Understanding how to conduct a corporate internal investigation in the USA is now a baseline competency for every general counsel, compliance officer, and C‑suite executive. A corporate internal investigation is a company‑directed inquiry, typically triggered by a whistleblower complaint, audit finding, regulatory inquiry, or media report, designed to establish facts, assess legal exposure, and determine whether misconduct occurred. In 2026, the DOJ’s evolving Corporate Enforcement Policy places heightened emphasis on the speed and completeness of a company’s response, meaning the internal investigation process must be faster, more forensically rigorous, and better documented than in prior years.
This guide walks through each stage of that process, from the first 72 hours of evidence preservation through witness interviews, privilege management, regulator engagement, and post‑investigation remediation, with the timelines, document checklists, and cost benchmarks practitioners need to act immediately.
A corporate internal investigation is a fact‑finding process conducted under the direction or oversight of a company’s legal function. It is distinct from a government‑led criminal grand jury investigation or a regulatory examination, although its findings often shape, and are shared with, both. The investigation may be triggered by a variety of events: a hotline complaint, a qui tam filing, suspicious transaction monitoring, a subpoena, or a routine audit that surfaces irregularities.
The internal investigation process applies to any U.S.‑incorporated entity or foreign company with U.S. operations that faces an allegation of potential misconduct. This includes publicly traded companies subject to SEC reporting obligations, privately held firms, and non‑profit organisations. Common subject matters include fraud, bribery and corruption (FCPA), sanctions violations, antitrust conduct, cybersecurity breaches, trade‑secret theft, and workplace harassment.
The possible outcomes range from a finding of no wrongdoing and case closure, through internal discipline and policy remediation, to voluntary self‑disclosure to the DOJ or SEC. Under JM 9‑28.000 (the Justice Manual’s Principles of Federal Prosecution of Business Organizations), a company’s willingness to conduct a thorough internal investigation and self‑report misconduct is a core factor in charging and resolution decisions. Industry observers expect the 2026 enforcement environment to reward companies that compress timelines, preserve digital evidence comprehensively, including AI‑related data, and engage regulators early.
Before a single document is collected or a witness is interviewed, three prerequisites must be addressed. Getting these wrong, or ignoring them, can compromise the entire internal investigation process.
The first decision is whether the investigation can be led by in‑house counsel or requires outside counsel. If the allegation involves senior management, board members, or the legal department itself, independence demands outside counsel. Even where no obvious conflict exists, engaging experienced outside counsel early creates a stronger foundation for attorney‑client privilege and work‑product protection. The retained counsel should have substantive expertise in the relevant area (e.g., FCPA, securities fraud, sanctions) and, ideally, experience with DOJ cooperation credit processes.
Evidence preservation is the single most time‑sensitive prerequisite. Within the first 24–72 hours, the company must issue a litigation hold notice to all relevant custodians, that is, individuals likely to possess documents, electronically stored information (ESI), or physical evidence related to the allegation. The hold must suspend routine document‑deletion policies, back‑up tape recycling, and auto‑purge schedules. Custodians should include the subjects of the allegation, their direct reports, relevant IT administrators, and any employees identified by the initial complaint. The evidence preservation checklist should cover email servers, cloud platforms, mobile devices, messaging applications, access logs, and, increasingly, AI model logs and training datasets.
Attorney‑client privilege and work‑product doctrine protect communications and materials prepared in anticipation of litigation or for the purpose of providing legal advice. However, privilege can be waived inadvertently, for example, by sharing privileged memoranda with non‑legal business teams, third‑party consultants without a common‑interest agreement, or regulators without a negotiated non‑waiver agreement. Establishing clear privilege and waiver protocols at the outset, including document‑marking conventions and distribution controls, is essential.
The following internal investigation steps represent the standard lifecycle from triage to remediation. Timelines are indicative; complex cross‑border or cyber matters will extend durations.
| Step | Who Does It | Typical Duration |
|---|---|---|
| Triage & preserve (issue litigation hold, identify custodians) | GC + in‑house IT + outside counsel | 0–72 hours |
| Assemble team & investigation plan | GC + outside counsel + HR + IT + forensics | 24–72 hours |
| Forensic collection & evidence mapping (ESI, cloud, AI logs) | Forensic vendor + outside counsel + IT | 3–14 days (scope‑dependent) |
| Witness interviews (initial fact witnesses) | Outside counsel (or counsel + HR) | 1–3 weeks (rolling) |
| Analysis & privilege log drafting | Outside counsel + forensic analyst | 1–3 weeks |
| Decision / reporting (discipline, remediation, voluntary disclosure) | Board / GC + outside counsel | 1–4 weeks (complexity‑dependent) |
| Draft final report & regulatory liaison | Outside counsel + GC | 1–2 weeks |
| Remediation & monitoring implementation | Compliance + HR + outside counsel | Ongoing (30–180 days) |
Upon receiving an allegation, the general counsel (or designated compliance officer) must triage the report within hours, not days. Triage involves assessing credibility, identifying the subject matter and potential legal exposure, defining an initial scope, and issuing the litigation hold. The hold notice should be in writing, sent by email with a read‑receipt request, and accompanied by a brief explanation of custodian obligations. Sample opening language: “You are required to preserve all documents, electronic files, messages, and records that may relate to [description of subject matter]. Do not delete, alter, or discard any such materials.” The triage phase also includes securing physical access to relevant offices, locking down relevant IT accounts (without tipping off subjects prematurely), and notifying the company’s D&O insurer where policy terms require it.
A well‑scoped investigation plan is the backbone of the internal investigation process. The team typically comprises outside counsel (lead), in‑house counsel (liaison), HR (for employment‑related matters), IT or a forensic vendor (for evidence collection), and a communications adviser (if public‑facing risk exists). The investigation plan should specify: the scope of the inquiry, custodians and data sources, interview sequences, reporting lines (typically to the board or audit committee), budget parameters, and a preliminary timeline. This plan is itself a privileged document prepared at the direction of counsel. Keep distribution narrow: the wider it circulates, the greater the waiver risk.
Forensic collection must be defensible. This means engaging a qualified forensic vendor to create bit‑for‑bit images of relevant hard drives, mobile devices, and cloud repositories, with hash‑value verification to confirm data integrity. The chain‑of‑custody record must be contemporaneous and unbroken. In 2026, the scope of ESI has expanded significantly: investigators must consider messaging platforms (Slack, Teams, Signal), collaboration tools, SaaS application logs, and, where AI is involved, model training data, inference logs, and version histories. Cross‑border data collection introduces additional complexity. Where evidence resides in a foreign jurisdiction, local data‑protection laws (such as the EU’s GDPR or country‑specific blocking statutes) may restrict direct transfer.
Counsel must evaluate whether to use Mutual Legal Assistance Treaty (MLAT) channels, rely on corporate authority to compel employee compliance, or negotiate data‑transfer agreements. The SEC Enforcement Manual addresses cross‑border assistance mechanisms that may apply in parallel proceedings.
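The hash‑value verification and unbroken chain‑of‑custody record described above can be made tamper‑evident by having each custody entry commit to both the image hash and the previous entry. The following Python sketch is an added example, not part of the original guide or any vendor's tooling; the item ID, actors, timestamps, file name, and the hash‑chained log layout are constructed assumptions.

```python
import hashlib
import json
import os
import tempfile

GENESIS = "0" * 64  # placeholder "previous hash" for the first log entry


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte images never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_entry(log, item_id, action, actor, timestamp, image_path):
    """Append a custody event that commits to the image hash and the prior entry."""
    body = {
        "item_id": item_id, "action": action, "actor": actor,
        "timestamp": timestamp, "image_sha256": sha256_file(image_path),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    log.append({**body, "entry_hash": _entry_hash(body)})


def first_broken_entry(log):
    """Return the index of the first entry that fails verification, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or _entry_hash(body) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return None


def image_matches_acquisition(log, image_path):
    """Compare the image as it is now with the hash recorded at acquisition."""
    return sha256_file(image_path) == log[0]["image_sha256"]


def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample, not real evidence
        image = os.path.join(tmp, "custodian01.img")
        with open(image, "wb") as fh:
            fh.write(b"constructed sample image bytes" * 1000)
        log = []
        add_entry(log, "EV-001", "acquired", "forensic vendor", "2026-01-05T09:00:00Z", image)
        add_entry(log, "EV-001", "transferred", "outside counsel", "2026-01-06T14:30:00Z", image)
        clean = (first_broken_entry(log), image_matches_acquisition(log, image))
        with open(image, "ab") as fh:      # simulate post-acquisition alteration
            fh.write(b"\x00")
        altered_image_ok = image_matches_acquisition(log, image)
        log[0]["actor"] = "someone else"   # simulate a retroactive log edit
        return clean, altered_image_ok, first_broken_entry(log)


if __name__ == "__main__":
    print(demo())
```

Storing the final `entry_hash` separately from the log (for example, in counsel's file) lets a later reviewer confirm that neither the image nor the custody history changed after collection.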
The witness interview plan determines who is interviewed, in what order, and by whom. Best practice, reflected in guidance from the Association of Corporate Counsel, is to interview peripheral fact witnesses first and subjects of the allegation last, so that counsel enters each subsequent interview with a more complete factual picture. Every interview should begin with an Upjohn warning: the interviewer explains that they represent the company (not the individual), that the conversation is privileged, that privilege belongs to the company (which may choose to waive it), and that the individual may retain personal counsel. Sample language: “I represent [Company]. This interview is part of an internal investigation. Our conversation is protected by attorney‑client privilege, but that privilege belongs to the company, not to you personally. The company may decide to disclose this conversation to third parties, including regulators.”
Employees should not speculate about matters outside their personal knowledge, discuss the investigation with colleagues, or destroy any documents. What employees should not say to HR or investigators includes guesses about others’ motives, unverified rumours, or legal conclusions about whether conduct was “illegal.” Stick to firsthand observations and contemporaneous records.
Once evidence and interview data are collected, counsel analyses the facts against the applicable legal framework. A factual matrix, a spreadsheet or database mapping each allegation element to supporting or contradicting evidence, is a critical deliverable. Simultaneously, the team builds the privilege log. Each entry should record the document date, author, all recipients, the basis for the privilege claim (attorney‑client communication, work product, or both), and a brief non‑privileged description of the document’s subject matter. The privilege log must be maintained contemporaneously; retroactive logging is less defensible and more expensive. Documents needed for the internal investigation at this stage also include forensic vendor reports, sanctions and AML screening results, and any expert analyses.
The analysis yields one of several paths. If the investigation finds no misconduct, the company documents the conclusion and closes the matter. If misconduct is confirmed, the company must decide on disciplinary action (termination, suspension, demotion), remediation (policy changes, enhanced controls, training), and, critically, whether to make a voluntary self‑disclosure to the DOJ, SEC, or another regulator. Under JM 9‑28.000, the DOJ evaluates cooperation based on the timeliness and completeness of disclosure, the quality of remediation, and the company’s acceptance of responsibility. DOJ cooperation credit may result in reduced charges, lower fines, or a declination.
The likely practical effect of the 2026 Corporate Enforcement Policy is to further incentivise speed: companies that disclose promptly and demonstrate meaningful remediation before being contacted by law enforcement are expected to receive the most favourable treatment.
The final investigation report typically includes an executive summary (suitable for board or audit‑committee presentation), a detailed factual narrative, a legal analysis section (which may be maintained as a separate privileged document), and appendices containing key evidence. If the company opts for voluntary disclosure, outside counsel will prepare a presentation for the relevant agency, usually the DOJ’s Fraud Section, the relevant U.S. Attorney’s Office, or the SEC’s Division of Enforcement. The presentation should summarise the misconduct, identify responsible individuals, describe remediation steps already taken, and offer full cooperation. Counsel should negotiate a non‑waiver agreement or selective‑waiver protocol where possible to limit the scope of any privilege waiver to the regulator.
Closing the investigation does not end the company’s obligations. Remediation steps (updated compliance policies, enhanced training, improved internal controls, disciplinary consequences) must be implemented and documented. If a regulator imposes a compliance monitor, the company must cooperate with the monitor’s review programme, which can run for 30–180 days or longer. Periodic board reporting on remediation progress is advisable. Documenting every remediation action strengthens the company’s position in any future enforcement proceeding.
The documents needed for an internal investigation should be assembled and maintained throughout the process. The following evidence preservation checklist summarises the core deliverables.
| Document | Notes |
|---|---|
| Litigation hold / evidence preservation notice | Issued by GC or outside counsel; written email + letter to custodians; timestamped; retain copies of delivery confirmation |
| Initial investigation plan / scope memo | Prepared by outside counsel; covers scope, objectives, custodians, timeline; privileged |
| Chain‑of‑custody record | Forensic vendor or IT department; PDF log with hash values; maintains evidence integrity |
| Custodian data export (forensic image) | Forensic vendor; raw and processed copies; hash‑value verification stored separately |
| Interview memos / witness statements | Outside counsel; contemporaneous notes; mark privileged where appropriate |
| Privilege log | Outside counsel; fields: date, author, recipients, privilege basis, non‑privileged description |
| Final investigation report | Outside counsel; executive summary + factual matrix; separate privileged legal analysis |
| HR disciplinary files & remediation plans | HR department; document all actions, dates, and decision rationale |
| Third‑party vendor reports | Forensic, sanctions/AML, and expert reports; include scope and methodology |
| Board briefing memo | GC / outside counsel; restricted distribution recommended to preserve privilege |
The timeline for an internal investigation varies significantly based on scope, the number of jurisdictions involved, and the nature of the evidence. The table below provides realistic ranges.
| Case Size | Typical Investigation Duration | Key Internal Deadlines |
|---|---|---|
| Small (single department, minor misconduct) | 2–4 weeks | Preserve within 24–72 hrs; interviews within 1–2 weeks; report in 2–4 weeks |
| Medium (multiple employees, possible regulatory issue) | 4–8 weeks | Preserve within 24–72 hrs; forensic collection 3–14 days; interviews 2–4 weeks; report in 4–8 weeks |
| Major (multi‑jurisdictional, criminal exposure) | 3–9+ months | Immediate preservation; cross‑border MLAT / data requests may take months; early regulator engagement within 2–6 weeks |
Regulatory timing adds an additional layer. Under JM 9‑28.000, the DOJ does not prescribe a fixed deadline for voluntary self‑disclosure, but the speed of disclosure relative to when the company first learned of the misconduct is a significant cooperation factor. The SEC Enforcement Manual similarly emphasises prompt cooperation and references cross‑border assistance mechanisms, including MLAT requests and memoranda of understanding with foreign regulators, that may run in parallel with the company’s own investigation. Early indications suggest that, in practice, companies seeking full DOJ cooperation credit in 2026 should aim to engage prosecutors within the first two to six weeks of confirming potential criminal exposure.
Internal investigation costs are driven by scope, complexity, and geography. The following table provides order‑of‑magnitude budget benchmarks for U.S.‑based matters.
| Item | Typical Amount (USA) | Notes |
|---|---|---|
| Outside counsel (small matter) | $10k–$50k | Short‑scope triage and interviews; fixed or hourly |
| Outside counsel (complex matter) | $100k–$1M+ | Multi‑jurisdictional, DOJ/SEC exposure; retainer plus hourly |
| Forensic collection & analysis | $5k–$200k | Small ESI <$10k; cloud/AI/cyber forensics $50k–$200k+ |
| Expert witnesses / technical experts | $10k–$200k | Financial, IT, ML, or cyber experts as needed |
| External monitor (post‑settlement) | $50k–$500k+ | Where regulator requires an independent compliance monitor |
| Remediation programme | $5k–$500k+ | Training, policy updates, system controls, scale‑dependent |
To contain costs, consider a phased approach: a tightly scoped triage phase (fixed fee) followed by a second phase (hourly or capped) that expands only if the triage findings warrant it. Negotiate fee arrangements with forensic vendors before engagement; volume‑based pricing and pre‑negotiated hosting rates can reduce e‑discovery expenses significantly. From a tax perspective, legal defence and investigation costs are generally deductible as ordinary and necessary business expenses under U.S. tax law when incurred in the production of gross income or in connection with the taxpayer’s trade or business. Companies should document accounting treatment carefully and consult tax counsel for specifics.
Several enforcement developments in 2026 have direct operational consequences for the internal investigation process.
DOJ Corporate Enforcement Policy (CEP) updates. Commentary on the DOJ’s evolving CEP indicates a continued shift toward rewarding speed and meaningful remediation over volume of document production. The likely practical effect is that companies must compress the interval between learning of misconduct and making a voluntary disclosure decision. Triage‑to‑collection cycles that previously ran 7–14 days are now expected to close within 72 hours for digital evidence, with parallel witness identification.
AI, sanctions, and cyber evidence. Investigations involving AI systems require preserving model weights, training datasets, inference logs, and version‑control records, categories of evidence that many litigation‑hold templates do not yet address. Sanctions and anti‑money‑laundering (AML) screening must be integrated into the triage phase, not deferred to analysis. Industry observers expect enforcement agencies to treat the failure to preserve AI‑related evidence with the same severity as spoliation of traditional ESI.
Cross‑border cooperation. The DOJ and SEC have expanded coordination with foreign counterparts. For companies with operations in multiple jurisdictions, the internal investigation process must account for parallel regulatory inquiries, data‑localisation restrictions, and blocking statutes. Practical responses include engaging local counsel in each relevant jurisdiction at the outset, mapping data flows before collection begins, and negotiating data‑transfer protocols with foreign data‑protection authorities. MLAT requests, while available, can take months, making early corporate‑authority‑based collection (where legally permissible) the faster route.
Privilege and waiver in the cooperation era. The tension between demonstrating full cooperation and preserving privilege remains acute. Companies should negotiate non‑waiver or limited‑waiver agreements with the DOJ and SEC before making any production of privileged material. Documenting the scope and terms of any waiver contemporaneously is critical to preventing broader, unintended disclosures in parallel civil litigation.
Knowing how to conduct a corporate internal investigation in the USA is no longer optional for any company with meaningful regulatory exposure. The 2026 enforcement landscape rewards speed, thoroughness, and documented cooperation, and penalises delay, spoliation, and improvisation. By following the internal investigation steps outlined in this guide, from the first 72‑hour triage and evidence‑preservation window through structured witness interviews, privilege‑log creation, and timely regulator engagement, general counsel and compliance teams can protect the company’s legal position while demonstrating the good‑faith cooperation that DOJ and SEC enforcement policies are designed to incentivise. Every investigation is fact‑specific, and the procedures described here are procedural guidance, not legal advice. Readers facing an active allegation should consult qualified counsel immediately.
Last reviewed: May 27, 2026. This guide is procedural and informational; it does not constitute legal advice. Consult qualified counsel for advice specific to your circumstances.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Jan Lawrence Handzlik at Handzlik & Associates APC, a member of the Global Law Experts network.