European Audit Committee Leadership Network, January 2020
Boards and audit committees periodically find it necessary to lead or oversee investigations of cyber breaches, alleged misconduct among executives, and other significant matters. Such investigations are often part of a broader crisis response, requiring speed and agility. The ultimate success of an investigation often depends on a range of factors, including what the company and board did to prepare in advance, how they assigned oversight responsibility, and who they worked with to conduct the investigation.
On November 15, 2019, members of the European Audit Committee Leadership Network (EACLN) met in Paris to discuss board oversight of special investigations.1 They were joined by Luke Dembosky, partner and co-chair of cybersecurity and data privacy at the law firm Debevoise and Plimpton, and Brenton Steenkamp, managing partner of EY Forensic & Integrity Services for the Western Europe and Maghreb region.
Special investigations can be complex undertakings, presenting issues to resolve in each of their successive phases:
- Positioning the company and the board ahead of time. The success or failure of an investigation, especially during a crisis, depends heavily on the work that management and the board have done before it begins. The risks that could lead to crises must be understood and remediated as much as possible, and boards should contribute their judgement and perspective on addressing these risks. Documenting the assessment and remediation efforts is also important.
- The preliminary inquiry. If an investigation becomes necessary, the board should decide on the degree of its involvement. In some cases, that means active leadership, but in most cases the board oversees the efforts led by others. Boards should consider how to delegate leadership or oversight, either to the appropriate committee or the full board. While the company’s own resources, such as internal audit, can be helpful, appointing the right independent, external team of lawyers, investigators, and other professionals is critical.
- Overseeing the investigation. Overseeing the investigation entails thorough but efficient communication with the team regarding both scope and progress. Board members leading or overseeing an investigation should also be sure to communicate with other board members and senior management as well as the external auditor. In addition, legal violations must be reported to regulators, while disclosures to shareholders and the public can benefit from the advice of communications specialists.