Internal investigations represent a highly versatile tool that a company can use for a variety of purposes. In general, internal investigations can serve internal or remedial purposes and external or procedural ones.
The former consist of: a) verifying the adequacy of risk prevention and management tools, or identifying any organizational shortcomings that need prompt correction; b) ensuring compliance with internal procedures and protocols, aiming for integrated compliance, and identifying the person responsible for the violation, who may thus be subject to disciplinary sanctions; c) managing whistleblower reports that do not appear manifestly unfounded.
The external or procedural purposes, on the other hand, consist of: a) acquiring information about events involving the company or its employees, which are subject to verification by the judicial authorities; b) subsequent development of the defensive strategy (including for possible remedial actions); c) seeking evidence useful for defending the entity or, conversely, for pursuing civil or criminal actions against the perpetrator of the crime.
The initiation of internal investigations is typically prompted by an in-house body (such as the internal audit, legal affairs, or compliance departments) and specifically by the Supervisory Body when the verification concerns facts (e.g., reported by a whistleblower) that could lead to criminal liability for the company.
In the absence of specific regulations governing internal investigations, defining objectives and developing the investigative activity is left to practice. Best practices in this area are derived from ISO 37008 “Internal Investigations of Organizations – Guidance, an integral part of organizational management,” which states that investigations should be carried out in three main phases:
The pre-investigative phase (the “preliminary assessment”), which involves an initial evaluation of the credibility of the allegations, the scope of the investigation, and the subsequent action plan;
The actual investigative phase, which includes activities that the individuals responsible for carrying out the investigations can undertake to gather the necessary documentation and information, also through conducting interviews (while respecting the privacy of those involved and maintaining confidentiality of the documentation collected);
The post-investigative phase, which consists of reporting the activities carried out and proposing appropriate corrective measures based on the investigation’s results to minimize the impact of violations and improve internal controls, remedying the violations that triggered the investigation itself (the “remediation plan”).
In more detail, the phases of the investigative activity consist of:
Planning the investigative objective and forming the team to investigate. The company can rely on internal resources (internal audit or compliance) or hire an independent consultant when the investigation requires specific technical or scientific expertise. In case of a potential criminal risk, it is common – for the reasons we will discuss – to involve a lawyer to carry out the preventive investigative activities under Article 391-bis of the Italian Penal Code;
Detailed analysis of the information and documentary evidence collected. This activity, which may involve access to emails, corporate chats, or physical or digital archives managed by employees, must be conducted in compliance with labor law and privacy regulations;
Interviews with involved individuals and witnesses to facilitate a deeper understanding of the already acquired documentation. These are, of course, purely informational interviews, in which the employee must participate actively, without hiding any relevant information they possess, while retaining the right to refrain from providing details that may implicate them in the facts under internal investigation. Any question by the interviewer that implies an assessment of the employee’s involvement will take on the characteristics of a disciplinary charge, with all the legal consequences that follow. The situation changes if the employee is already under criminal investigation for the same facts being investigated. In such cases, the individual may exercise the right to remain silent, similar to the right they have before the authorities, and may also request legal assistance;
Drafting a detailed report that accounts for the facts and evidence collected and proposes, if necessary, corrective or disciplinary actions;
Follow-up, identifying measures to prevent similar situations in the future.
Once the investigation is completed, the results must be managed.
The key issue is safeguarding the confidential information acquired by the investigative team, particularly when it concerns potentially criminal conduct. There is no specific rule governing possible collaboration with the judicial authorities or providing incentives for entities conducting internal investigations.
In the Anglo-American context, internal investigations serve defensive purposes, often aiming to close a deal with the public prosecutor to delay or prevent criminal action or, at the very least, mitigate its potential sanctions. This collaborative approach, however, is foreign to continental legal systems: not only are there no self-reporting mechanisms or negotiated justice, but there are also no equivalents to the American attorney-client privilege or the British legal advice privilege.
It is true that in our procedural system, the information gathered by a lawyer with a mandate during preventive investigations (Article 391-nonies of the Italian Penal Code) is protected from possible investigative intrusions by the judicial authorities (inspections, searches of legal offices, seizure of defense materials, interception of communications, etc.) under the guarantees provided by Article 103 of the Penal Code. However, this does not apply to the results of internal investigations conducted by company function heads or in-house counsel (who lack the requirement of independence), whose documentation can be seized by the judicial authorities (in the form of evidence seizure under Article 253 of the Penal Code) and used in court as documentary evidence.
If enrolled in the professional register, in-house lawyers may, at most, claim professional secrecy in testimony under Article 200 of the Penal Code or oppose the request for document production under Article 256 of the Penal Code, but their legal status does not allow them to enjoy the privileged protections that the Italian legal system recognizes only for the appointed defense lawyer. On the other hand, legal privilege is not a privilege of the lawyer per se, but a guarantee of the fiduciary nature of the relationship between defense lawyer and client, protecting the confidential information that inevitably emerges during defense investigations.
Given these circumstances, the risk is that the information collected during the investigations by internal audit or in-house counsel may be obtained by the judicial authorities and used to launch criminal actions against the company itself.
The only way to preserve the information and data acquired through internal investigations is, therefore, to resort to defensive investigations under Article 391-bis of the Penal Code if a criminal proceeding is already pending or to rely on the preventive investigations mentioned under Article 391-nonies of the Penal Code if the opening of a criminal proceeding seems plausible.
In this case, the appointment of a lawyer by the entity represents the only tool that can ensure, on the one hand, legal privilege for communications and materials shared during the investigation and, on the other hand, the future use of the evidence collected. The lawyer has the option (but not the obligation) to present evidence to the public prosecutor and, in some cases, directly to the judge, in favor of their client. The documents (e.g., interview transcripts that are beneficial to the company’s legal position) will be included in the prosecutor’s file and can therefore be used in court for contestations and trial readings.