectives are aligned with organizational and management objectives (as may be articulated in the enterprise-wide strategic business plan). The IUM and top management should clearly define and agree upon the investigation objectives.

Both overarching and specific objectives are critical to the investigation from a strategic and tactical perspective. Long-term and overarching objectives should be consistent with the organization’s strategic intentions and should be incorporated into the investigative unit’s mission statement. Specific objectives (short and long term) should be measurable, providing the basis for key performance indicators (metrics) used to gauge the progress, success, or achievement of an investigative unit.

When defining the investigation program objectives, the following factors should be considered:
a) Management and decision making requirements;
b) Human, tangible and intangible assets to be protected;
c) Business management system requirements;
d) Organizational, business, and operational goals;
e) Jurisdictional laws and regulations or other obligations;
f) Risk management priorities and performance;
g) Perceptions and expectations of stakeholders and other interested parties, including supply chain needs;
h) Cultural and informal structures within the organization;
i) Previous risk events; and
j) Level of maturity of the organization’s management system.

Examples of program objectives include, but are not limited to:
a) Support human resource management functions of the organization;
b) Identify root causes of problems;
c) Prevent, manage, and remediate undesirable events and behaviors;
d) Loss prevention and recovery;
e) Prevention and awareness of potential risk events;
f) Demonstrate compliance with laws, regulations, or other obligations;
g) Verify conformance of a management system to the requirements of relevant standards;
h) Demonstrate effectiveness of risk treatment measures;
i) Validate organizational risk management for internal and external stakeholders;
j) Demonstrate consistency with accepted industry practices; and
k) Evaluate alignment of risk management with the overall business management approach in order to achieve the overall organizational objectives.

The investigation’s objectives define the investigator’s purpose, and provide a basis to benchmark progress and provide the framework to support individual investigations. The investigative objectives must be carefully articulated at the beginning of the process to establish the investigation’s starting point and where it is intended to finish. The objectives should make it clear that the investigation’s purpose is proper and lawful. Figure 4 illustrates the considerations in defining the investigation program objectives.


Figure 4: Defining Investigation Program Objectives

5.3.4 Establishing the Scope of the Investigation Program

The scope of the investigation program should be defined in order to achieve the investigative objectives and consider the context of the organization, its needs, and requirements. The scope of the investigative program should define which processes, functions, activities, physical boundaries (facilities and locations), and stakeholders to include. It will have a direct effect on the resource and time requirements needed for the individual investigations. When setting the scope of the investigation program, it should be kept in mind that resource and time requirements are directly proportional to the size of the scope.

The IUM and top management should agree to the investigation program scope prior to establishing the investigations program; any subsequent changes in scope should be mutually agreed upon in writing. The scope of the investigation program may consist of one or more individual investigations. If conformance to a management system standard is the objective of the investigation program, the scope of the program should be in alignment with the scope of the management system with any divergence noted and understood.

Additional factors to consider in setting the scope:
a) Business and risk management objectives of the organization;
b) Size and complexity of the organization;
c) Facilities and geographic factors;
d) Jurisdictional laws and regulations or other obligations;
e) Available in-house and external expertise;
f) Results of previous investigations;
g) The likelihood and consequences of known undesirable and disruptive events (including consideration of previous incidents and weaknesses of the management system);
h) Reports and concerns of internal and external stakeholders;
i) Supply chain tiers to be included and supply chain partner requirements;
j) Complexity and maturity of the risk management system;
k) Organizational and community culture; and
l) Factors related to timing, logistics, communications, and information accessibility.

When setting the scope of the investigation program, it is important to consider that many organizations that deal with both internal and external investigations establish separate units for each. Doing so allows investigators to focus on a particular activity and to develop special expertise, liaison networks, and prosecutorial contacts. It also reduces confusion regarding investigative outcomes and processes. The boundaries of these activities should be defined in the program scope.

5.4 Establishing the Program

There is no typical organizational structure for the investigative function in organizations. Factors such as the industry and the organization’s mission, size, and scope all play a role in determining how the investigative function looks and how it fits in the organization. When establishing or reengineering an investigative function, the IUM should align the investigation program with the program objectives and scope.

Tip #9: Size of organization

Many small organizations keep qualified investigative consultants or private investigators on retainer to respond quickly to various issues that require an investigative response. In larger organizations or other environments with a constant need for investigative services, a full-time investigator or investigative staff may be justified. Regardless of the organizational structure of the investigative function, a clearly defined investigative program is essential to assure a transparent, accurate, fair, and unbiased investigation program.

Investigation program success requires the development and deployment of a sound investigative strategy. Effective investigative strategies involve more than mixing and matching investigative methods and tools. The investigative process must be sufficiently structured so that it provides efficiencies and the opportunity to measure results. However, the process must be sufficiently flexible so that it permits the changing of objectives and strategy as new information is learned. The IUM and investigators should have the ability to change their objectives and modify their strategy as new information is developed.

5.4.1 Roles and Responsibilities

The roles and responsibilities of the parties conducting the investigation and the client should be clearly defined and understood, and may include:
a) Investigation unit manager (IUM) – the person responsible for managing the investigation program and assuring the necessary financial, human, physical, and time resources are committed to conduct an effective investigation;
b) Investigation team leader (ITL) – the person designated as leading the investigation team;
c) Investigator – a person competent in conducting the investigation, individually, or as a member of a team;
d) Technical expert – a person with specific knowledge or expertise who supports the investigation team but does not act as an investigator (e.g. a language, legal, or industry sector expert);
e) Observer – a person who is present but not actively participating in the investigation (e.g. a client’s representative or guide); and
f) Client – top management of an organization that requests the investigation.

The IUM is responsible for the planning, management, and conduct of the investigation program, while the ITL is responsible for the conduct of individual investigations. They are both responsible for the professional and ethical behavior of the investigation team members. The IUM and ITL are responsible for:
a) Defining the objectives, criteria, and scope of the investigation program as well as individual investigations;
b) Communicating and consulting with relevant parties to the investigation;
c) Ensuring the investigation team and its members have the necessary competence to successfully conduct the investigation;
d) Ensuring the allocation of adequate resources for the investigation;
e) Ensuring compliance with applicable laws, regulations, and policies;
f) Ensuring the investigation program is executed as planned in a timely fashion;
g) Ensuring the completeness and integrity of documentation;
h) Minimizing impartiality and bias-related risks;
i) Ensuring risks of the investigation program to the client and investigation team are appropriately managed;
j) Reviewing work product(s) of investigators for completeness and accuracy; and
k) Ensuring the integrity and confidentiality of information.

The organization requesting the investigation (“client”) should appoint at least one representative from top management to interface with the investigation team. The client’s representative should have the authority to make appropriate and timely decisions and to provide the investigators with:
a) Appropriate organizational, functional, stakeholder, and historical information to evaluate risks;
b) Access to areas and activities within the scope of the investigation;
c) Access to relevant persons and information;
d) Facilities for the investigation team use (e.g. private work space, telecommunications, safety and hygiene facilities, etc.);
e) Support personnel if needed;
f) Access to legal counsel and human resources;
g) Safety, security, and regulatory requirements; and
h) Information needed for protection of brand, reputation, proprietary rights, and confidentiality.

Tip #10: Management Commitment

Investigations support the achievement of objectives of the organization. Because many investigations are complex and often involve potential litigation, management commitment is an essential component if success is to be achieved. From the very beginning, the management representative of the organization requesting the investigation (“client”) needs to be prepared to commit the requisite time, patience and resources in order to achieve the investigation objectives. In accepting the assignment, the IUM must be prepared to accept responsibility and communicate honestly with the client. Only with the proper information and a thorough understanding of the issues and options can the client make decisions that are sound and appropriate. Therefore, the client should commit the time, patience, and resources necessary for the investigation to succeed.

5.4.2 Legal and Other Requirements

Investigators should perform professional duties in accordance with the law and the highest ethical principles. An investigator should observe the principles as listed in Section 4 to be faithful and diligent in discharging professional responsibilities. Investigators should safeguard confidential information and exercise due care to prevent its improper disclosure. The investigators should not maliciously injure the professional or personal reputation of colleagues, clients, employees, employers or individuals under investigation.

IUM and ITLs should be mindful of legal and liability issues related to the investigation. Investigators should understand their responsibilities to:
a) Be compliant with laws regarding the licensing of investigators and consultants and their work;
b) Comply with applicable laws and regulations;
c) Respect the rights of individuals;
d) Minimize compliance risks;
e) Minimize liability of the investigation to the investigative unit and client;
f) Avoid conflicts of interest and protect real and perceived impartiality;
g) Not disclose proprietary information or use information learned during the course of the investigation for personal gain or the gain of others;
h) Not share information beyond a need-to-know basis or that can be used to cause business or personal harm;
i) Exercise responsible care and competence to avoid violation of the principle of due care;
j) Report findings accurately; and
k) Observe environmental, safety, and security regulations.

Investigators should be apprised of their responsibilities to report illegal and unsafe activities within or outside the scope of the investigation, including legal requirements for disclosure. Once discovered, an investigator should not ignore illegal or unsafe activities. Investigators should inform the ITL, who informs the client and investigative unit manager. The ITL should verify and create a record of the condition. If the team is endangered, the investigation should be paused until the risk can be assessed and issues rectified.

It is incumbent on the IUM to ensure the investigation team is familiar with all applicable laws and regulations, as well as organizational (client) policies. This can become a significant task, especially if the client has locations in several different jurisdictions, even in other countries. The venue of a particular case may not necessarily be within the expected jurisdiction. Applicable laws, regulations, and restrictions may vary across the different jurisdictions. Jurisdictional requirements should be understood by the investigation team, particularly those associated with:
a) Privacy;
b) Human and civil rights;
c) Access to legal counsel;
d) Chain of custody of evidence;
e) Consumer reporting;
f) Financial reporting;
g) Detention;
h) Physical contact and use of force;
i) Confidentiality;
j) Regulatory reporting and discoverability; and
k) Information storage.

Tip #11: Lawful Execution

Investigators have enormous responsibility. The outcomes of their effort often impact the organizations they serve and the employees that work for them but also anyone else their investigation touches. Those who conduct private sector investigations are governed largely by organizational (client) dictates and ethics. Regardless of the venue or the likelihood of critical examination, all investigations should be conducted ethically and lawfully. To do otherwise is a disservice to the subject, the client and the investigative profession.

See Annex C for additional information on legal and liability issues.

5.4.3 Competence Requirements

Competence, the ability to apply pertinent knowledge and skills to achieve intended results, is necessary for persons involved in conducting investigations. Competence is the demonstrated sum of personal attributes, general investigation knowledge, techniques, and skills, business and risk management knowledge, and industry sector specific knowledge and skills. To conduct an effective investigation, the IUM, ITL, and investigators should demonstrate skills and knowledge in the following areas:

a) Interpersonal and communications skills;
b) Relevant client policies and parameters for the investigation;
c) Knowledge of applicable laws in the areas being investigated;
d) Ability to analyze and weigh evidence and information;
e) Systems, PDCA, and process approaches to investigations;
f) Standards being used, as well as normative documents;
g) Principles of investigations articulated in Section 4;
h) Technical knowledge of the investigative techniques used;
i) Risk assessment and management from a business perspective;
j) General knowledge of jurisdictional laws and regulations or other obligations; and
k) Industry sector and risk discipline (e.g., security, safety, compliance, etc.) specific good practices.

The IUM and ITL should ensure the investigative team provide investigation services in those areas where they have the requisite knowledge, skills, and experience.

5.4.4 Identifying and Managing Uncertainty in the Investigation Program

Conducting investigations involves uncertainty in achieving program objectives. Changes both within and external to the organization may affect risk. Therefore, analysis of the uncertainty related to the investigation processes is an integral part of developing and improving the investigation program. To effectively conduct an investigation, it is important to understand the risks related to:

a) Operations and operating environment of the client;
b) Achieving the objectives of the investigations;
c) Real and perceived impartiality;
d) Jurisdictional laws and regulations or other obligations;
e) Execution and disruptive effects of the investigation on the client’s organization and its activities;
f) Health, safety, and security of the investigation teams; and
g) Perceptions of interested parties.

By managing the uncertainties related to the investigation program, failure to meet program objectives and damage to the reputation of the investigation process can be minimized.

5.4.4.1 Risk to the Organization Sponsoring the Investigations

Investigations involve evaluating inherently sensitive information of organizations. This introduces an element of uncertainty to the investigation process. The IUM should evaluate the potential tangible and intangible impacts of the conduct of the investigation on the client.

The IUM should consider:

a) Information security and confidentiality needs;
b) Background of the investigation team;
c) Clearances;
d) Litigation;
e) Reputational and brand aspects (e.g. adverse publicity);
f) Retaliation by or towards the complainant, respondent, or interviewees involved in the investigation;
g) Morale of stakeholders;
h) Exposures of vulnerabilities;
i) Reporting requirements (including disclosures); and
j) Disruption of activities and continuity of operations.

5.4.4.2 Risk to Achieving the Objectives of the Investigations

Persons conducting the investigation should understand the uncertainty that may have an impact on achieving the objectives of the investigation. It is also important to allocate available time and resources to the areas with higher levels of risk. The planning process should prioritize resources commensurate with the associated level of risk and ensure important risk factors are not overlooked. In identifying, analyzing, and evaluating risks to the investigation program, the IUM should consider:

a) Planning;
b) Overall competence of the investigation team and team members;
c) Allocation of sufficient resources;
d) Implementation of the investigation plan;
e) Communication between team members, as well as between the investigation team and client;
f) Appropriate documentation and recordkeeping (and documentation control) consistent with jurisdictional requirements; and
g) Monitoring of program outcomes.

5.4.4.3 Risk to Real and Perceived Impartiality and Biases

The IUM should establish and document a procedure for identifying, analyzing, evaluating, and treating (reducing) risks associated with real and perceived threats to impartiality. Consideration should be given to biases that may impact the outcomes of the investigation. The IUM should identify and understand the inherent and cognitive biases within the organization and the individuals conducting the investigation. Inherent bias is the effect that underlying factors and assumptions may have on information collection and analysis. Cognitive biases are tendencies to think in certain ways.


Tip #12: Examples of Cognitive Biases

Types of biases to consider include:

a) Social and cultural biases;
b) Familiarity and confirmation biases;
c) Perception, observational selection, and memory biases;
d) Belief and behavioral biases;
e) Relational and group-think biases;
f) Confirmation and post rationalization biases;
g) Decision making biases;
h) Illusion of control biases; and
i) Biases related to organizational structure.

5.4.4.4 Legal and Regulatory Issues

When planning the investigation program, the IUM should consider the jurisdictional requirements related to:

a) Security (physical and information);
b) Jurisdictional labor laws and collective bargaining agreements;
c) Safety;
d) Disclosure and non-disclosure requirements;
e) Liability issues;
f) Privacy requirements; and
g) Contractual obligations.

5.4.4.5 Health, Safety, and Security of the Investigation Teams

When there is the potential for exposure of the investigation team to threats and hazards during the investigation, the IUM should evaluate health, safety, and security related risks and take appropriate actions.

5.4.4.6 Perceptions of Stakeholders

The perceptions of stakeholders may impact the design and implementation of the investigation program. Therefore, during the design of the investigations, the IUM should be aware of and consider the perceptions of:

a) Key stakeholders (e.g. workers, unions and labor organizations, customers/clients, investors, etc.);
b) Supply chain partners;
c) Government regulators and law enforcement;
d) Liaison agents;
e) Neighboring communities;
f) Civil society groups and organizations; and
g) The media.

Tip #13: Adversarial Stakeholders

Some stakeholders may be inclined to use investigation results for unintended or undisclosed purposes. Defining the threat entails identifying, within reason, all potential information collectors or adversaries who may access investigation results using legal or illegal means. The following are examples of potential adversaries:

a) Individuals or organizations with a stake in the outcome of the investigation;
b) Friends or supporters of the parties involved in the investigation;
c) Parties in litigation;
d) Co-conspirators not yet identified (individuals or organizations);
e) News media and simple public curiosity (especially in high-profile cases); and
f) Potential copycats or others engaging in similar wrongdoing.

5.4.5 Program Approach and Procedures

Design of effective investigative procedures should be based on clearly defined objectives, always taking into account the legal obligations of the organization and the respect for rights of the individuals involved.

In many types of investigation it is important to have an understanding of how the outcomes of the investigation will be utilized. However, sometimes how the investigative outcomes will be used is not defined in advance to avoid potential investigator biases. In addition, how the outcomes will be utilized may change depending on the information obtained. Knowledge of how the investigative outcomes will be utilized needs to be considered on a case-by-case basis, depending on the facts of the case, parties involved, or organization's practices. In all cases, the level of confidence in the investigation outcomes will be based on the evidence and facts collected, not perceptions and assumptions.

A balance must be drawn between gathering too much and too little information during an investigation. There is frequently a tendency to follow every possible lead to its logical conclusion. This can result in an unnecessarily prolonged investigation. In some organizational environments, there can be pressure to complete an investigation quickly. The natural tension between following every lead to its logical conclusion and completing the investigation in a timely manner is a balance that must be managed by the IUM and ITL. Those individuals will need to decide when continued investigative effort is required to meet the objective(s) of the investigation and when following additional leads has become nonproductive.

Some types of investigations are founded on a working hypothesis, which may be developed at the outset or later, and may change one or more times. The hypothesis is appropriately used as a tool as long as it remains within the bounds of objectivity. Effective procedures avoid jumping to conclusions, even in the face of what seems to be overwhelming and conclusive evidence, without first attempting to corroborate the facts. Defining objective procedures helps the investigator identify and avoid biases, including in the formation of the hypothesis.


In other types of investigations, a working hypothesis is not recommended and, if used, can create legal liability for the client. The investigator in all types of investigations must come to the investigation open and impartial, giving the complainant the opportunity to provide their version of the facts concerning the allegations. Likewise, the investigator must provide opportunities for the subject of the investigation to provide relevant evidence, leads, and to admit, deny or explain the allegations and evidence.

The IUM should develop one or more procedures for managing the investigation program. When developing the procedures, the IUM should identify performance metrics that will be used to determine if the procedures were effective and successfully applied. Procedures should be developed for:

a) Planning the investigations to meet the investigation objectives consistent with promoting the organizational business and risk management objectives;
b) Identifying and maintaining the appropriate level of investigator competence;
c) Selection of investigation team members and appointment of ITL;
d) Ensuring effective communication between all parties involved in the investigation;
e) Evaluating required resources, logistics, and feasibility of investigation success;
f) Conducting the investigation, including data collection and sampling techniques;
g) Ensuring time management and scheduling;
h) Evaluating the investigation data, definition of priorities, and improvement of risk treatment methods to promote awareness and prevent recurrences of undesirable behaviors and incidents;
i) Performance assessment of the investigation process to identify opportunities for improvement;
j) Conformance with organizational policies and commitments;
k) Compliance with jurisdictional laws and regulations or other obligations, as well as liability issues;
l) Integrity, confidentiality, and protection of information;
m) Handling, chain of custody, access control, and archiving of records;
n) Proper documentation and review of investigative findings before providing reports to the client; and
o) Monitoring, review, and continual improvement of the investigation program.

5.4.6 Commitment of Resources

Once the objectives and scope have been established, the IUM should identify and assure the commitment of resources necessary to conduct a successful investigation program. The IUM should obtain a commitment from top management to provide resources in terms of personnel, time, travel, and the finances necessary to develop, implement, manage, and improve the investigation activities (including assuring investigator competence). From the organization’s perspective, the tangible and intangible benefits of increasing the likelihood of achieving organizational objectives should outweigh the costs of conducting the investigation.

Personnel resources may include the allocation of appropriate and adequate full and part-time internal and external investigators, as well as any accompanying technical experts. The makeup of the investigation team should reflect the objectives of the investigation program and the complexity of the organization’s business and risk management systems. The IUM should calculate the personnel hours required to successfully complete each portion of the investigation. Factors that will affect the allocation of resource requirements (particularly personnel and time requirements) include (but are not limited to):

a) Complexity of investigation nature and range of issues (associated risks) to be investigated;
b) Expected type of cases and projected caseload per investigator;
c) Risks associated with the organization, its activities, and its context;
d) Complexity and size of the organization to be assessed (e.g. technologically complex or labor-intense organizations may increase the personnel hours needed);
e) Maturity of the existing risk management system;
f) Risks associated with the investigation program (including minimizing bias);
g) Desired timeframe in which the investigation is to be conducted;
h) Investigation methodologies and sampling methods;
i) Results of prior investigations;
j) Extent of changes in operating environment;
k) Review of documentation;
l) Availability and accessibility of interviewees and information;
m) Number of sites, multi-site considerations and diversity of stakeholders;
n) Single or multiple shifts, as well as weekends and off-hours;
o) Physical size and layout of the organization to be assessed;
p) Meeting requirements (opening and closing meetings, top management briefings, and investigation team meetings);
q) Communications (including availability of information and communications technologies and methods);
r) Administrative or other support needs;
s) Safety and security arrangements and equipment;
t) Travel and logistics (including lodging, meals, and breaks);
u) Data analysis and report preparation;
v) Availability of competent personnel to conduct the investigations; and
w) Anticipated scheduling delays.


Tip #14: Commitment of Resources

To ensure a successful investigation and achieve objectives, the IUM should obtain a commitment for the resources needed prior to the investigation’s initiation. If staffing needs cannot be accurately projected or benchmarked, the best approach is to start small, using outsourced resources when required, and grow the unit over time if necessary. Selecting professional personnel is an important aspect of setting up a proprietary IU. Many positions in today’s environment require backgrounds in specialized fields, such as computer investigations, contract fraud, or financial crimes.

5.4.7 Establishing a Code of Ethics

As a normal course of business, the organization should establish, implement, and maintain a Code of Ethics for norms of behavior for all persons working on its behalf in the investigation program. The Code of Ethics should be documented and clearly communicated. It should clearly articulate the following key parameters to ensure diligent, honest, and professional conduct:

a) People are treated with respect and dignity;
b) Business is conducted with objectivity, honesty, and integrity;
c) Conflicts of interest and impartiality risks are divulged;
d) Focus on the scope of the investigation; and
e) Confidentiality and integrity of information is respected.

Tip #15: Questions the IU and its Investigators Might Ask Themselves When Contemplating an Investigative Strategy are:

a) Is it legal?
b) Is it fair and impartial?
c) Is it relevant?
d) Is it balanced?
e) Is it necessary?
f) Is it consistent with organizational values, both internally and professionally?
g) Is it affordable?
h) Is it ethical?

5.5 Implementing the Investigation Program

5.5.1 Setting Criteria for Individual Investigations

The investigation program may consist of one or more investigations, the sum of which achieves the overall objectives of the investigation program. The objectives, scope, and criteria of the individual investigations within the program should be consistent with the overall objectives of the investigation program.

The objectives of the individual investigations should be clearly defined and documented. The objectives of an individual investigation will be determined by the type of investigation needed. The functions required may range from relatively simple activities such as documenting facts surrounding a security force response, to a workplace incident, or to complex procurement fraud investigations.

The scope of the individual investigations should be clearly defined and documented. Examples of individual investigation scope include (but are not limited to):

a) Specific investigation type;
b) Incident investigation;
c) Specific facilities and physical locations;
d) Individual divisions and organizational units;
e) A value chain in the organization;
f) A specific set of risks;
g) Individual(s) within the human resource pool;
h) Evaluation risks related to new products and services; and
i) Specific processes.

The criteria of the individual investigations should be clearly defined and documented. Examples of individual investigation criteria include (but are not limited to):

a) Investigation objectives set by top management;
b) Organizational policies;
c) Level or burden of proof;
d) Risk management goals established by top management;
e) Management system standards requirements of one or more standards;
f) Accepted industry practices;
g) Headquarters, contractual, or supply chain requirements;
h) Jurisdictional laws and regulations or other obligations;
i) Security requirements;
j) Concerns and perceived risks of stakeholders; and
k) Risk management policies and procedures.

See Annex D for more information on types of investigations.

5.5.2 Identifying Investigation Methods

The IUM and ITL should determine the appropriate methodology for conducting an investigation to achieve the objectives, scope and criteria. Methods chosen will be a function of the size and nature of the organization as well as risk, human, cultural, legal, infrastructure, and geographic factors. The investigative methods utilized should be reviewed by legal counsel familiar with jurisdictional regulations.

When choosing a methodology, it is important to understand the capabilities, competencies and resources required to effectively execute the methodology. The methodology should follow a logical process by which the inputs into an investigation are evaluated to produce the outputs that inform the decision making processes. When trying to determine the methodology, previous investigations may be a good starting point concerning protocols for protecting data and evidence, confidentiality, and logistical issues. However, extreme care should be taken to make sure the investigator is not provided information that could later be seen as creating bias. Always evaluate the appropriateness of the current circumstances when reviewing prior investigations.

When selecting a methodology, it is important to understand the reliability and confidence levels of the available data. There is no single methodology and therefore each one requires independent judgment regarding its design. Examples of basic methods of investigation include (but are not limited to):

a) Physical surveillance;
b) Electronic surveillance;
c) Physical examination;
d) Searches;
e) Information review;
f) Forensic analysis;
g) Undercover;
h) Interviews; and
i) Legal mechanisms for discovery (generally not available pre-litigation).

Other methods of investigation may be considered subcategories of one of these. Not all of these methods are appropriate for every type of investigation. Most investigations use one or more of the investigative methods. The IUM and ITL should select the method(s) most suitable to achieve the investigation objectives given the particular circumstances and cost/benefit; and deploy them properly and efficiently. Typically, there is a need to combine the methods in some fashion or mix and match them. Using the PDCA Model as described in this Standard, the IUM and ITL should plan, implement, evaluate and review the method(s) for each individual investigation with a goal of continually improving the methodology.

5.5.2.1 Physical Surveillance

Physical surveillance involves observing people, places, things and activities. Surveillance has only two requirements: there is something to watch, and someone to watch it. Physical surveillance requires significant skill and patience and should always be conducted consistent with jurisdictional laws. For physical surveillance to be generally effective, it should:

a) Have a clearly designed purpose and goals;
b) Not interfere with what is being observed;
c) Record and document what the investigator is observing; and
d) Support the objectives of the investigation.


5.5.2.2 Electronic Surveillance

Electronic surveillance is similar to physical surveillance in that it too involves observing people, places, things, and activities. Electronic surveillance is another tool for investigators to use to gather information to corroborate or disprove testimony, provide additional leads, and possibly provide evidence. Because electronic surveillance uses technology such as audiovisual and covert cameras, and personal computer monitoring software, it can be used when and where physical surveillance is not possible. This surveillance method may enhance the investigative process and outcome by providing a permanent record of the observed activities.

Electronic surveillance regulation varies by jurisdiction. Legal counsel should be consulted to avoid violation of laws and regulations, particularly the right to privacy. An individual’s right to a reasonable expectation of privacy is broad and to violate it may be both criminally and civilly actionable.

5.5.2.3 Information Review

Information review is the combination of research and evaluation of cross-media resources. This method involves the collection and examination of information from both public and private sources. The collection and examination of public records or public sources may include criminal and civil records, asset ownership records, financial liabilities (liens and judgments), organizational records, and address histories, among others (access to which may be controlled differently in different jurisdictions). Public records often afford the investigator a source of information and can assist in reaching conclusions.

Information review also can be conducted on records and documents internal to the organization, specifically the examination of documents and information that would not normally be available to someone outside the organization. The investigator should be aware of access and confidentiality requirements of the organization to protect information integrity and avoid liability issues related to both the organization and the individual(s) under investigation.

Tip #16: Information Sources

To the extent criminal and civil records are obtained, the investigator must be aware of jurisdictional laws governing such sources, including, for example, reporting and privacy regulations. The investigator should also fully explore all relevant information sources, including but not limited to, electronic documents, text messages, emails, social media writings, personnel files, supervisor files, interviewee notes, incident notes, personal websites, blogs, demographic information, policies and procedures, past complaints, time cards, expense reports, internet usage, and calendars. Caution should be exercised when transferring information between jurisdictions, particularly international boundaries.

5.5.2.4 Forensic Analysis

Forensic analysis includes investigations that employ science and/or scientific method. This category can include: biological, chemical, and substance analysis; fingerprint examination and comparison; computer forensics; various deception detection methods; and forensic document examination. The forensic analysis should be conducted by individuals with demonstrated expertise in the field so that the conclusions of the analysis hold credibility with stakeholders and in a court of law.


5.5.2.5 Undercover

Use of undercover methods can be one of the most effective methods of investigation due to its interactive nature. This method involves the surreptitious placement of a trained and skilled investigator for the purpose of gathering information. It permits the investigator to interact and communicate with those being investigated. Due to its covert nature, the use of an undercover investigator is complex and may be fraught with psychological, financial, and legal challenges that may create serious liabilities for both the client and the investigator. Therefore, when conducting an undercover investigation, investigators should be aware and trained on jurisdictional limitations, particularly with regard to entrapment.

5.5.2.6 Interviews

An interview is a conversation in which one or more persons question, consult, or evaluate another person. Interviews should be well-conceived and conducted within the parameters of the investigation objectives, ethics, and the law. Interviews conducted during investigations can be either highly structured or a casual conversation, and should focus on obtaining facts and evidence about the events under question. An interview affords the investigator the opportunity to determine who, what, when, where, how, and why from persons with relevant information and to provide context. The purpose is to determine what happened or did not happen. This benefit combined with the opportunity to obtain the relevant evidence makes interviews the most powerful form of investigative method for those conducting investigations. The investigator needs to remain objective and maintain control even if the interview becomes adversarial, confrontational or accusatory.

Tip #17: Types of Interviews

Interviews are an investigative method used between two or more persons where the interviewer(s) poses questions to the interviewee(s) to elicit facts or statements about the events under investigation. Interviews fall into several categories, including but not limited to:

a) Subject;
b) Witness;
c) Complainant; and
d) Applicant.

Regardless of the category of interview, the conversation should be focused on obtaining the information about events. The level of aggressiveness of the questioning varies with the type of interview, personalities of the parties of the interview, and objectives of the interview. If questioning becomes confrontational or accusatory, the interviewer should be aware of ethical and legal boundaries, and should be able to maintain sufficient control to scale the level of aggressiveness of the questioning.

5.5.2.7 Physical Examination

Physical examination is the inspection of items (e.g., doors, tools, locks, fencing, etc.) for information that may be useful in furthering the investigation and/or as evidence. It is also the inspection of areas (e.g., rooms, fields, walkways, etc.) in search of the same type of information.

5.5.2.8 Searches

A search is the structured, detailed and careful examination of an area (e.g., room, vehicle, desk, locker, etc.), the purpose of which is to locate specific items or materials that are suspected to be in the area searched and that will be useful in furthering the investigation and/or as evidence. Prior investigative steps generally indicate areas that are appropriate and likely fruitful for search. Because they can lead to claims of invasion of privacy, searches have the potential to create serious liability exposure for both the client and investigator if conducted improperly. After a thorough legal vetting, review of organizational policies, and requirements under any collective bargaining agreement, a fully competent investigator should execute the search within the appropriate guidelines of the organization.

5.5.3 Competence, Evaluation, and Selection of Investigators

The credibility of any investigation program is dependent on the experience, knowledge, and interpersonal skills of the investigators. The IUM should select investigation team members and an ITL based on the competence needed to achieve the objectives of the investigation and with the interpersonal skills necessary to achieve the objectives of the investigation. The IUM should select the correct mix of ITL, investigators, and technical experts so that the sum of their competence and interpersonal skills will result in a successful investigation. The size and composition of the investigation team will be dependent on the objectives, scope, and criteria of the investigation.

The investigation team members are responsible for collecting factual-based evidence. Investigation team members should be able to gather information efficiently, objectively and with due consideration of potential disruption to normal routine. The IUM should establish well-defined investigator criteria for selection of individuals and assigning work. Procedures should be developed to evaluate particular investigator qualifications, including:

a) Knowledge;
b) Experience;
c) Personal skills and traits; and
d) Legal and licensing requirements.

Factors to consider in selecting members of an investigation team include:

a) Overall competence of the investigation team needed to achieve the investigation objectives;
b) Nature of the investigation;
c) Knowledge of industry sector and the risks the sector faces, including understanding the specific context of the organization and its supply chain;
d) Complexity of the investigation;
e) Investigation methods to be used;
f) Legal, regulatory, and other requirements keeping in mind jurisdictional variations;
g) Independence, impartiality, and avoidance of perceived or real conflict of interest;
h) Personal, cultural, social and language skills required to deal with a specific investigation;
i) Security, clearances, citizenship, and safety requirements of the organization;
j) Dynamics of the investigation team members and their ability to work together;
k) Availability of personnel; and
l) Leadership requirements and the need to oversee and train new investigators.

When considering the selection of investigators, the IUM should evaluate the qualifications, knowledge, experience, personal skills, and traits of the investigators needed to achieve the investigation objectives. The IUM should have a documented process for evaluating and selecting investigators. See Annex B for additional details. Technical experts may supplement the competence of an investigation team. At all times the technical experts should operate under the direction of an investigator and not function as an investigator. Technical experts are intended to supplement the overall expertise of an investigation team to provide subject matter expertise. Investigators-in-training may also be included in the investigation team. Investigators-in-training should have knowledge of investigation methods. They should participate under the direction and guidance of an experienced investigator. The IUM and ITL may make adjustments to the investigation team during the course of the investigation depending on the necessity for additional competencies.

5.5.4 Establishing Roles and Responsibilities of Investigation Team Leader

The IUM should assign an ITL to direct and monitor the team prior to commencing the investigations to allow for sufficient preparation time. The ITL should be an experienced investigator familiar with the specific nature of the case. Individual investigator assignments should be based on the competence of the individual and reflect the complexity of the tasks. The ITL should assign and communicate investigation responsibilities prior to commencing the investigation.

The ITL is responsible for:
a) Satisfactory performance of all phases and activities of the investigation;
b) Representing the investigation team with the organization;
c) Initiating and maintaining communication with the organization and top management;
d) Maintaining professional behavior and harmony amongst the investigation team;
e) Developing the investigation plan;
f) Managing risks during the investigation;
g) Organizing and directing investigation team members (particularly investigators-in-training);
h) Making effective use of resources during the investigation and time management;
i) Conducting opening and closing meetings;
j) Conducting regular meetings and briefings with the investigation team as well as the IUM;
k) Protecting the health, safety, and security of the investigation team;
l) Assuring the confidentiality and protection of sensitive and proprietary information;
m) Preventing and resolving conflicts;
n) Reviewing the evidence and observations of the investigators and leading the team in determining the findings and conclusion; and
o) Preparing and submitting the investigation report.

5.5.5 Managing and Maintaining Program Documentation, Records, and Document Control

The IUM should identify the documentation needs of the investigation. Procedures should be established by the IUM for the use and handling of documents and records created for the investigation program. Clear procedures should be outlined for obtaining and handling client and other organizational documentation. The client must explicitly approve copying of any information or photography. Investigators should not remove, modify, delete, or destroy documents (including electronic files) without explicit permission to do so.

The IUM should establish, implement, and maintain procedures to protect the sensitivity, confidentiality, and integrity of documents and records including access to, identification, storage, protection, retrieval, retention, and disposal of records. Documents should be clearly labelled as to their status and version (e.g. draft or final, active or archival) as well as level of sensitivity and confidentiality. Records of access to information and documents should be maintained. In instances where reports are deemed confidential, the IUM should establish computer and network controls over files and investigation information to prevent access by unauthorized users. When confidential information is collected the IUM should establish procedures and provide technology to investigation team members to use encrypted storage devices or laptops to secure this information.

Records and documentation should be created, maintained, and appropriately stored for both the overall investigation program and individual investigations, including:
a) Program objectives, criteria, and scope;
b) Risk assessment and treatment measures;
c) Evaluation of achievement of investigation objectives; and
d) Investigation program effectiveness and opportunities for improvement.

For individual investigations, records should include:
a) Plans and reports;
b) Safety, security, and confidentiality requirements and conditions;
c) Agenda and minutes from opening and closing meetings;
d) Non-conformance reports;
e) Corrective action requests; and
f) Investigation follow-up reports.

Procedures should be established to create and maintain records of investigation performance. Performance review records should be used to drive continual improvement of investigation process and investigation team. Examples of performance records include:
a) Feedback from the client;
b) Selection criteria and competence of investigation team members;
c) Performance evaluations of the investigation team members and team leader;
d) Effectiveness of time management; and
e) Needs for continuing training and competence improvement of investigation team members.

5.5.5.1 Records and File Storage

Investigative files are highly sensitive or confidential and are subject to both practical and legal access restrictions. In addition, files and records have widely varying retention requirements. Thus, it is important to ensure that adequate secure storage is available for records and those records are organized in such a way that they can easily be identified for retention and destruction (or disposition) at the appropriate time. The investigative file should be retained separately from the personnel file, and should be kept in a locked, secure location with access by only individuals with a business need. The IUM should consult with the organization's top management and legal counsel to establish an appropriate policy for retaining documents and evidence in their original format consistent with the statute of limitations for all legal or liability issues, as well as labor relations and organizational policy.

In some circumstances, records can more easily be stored electronically. Such storage requires less physical space and often results in more efficient retrieval, but some precautions are in order. Secure backup copies should be stored off-site and should be immediately accessible should the primary data, the computer system, or the IU facility become unavailable (e.g., due to cyber-attack, natural disaster, or other catastrophe). In addition, even if investigative records and associated information are digitized, the original documents, photographs, and other items may need to be preserved in some instances. Items that may be needed as evidence (such as photographs and original written statements) must not be disposed of or destroyed.

Tip #18: Ownership of Information

Retention of records and files is professional practice and client preference. The client is the recipient of the final report of the investigation and ownership of information is transferred when the report of the investigation is accepted. Establishing a destruction of record routine at a set interval is recommended to protect the information obtained from disclosure outside the client contract, unless required by jurisdictional law and regulations, policy, or other obligation to maintain records for specified time periods.

5.5.5.2 Case Files

At the completion of the investigation, all case file documents, including original notes, reports, and investigative summaries as well as any evidence should be retained. The person designated to maintain and archive the closed case file is called the “custodian of record.” The management and format of case files is largely a matter of preference by the ITL. However, the system chosen should be simple and neat. Electronic folders and files should be downloaded and safely stored. Digital images, spreadsheets, and databases can also be safely stored. Although duplicate information and files can be deleted to save space on servers, original documents and files should be retained.

5.5.6 Investigations and Operational Control

The IUM, in conjunction with the ITL, should identify the background documentation and information necessary to conduct the investigation. The ITL should arrange with the organization to access the availability of documents related to the investigation criteria within the scope of the investigation.

When conducting the initial document review, attention should be given to:
a) Nature and scope of the investigation;
b) Context of the risk environment;
c) Methodology and key outcomes of the investigation risk assessment;
d) Selection and effectiveness of risk treatment measures relative to the investigation;
e) Policies, procedures, and internal audits related to the issues addressed in the investigation; and
f) Availability of current documents and responsible duties.

The document review should provide input into planning the investigation and an indication of areas needing additional focus and resources to conduct the investigation. The document review will indicate the likelihood of achieving the investigation objectives and may indicate the need for changes in the investigation approach and investigation team composition. Any changes should be made in consultation with the IUM and client.

The next stage of the investigation consists of information and evidence gathering to substantiate findings and draw conclusions. It should consider:
a) Are matters being investigated contrary to jurisdictional law and regulations, policy, or other obligations?
b) Are issues defined in organizational policies and procedures effectively being addressed?
c) Are legal, regulatory, and contractual obligations being met?
d) Are infractions and deviations from expected outcomes due to deliberate or undeliberate actions?
e) Has the organization acted on identified non-conformances, internal audit findings, exercise results, and lessons learned from events by implementing appropriate corrective and preventive actions?
f) Are changes adequately addressed in a timely fashion?

5.5.7 Managing Outcomes of the Investigation Program

The organization should assign responsibility for review and approval of the investigation findings and the investigation report. For credibility, any changes should come from the investigation team and be resubmitted for approval. In addition, the assigned party is responsible for:
a) Appropriateness of corrective and preventive actions;
b) Ensuring the distribution of the investigation report to authorized parties only;
c) Maintaining the confidentiality of sensitive and proprietary information; and
d) Assuring proper investigation follow-up where necessary.


5.6 Monitoring the Investigation Program

5.6.1 Monitoring, Measurement, and Evaluation of Program Performance

The IUM should establish performance metrics and measure the effectiveness of the investigation program. Performance metrics should be used to evaluate the performance of both the overall investigation program and individual investigations. Performance monitoring and evaluations should include:
a) Response and implementation of corrective actions;
b) Achievement of investigation objectives;
c) Value-added for the client;
d) Improved risk management and incident prevention;
e) Time management;
f) Resource management;
g) Ability to achieve objectives and implement individual investigation plans;
h) Competence and professionalism of investigation team members; and
i) Effectiveness of communication between all parties involved in the investigation.

5.6.2 Evaluating Program Outcomes

The integrity of the investigation program will be challenged by questions of investigator impartiality and conflicts of interest, as well as the improper handling of sensitive information. The IUM and ITL should revisit the risks identified during the risk assessment process of both the investigation program and individual investigations to determine if the identified risks have been adequately controlled and if any risks emerged that were not previously identified.

5.6.3 Nonconformity, Corrective, and Preventive Action

The IUM should establish, implement, and maintain procedures for dealing with nonconformities and for taking corrective and preventive action for issues identified in the conduct of the investigation program. The procedures should include:
a) Identifying and correcting nonconformities and taking actions to mitigate their consequences;
b) Evaluating the need for actions to prevent nonconformities and implementing appropriate actions designed to avoid their occurrence;
c) Investigating nonconformities, determining their root causes and taking actions in order to avoid their recurrence;
d) Recording the results of corrective and preventive actions taken; and
e) Reviewing the effectiveness of corrective and preventive actions taken.


5.6.4 Investigator Competence and Skills Improvement

Investigators should enhance their knowledge, skills and competence through continuing professional development. The ITL should evaluate the performance of all the members of the investigation, with the IUM evaluating the ITL. Evaluations should recognize both strengths and weaknesses to help with investigator selection for future investigations. The IUM and ITL should provide feedback to investigators, particularly investigators-in-training, to help them enhance and maintain their proficiency. Evaluations should consider:
a) Personal behaviors and professionalism;
b) Communication skills;
c) Interactions with other team members and the persons in the investigation;
d) Ability to follow instructions;
e) Strengths and weaknesses at accomplishing specific investigation tasks and assignments;
f) Knowledge and evaluation skills related to the investigation;
g) Overall investigation knowledge;
h) Knowledge of relevant jurisdictional laws and regulations, or other obligations; and
i) Industry sector expertise.

Tip #19: Competence Improvement

The IUM, ITL, and members of the investigation team should pursue ongoing improvement of their investigation competence. This may be accomplished by:
a) Skills training;
b) Mentoring and networking with industry peers;
c) Continuing education;
d) Pursuit and maintenance of certifications; and
e) Membership in professional organizations and societies.

5.7 Review and Improvement

5.7.1 Adequacy and Effectiveness

The IUM should review the investigation program to assess whether the investigation objectives are being met and to ensure the program’s continuing suitability, adequacy, and effectiveness. Reviews should include assessing opportunities for improvement and the need for changes in the investigation program. Investigation program review should include a review of:
a) Appropriateness of objectives, criteria, and scope;
b) Effectiveness of risk assessment and treatment process of the investigation program;
c) Conformity to investigation program procedures and jurisdictional laws and regulations, or other obligations;
d) Effectiveness and accuracy of investigation methods;
e) Resource allocations (including human resources);
f) Maintenance of records and documentation; and
g) Protection and integrity of information.

5.7.2 Need for Changes

The IUM should monitor the context of the investigation program and manage change. Factors that may trigger the need for changes in the investigation program include changes in the:
a) Needs, perceptions, and expectations of stakeholders and other interested parties;
b) Risk related to impartiality and conflict of interest (real and perceived);
c) Risk environment of the client and the investigators;
d) Organizational policy requirements;
e) Sector and industry trends, including identification of accepted industry practice;
f) Jurisdictional laws and regulations or other obligations;
g) Skills required for effective investigations; and
h) Availability of resources.

5.7.3 Opportunities for Improvement

The IUM should review the overall implementation of the investigation program to identify areas for improvement. Continual improvement and investigation program maintenance should reflect changes in the risks, activities, and operation of the program that will affect the achievement of objectives. The IUM should ensure that any problems with the investigation program and their root causes have been identified and that corrective measures have been initiated to prevent or minimize recurrence.

Any changes resulting from implementing improvements that will impact the on-going investigation program should be identified by the IUM and communicated to the client, prior to implementation, to ensure their understanding of potential benefits and any consequential process changes. The IUM should address issues related to improvement of investigation program implementation and the improvement of investigation competences. When appropriate, request for client feedback for possible investigation process improvements may be considered.


6 PERFORMING INDIVIDUAL PROCESS DRIVEN INVESTIGATIONS

6.1 General

This section focuses on individual investigations, both the preparation for and the execution of these investigations. Depending on the scope of the investigation, not all provisions in this section are applicable to all investigations. An investigation can be conducted by an internal team, external team, or combination depending on the resources of the organization and depth of expertise. An investigation often follows the order described in this section; however this is not always the case depending on the circumstances of the investigation, particularly the definition of investigation objectives.

6.2 Commencing the Investigation

6.2.1 Setting Objectives

Objectives of the individual investigation should be clearly understood and documented in order to focus tasks, resources, and goals of the investigation activities. Investigations should include an analysis and evaluation of the effectiveness of current risk treatment measures and opportunities for improvement. Objectives are set within the context of achieving the organization’s overall business and risk management objectives. Objectives should be anchored in key value drivers. In defining the objectives for individual investigations, the following should be considered:
a) Nature of the organization’s objectives;
b) Events that could affect the achievement of enterprise-wide objectives (positively or negatively);
c) Clear outcomes to achieve from the investigation;
d) Use of the investigation outcomes;
e) Nature of investigations;
f) How the individual investigation relates to the overall investigation program;
g) Current control measures to manage risk and to protect tangible and intangible assets;
h) Metrics and indicators for measuring risk levels;
i) Timeframes for the investigation objectives; and
j) Resources needed to achieve the investigation objectives.

Objectives of individual investigations may be broadly defined to consider enterprise-wide strategic or operational requirements; or more narrowly focused to consider issues and incidents related to specific risks, products, activities, processes, or functions. The objectives can consider issues related to the organization and/or all or part of its supply chain including jurisdictional laws and regulations or other obligations, organizational policies, and managing risks. Individual investigations may identify, analyze and evaluate risks related to one or more issues contributing to uncertainty in achieving the organization’s objectives. Examples of individual investigation types that will set the objectives for individual investigations may include, but are not limited to investigating:
a) Adequacy and concurrence with organizational policies and procedures;
b) Incident or accident;
c) Employee misconduct;
d) Misuse or abuse of computer or IT system;
e) Substance abuse;
f) Due diligence;
g) Regulatory compliance violation;
h) Lifestyle or financial inquiries for the organization’s executives and personnel;
i) Personnel security or background;
j) Theft, pilferage, skimming, or misappropriation;
k) Assaults and crimes against persons;
l) Property damage and vandalism;
m) Inventory discrepancies or unexplained shrinkage;
n) Sabotage;
o) Industrial espionage;
p) Copyright and proprietary information violations;
q) Embezzlement or defalcation (appropriation of property by a person to whom it has been entrusted);
r) Fraud (general, procurement, insurance, travel, accounting, etc.);
s) Product tampering (actual and hoax);
t) Diverted or counterfeit product;
u) Communicating threats;
v) Harassment, discrimination, and retaliation (e.g., gender, racial, religious, sexual);
w) Workplace violence, (actual or potential) and stalking; and
x) Litigation support (varying according to whether the organization is the complainant or respondent in a particular case).

Once defined, the objective(s) of the individual investigation should be written in a concise statement and referred to in defining the scope, assumptions, procedures, and outcomes.

Tip #20: Dynamic Objectives

In order to be successful, the process of investigation must be fluid and dynamic. Because facts can alter outcomes, the objectives of the investigation must be flexible. Situations change and the investigator must be able to adapt. As information and facts are developed, the true nature of the problem becomes increasingly clear. It is logical, therefore, that if the nature of the problem under investigation is not what it was thought to be, then the objectives of the investigation must change accordingly. Steering a rigid course, no matter how well planned in advance, will not typically get one to his desired destination when the destination has changed. In other words, the investigative process cannot be so rigid and single-purposed that it cannot be altered when necessary.

6.2.2 Identification of Stakeholders

A stakeholder is any individual or organization that is directly or indirectly involved with or affected by an organization’s decisions and activities. Internal and external stakeholders may be directly involved in the investigation, impacted by the outcomes, influence the perception of the investigation, or be individuals who should be considered when determining how to handle the actions driven by issues addressed by the investigation. Examples of stakeholders include (but are not limited to):

a) Internal
   i. Persons working on behalf of the organization, such as employees (and their families)
   ii. Business owners/partners
   iii. Boards of Directors
   iv. Trustees
   v. Management
   vi. Labor unions and workers’ associations
   vii. Onsite contractors/vendors

b) External
   i. Customers/clients, present and potential
   ii. Contractors/vendors/distributors
   iii. Investors/shareholders/donors/venture capitalists
   iv. Competition
   v. Bankers and creditors
   vi. Trade associations
   vii. Lobbyists
   viii. Civil society and non-governmental organizations (NGOs)
   ix. Media
   x. Government and regulatory agencies
   xi. Law enforcement personnel
   xii. Emergency responders
   xiii. Surrounding communities and community leaders

Tip #21: Stakeholder Influence

Care should be taken to not be influenced by the needs of stakeholders who may have a bias or agenda regarding the outcome of the investigation. The investigation should be as confidential as possible and involving stakeholders may impede efforts at confidentiality. Many employers have obligations under jurisdictional law and the impact on stakeholders as part of the investigation may be irrelevant. Certainly care should be given to contractual relationships, working relationships between complainants and subjects, co-workers, and third parties.

6.2.3 Identification of Internal Context and Variables

In setting the parameters of an investigation, consider the interrelated conditions in which objective(s) exist or occur, as well as what the variables might be. Establishing the internal context involves understanding how the following interrelated conditions apply to the investigation:
a) Capabilities of the organization in terms of resources and knowledge;
b) Information flows and decision-making processes;
c) Internal stakeholders;
d) Objectives and the strategies that are in place to achieve them;
e) Perceptions, values, and culture;
f) Policies and processes;
g) Standards and reference models adopted by the organization; and
h) Structures (e.g., governance, roles, and accountabilities).

6.2.4 Assumptions

Assumptions are frequently part of fact-finding and problem-solving and often linked to an individual’s perspective and point of view. Investigators should be aware of assumptions and potential bias that can occur. An investigator can potentially misinterpret information if the assumptions are not clearly identified. Persons conducting the investigation should consider:
a) What are the assumptions based on?
b) How are the underlying assumptions impacting the outcomes?
c) How is the assumption affected by the level of uncertainty?
d) Are the assumptions a reflection of investigator biases?
e) Are assumptions that something is a “given” based on opinions or evidence?
f) How do the assumptions affect the confidence in the interpretation of evidence?
g) Are assumptions about likelihood balanced by potential consequences in achieving objectives?
h) Could the assumptions be different if made by another individual?
i) Would the outcomes be different if they were based on different assumptions?
j) Were the assumptions made when setting the investigation criteria still valid in light of the evidence and data gathered?

6.2.5 Defining Scope and Statement of Work

The scope may be enterprise-wide or limited to an organizational unit, geographic location, product flow, or a particular activity or function. The scope defines the boundary conditions of the individual investigation (what is in and out of the investigation). As with any project, scope is a function of resources, authorities, and time. Care should be taken not to over-scope or under-scope the investigation. When defining the boundaries of the investigation, the scope should be synchronized with the objectives and needs of the client, as well as the objectives and scope of the overall investigation program. Under-scoping may result in some organizational objectives, assets, stakeholders, or threats being overlooked. Under-scoping may result in tunnel vision with regard to the interaction of factors in the investigation. Over-scoping may result in a waste of time and resources without being able to provide enough focus to the needs of the client.

A scope statement should be prepared clearly defining the boundaries of the investigation. This should include a statement of work highlighting what are the organizational, physical, operational, logical, and logistical parameters included in the boundaries so as to explicitly delineate what is in and what is out of the investigation. The ITL should obtain from the client verification or permission and access to conduct the investigation within the stated scope. Changes in the scope of the investigation should be reviewed and approved in writing by the authorized client representative.

6.2.6 Policy and Management Commitment

Prior to commencing the investigation on-site activities, the ITL should obtain the appropriate authorization and support of the client and/or top management in the form of a policy statement. The policy statement may include statements of:
a) Investigation objectives;
b) Importance of investigation to the organization being assessed;
c) Clear authorization to conduct the investigation within the stated scope;
d) Need for confidentiality and information integrity;
e) Client and/or top management commitment to engage in setting criteria and reviewing output;
f) Commitment of persons working on behalf of the organization to share information with investigators; and
g) Commitment of the client to communicate the importance of participation in the investigation to persons working on their behalf within the scope.

6.2.7 Commitment of Resources

The ITL should obtain the appropriate commitment of resources from the client and/or top management to conduct the investigation activities. If the ITL determines that there is insufficient time and resources allocated to conduct the investigation, the client should be notified. If additional resources cannot be secured then the objectives and scope of the investigation should be modified accordingly with the agreement of the client.

6.3 Planning Investigation Activities

The investigation is an iterative process consisting of the steps described in the following sections and based on the PDCA model.

6.3.1 Assessment Phase Analysis

The assessment phase of the investigation involves examination and evaluation of the fundamental facts regarding the allegation or problem and generally involves some type of initial inquiry or assessment. For example, in the case of workplace investigations, considerations in this phase include:
a) Determining if the parties suspected have a relationship with the organization and were working on the date and time in question (including off-duty or off-site);
b) Determining what policies, practices, and precedents exist which may impact the intended investigation and the manner in which it is to be conducted;
c) Who else in the organization should be notified prior to the initiation of the fact-finding or before investigatory interviews take place;
d) Is there a concern about bias, reporting or other relationships that would warrant looking to retain an outside investigator; and
e) Are there any parties external to the organization that should be notified and if so, who.

Other factors that may be considered during the initial inquiry or assessment to determine if the matter warrants an investigation include (but are not limited to):
a) Are the allegations, accusations, or suspicions credible?
b) Does the allegation require an investigation consistent with jurisdictional laws and regulations or other obligations?
c) Does the investigation fall within either the grievance or whistle-blower policies of the organization?
d) What might happen if the matter is simply ignored?
e) What does a successful investigation look like?
f) How might the results be used?
g) Could results include prosecution, restitution or discipline?
h) Can the investigation drive a reduction of risk and identify opportunities for improvement?

6.3.2 Jurisdictional laws and regulations or other obligations

When conducting an individual investigation, the ITL should revisit the jurisdictional laws and regulations, or other obligations discussed in Section 5.4.2 relative to the objective and scope of the individual investigation.

Tip #22: Legal Privilege

Legal privilege can be invoked in certain cases to protect legal work, thought process and legal communication by the organization's attorneys from disclosure. Legal privilege can extend to investigations, particularly if those investigations are conducted in anticipation of litigation and directed by an attorney. Litigation can result from most circumstances that warrant investigations. Therefore, an investigator should consult with the legal counsel to determine whether and how to preserve privilege protections for an investigation. In general, the privilege is protected by demonstrating an intent to protect the privileged nature of the documents and keeping the investigation confidential. Common strategies to protect legal privilege include marking documents with statements such as "Confidential: Privileged Communication" and limiting the investigation results to those who have a reason to know related to the litigation. The investigator is encouraged to obtain advice from the organization's attorney on when to use the statement "Confidential: Privileged Communication" and on which types of documentation. Be mindful that communication or distribution of privileged documentation, including e-mails, may result in the loss of privilege and should be avoided.

6.3.3 Process, Scope, and Structure

The ITL should clearly define the process, scope, and structure of the investigation to ensure efficiency and to make certain the goals are clear to all involved. This provides a basis for analyzing the results of the investigation. A clearly defined process demonstrates its integrity and credibility. Considerations in defining process and structure include (but are not limited to):
a) Credibility of the allegation;
b) Identity of those involved;
c) Location;
d) Jurisdictional laws and regulations, or other obligations;
e) Resources and logistics;
f) Precedent;
g) Past practices; and
h) External notification requirements.

The challenge in conducting investigations in order to achieve the objectives is time. The ITL needs to develop an investigation strategy, or “path”, to collect data in a representative, logical, and methodical manner. Effective planning is necessary to make efficient use of time to ensure an informative investigation. Depending on the desired outcomes for the investigation and whether the scope is enterprise-wide or limited to a specific area, process or project, reasonable targets and timelines should be established within the constraints of available resources and funding.

6.3.4 Information Gathering

It is the investigation team’s responsibility to collect factual information within the defined scope and criteria. The investigation team will determine its findings based on the evidence obtained. The investigation team should have a well-developed information collection strategy and sampling plan. Information can be gathered from various sources, including (but not limited to):

a) Review of documents, performance indicators, and records;
b) Websites and databases;
c) External reports (e.g., industry publications, crime statistics, and government reports);
d) Interviews with persons (internal and external);
e) Physical, documentary, and electronic evidence; and
f) Observation of operational processes.

The ITL, in consultation with investigation team members, should determine how much information needs to be gathered. Some investigations are designed to find systemic weaknesses and opportunities for process improvements. For those investigations it may be necessary to develop a sampling plan to select representative items and elements from the overall population. Sampling examines selected items and elements from the overall population. The method of sampling should be defined and documented using sampling practice and procedures appropriate for the data collection objectives. If contradictory data is collected or possible systemic problems are identified, the sampling size may be increased to determine if there is a trend or pattern.

6.3.5 Review of Documentation

Before performing the investigation, the ITL should obtain initial documentation about the organization, the incident, and/or individuals to be investigated in order to prepare for the investigation activities. The ITL and investigation team should review relevant documents to determine the investigation activities and better understand the client and organization. This includes organizational policy documents, mission statements, organization profiles, organizational structure, management system, and industry practices. It also includes information related to products, services, processes, and activities, as well as understanding the geographic extent, interactions, and dependencies. The ITL should consider obtaining previous investigation reports but should exercise care not to bias current investigation efforts. Proprietary concerns and non-disclosure agreements may need attention. Sufficient documentation should be obtained in preparation of the investigation to determine if the investigation is properly designed and if there are any significant gaps.

6.3.6 Preparing the Investigation Plan

The ITL prepares an investigation plan based on objectives, scope, and criteria in the investigation program and the documentation and information provided by the client. The investigation plan may be reviewed and accepted by the client according to the stipulations of the investigation program. The investigation plan should be presented to the client prior to beginning activities. Any issues raised by the client should be resolved between the ITL and the client. The investigation plan may identify, where relevant:

a) Objectives and scope of the investigation;
b) Investigation criteria such as risk criteria, standards, contracts, regulations, manuals, and reference documents to be used in the investigation;
c) Follow-up activities from previous investigations;
d) The client, management representative, guides, and the divisions, facilities and functions related to the investigation;
e) Investigation team members (e.g., ITL, investigators, technical experts, observers), their roles and responsibilities;
f) Identifying the standard (or burden) of proof;
g) Allocation of appropriate resources and any limitations;
h) Investigation logistics including date and place of the investigation, travel, lodging, and facilities;
i) Timeframe and overall schedule of investigation activities;
j) Communication procedures including meetings with client and investigation team;
k) Investigation methods including evidence collection and sampling methods;
l) Issues identified related to the investigation, the client, organization, and investigation team;
m) Confidentiality, safety, health, and security measures;
n) Conditions that warrant stopping the investigation;
o) Language of the investigation and report;
p) Investigation report topics; and
q) Specific exclusions.

The investigation plan should:

a) Provide the basis for the agreement with the client for the conduct of the investigation;
b) Consider the effect that the investigation activities may have on the client and its functions;
c) Facilitate efficient communication, coordination and scheduling of the investigation activities to most efficiently and effectively achieve the objectives;
d) Take into consideration the competence and composition of the investigation team (including whether technical or security experts are needed);
e) Outline appropriate investigation methods and practices (e.g., sampling and interview techniques); and
f) Provide for scope and mission change approval procedures.

The complexity and scope of the investigation and the confidence level of achieving the investigation objective determine the amount of detail needed in the investigation plan. The scope of the investigation may be dynamic. The investigation plan should include appropriate flexibility to allow for changes as the investigation progresses. Significant changes should be reviewed and approved by the client.


6.3.7 Identifying the Investigation Team

The ITL delegates responsibility to each team member regarding the specific processes, activities, locations, and functions of the investigation. When delegating the roles and responsibilities, the individual investigation team members’ competencies, strengths, and weaknesses are taken into consideration, as well as the effective use of resources. The ITL should decide on the frequency of the team briefings that are held to ensure the investigation objectives are met, work assignments are correctly allocated and decisions regarding possible amendments are made. Throughout the investigation, the investigation team should be aware of changing circumstances or risks. Investigators and the ITL should work collaboratively to address these changes in order to achieve investigation objectives. The ITL should communicate to the client representative any identified significant risks (particularly threats to health, safety and security of the investigation team or client’s organization) as well as recommended changes to the investigation plan.

6.3.8 Determining Feasibility

The ITL should determine the feasibility of achieving the investigation objectives. If the investigation is considered feasible there should be reasonable confidence that the investigation objectives can be realized. If the investigation is not feasible, the ITL should promptly notify the IUM and client. Investigation preparation should be suspended until all parties agree to subsequent changes. Factors that contribute to the feasibility of the investigation include:

a) Adequate resources committed to the investigation;
b) Adequate time within scheduling constraints;
c) Availability of investigation team personnel with the mix of characteristics, competences, and necessary clearances;
d) Cooperation with the client and conducive work environment;
e) Availability of interviewees (including complainant and respondent);
f) Access to adequate and relevant information for preparing and conducting the investigation;
g) Logistics;
h) Language requirements; and
i) Constraints imposed by jurisdictional laws and regulations, as well as organizational policies.

6.3.9 Documentation and Document Control

The ITL should maintain records to support the investigation activities. The ITL should establish, implement, and maintain procedures to protect the sensitivity, confidentiality, and integrity of records including access to, identification, storage, protection, retrieval, retention, and disposal of records. Record retention should be consistent with what is required or limited by law. The IUM and ITL should establish, implement, and maintain procedures to:

a) Ensure an appropriate location for the storage of documents;
b) Approve documents prior to issue;
c) Protect sensitivity and confidentiality of information;
d) Review, update as necessary, and document revisions;
e) Record amendments to documents;
f) Make updated and approved documents readily available;
g) Ensure that documents remain legible and readily identifiable;
h) Ensure that documents of external origin are identified and their distribution controlled pursuant to originator requirements;
i) Prevent the unintended use of obsolete documents; and
j) Ensure the appropriate, lawful, and transparent destruction of obsolete documents.

The ITL should ensure the integrity of documents by rendering them securely backed-up, accessible only to authorized personnel, and protected from unauthorized disclosure, modification, deletion, damage, deterioration, or loss.

6.4 Conducting Investigation Activities

6.4.1 Preparing Work Documents

Investigation team members prepare work documents to facilitate and record their investigation and report its results. Working documents both provide a flexible roadmap for conducting the investigation activities and record observations for investigation evidence. Work documents should show what was evaluated, how it was evaluated, what was examined and what was observed. Work documents can include checklists, investigation sampling plans, and forms for recording information including investigation findings and records of meetings. Well-prepared work documents can help improve investigation time management. The use of checklists, forms, process maps and log sheets should provide structure for the various investigation activities. However, the use of checklists should not restrict what an investigator needs to do and should be flexible enough to consider changes that take place throughout the investigation. When developing the work documents, procedures should be specified for their retention, access and the need to protect confidential and proprietary information. The integrity of the information should be ensured at all times. Effective work documents should:

a) Be tailored to the purpose;
b) Indicate background information needed;
c) Guide the investigator about what objective evidence needs to be examined;
d) Record the process of evidence collection;
e) Outline the types of questions to ask;
f) Clearly identify and explain sampling techniques;
g) Include space to document samples taken, documents reviewed, as well as record comments and observations;
h) Provide evidence of the thoroughness of the investigation; and
i) Be reviewed at the end of the investigation for effectiveness and improvement.

Checklists should be reviewed before each investigation to determine if they are still relevant and appropriate. Checklists should be designed to:

a) Maintain clarity of the investigation’s objectives;
b) Provide structure;
c) Help ensure thoroughness;
d) Maintain the rhythm and continuity of the investigation;
e) Reduce the investigator’s bias, thereby increasing objectivity in evidence;
f) Reduce the workload during the investigation and provide formatted evidence collection; and
g) Provide a record of the investigation and evidence collection.

6.4.2 Assigning Roles and Facilitating Communication among Team Members

The ITL should make specific investigation assignments based on the competence of the individual investigators and reflect the complexity of the investigation tasks. There should be a balance in the investigation team between technical, legal, industry, administrative, and risk management knowledge. The ITL should assign and communicate investigation responsibilities prior to commencing the investigation. Formal channels of communication between the investigation team, client, and external bodies (where applicable) may be necessary during the investigation. This may be especially necessary where jurisdictional laws and regulations or other obligations require the mandatory reporting of certain risk, contractual, and regulatory violations. Communication within the investigation team should occur regularly to assess the progress of the investigation, reassign work among the investigation teams, and exchange information as needed. Frequency of the communication should be as often as necessary based on the complexity of the investigation and the needs of the investigation team. Team briefings confirm the updated information of the investigation and provide the ITL the opportunity to clarify the investigation team member’s evidence and their interpretation. This is particularly important in cases where team members will not be on-site through the end of the investigation. If there is a concern about an issue outside the investigation scope, it should be noted and reported to the ITL. It is up to the discretion of the ITL to communicate the concerns with the client. The progress of the investigation and any concerns regarding the investigation should be communicated by the ITL to the client on a regular basis, as needed.

If evidence collected during the investigation suggests or indicates an immediate and significant risk to the organization, client, or investigation team, the client should be informed of the risk without delay.

The ITL should report and provide an explanation to the client if the available investigation evidence suggests that the investigation objectives are unattainable. The ITL and client should determine the appropriate action (e.g., modify the investigation plan, change the investigation scope or objective, and terminate the investigation). The need for a change in the investigation plan may become apparent through the progression of the investigation and should be reviewed and approved by the client and IUM, where appropriate.

6.4.3 Conducting a Pre-Investigation Meeting

The pre-investigation meeting (sometimes called the “kick-off meeting”) with the client typically initiates the information collection phase of the investigation. Pre-investigation meetings will vary from formal face-to-face meetings to informal verification of the investigation’s objectives and methodologies. The purpose of the pre-investigation meeting is to:

a) Confirm the investigation plan – review the purpose, scope and outline of the investigation process;
b) Introduce the investigation team and meet counterparts of the organization or client participating in the investigation;
c) Confirm communication channels;
d) Verify clearances and approval to conduct the investigation;
e) Verify the feasibility of investigation activities; and
f) Provide an opportunity for the client to ask questions about the investigation.

The ITL chairs the pre-investigation meeting. A designated investigation team member should record attendance and minutes. It may be held with the client’s management who are responsible for the services, functions, or processes being investigated. The pre-investigation meeting should be as detailed as necessary to ensure everyone present understands the investigation process. The pre-investigation meeting is where, at a minimum, the nature of the investigation is explained. The formality of the meeting is dependent on the type of investigation being conducted. The following items are appropriate for the pre-investigation meeting (where applicable):

a) Identification of members of the investigation team to client representatives, including experts, observers, and guides. Each of their roles should also be explained;
b) Confirm the investigation plan - scope, criteria, reference standards, objectives, and methods used in the investigation;
c) Confirm the logistics of the investigation including:
   i. Schedules – especially site visits and meetings;
   ii. Communication channels between the client and the investigation team;
   iii. Language to be used during the investigation;
   iv. Issues of health and safety, as well as accommodation(s) for persons with disabilities;
   v. Review security and emergency procedures for the investigation team;
   vi. Any issues related to information security and confidentiality; and
   vii. An overall investigation schedule, showing topics, investigators, and approximate times to complete.
d) Discuss with the client how the investigation findings will be reported including the method of presenting investigation findings;
e) Confirm how the client will be informed of the progress of the investigation;
f) Confirm what resources and facilities will be made available to the investigation team;
g) Express the conditions in which the investigation may be terminated;
h) Explain how findings of the investigation will be delivered; and
i) Give information regarding the systems for feedback from the client on the results of the investigation, as well as the system for complaints and appeals.

The pre-investigation meeting sets the tone for the investigation and establishes the communications channel between the client and the investigation team. The ITL should prepare an agenda for the pre-investigation meeting and project both knowledge and confidence in the investigation activities. Investigation team members should participate in the pre-investigation meeting only if called upon by the ITL.

6.4.4 Information Collection and Analysis

6.4.4.1 General

The investigation team's responsibility is to collect, analyze, and document information which is relevant, credible, and supportable. It is the investigator's role to assess the information and determine by a preponderance of the evidence whether it is sufficient to draw conclusions. The investigation team should have a well-developed data collection strategy and sampling plan to ensure the gathering of comprehensive information. Avoid collecting information unless specifically required to achieve the objectives of the investigation. Information can be gathered from various sources, including (but not limited to):

a) Review of documents, performance indicators, and records;
b) Digital evidence (e.g., websites, email accounts, mobile phones, social media, and databases);
c) External reports;
d) Interviews with persons;
e) Physical evidence; and
f) Observation of operational processes.

The ITL, in consultation with investigation team members, should determine how much evidence needs to be gathered in order to achieve credible findings and conclusions. When developing a sampling plan it is important to keep in mind that the investigation can provide added value to the client if systemic weaknesses and opportunities for improvement are identified. Sampling examines selected items and elements from the overall population. The method of sampling should be defined and documented using sampling practice and procedures appropriate for the data collection objectives. If contradictory data is collected or possible systemic problems are identified, the sampling size may be increased to determine if there is a trend or pattern of problems. Evidence is collected by appropriate sampling techniques from multiple sources of information (e.g., documents, records, interviews, and observations). The evidence is then evaluated against the investigation criteria to produce investigation findings. Findings are then discussed and evaluated to form the conclusions of the investigation.

Tip #23: Types of Evidence

a) Testimonial evidence: Most, if not all, investigations will involve collecting this type of evidence. Testimonial evidence is derived from interviews with subjects or interviewees, stakeholders and affected parties, and subject matter experts.
b) Documentary evidence: As the name implies, documentary evidence is derived from documents and other writings (hard copy or electronic). Documents could include but are not limited to: invoices, forged or altered company records, sales records, etc.
c) Physical evidence: Physical evidence is derived from physical objects, such as computers, smartphones, equipment, tools, process equipment, company vehicles, etc.

6.4.4.2 Collecting and Verifying Evidence

Collecting and verifying evidence requires the investigator to combine the various methods of investigation available and deploy them in a precise sequence and measure. Tactically, the investigator mixes and matches the methods to determine what is appropriate at the appropriate time. This mix is largely predetermined during the planning phase. The investigation team, ITL and client should together determine the investigative tools to be used and when they should be used. By front-ending the process with sufficient planning and sequencing the investigative tools to be used, the objectives are usually easier to achieve and the investment necessary to achieve them is diminished. The information and evidence gathered is what drives the findings and conclusions. The purpose is to gather the information and evidence to support the findings and conclusions. This point is missed all too often by many investigators. Many practitioners fail to appreciate that the successful gathering of information does not mark the end of the investigation. The successful gathering of information provides the foundation from which to move forward. Interviews, observations, and physical evidence are collected during the investigation. Physical examination of processes, equipment, IT systems, and products is a reliable source of objective information. Observing work activities to determine if they are being conducted according to defined requirements is also a reliable source of objective evidence. Information obtained by interview should be assessed for reliability and may need to be corroborated. It is important that investigators develop good interviewing techniques to maximize reliability and minimize pitfalls, and to establish a rapport with the interviewee to promote the sharing of information.

Where feasible, the interview should take place during normal operating hours, at a location respecting the individual’s privacy and personal space (be sensitive to language, cultural, gender, disability, and authority issues). Interviews are conducted to obtain factual information and should not be used for intimidation. When conducting an interview the investigator should:

a) Establish rapport by providing a personal introduction and exchange business cards where appropriate;
b) Explain the purpose of the interview emphasizing that the interviewee will provide important and useful information;
c) Explain, consistent with the organization's practices and any legal limitations, that the interviewee should treat the substance of the interview as a confidential matter, or one warranting a high degree of discretion;
d) Inform the interviewee about non-retaliation policies for raising issues or participating in the investigation;
e) Explain reasons for note-taking during the interview and explain that the information elicited is to be handled with appropriate confidentiality;
f) Use a funneling technique during the interview process;
   i. Start with an open-ended question to get the interviewee to describe their work and activities related to the investigation (this may include asking the interviewee to provide free associations regarding investigation topics);
   ii. Use clarifying or probing questions to fill gaps and obtain additional information; and
   iii. Closed-ended questions may be used to obtain additional information on specific points.
g) Analyze the major issues raised during the interview to determine if additional information is needed;
h) Summarize and review the salient points of the interview with the interviewee;
i) Where appropriate, obtain a written, signed statement from the interviewee that incorporates the important information provided during the interview;
j) Explain any next steps that may be necessary with regard to the interviewee; and
k) Thank the interviewee for their contribution and sharing their time.

See Annex F for additional information on types of questions.

Tip #24: Considerations when Conducting Interviews

A cooperative interviewee can provide information about their immediate and past actions, as well as provide information regarding others. Information provided about cohorts is corroborative only. However, the accumulation of enough corroboration could justify the interview of an individual not identified during the information-gathering phase of the investigation. The resultant expansion of information and intelligence and ultimate identification of many more additional offenders significantly enhances the ROI. Interviews may also yield admissions. Depending on jurisdictional laws and regulations or other obligations, a properly obtained admission constitutes the best evidence obtainable. Unlike criminal law, where admissions and even confessions often only have corroborative value, private investigations need only to proffer an admission to make a case and may be used even when other information may be in conflict. However, the investigator should exercise caution and assess whether an admission is consistent with other facts in the case or is being used to mask other factors. If there are any inconsistencies within one person's response, the interviewer should note and attempt to resolve those inconsistencies by giving the interviewee the opportunity to explain, re-posing the question, or through other investigative methods. The investigator should attempt to determine the reasons for inconsistencies (e.g., cognitive processes, questioning techniques, external influences, or untruthfulness).

6.4.4.2 Evidence and Evidence Management

6.4.4.2.1 The Definition of Evidence

Evidence is any type of proof that, when presented, is materially capable of proving or disproving an assertion or fact. In order to be used or be admissible, the evidence should be:

a) Competent;
b) Relevant; and
c) Material.

Tip #25: Types of Evidence

Admissibility of evidence is determined by jurisdictional laws. It is important to understand the categories of evidence and their potential for use in legal actions. Factors affecting the type of evidence include (but are not limited to):

a) Direct evidence: Information that is based on personal knowledge or observation. Direct evidence may also include documentary or electronic evidence, a documented event, recorded conversations, or an original contract. It directly proves or disproves a disputed fact without inference or presumption. Direct evidence, if true, conclusively establishes that fact. Testimony from an interviewee who actually experienced an event is an example of direct evidence.
b) Circumstantial or indirect evidence: Information that is associated with the fact being investigated, such that the fact to be proved may be inferred from the existence of the indirect evidence. Inference drawn from one piece of indirect evidence may not guarantee accuracy of the association. Presence at an event is an example of circumstantial evidence.
c) Forensic evidence: Information obtained by scientific methods that are based on scientific theories that are established and accepted in the scientific community. Examples of forensic evidence include ballistics, and blood and DNA testing.
d) Hearsay evidence: Information provided by a person who does not have direct knowledge of the fact asserted, but knows it only from being told by someone else or from a secondary source (e.g., media, online research and resources). Hearsay evidence may be useful in the investigative process and may identify other sources of information. The admissibility of hearsay evidence varies by jurisdiction.
e) Admissibility of evidence: Information which the adjudicator finds is useful in establishing the facts of an event that are considered relevant and material. Depending on the type of proceedings the adjudicator will establish “rules of evidence” to determine what is admissible and what may prejudice the objectives of determining the truth.
f) Materiality of evidence: Information that relates to specific issues necessary for proving or disproving a case is considered material. Materiality of the evidence is based on the relevance of evidence associated with the facts being investigated.

6.4.4.2.2 Hearsay Evidence

Hearsay evidence is evidence that does not come from an interviewee’s or other individual's first-hand personal knowledge but rather from what the witness has heard others say or from a secondary source (e.g., media, online research and resources). The investigator should determine the credibility of hearsay evidence. Hearsay evidence can provide context of the events and identify additional sources of information. The investigator should determine the relevance of the information.

6.4.4.2.3 Admissibility and Materiality

Unlike a court or an administrative hearing, investigations are not subject to the rules of evidence. Thus the investigator will need to gather evidence and determine whether the evidence is both material (that is, whether it is relevant to the matter being investigated) and reliable (that is, that the investigator understands the difference between direct, indirect, and hearsay evidence and can properly weigh evidence based on its reliability). While all information gathered might be considered, the investigator should be able to differentiate between information that is more or less reliable and explain why they relied on certain information or discounted other information.


6.4.4.2.4 Spoliation of Evidence

Spoliation is the intentional or negligent destruction of evidence, and may constitute an obstruction of justice. Spoliation is also the destruction, or significant and meaningful alteration of a document or instrument. Under jurisdictional laws, regulations or other obligations, the rules of evidence impose an obligation to retain and produce evidence deemed admissible and relevant in criminal and civil matters. The intentional and sometimes unintentional destruction of evidence may be unlawful and/or civilly actionable. Litigation and criminal indictments of both the organization and the responsible parties are not uncommon in cases of spoliation of evidence. Claims of spoliation may later arise if items such as emails, notes, and apparently extraneous documents are discarded. As such, it is recommended that in the course of investigation, nothing should be destroyed that may later be considered evidence. The investigator should consider informing the client of spoliation issues and recommend the client seek advice to ensure evidence is not tampered with or destroyed.

6.4.4.2.5 Evidence Retention

Evidence retention and preservation are critical. The mishandling and misplacement of evidence can lead to faulty conclusions, wrongful terminations, claims of spoliation, and civil or criminal liability. The reconstruction of evidence is time consuming, expensive and likely inadmissible as evidence. An evidence file may be nothing more than a folder in which evidentiary documents are placed for safekeeping. Accordion folders, corrugated boxes, file cabinets or safes may also be used to store evidence. When necessary, consideration should be given to an evidence locker or storage vault. Regardless of its form or construction, the safe storage of evidence is essential to assure the integrity of the investigation.

6.4.4.2.6 Evidence Custody and Transfer

If there is a transfer of evidence from one party to another, it should be carefully documented. Each person who handles or takes control of evidence must be recorded, creating what is called the chain-of-custody. A chain-of-custody document at a minimum identifies each custodian, when they received it, and to whom it was transferred. There should be no gaps during which the evidence was unaccounted for or out of the control of a custodian-of-record. A broken chain-of-custody exposes the evidence to challenge and jeopardizes its admissibility.

Tip #26: Sample Evidence Chain-of-Custody Form

Improper handling of evidence exposes both the investigator and the evidence to credibility challenges. Claims of evidence tampering, alteration or contamination are possible when evidence is mishandled. Therefore, the transport and storage of evidence should have clearly defined procedures to assure the integrity of the information.
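One way to check a chain-of-custody record for the breaks described above, as an added example that is not part of the Standard: it models only the minimum fields the text names (custodian, time received, recipient) and flags unidentified custodians, hand-offs that do not match the next custodian, and out-of-order times. The class and function names and the sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class CustodyEntry:
    """One line of a custody form (hypothetical model of the minimum fields)."""
    custodian: str                 # who took control of the item
    received: datetime             # when they received it
    transferred_to: Optional[str]  # who they passed it to; None = still holds it


def _same_person(a: str, b: str) -> bool:
    # Tolerate case and spacing differences between the two signatures.
    return " ".join(a.split()).casefold() == " ".join(b.split()).casefold()


def find_custody_problems(entries: List[CustodyEntry]) -> List[str]:
    """Return one message per break found; an empty list means an unbroken chain."""
    if not entries:
        return ["no custody entries recorded"]
    problems = []
    for i, entry in enumerate(entries):
        line = f"line {i + 1}"
        if not entry.custodian.strip():
            problems.append(f"{line}: custodian not identified")
        if i == len(entries) - 1:
            continue  # current custodian-of-record; no hand-off to verify yet
        nxt = entries[i + 1]
        if not entry.transferred_to or not entry.transferred_to.strip():
            problems.append(
                f"{line}: no recipient recorded, yet line {i + 2} shows a later custodian"
            )
        elif not _same_person(entry.transferred_to, nxt.custodian):
            problems.append(
                f"{line}: transferred to {entry.transferred_to!r} "
                f"but line {i + 2} was received by {nxt.custodian!r}"
            )
        if nxt.received < entry.received:
            problems.append(
                f"line {i + 2}: received {nxt.received.isoformat()} "
                f"is earlier than line {i + 1}"
            )
    return problems


# Constructed sample data: names and times are invented for illustration.
INTACT_CHAIN = [
    CustodyEntry("A. Rivera", datetime(2015, 3, 2, 9, 15), "B. Chen"),
    CustodyEntry("B. Chen", datetime(2015, 3, 2, 11, 40), "d. park"),
    CustodyEntry("D. Park", datetime(2015, 3, 2, 12, 5), None),
]
BROKEN_CHAIN = [
    CustodyEntry("A. Rivera", datetime(2015, 3, 2, 9, 15), "B. Chen"),
    CustodyEntry("C. Okafor", datetime(2015, 3, 3, 8, 0), None),   # B. Chen never signed
    CustodyEntry("D. Patel", datetime(2015, 3, 2, 16, 30), None),  # dated before line 2
]

if __name__ == "__main__":
    for name, chain in (("intact", INTACT_CHAIN), ("broken", BROKEN_CHAIN)):
        found = find_custody_problems(chain)
        print(f"{name}: {'unbroken' if not found else 'BROKEN'}")
        for message in found:
            print("  -", message)
```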

6.4.7 Generating Investigation Findings Investigative findings should be determined by carefully evaluating the information gathered and then deciding, based on the evidentiary standard being utilized, whether the information is sufficient to meet the applicable burden of proof. Findings should be based on substantial and credible information. This could be one credible direct witness or it could be based on indirect information that tends to corroborate that an event or allegation did or did not occur. Sometimes a finding can be made based on a credible account by a complainant, without any corroborating witness. In some cases, the investigator will also discuss in the findings opportunities for improvement and current accepted industry practices. This will help the client understand the effect of issues under investigation on the organization. When creating findings, the investigation team should identify the investigation criteria being assessed, and evaluate the information gathered to support the findings. Every finding should be traceable back to the information gathered.

The investigators should understand the standard of proof to be used. Most civil cases utilize the standard of proof of “preponderance of the evidence,” that is, whether it is more likely than not that the event occurred.

6.4.8 Preparing Investigation Conclusions The ITL, in conjunction with the investigation team, should prepare the investigation conclusions in a team meeting prior to the closing meeting. There should be consensus among the investigation team on the findings and conclusions. Disputes should be resolved by the ITL and unresolved issues should be recorded. During this meeting the investigation team should: a) Review the evidence, information collected during the investigation, and its findings against the investigation objectives; b) Prepare recommendations, where applicable (this can include recommendations for improvement and/or future investigation activities); and c) Discuss follow up to the investigation, where applicable. The investigation report should be clear and actionable. For the conclusions of the investigation to be useful, any findings should indicate the criteria and reason for the findings. The client should understand both what was found and what they need to consider in developing an action plan to correct any deficiencies, or implement any opportunities for improvement or accepted industry practices. The investigation report will provide the script and documentation for the closing meeting. Tip #27: Decision-Making and Discipline It should be emphasized that decision-making regarding discipline is the responsibility of the client organization’s decision-makers. It is often better that the investigator is not involved in the decision-making or discipline disbursement phase of the investigation. To do otherwise may create the appearance of bias or prejudice. Similarly, those who are not investigators should not become part of the fact-finding process. Segregating these duties enhances the independence and impartiality of the investigation.

6.5 Post Investigation Activities 6.5.1 Conducting Post-Investigation Debriefing The post-investigation meeting ends the on-site activities of the investigation and presents an investigation summation, draft, or preliminary investigation report to the client. Depending on the organizational structure, the post-investigation meeting should be facilitated by the ITL or IUM. The purpose is to present the investigation team’s conclusions and findings to the management of the organization, and those responsible for the areas being investigated, where applicable. The post-investigation meeting may present areas of both upside and downside risks, as well as strengths and weaknesses in the risk management system and opportunities for improvements. A designated investigation team member should record attendance and minutes. The level of detail is dependent on the level of familiarity the client has with the investigation process. Also the formality of the meeting is dependent on the type of investigation. In some cases, a formal meeting is necessary with records of attendance and minutes, while in others the meeting may be a less formal communication of the investigation findings. If situations arose during the investigation that might call the results of the investigation into question, the investigation team should advise those present of the situation. Furthermore, any differences in opinion regarding the investigation conclusions or findings within the investigation team should be discussed. The parties should try to resolve any disagreements. If the parties cannot resolve their differing views, it should be recorded. Participants may discuss an action plan to address investigation findings and adapt the risk management system, where needed. Recommendations for improvements may be presented if specified by the investigation objectives. It should be clear that any recommendations are non-binding, and it should be noted that in subsequent investigations these may bias an impartial evaluation. The following points should be addressed with the organization’s management so that they are acknowledged and understood at the post-investigation meeting (where appropriate): a) The investigation findings and conclusions; b) The method of reporting; c) The handling of investigation findings and possible consequences; d) Implications for improved management of risk; and e) Post-investigation activities, including recommendations for risk treatments and corrective action (where applicable). Tip #28: Recommendations for Improved Risk Management Some investigations provide opportunities to improve the organization’s policies, practices and system for managing risk. The client and investigation team critique the effort, benchmark, identify best practices and analyze their performance. Additionally, the client and investigation team may assess the damage and identify root causes. What was it that allowed the problem to occur and how can it be prevented in the future? This evaluation provides ROI to the organization.
Clearly, if the organization continues the same practices, it is likely to get the same result again in the future. Such behavior is worse than pointless; it may also be negligent. Under the legal theory of foreseeability, negligence is compounded when a party should have reasonably foreseen an event that could have been prevented had it taken corrective or preventative action. Organizations often make this mistake and in doing so incur unnecessary additional liability.

6.5.2 Reports and Records The investigation report communicates the results of the investigation to the client and organization, and provides a complete and concise record of the investigation.

6.5.2.1 Overview The investigation report is prepared by the ITL, with input from the investigation team, and is provided to the IUM as soon as possible after the post-investigation meeting. The investigation report is approved and reviewed by the IUM prior to distribution. For credibility, any changes to the report, including findings, should be made by the ITL. The client determines who will receive copies of the investigation report. The purpose of the investigation report is to: a) Provide information about the objectives, scope, and criteria of the investigation; b) Provide information about the investigation findings and conclusions; c) Provide a basis for top management and decision-makers to determine any disciplinary actions; d) Identify needs for corrective actions to reduce significant risks requiring immediate attention, if applicable and part of investigation objectives; e) Serve as a basis for identifying opportunities for improvement of the risk management system, if applicable and part of investigation objectives; and f) Provide a record of the investigation.

6.5.2.2 Contents of the Investigation Report The investigation report should include the following: a) Identification of the organization and IUM conducting the investigation; b) The name and address of the organization (including client, and the client’s management representative) authorizing the investigation; c) The type of investigation; d) The investigation objectives; e) The investigation criteria (including any specific inclusions or exclusions); f) The investigation scope, specifically identification of the organizational or functional units or processes investigated; g) Identification of the ITL, investigation team members and any accompanying persons; h) The dates and places where the investigation activities (on-site or off-site) were conducted; i) Investigation findings, evidence and conclusions (if applicable, opportunities and down-side risks), consistent with the requirements of the type of investigation; and j) Any unresolved issues, if identified.

The following may be included or referenced in the investigation report: a) An executive summary for lengthy investigation reports; b) Areas within the investigation scope which were not covered; c) Investigation plan; d) Time schedule of the investigation plan; e) Summary of the investigation process; f) Identified accepted industry practices; g) Opportunities for improvement; h) Follow up action plans; i) Reiterate the confidential nature of the contents; j) Subsequent investigation; k) Implications for the risk management program; l) Distribution list of the investigation report; and m) List of relevant reference materials.

6.5.2.3 Distributing the Investigation Report The investigation report should be issued without delay within an agreed timeframe. If the investigation team is unable to do this, the reasons should be promptly communicated to the client, organization, and the person(s) responsible for the risk management program. In keeping with good project management procedures, the investigation report should be reviewed, approved, and dated. Distribution of the investigation report is at the discretion of the client and organization. The IUM should not send a copy of the investigation report to anyone unless explicitly approved in writing to do so by the client and organization. The organization conducting the investigation maintains a copy for its records only as per agreement with the client and organization. In some instances, reports may be required to be submitted digitally. In these instances, the IUM should make good-faith efforts to control the release of this information by encrypting and password protecting this data. Passwords and encryption keys should be communicated via a medium other than the one used to transmit the digital information. Passwords and encryption should comply with accepted industry practices/methods for securing this type of information.

6.5.3 Follow-up and Monitoring It is the responsibility and prerogative of the organization and client, not the investigative team, to apply disciplinary, corrective, preventive, or improvement actions indicated in the investigation report. If the client chooses to implement these actions, they should be implemented in a timely manner. These actions should be documented and verifiable so they may be included in a future investigation. Verification that the corrective, preventive, or improvement actions have been conducted and are effective should be documented before any follow-up investigation commences.

6.5.4 Checking and Reviewing the Investigation Activities The ITL should establish, implement, and maintain performance metrics and procedures to monitor and measure, on a regular basis, those characteristics of the investigation that have material impact on its performance. The procedures should include the documenting of information to monitor performance, applicable operational controls, and conformity with the organization’s investigation program objectives and targets.

6.5.5 Identifying Opportunities for Improvement of Investigations The organization should continually strive to improve the effectiveness of the investigation activities. The ITL should monitor, evaluate, and exploit opportunities for improvement in investigation performance and eliminate the causes of potential problems, including: a) Ongoing monitoring of the operational landscape to identify potential problems and opportunities for improvement; b) Determining and implementing actions needed to improve investigation performance; and c) Reviewing the effectiveness of any actions taken to improve performance.

Actions taken should be appropriate to the impact of the potential problems, and resource realities. The IUM and ITL should ensure that timely actions are taken to exploit opportunities for improvement. Where existing arrangements are revised and new arrangements are introduced that could impact on the overall investigation program, the ITL should consider the associated outcomes before their implementation. The results of the reviews and actions taken should be clearly documented and records should be maintained. Follow-up activities should include the verification of the actions taken and the reporting of verification results.

7 CONFIRMING THE COMPETENCE OF INVESTIGATORS 7.1 General The credibility of any investigation program is a reflection of the competence of the investigators. All persons involved in the investigation should be competent to perform their roles and assigned tasks. Investigators should possess the technical expertise and interpersonal skills to effectively evaluate the criteria of the investigation. Investigators should provide value to the organization by being able to also evaluate the effectiveness of the risk management measures, not merely checking a box indicating measures exist. Therefore, to add value to the client and organization, the investigators should understand the management and risk approaches from the client’s business and risk environment. Investigators should have a clear understanding of how to apply the investigation criteria. Investigator competence is comprised of several elements: a) Personal traits and interpersonal skills; b) Investigation skills; c) Communication skills; d) Education, training, and knowledge; e) Work experience; and f) Professional credentialing and licensing. It is not sufficient to be a generalist. Investigators should have a proficient understanding of the business, types of investigations, and disciplines they are assessing. The investigation team should project an image to the client and organization that they have the competence relevant to the appropriate technical area of the investigation, risk-related disciplines, industry sector, and geographic location. See Annex A for additional information on investigator qualifications and personal traits.

7.2 Competence 7.2.1 General The IUM and ITL should determine and document the competence required to evaluate each technical area and function in the investigation activity. When identifying competence requirements, the IUM and ITL should tailor the competence requirements for the types of investigations required by the client and organization, and locations of operations, in order to: a) Define the scope of the activities that it undertakes; b) Identify any technical qualification of its investigators necessary for that particular type of investigation, services, and location of operation; c) Ensure that personnel have appropriate knowledge, skills, and experience relevant to types of services provided, organizational and cultural requirements, and geographic areas of operation; and d) Recruit and select a suitably qualified investigation team. The IUM and ITL should determine the means for the demonstration of competence prior to carrying out specific functions. Records of the determination should be maintained and made available upon request by the client and/or organization.

7.2.2 Determination of Competence Criteria The IUM and ITL should have a documented process for determining the competence criteria for personnel with a demonstrated capacity for the management and performance of the investigation. Measurable criteria should be determined to demonstrate competence with regard to: a) The requirements of the investigation; b) Investigation methodologies and management consistent with jurisdictional laws and regulations or other obligations and accepted industry practices related to operations; c) The legal, cultural and operational context of the location of operation; and d) Functions in the risk assessment process. The output of the process should be the documented criteria of required knowledge, skills, and experience necessary to effectively perform investigation tasks to achieve the intended results and provide a basis for: a) Selection of investigation team members to cover all areas of required competence; b) Ascertaining requirements for continual improvement of investigator competence; and c) Determining performance indicators for investigators. To determine the appropriate investigator competence, the following points may be considered: a) Risk associated with the organization’s operations and activities; b) Nature and complexity of the client’s risk management system; c) Investigation types and disciplines to be considered; d) Objectives and extent of the investigation program; e) Jurisdictional laws and regulations or other obligations, such as those imposed by internal or external bodies, where appropriate; f) Role of the risk management process in the business management system of the organization; g) The need for balance and avoidance of bias in the investigation process; h) Complexity of the business and risk management environment to be assessed; and i) Risk related to achieving investigation objectives.

When determining the competence criteria, the IUM and ITL should establish performance-based evaluation criteria and a consistent documented method for evaluating competence. Examples of evaluation methods include (but are not limited to): a) Verifying the background, education, and experience; b) Psychometric (quantitative) testing of knowledge and skills (may include variables such as abilities, attitudes, personality traits, and educational achievement); c) Reviewing written samples of work; d) Interviews to evaluate knowledge, communications skills, and personal behavior; e) Observation of investigation skills; f) Certifications and professional credentialing; and g) Feedback and post-investigation review.

7.2.3 Training and Competence Evaluation Persons conducting investigations should have successfully completed training and be able to demonstrate competence in the understanding and application of: a) Investigation types and risk disciplines being assessed; b) Investigation methodologies; c) Investigation and management principles; d) Risk management principles; e) Legal, regulatory, and other relevant jurisdictional law; f) Liability and tort law associated with industry and risk profile; and g) Managing the risks of undesirable and disruptive events. The IUM and ITL should ensure persons conducting investigations have a working knowledge of this Standard. Investigators should have the knowledge and skills corresponding to a post-secondary education that includes language and communications skills. The IUM and ITL should ensure that investigation team members have the necessary specialized knowledge, experience, and training for the type of investigation being conducted. For example, one typical criterion used is work experience in a risk-related industry discipline or sector. Experience may be supplemented by appropriate and relevant education or specialized training. The organization may establish investigator-in-training and mentoring programs to enhance the specialized knowledge and skills needed for the investigations.

The IUM and ITL should establish, document, and maintain a process to evaluate and verify the training and competence of persons conducting investigations, including appropriate continual training according to their specific qualification requirements to maintain competence.

7.2.4 Personal Attributes A minimum level of interpersonal skills is essential to conduct a successful investigation. Therefore, the investigator should demonstrate good communication skills including, but not limited to: a) Good oral and written language skills; b) Being a good listener; c) Ability to handle stress and conflict to manage an adversarial environment; d) Cultural sensitivity, including appropriate body language; e) Ability to conduct unbiased questioning, analysis, and problem-solving; and f) Tact and diplomacy. Personal attributes are discussed in detail in Annex A.2. The ITL should also be able to display leadership, manage time, understand communication formalities, handle conflict, and provide mentoring to less experienced investigators.

7.2.5 Monitoring of Competence The IUM and ITL should ensure the acceptable performance of all personnel involved in its investigation activities. The IUM and ITL should establish documented procedures, metrics, and criteria for monitoring and measurement of the performance of all persons involved based on the frequency of their usage and the level of investigation knowledge linked to their activities. The IUM and ITL should review, at least annually, the competence of its personnel based on their performance in order to identify training needs. The monitoring procedures should include a combination of on-site observation, investigation report review, and feedback from clients or other affected parties. Monitoring should be designed in such a way as to minimize the disturbance of the normal operations, especially from the client’s viewpoint.

7.2.6 Improvement of Competence Investigators should increase and improve their skills through continuing education and experience. Risks, organizational management practices, technologies, accepted industry practices, and standards change with time. Investigators should continually improve their knowledge and skill sets with changing risk management and investigation conditions. Examples of continuing education and skills improvement methods include: a) Participation in investigations; b) Professional society and technical literature; c) Participation in professional associations and their workshops and conferences; d) Mentoring and peer review programs; e) Reading case studies; and f) Formal education programs.

7.3 Validation and Personnel Records The IUM and ITL should maintain up-to-date records of relevant licensing, qualifications, training, experience, professional affiliations and memberships, professional status and competence of all personnel involved in its investigation activities. The IUM and ITL should ensure all persons working on its behalf assigned to perform investigations, as well as technical experts, can be trusted to maintain confidential information obtained during investigative work. These personnel must not create a security risk by betraying confidentiality or adversely impacting operations (evidenced by an executed non-disclosure/confidentiality agreement). This should be validated by appropriate background screening of persons involved in investigation activities (see: ASIS GDL PBS-2009, Preemployment Background Screening Guideline).

7.3.1 Background Screening and Clearances The IUM and ITL should establish, document, and maintain a procedure for screening and vetting of all personnel involved in its investigation activities. Background screening and clearances should be aligned with jurisdictional laws and regulations, including information access and privacy regulations. The IUM and ITL should also ensure that all personnel involved in its investigation activities meet these requirements. The process for security vetting and review of personnel involved in its investigation activities should be documented in a way that can be accessed by the client and/or organization and, where applicable, other relevant stakeholder organizations. (For additional information, see: ASIS GDL PBS-2009, Preemployment Background Screening Guideline.)

7.3.1.1 Background Checks Some investigations may necessitate criminal and other relevant background checks of persons assigned to perform investigations, in accordance with data protection and privacy legislation. These checks may include: a) Work and education background check; b) Criminal records check; c) Personal and previous work references check; d) Posing ethical dilemmas as part of the job interview process; and e) Military background check for ex-services personnel. Where practicable, background checks may be conducted through national agencies or authorities. Where this is not practicable, the IUM and ITL should establish, document, and maintain a procedure to check suitability and integrity by an internal vetting process including records checks and interviews, overseen by the organization’s top management. The vetting process should include review of documented submissions by the candidate, interviews and reviews of documents such as identity cards, work permits, driving licenses, and work place references.


7.3.1.2 Interviews The IUM and ITL should establish an interview procedure, including the hierarchy of interviewers, which should be overseen by the IUM. Top management should appoint an IUM who has been verified by interview and vetting as trustworthy and having the necessary competence and judgment to vet personnel involved in its investigation activities. The responsible manager should assess, through review of documentation submitted by candidates, interviews, and ongoing monitoring, the trustworthiness and appropriate behavioral characteristics of personnel involved in its investigation activities.

7.3.1.3 Work History All personnel involved in the investigation activities should provide evidence of relevant work history which should be verified with current or previous employers. Self-employed candidates should provide other appropriate documentation that demonstrates the same level of confidence and trustworthiness as employment records. Candidates should provide two work-related references, as well as one probity reference relevant to their work or local jurisdiction.

7.3.2 Identification Credentials All personnel involved in the investigation activities should possess an identification credential (consistent with their duties and need for confidentiality). Identification credentials should show the following: a) Photograph; b) Full legal name; c) Period of validity; and d) Name of the issuing body.

7.3.3 Non-disclosure Agreements All persons assigned to perform investigations should sign confidentiality and non-disclosure agreements and a code of ethics. The IUM and ITL should establish, document, and maintain procedures on how to respect and protect the integrity of sensitive, confidential, and proprietary information. The IUM and ITL should periodically review, as part of its own quality management system, the performance of its personnel with respect to taking appropriate steps to protect the sensitive, confidential or proprietary information. When requested, confidentiality and non-disclosure agreements signed by personnel involved in its investigation activities should be made available to the client.

7.3.4 Accountability The IUM and ITL should establish, document and maintain procedures to make personnel involved in its investigation activities aware of infractions that could subject them to disciplinary actions, civil liability, and criminal prosecutions. The procedures may include a process to address infractions or procedures including investigative procedure and disciplinary actions, the code of ethics, and confidentiality and non-disclosure agreements. Records should be kept of infractions, investigations, and any subsequent disciplinary actions. If, at any time, investigative team members become subject to arrest, charge, or litigation they should promptly disclose this information to the IUM or ITL.

7.3.5 Records The IUM and ITL should establish, document, and maintain procedures to maintain records of personnel involved in its investigation activities. Records should be retained for periods that the IUM and ITL deem appropriate and according to retention periods designated by the organization’s policies, as well as jurisdictional law and regulations, or other obligations.

7.4 Use of External Investigators and Technical Experts The IUM and ITL should develop a documented process for outsourcing any investigation activities to ensure compliance with investigation policies, procedures, and services, as well as respect for confidentiality and non-disclosure of client or organization information. Outsourcing agreements should be enforceable and reviewed by appropriate legal counsel.


Annex A (informative)

A QUALIFICATIONS AND PERSONAL TRAITS OF INVESTIGATORS

Investigator competence criteria should include both the professional qualifications and the personal traits of the individual.2

2 ASIS International, Professional Investigators Manual, 2010

A.1 Professional Qualifications

a) Education. Formal education is a point to consider. Many investigative positions require at least a bachelor’s degree. Although the formal education may not be specific to the investigative field, it does connote a general level of intelligence, maturity and discipline as well as knowledge of a breadth of topic areas. A college education familiarizes people with structures and processes of culture and society that foster insights in the events and circumstances that real-world investigators encounter in the course of their professional work. Education also demonstrates an investigator’s ability to continue learning because specialists and experts will require specialized education—often including advanced degrees—in their particular field (e.g., forensic science, behavioral psychology, etc.).

b) Training. An important factor in evaluating candidates is the training they have received. A wide variety of courses are available in general investigative techniques and specific aspects of investigations. Sources range from public sector law enforcement agencies to colleges and commercial vendors. The level of training, currency of the training and the training source (i.e., agency or school) should be carefully considered.

c) Association Memberships. An investigator’s networking ability to integrate training, experience, and skills with industry professionals and peers becomes a force multiplier. The membership in local, state, national, and global organizations is key to ongoing development and maintenance of changes in the profession. Association memberships provide mentorships and resources that may be unavailable in a single organization.

d) Certification. Related certifications such as PCI (Professional Certified Investigator; ASIS International, www.asisonline.org/certification/pci/pciabout.xml) or CFE (Certified Fraud Examiner; Association of Certified Fraud Examiners, www.cfenet.com/cfe/) or CFI (Certified Forensic Interviewer http://iaofi.org/CFI-Certification) indicate a demonstrated level of knowledge as well as an individual’s commitment to the field and effort to maintain currency. Professional certifications should be given significant weight in recruiting and considering applicants, and for advancement.

e) Experience (General). Actual investigative experience is frequently the most important qualification, and should be carefully considered. As a rule of thumb, candidates should possess two years’ experience actually conducting investigations, preferably a variety of types of investigations. General experience should be relevant to investigative processes and may include interviews, evidence handling, liaison, surveillance, record searches, photography, reporting and presentation of cases.

f) Experience (Specialized). The type of experience should be related to the type of investigation to be performed. Some of the experience needed in one type of investigation would not be relevant to another type of investigation. Furthermore, specific experience in the relevant industry, in the business environment or in an investigative specialty is generally a plus—sometimes a significant one. This allows the investigator to bring not only expertise to the new position, but also a valuable suite of lessons learned and best practices, many of which can be transferred to enhance the effectiveness of the unit. Of course some “specialist” positions will require specialized experience as well. Fairly detailed information about specialized experience should be requested from applicants for positions which require those skills.

g) Communications Skills. This is one of the most critical skills needed by an investigator. The ability to elicit information (the core of any investigation) from all sorts of people, both cooperative and uncooperative, with many different perspectives and at different levels is absolutely essential. In addition, the investigator must be highly effective at presenting information orally and in writing to senior executives, attorneys, prosecutors, law enforcement personnel, and security professionals. They must be simultaneously concise and convincing, balancing facts with conclusions. Although communication skills are, to some degree, a personal trait, they should more correctly be considered a professional qualification.

A.2 Personal Traits

High Ethical Standards. Personal suitability for the position is key. Candidates must have a demonstrated background of trustworthiness and professional ethics. This trait will permeate every aspect of the individual’s relationship with the unit and everyone he/she comes in contact with as a representative of the organization.

Persistence. An important trait of the successful investigator is an appropriate level of persistence. The investigative process often leads to apparent dead ends or other frustrations. The ability to forge ahead toward a successful case resolution or objective despite obstacles proves to be of significant value.

Balance. At the same time, however, the individual must be able to draw an appropriate balance between aggressively pursuing a successful outcome and following established rules and protocols (so as not to threaten the legal basis of the case or unduly raise the liability risk to the organization).

Maturity. A mature and realistic view of self and surroundings is an important trait for anyone who deals with investigative matters, private information, legal issues and activities that can affect people’s lives and careers—and the organization itself. It allows an individual to keep their activities in perspective and place information, events and situations within the appropriate context.

Ability to Deal Effectively with People. Despite our techno-centric society, people form the core of almost every investigation worldwide. The ability to deal with all types of people, in every role, in a highly effective manner is absolutely essential to an investigator.

Self-Motivating and Self-Starting. In most environments, investigators operate with very little direct management oversight (other than from a legal and regulatory perspective) and are expected to perform independently. The ability to motivate oneself in combination with an inherent inner drive is of extreme value.

Ability to Multitask. The ability to manage several activities simultaneously is an extremely useful attribute for an investigator. Each investigation has numerous elements—and often a large number of information inputs. In addition, most investigators are assigned several investigations at any given time.

Professional Demeanor. In all aspects of the investigative function including dealing with people, collecting and analyzing information and presenting facts and conclusions, the investigator must maintain a professional demeanor. To do otherwise will threaten his or her effectiveness as well as the unit’s (and the organization’s) credibility.

Good Observational Skills. Skill-in-observation (curiosity is most important) of people, places, activities and situations is a key element of any investigation and feeds the information base for a particular case as well as helping direct future investigative steps and direction. People with excellent observation, interpretation and correlation skills often make good investigators.

Flexibility. An individual who can operate smoothly in a wide variety of environments, is comfortable in a range of situations and can distinguish between when to yield and when to persist will be a far more effective investigator than an inflexible person.

A.3 Unacceptable Behaviors

The following examples of unethical or dishonest behavior are unacceptable in professional investigations:

a) Selectively opening, closing, rushing, or stalling investigations based on a relationship between the investigator or unit and the parties to the investigation, or other key player or based on a desire for personal gain;

b) Inappropriately or improperly selecting interviewees to influence outcomes;

c) Improper handling of evidence in order to influence the outcome of an investigation;

d) Improper handling of evidence or investigative information through incompetence;

e) Fabricating evidence or investigative information;

f) Making threats or promises during an interview or interrogation;

g) Compromising sensitive investigative information;

h) Using scientifically unproven, unreliable, or inappropriate investigative techniques;

i) Mistreating liaison contacts (e.g., providing misleading or false information or inappropriately exploiting the relationship); and

j) Lying during judicial or administrative proceedings.

Besides diminishing effectiveness, unethical behavior can leave an organization open to civil or criminal liability. The IUM and ITL must make ethics an underlying pillar of their operations, procedures, and relationships, as well as instilling the importance of ethical behavior in investigative personnel.


Annex B (informative)

B USE OF EXTERNAL RESOURCES

B.1 General

Using outside resources to assist with or conduct one’s internal workplace investigation is an acceptable practice. Some investigations are too complex to be conducted by resources internal to the organization. At times, the use of an external, independent investigator is necessary to ensure fairness, objectivity, and confidentiality, in order to produce a credible investigation. When top management are the subject of allegations, the use of an external investigator may be preferable. High profile sexual harassment investigations would fall into this category. Another example would be employee substance abuse where the only investigative solution might be an undercover investigator. Regardless of the issue, sometimes it makes more sense to have someone external to the organization perform the investigation than expending the time and resources to do it internally. In addition to a cost-benefit analysis, the most important consideration should be whether or not the organization has the skill and experience necessary to do the job properly.

Investigative firms contemplating undertaking a complex investigation should consider:

a) If they have the necessary skills and experience to do the job properly;

b) If they have the equipment and technology to do the job properly;

c) If they have an investigative plan that is committed to writing;

d) If undertaking an investigation is the best use of the firm’s time and resources right now;

e) Is a contingency plan in place if something goes wrong?

f) If someone else is more qualified or better suited for the job; and

g) If the firm is prepared to handle the matter if it turns out to be more complicated or dangerous than anticipated.

B.2 Use of External Investigators and Technical Experts

The IU and their investigators should consider the following issues when selecting a vendor for investigative support or technical experts.

B.2.1 Licensing

In many jurisdictions, licensing is required for persons participating in the investigation and their agencies. Where licensing exists, a failure to be licensed can result in criminal charges against the investigation team and in some cases their investigative results being rendered inadmissible. In some jurisdictions, attorneys may be allowed to conduct investigations if acting in their capacity as an attorney.

B.2.2 Training

The organization may provide orientation or training to assure an appropriate level of competence.

B.2.3 Experience

Ensure the investigative firm as well as the employees they assign to the investigation have the experience necessary to do the job properly. If possible, interview them and demand answers to difficult questions regarding their knowledge and experience with investigations of the type under consideration.

B.2.4 Reputation

Reputations vary widely in the industry. Qualified investigative firms are well known in the business community and are active in their professional associations. Request references and check them thoroughly. Inquire about the firm’s litigation and claims experience. A reputation of sloppy work, high profile lawsuits, and big settlements is undesirable and possibly indicates process deficiencies.

B.2.5 Willingness to Testify

All investigators must be willing to testify and see their cases through to their fullest completion regardless of the circumstances. Sometimes that means testifying in court or before an arbitrator. An unwillingness to testify could be nothing more than fear and inexperience. Less experienced investigative firms sometimes claim they don’t want to compromise the identity of their undercover investigators; others claim it is too dangerous. Both claims demonstrate a lack of experience and professional sophistication.

B.2.6 Reports

Reports are an important part of every investigation. The information provided in a report should be complete, concise and correct. Samples should be examined thoroughly before selecting a vendor.

B.2.7 Insurance

Most quality investigative firms carry general liability, errors, omissions, and other types of professional insurance. In many jurisdictions licensed investigators are required to carry insurance in some form. However, bonding, allowed in some jurisdictions, may not provide enough protection. In order to be safe and protect the organization, require the investigative firm under consideration to provide a Certificate of Insurance naming the organization as an additional insured.

B.2.8 Willingness to Involve the Police

Employee prosecution is not always necessary and is complicated and often expensive. As such, the decision to prosecute should be made for business reasons only. However, a good investigative firm knows its limitations and when to involve law enforcement. Investigations involving illegal drugs, for example, cannot be done without the assistance of the police. Ask the investigative firm to provide law enforcement references. Also, ask the investigative firm about their success with criminal prosecution. The answers will provide some idea as to how many cases the investigative firm has conducted and where problems arose. Evaluate the organization in its totality before making your selection and making a contractual commitment.

B.2.9 Attorney Involvement

Investigative firms often prefer the involvement of their client’s attorneys. This applies even when the client hires an attorney to conduct the investigation. That is, in-house or outside counsel still should be involved. The attorney’s role is an important one and the attorney should play an active role during most of the investigation. Sophisticated providers of investigative services know that an attorney will contribute to the smooth running of the investigation and coincidentally protect its interests as well as the interests of the client.

B.2.10 Additional Considerations, Depending on the Type of Investigation:

a) Does the organization provide information to the client (the security manager’s organization) and the subjects in compliance with applicable laws?

b) Can the organization provide the client with regulatory guidance?

c) Is the information supplied the most current and accurate available?

d) Does the organization provide all the screening services needed by the client, or will the client need to use more than one vendor?

e) Does the organization provide ease of access to their services?

f) How long does it take to receive the information requested?

g) What is the price for the services provided? How does the price compare to the price for similar services of competing organizations?

h) What steps does the organization take to establish an applicant’s true identity?

i) What quality control procedures does the organization follow to ensure accuracy?

j) Does the organization have appropriate insurance or other applicable coverage?

k) Does the organization have adequate procedures to ensure the security and confidentiality of the information?

l) Has the organization provided similar services to organizations in the client’s industry?

m) Will the organization provide references that the client can contact?

n) What client satisfaction guarantees does the organization provide?

o) Does the organization provide its clients with resource materials or updates relating to jurisdictional laws and regulations or other obligations and practical issues in pre-employment screening?

p) Will the organization provide a sample report?

Annex C (informative)

C LEGAL ISSUES AND LITIGATION AVOIDANCE

A benefit of a fair and thorough workplace investigation is the potential for litigation avoidance. Workplace complaints can give rise to a whole host of legal issues, both civil and criminal. The investigation itself can lead to legal action, especially if it is not done correctly. The potential legal issues which could result from improper investigation include, but are not limited to:

a) Assault and battery;

b) False Imprisonment;

c) Invasion of privacy;

d) Defamation, slander, libel;

e) Extortion;

f) Negligent hiring, supervision, retention, and investigation;

g) Violation of statutory or constitutional civil rights;

h) Discrimination and harassment;

i) Retaliation for bringing a complaint or legal claim;

j) Bullying; and

k) Interfering with legal rights such as free speech and collective bargaining.

Conducting a fair and thorough investigation, and taking reasonable, fair and consistent action as a result of the findings of the investigation minimizes the likelihood of litigation that could arise from those facts and allegations. Acting on early notice of issues provides an opportunity to properly address the issues, perhaps before they become more severe. A thorough investigation gathers sufficient information to take appropriate action and avoid missteps that may lead to litigation. Even when litigation is not avoided, it is often easier to resolve that litigation when there has been a fair and thorough investigation since the relevant facts should have been uncovered in the course of that investigation, enabling the parties to evaluate the legal claims and come to a fair settlement.

Annex D (informative)

D TYPES OF INVESTIGATIONS

D.1 General

Most IUs focus on a particular function or set of functions. They may range from relatively simple activities such as documenting facts surrounding a security force response to a workplace incident to complex procurement fraud investigations. These functions are generally referred to as types of investigations, and frequently the unit’s incident management system is organized according to incident types. The following are examples of typical types of investigations in the organizational arena:

a) Incident or accident;

b) Employee misconduct;

c) Misuse or abuse of computer or IT system;

d) Substance abuse;

e) Due diligence;

f) Regulatory compliance violation;

g) Lifestyle or financial inquiries for organizational executives and personnel;

h) Personnel security or background;

i) Theft, pilferage, or misappropriation;

j) Lapping (crediting one account with money from another account);

k) Assaults and crimes against persons;

l) Property damage and vandalism;

m) Inventory discrepancies or unexplained shrinkage;

n) Sabotage;

o) Industrial espionage;

p) Copyright and proprietary information violations;

q) Embezzlement or defalcation (appropriation of property by a person to whom it has been entrusted);

r) Fraud (general, procurement, insurance, travel, accounting, etc.);

s) Product tampering (actual and hoax);

t) Diverted, counterfeit, adulterated product;

u) Skimming (keeping some of the cash);

v) Communicating threats;

w) Discrimination and harassment, including retaliation (e.g., sexual, race, religious, national origin, age, disability, gender);

x) Workplace violence (actual or potential); and

y) Litigation support (varying according to whether the organization is the complainant or respondent in a particular case).

Other types of investigations are conducted in various industries and environments. In some sectors an IU may be employed to directly support the core mission of the organization. For example, a real estate organization may use its unit to determine the whereabouts of unknown property owners or conduct difficult title searches. Similarly, IUs are sometimes used to support market research, competitive intelligence, and other organizational functions. The bottom line in many organizations is that the IU is seen as a resource and is employed in ways that support overall business objectives.

IU managers (and security directors where applicable) must understand how the investigative capability fits into the organization and how the executive leadership envisions its application. Optimally, the investigations unit manager or security director plays a key role in defining that fit and the nature of the investigative functions. This role may vary from direct to subtle depending on the environment and leadership style, but wherever possible, investigations and security professionals should exert as strong an influence as possible, recognizing the overall business objective.

Annex E (informative)

E DETERMINING THE NEED FOR AN INVESTIGATION

E.1 General

Investigations are not considered part of the core activities of most organizations in the public, not-for-profit and private sectors. However, many organizations encounter events and situations that have a real, or perceived, negative effect on the achievement of objectives which may require an investigation. This annex provides guidance for organizations to establish criteria to assess the need for an investigation and determine the objectives, scope, timing, and criteria defining the conduct and resolution of investigations, whether conducted by the organization itself, contracted to an external organization, or the responsibility of law enforcement.

This Annex provides a basis for organizations to develop and implement an Organizational Investigations Policy (OIP), in order to:

a) Identify internal and/or external events and situations requiring an investigation;

b) Know what actions are necessary, appropriate and adequate;

c) Consider if the events and situations address issues in the civil, administrative or criminal domain or any combination of the three; and

d) Define the parameters of the investigation that best support the interests of the organization.

By establishing an OIP, the organization will proactively prepare for events that may require investigation. This will facilitate the decision-making process as to whether, how, and when to establish and conduct an investigation and what constitutes resolution. The OIP will assist the organization in understanding key parameters for a successful investigation, including, but not limited to:

a) Legal, regulatory, and litigation considerations;

b) Internal and external relations; and

c) Logistics of managing the investigation and the persons who conduct it.

Through the process of identifying the triggers and parameters for an investigation the organization will assess whether its policies are adequate to avoid undesirable and disruptive events, mitigate or resolve such events, identify needs for new or modified policies and procedures, elucidate information management needs, and review documentation requirements. An OIP will also help both the organization and the persons conducting the investigation to better understand the needs and expectations of the organization itself.

E.2 Identify Events and Situations Requiring an Investigation

If the organization has implemented an enterprise-wide risk assessment and management program it should include an evaluation of the factors that may lead to conducting an investigation. ISO 31000:2009 Risk management — Principles and guidelines provides a process for conducting risk assessments that may be used in assessing the need for an organization to conduct an investigation.

E.3 Establishing the Context

In order to establish an OIP it is important to understand how the organization operates and what internal and external factors may impact the achievement of its objectives and desired outcomes. Factors that should be considered include:

a) Operational and decision-making structure of the organization;

b) Legal, regulatory, and contractual obligations, as well as organizational policies that impact the parameters of an investigation (including jurisdictional triggers for requiring an investigation);

c) Identify and characterize potential actions that may be required by law or policy to address the outcomes of an investigation;

d) Consult legal counsel to determine what actions can and cannot be taken, potential liability issues, and impacts on reputation due to different courses of action;

e) Identify internal and external stakeholders and organizational structures that need to be considered in an investigative process;

f) Identify information and communication requirements needed to support an investigation;

g) Assess internal and external resource needs for the conduct of investigations;

h) Conduct asset identification, valuation and characterization to identify tangible and intangible assets, human resources, programs, services, and activities that would be potential targets for intentional and unintentional actions that may result in an event requiring an investigation; and

i) Define criteria for risk appetite related to potential risk events requiring an investigation and establish the structure of the investigative process.

E.4 Conducting the Risk Assessment

A risk assessment provides a basis for decision-making to determine the needs and parameters for conducting an investigation. Risk assessments are comprised of:

a) Risk identification: The organization should consider what events may require investigations. This involves the identifying of sources of risk and understanding potential impacts. The organization should:

   i. Identify the threats that may result in a risk event requiring an investigation. Scenario-based threat analysis may be used for each identified asset, program, service, and activity to determine the likelihood and consequences of a risk event impacting the organization and the potential need for an investigation. Threat analysis should consider both the capability and intent of any threat actors to better understand the potential for the threat to successfully materialize;

   ii. Identify and analyze its vulnerability to a risk event and evaluate the efficacy of existing technical, operational and administrative controls; and

   iii. Identify and analyze the range of impacts that may be a consequence of a risk event materializing and the need for an investigation.

b) Risk analysis: Based on the threat, vulnerability, and impact analysis the organization should determine the likelihood and consequences of each identified risk. Based on the likelihood and consequence analysis the organization should:

   i. Determine the level of risk; and

   ii. Rank the risks that may require investigative actions.

c) Risk Evaluation: Based on the risk ranking the organization should evaluate which risks fall within its risk appetite and which risks require treatment. The organization should evaluate:

   i. Positive and negative internal and external implications of conducting or not conducting the investigation;

   ii. The need to proactively modify operations, functions and activities to minimize the likelihood of a risk event occurring that may require an investigation and bring the risk level into a range that is as low as reasonably practical;

   iii. The physical, operational, human, and financial resources needed to manage risk; and

   iv. The triggers for initiating an investigation and identify the investigative processes that may be needed.

The output of the risk assessment is typically summarized in a risk register which catalogues information including but not limited to: asset owners, risk events and their potential impacts, level of risk, line management of the persons who could be involved in the activity, and potential in-place information resources (e.g., cameras, access control records, paper files, trusted witnesses and knowledgeable individuals, and internal data bases/computer programs), trigger levels for a response, timeframe for managing the risk, and resources needed to manage the risk.

E.5 Treating the Risk

The organization should establish procedures and guidelines to set the parameters for initiating an investigation. When establishing the procedures the organization should consider:

a) Information that will be needed in order to conduct an effective and efficient investigation, where that information resides, and how to effectively access that information;

b) The cost/benefit of applying various resources toward the investigation;

c) Revision of policies and practices addressing identified risks to minimize the likelihood of an event occurring (e.g., improved management of access to assets, improved information management practices, clearer communication of organization policies related to interactions between people, improved physical asset protection measures, etc.);

d) Legal and liability implications of what actions can and cannot be taken;

e) Consensus with top management regarding which actions should or should not be investigated and how any information gained during the investigation will be managed;

f) Top management commitment to make the necessary resources available;

g) Establish an OIP defining which matters will be subjected to internal, outsourced and/or law enforcement investigations; and

h) Determine the logistics of managing the investigation and the persons who conduct it.

E.6 Monitoring and Review

The organization should establish performance metrics and measure the effectiveness of the OIP. Performance monitoring and evaluations should include:

a) Response and implementation of corrective and preventive actions to pre-emptively minimize risks that may result in the need for an investigation;

b) Achievement of risk management objectives;

c) Value-added to the organization by better managing the factors that may trigger an investigation as well as the effectiveness of an investigation in improving performance;

d) Time and resource management of investigations;

e) Resource management;

f) Ability to achieve the objectives of the OIP;

g) Competence and professionalism of persons affiliated with investigations and the decision to conduct an investigation and subsequent operational improvements; and

h) Effectiveness of communication between all parties involved in the OIP and investigative processes.

E.7 Example Template for OIP

The following template is provided for illustrative purposes only. The organization should tailor its OIP to its needs.

Organizational Investigations Policy

Policy number:
Version:
Drafted by:
Approved by Board on:
Responsible person:
Scheduled review date:

Preamble

This organization possesses both tangible and intangible assets which could possibly be the target of illegal or unethical action by internal or external elements. The organization’s security management plan has considered the risks to our assets and has provided for appropriate and adequate protection measures. However, full protection cannot be guaranteed and despite optimal planning, unwanted events could occur. Consequently this Organizational Investigation Policy (OIP) assesses potential situations that could require investigation and analysis, and establishes information and processes that should be available, if or when an investigation is warranted. The OIP contains guidance for assessment, pre-planning and the management of an investigation.

Introduction

[Name of organization] will endeavor to prepare for any situation that may warrant consideration of an investigative activity to protect the organization’s assets, minimize risk to operations, and resolve outstanding issues.

Purpose

This document sets criteria for assessing the need for an investigation and for determining the objectives, scope, timing, and parameters relative to the conduct of investigations, whether conducted by the organization, contracted to an external organization or the responsibility of law enforcement.

Definitions

The organization should provide definitions and comments, if deemed opportune, to understand the OIP.

Policy

[Name of organization] has a duty to exercise due care over its assets and to be in a position to make timely decisions whether, and how, to conduct investigations. Our organization also has the duty to take pre-emptive steps to ensure that information, or other relevant elements that can be beneficial to the successful conclusion of an investigation are practically available and that legal and ethical issues have been duly considered.

[Name of organization] will implement procedures that will, as far as is practical, ensure that investigations will not be hampered by insufficient preplanning.

To this end, the following working groups are established and will meet regularly to review investigations and issues relevant to their charter (the following list is not exhaustive):

a) Workplace Violence Working Group (Organizational Security, HR, Legal).

b) Ethics and Policies Working Group (HR, Legal, Organizational Security, IT, Internal Audit).

c) External and Supply Chain Working Group (Logistics, Organizational Security, Legal).

d) Financial Crimes and Fraud Working Group (Internal Audit, Finance, Organizational Security, IT, Legal).

Responsibilities

It is the responsibility of the Board, with the assistance of the CEO and the Investigations Management Officer to identify assets, the owners of the assets and the risks that the assets face.

It is the responsibility of the CEO to ensure that:

• An Investigations Management Officer for the organization is nominated.

• The Investigations Management Officer operates in cooperation with the Organization’s Risk Management Officer.

• All employees and, where opportune, external operators and the general public, are familiar with the organization’s Organizational Investigations Policy.

It is the responsibility of the Investigations Management Officer to ensure that:

• All relevant assets have been identified and classified according to their importance for the organization.

• The owners of assets have been identified.

• The owners of assets are aware of the importance of their role and have been consulted regarding the risks that the assets may incur and the elements that may be of use to investigations, if the assets should be subject to theft or malicious damage.

• All appropriate departments, in particular legal and human resources have been consulted to ascertain what elements can be legally accessed and stored in advance by the organization, taking into consideration the jurisdictions involved.

• Decisions have been taken as to which investigations can be carried out legally and efficiently using in-house resources and which would necessitate professional assistance, either private or public, and for which it would be compulsory to inform law enforcement.

• Decisions have been taken regarding the resolution of the investigations and how the results of investigations will be used.

It is the responsibility of all employees to ensure that:

• They are familiar with the organization’s Organizational Investigations Policy management procedures applicable to their sector.

Procedures - Pre-emptive Investigations Management

The Investigations Management Officer should:

• Maintain regular contacts with the owners of assets and discuss with them any changes in the status of the assets.

• Maintain regular contact with relevant departments such as Legal and HR, in order to keep up to date with any relevant jurisdictional laws and regulations or other obligations or administrative issues that could impact investigations.

• Consult with these departments and with Top Management if any changes in procedures would seem to be appropriate.

• Maintain records of all procedures established and of all events.

• Keep the records secure and only available to those who are authorized.

The Investigations Management Officer should participate in any Risk Management exercise to ensure consistency of approach.

Authorization





E.7.1 Guidance for Use of Template

E.7.1.1 Preparatory Phase

E.7.1.1.1 Step One - Awareness

a) Identify, classify, and rank the assets, programs, policies, and activities that are potential targets for criminal, civil, or other unauthorized and inappropriate actions;

b) Identify, classify, and rank the potential criminal or unauthorized and inappropriate acts that could impact the assets, programs, and activities;

c) Identify, classify, and rank the potential impacts to the organization of criminal or unauthorized and inappropriate acts;

d) Be aware of the actions that may be necessary if an investigation is conducted following criminal or unauthorized and inappropriate acts;

e) Be aware of the jurisdictional laws and regulations or other obligations of conducting the various types of investigations that could be needed;

f) Be aware of the positive and negative internal and external implications of conducting or not conducting the investigation;

g) Be aware of the information that will be needed in order to conduct an effective and efficient investigation, where that information resides, and how to effectively access that information; and

h) Assess the tangible and intangible cost/benefit of applying various resources toward the investigation.

E.7.1.1.2 Step Two - How to React

a) Choose a potential case type, either from internal experience or from knowledge of other organisations;

b) Develop an appropriate desktop plan for each criminal, unauthorized, or inappropriate activity envisaged in Step One. This will include identifying the asset owners, line management of the persons who could be involved in the activity, and potential in-place information resources such as cameras, access control records, paper files, trusted witnesses and knowledgeable individuals, and internal data bases/computer programs;

c) Conduct a desktop exercise during which all alternatives are discussed. Include crisis communications, media reporting and public relations. The desktop exercise will possibly bring to light situations that had not been contemplated during Step One. Document lessons learned from the exercise for future consultation.

E.7.1.1.3 Step Three - Getting Organized

a) Use the experience gained in Steps One and Two to review both internal policies and external influences;

b) Ensure that policies address the permitted and prohibited conduct of persons that have access or influence to assets;

c) Ensure that policies provide appropriate access to information regarding persons, programs, and systems needed during an investigation;

d) Ensure that legal counsel has advised what actions can and cannot be taken;

e) Ensure consensus with management regarding which actions should or should not be investigated and how any information gained during the investigation will be managed;

f) Ensure management has agreed to make the necessary resources available; and

g) Establish a general policy regarding which matters will be subjected to internal, outsourced and/or law enforcement investigations.

E.8 Policy

The development of a framework for the risk assessment of the organization’s assets and a methodology for their classification should entail:

a) Establishing the context of the organization and its assets, both tangible and intangible. Remember that reputation may be the organization’s key asset;

b) Conducting a risk assessment including risk identification, analysis, and evaluation including classifying the assets according to relative importance, vulnerability to illegal or improper behavior, and the motivations.

Tip #29: OIP Risk Assessment Considerations
The probability of illegal / improper behavior occurring will depend on the level of opportunity, how easy it is to attack and how important it is for the attacker (motivation), not just for the organization. The risk assessment needs to consider both these factors.

c) Getting prepared. Make a general assessment of the assets at risk. Identify the person(s) with the potential opportunity and, where possible, motivation for committing illegal / improper actions. Identify the owner(s) of the assets. Discuss with them the prospective methodologies of a potential attacker. Consult HR and Legal Counsel to determine what counter actions (investigations) are legal and feasible if such action were to occur. Take into consideration whether it would be preferable to conduct internal enquiries or to involve public or private external assistance. Decide the course of action you intend to take against the person found guilty (e.g., keep it private or seek a civil and/or criminal solution).

Tip #30: Creating Working Groups
Avoid consulting legal counsel at the last moment and possibly losing essential time before commencing the investigation or, worse, always being in a reactive mode instead of having one or more proactive remedies or solutions to address issues that may require an investigation; i.e., create a working group(s) that meets quarterly to discuss issues and risks to various assets. The group(s) would discuss what has happened across the organizational footprint the previous quarter, what has happened across ‘the industry’ the previous quarter and what is being done to prepare for events that may require addressing by management or an investigation.

The pre-emptive steps should include:

a) Elements needed. Investigations need information in order to be successful. On a case by case basis the organization needs to evaluate and provide for, in advance, whatever direct or discreet access to information will be vital to decide whether and how to investigate, as well as to actually conduct and resolve the investigation.

b) Organizations, especially large corporations, should review internal policy regarding contractors. If the procedures for engaging the services of new contractors are long and complicated, as is often the case, then the organization should consider identifying and certifying in advance, as a contractor for investigative services, a qualified professional person or entity, so that precious time will not be lost if the need for an urgent investigation should arise.

Tip #31: Collecting Vital Information
Organizations are often taken by surprise and discover, when it’s already too late, that vital information such as the names and contact information of family members, employment/criminal history, and personal financial information are not readily or even legally available without disclosing the matter to the suspect. These matters should be addressed in advance with legal counsel and human resources.

Further guidance points:

a) An indication regarding preliminary steps. As mentioned in the getting prepared stage, consider creating working groups to address various issues that may eventually require an investigation. For example, depending on the size of the corporation and the core business process, create a working group addressing potential insider threats and/or workplace violence issues that may be facing the organization. As another example, industries reliant upon a large and varied supply chain should ensure that all aspects of the chain are protected and review/analyze past and recent events to help determine patterns that may need investigation or inquiry to find a solution.

b) The assessment, case by case, whether to conduct internal, external or both, investigations. The organization needs to act both legally and in its own interests. The choice between handling the investigation as an internal affair, with or without external private sector assistance, must take into consideration whether reporting the event to the authorities is mandatory or not. In order to act efficiently in a timely manner and, above all, legally, the organization must be aware of what is mandatory or not. Only if the matter is not mandatory can the organization consider the pros and cons of a public or private investigation.

c) Pitfalls to be avoided. (Refer to the ANSI/ASIS/RIMS RA.1-2015 Risk Assessment standard for practical advice.) Always be consistent in following organizational policies and procedures when conducting an internal investigation to avoid future allegations of possible discrimination or special treatment for select personnel. External investigators should be made aware of organizational policies and procedures which may apply to their investigation. Attempt to keep the investigation as covert as possible by only sharing information with those that have a need to know. When conducting interviews, advise the interviewee not to discuss the interview and situation with anyone else, if this is compliant with jurisdictional laws. Conduct the investigation as quickly as reasonably possible for the situation; document everything done during the investigation. Conclusions reached should be documented and answer Why, Who, What, When, Where, and How. This will provide the deciding member of management with the information needed to make a decision that is supported by clearly documented facts and evidence. Place authority to conduct each investigation with a single person/department. No investigation profits by having more than one case supervisor.

d) Evidence management. Investigators, in both the public and private sectors, must know how to handle and not compromise evidence. Evidence that has been mishandled could end up being useless in a court of law or an administrative action and could be a boomerang for the organization.

Tip #32: Handling Evidence
As a rule of thumb all evidence should be handled in accordance with documented jurisdictional legal requirements, even if no legal action is anticipated. Do not touch evidence before a professional has had the opportunity to evaluate and advise (e.g., the organization may possibly have the legal right to consult an employee’s computer but the simple act of just switching it on could invalidate evidence).

E.9 Responsibilities

It will depend on the size and complexity of the organization where, within the organization, this role resides and whether this will be a full time role or added to other duties. Typically, it will be the responsibility of loss management, human resources, or security management.

Awareness and cooperation are fundamental to the success of all security related functions, including investigations. The OIP should be presented and explained to all relevant persons and the organization should be prepared to discuss, as opportune, its contents and purpose.

The first two points, in the policy template, have been addressed in the section “Pre-emptive steps.” If the organization promotes employee knowledge of, and pride in, ownership of assets, it will achieve major protection from, and increased assistance following, an illegal/improper act.

It is advisable to create adequate documentation of the information gathered and establish file maintenance and retention policies. This can be done by talking through potential scenarios and reaching overall decisions as to how to classify them. If opportune, seek assistance and advice from public or private sector professionals. All employees must be informed in a way that is understandable for them and records kept of when and how this has been done.

E.10 Procedures

The establishment of regular, friendly contacts and making constructive use of information gathered can be decisive in the prevention of illegal/unethical acts. This is particularly important when the organization diversifies activity and/or begins operations in new jurisdictions, or for change management, and could be of use in legal proceedings as a demonstration of the organization’s ethical conduct.


Annex F (informative)

F TYPES OF QUESTIONS

An interview is a conversation in which one or more persons question, consult, or evaluate another person. It is important that investigators develop good interviewing techniques to maximize reliability and minimize pitfalls, and to establish a rapport with the interviewee to promote the sharing of information. Interviews are conducted to obtain factual information. The interviewer may use various types of questions, including:

a) Open-ended: Require more than one-word answers. They encourage the person being asked the question to think, reflect, and describe a situation. The respondent provides an answer that may include facts, opinions, and feelings about a subject.

b) Probing: A follow-on clarifying question, typically an open-ended question. It is intended to help the person being asked the question to think more deeply about a subject or specific issue.

c) Closed-ended: Can be answered in only one word or short phrase. Respondents answer from a limited number of choices (e.g., “yes” or “no”). They are direct questions that ask for specific bits of information.

d) Leading: Prompts or encourages the desired answer. They suggest to the person being questioned how to answer the questions or embed the answer in the question. Leading questions should not be used as they bias the response.

Type of Question: Open
Advantages: Establish a broad topic area; Serve a variety of purposes; Allow more freedom of choice in responses; Gather a broad spectrum of information
Disadvantages: May be very time consuming; Open to a variety of interpretations; Rely heavily on questioning and interpretative ability of interviewer; May elicit irrelevant information

Type of Question: Closed
Advantages: Require less time; Can be clearly phrased; Direct and easily understandable; Restrict range of responses
Disadvantages: Limited choice of responses; May solicit biased answers; Limited interpretation

Examples of open-ended questions include:

a) Who
b) What
c) Where
d) Why
e) When
f) How
g) Show me
h) Tell me

Note that sometimes it is difficult to get the person to open up with broad open-ended questions. In such cases it may be prudent to narrow the questioning with a probing question and then return to broader questions after getting them into the conversation.


Annex G (informative)

G EXAMPLES OF DIFFERENCES IN REGULATORY, LAW ENFORCEMENT, AND PRIVATE SECTOR INVESTIGATIONS

Regulatory, law enforcement, and private sector investigations may differ in jurisdictional legal authorities, resource allocation, and use of the outcomes. Jurisdictional differences may exist between public and private sector investigations. Some examples may include:

a) Powers of Arrest: Designated individuals in law enforcement and the criminal justice system (e.g., police, prosecuting attorneys, and judges) can under a host of circumstances arrest people, subject them to custodial interrogations, and even incarcerate them. Within defined jurisdictional legal parameters, the public sector has the power to detain and interrogate. The authority of private sector investigators to detain individuals varies widely across jurisdictions; therefore legal counsel should be sought. To forcibly question or hold another against their will may constitute false imprisonment and may be actionable under jurisdictional laws.

b) Search and Seizure: Within the parameters set by jurisdictional laws, the public sector has at its disposal the power to search people, seize property, and compel testimony. While limits to the use of this authority exist and vary by jurisdiction, one’s person, property and papers can be searched and/or seized by the government. The public sector uses this critical tool in criminal investigations and enforcement of public law. The private sector’s ability to conduct search and seizure is bound by jurisdictional limitations and an employer’s search policy. Typically, workplace searches of desks, computers, lockers, and other work areas are permissible only where an employee does not have a reasonable expectation of privacy. The employer can substantially reduce the expectation of privacy by: advising employees that such areas are subject to inspection, with or without notice; restricting private use of these areas by issuing its own locks and retaining duplicate keys; and by establishing policies that limit workers’ expectation of privacy and permit searches under any circumstances.

c) Testimony: Persons giving evidence in public inquiries and proceedings are obliged to tell the truth and provide full disclosure or they may be subject to criminal action. In private inquiries and proceedings, persons may have a contractual obligation to tell the truth and provide full disclosure or they may be subject to administrative action.

d) Prosecution: Only the government can prosecute an individual for criminal violations. In many jurisdictions, the improper influence of the prosecution is in and of itself a crime. An employer’s threat of prosecution may constitute criminal extortion in certain jurisdictions. Representatives of the private sector can only file a complaint; it is then the duty of the government to determine if a law might have been broken and if so, what charges should be brought based on the evidence available.

e) Due Process: The obligations for due process vary for public and private investigations depending on the jurisdictions in which the investigation is being conducted. Due process includes, but is not limited to: the right to know the offense(s) and crime(s) of which one is accused; the right to view and examine the government’s evidence; the right to face one’s accusers and examine them as well as any and all interviewees; the right to competent representation; and the right to protection against self-incrimination.

f) Consequences: Successful public sector prosecutions may result in fines, sanctions, and/or incarceration. Consequences vary widely based on jurisdiction of the prosecution. Requirements and protections for reporting and records of the investigative process and disciplinary action also vary by jurisdiction. Private sector consequences may be subject to the employment contract, collective bargaining agreements, and relevant law.


Annex H (informative)

H BIBLIOGRAPHY

H.1 ASIS Publications (available at www.asisonline.org)

ANSI/ASIS/RIMS RA.1-2015, Risk Assessment.
ASIS GDL PBS-2009, Preemployment Background Screening Guideline.
ASIS International, Professional Investigator’s Manual.
ASIS International, Protection of Assets (POA).

H.2 ISO Publications (available at www.iso.org)

ISO 31000:2009, Risk management – Principles and guidelines.

1625 Prince Street, Alexandria, Virginia 22314-2882 USA
+1.703.519.6200
Fax: +1.703.519.6299
www.asisonline.org