Planning Investigations in the New Normal, Part Three

More About | Forensics | COVID-19

This is the third and final piece in our series, Planning Investigations in the New Normal. Our first piece focused on considerations for planning and scoping an investigation. The second article discussed how to collect and preserve evidence while adhering to social distancing and stay home orders. In this final article, we will explore the final three stages of an investigation: Fact Finding, Reporting and Remediation. We hope you have enjoyed this series so far and are finding it helpful as you navigate investigations in the new normal.

Fact Finding

Probably no step is more unique to an investigation than the fact-finding stage. Although this phase will look different for each investigation, there are some practical steps that investigative teams can employ to maximize efficiency and minimize the disruption caused by the current COVID-19 environment.

Many investigative teams are currently and will likely continue to work remotely for some time. Even in the post-COVID-19 world, people are likely to work from home more and certain investigations, especially those that require extensive or high-risk travel, may continue to be performed by remote teams. The blocking and tackling of working remotely has previously been discussed in this series. We are all familiar with video conferencing, emailing and other means of electronic communication that facilitate working from home. The question is how to harness these (not so new) tools to maximize efficiency, mitigate risk and avoid disruption.

The key is to bring the team, data and work product together on a collaboration platform that:

  • Is secure and protects data,
  • Allows the investigative team to share documents and communicate confidentially,
  • Adheres to applicable document retention policies,
  • Facilitates transfer of data to third parties such as regulators

Obviously, security is a top priority. For many, leveraging existing third-party collaboration tools such as Microsoft Teams, Slack or others is a great starting point, especially if they allow for customization of security settings. Document sharing should be cloud based so that everyone is working from the same file, rather than emailing various versions of key analyses and reports. By sharing the same document, you reduce the risk of version control errors and the unnecessary retention of multiple versions of documents that may become discoverable. Finally, a platform that allows for the selection and controlled sharing of documents with third parties may expedite negotiations with regulators and other third parties.


Normally, reporting at the completion of an investigation is accomplished through an oral report/presentation, a written report or a combination of the two. The content and medium should be carefully considered. There are many considerations including maintaining privilege1, satisfying auditors and regulators need for documentation and protecting the organization from the potential damage of public disclosure. In the normal course, controlling the contents of an oral report and/or written documents was easy. For example, it is common to not create a written report and limit reporting to an oral presentation of findings or, in the event of a written report, collect paper documents after a presentation to prevent unintended disclosure.

Assuming that stakeholders cannot be present for an inperson meeting, some combination of video conferencing and distribution of a soft copy of materials is the logical alternative. However, there are unique risks in doing so. Even if you avoid distributing a soft copy of a report or other materials or limit reporting to a conference call or video conference, it is relatively easy for participants to record the presentation from their computers including documents that you intend to be shared only on the screen. There is no perfect answer to protect from unintended disclosure, but there are steps that can be taken to mitigate the risk. For example, you should limit any reporting to those individuals with a need to know and consider requiring confidentiality/non-disclosure agreements by third-party attendees.


Root cause analysis and remediation are the final steps for most investigations. Once the root cause is known, the organization must go about the work of remediating the issues identified in order to mitigate the risk of having the same issues reoccur. In many “routine” investigations, remediation is limited to fixing deficiencies in internal controls or implementing new ones. For some larger issues, extensive training, communication and cultural assessments may be required. The feasibility of completing remediation remotely will vary depending on the level of remediation required. This, coupled with the fact that the root cause of many frauds will likely be control weaknesses caused by the quick move to work from home by many organizations, adds to the challenges. Whether you can implement your remedial efforts directly upon completing the investigation or need to pause to allow people to return to work, this is an important step that should not be skipped because “those who forget history are doomed to repeat it.”


Investigations in the new normal will follow the same broad steps of those in the past. However, successful investigative teams will be required to improvise, adapt and overcome the challenges placed by COVID-19. We hope you have found this series helpful. If you have any questions about investigations in the new normal, please contact your DHG engagement partner or any of our Forensics and Valuation Services leaders.


  1. As we discussed earlier in this series, issues surrounding maintaining privileged over internal investigations should be addressed by legal counsel.

Related Knowledge Share