The question that gets asked at the end of every internal investigation, when the report is on the table and a decision is required, is not whether the investigator tried hard. It is whether the process holds. Whether the findings can be explained to a regulator, a jury, or a plaintiff’s attorney without the room going quiet in the wrong places. Whether the documentation supports the conclusion, or just narrates it. Whether the person who conducted the investigation had a real reason to reach the result they reached, or whether the result preceded the process.

Legal defensibility is not about achieving a predetermined outcome. It is about building a record that can withstand the examination that comes after. That examination happens in arbitration. It happens in federal court. It happens in regulatory proceedings before the EEOC, the SEC, or a state agency. It happens when a whistleblower’s attorney files discovery requests and starts pulling the threads on how the investigation was actually conducted. And it happens before any of that, the moment leadership has to explain to the board why a senior employee was not terminated, or why they were.

Most internal investigations fail this test quietly, without anyone noticing until the failure matters. This article describes what a defensible investigation actually looks like, and what the record has to show at each stage.

The Standard Is Scrutiny, Not Outcome

Legal defensibility does not mean the investigation found what the organization hoped it would find. It means the investigation, when examined by someone hostile to it, cannot be shown to have been slanted, incomplete, or procedurally compromised. That distinction matters more than it appears. Investigations that reach correct conclusions through flawed processes can still be dismantled. Investigations that reach defensible conclusions through sound processes will stand.

The International Organization for Standardization issued ISO/TS 37008 in 2023, an international standard on internal investigations. Its framework identifies the core principles that govern whether an investigation can be characterized as credible: impartiality, independence, fact-based analysis, timeliness, and confidentiality. These are not suggestions. They are the categories under which investigations get evaluated when they are challenged. An investigator who cannot demonstrate independence from the subject of the investigation is not going to be able to explain the outcome credibly, regardless of whether the outcome was correct.

NAVEX’s internal investigations research, drawn from analysis of thousands of compliance reports across global organizations, identifies the central test as whether the investigation “can withstand scrutiny from regulators, boards and employees over time.” The question at the end is never how fast the investigation moved. It is whether the investigation can be clearly explained: why certain steps were taken, why others were not, what evidence was gathered, how conflicts were assessed, and how the final conclusions were supported by the underlying record.

Preparation and judgment are inseparable. Defensibility cannot be added after the fact. An investigation that closes without adequate documentation is not retroactively salvageable by a well-written summary report. The record either holds from intake to conclusion, or it does not hold at all.

The Investigator’s Relationship to the Subject Is the First Question

The single most reliable indicator of an investigation’s credibility is the independence of the investigator from the subject of the investigation and from the institution’s interest in a particular outcome. This is also the most frequently compromised element in organizational investigations, because the people who have the most operational knowledge of the situation are usually the people with the most significant conflicts.

Independence has two dimensions. The investigator must be free from structural conflict, meaning they must not report to, be supervised by, work alongside, or have a documented relationship with the subject that would give them a motive to reach a particular conclusion. And the investigator must be free from institutional pressure, meaning the organization commissioning the investigation must not be in a position to determine the outcome by controlling what the investigator is authorized to examine.

Organizations need clear criteria for who conducts investigations, how conflicts of interest are assessed, and when outside expertise is required. This framework needs to exist before an investigation is triggered, not after. When a senior executive is the subject of an investigation, the institution’s own legal team frequently has a conflict. General counsel reports to the CEO. The CEO reports to the board. The investigation’s conclusion has consequences for the institution’s exposure, its regulatory standing, and its leadership structure. In those circumstances, outside counsel who does not typically represent the organization provides a layer of independence the in-house team structurally cannot.

Bringing in external legal assistance is also a mechanism for avoiding the appearance of a conflict of interest. A new firm, especially one with deep resources in the area of the alleged misconduct, often attains thoroughness and objectivity that would be difficult for the company’s internal team or its primary counsel to achieve. When government or regulatory involvement is anticipated, the credibility of an independent outside investigation with the relevant government body can determine whether the organization is treated as having acted in good faith.

The Corporate Miranda Warning and Why It Has to Be Given Correctly

Internal investigations conducted by or at the direction of legal counsel generate documents and communications that may be protected by attorney-client privilege and the work product doctrine. Whether that protection is maintained depends on how the investigation is structured, and on whether the investigator correctly handled the privilege question in every employee interview.

The governing framework comes from the Supreme Court’s 1981 decision in Upjohn Co. v. United States, which held that communications between a company’s employees and company counsel during an internal investigation could be protected by attorney-client privilege. The critical holding is that the privilege belongs to the corporation, not to the individual employee. This distinction has enormous practical consequences that most people being interviewed in internal investigations do not understand and are not told.

The Upjohn warning, sometimes called the corporate Miranda warning, must be given at the outset of every employee interview. The elements of a complete and adequate Upjohn warning are specific. The investigating attorney represents the corporation, not the employee individually. The interview’s purpose is to assist the corporation in obtaining legal advice. The interview communications are covered by attorney-client privilege, but the privilege belongs to the corporation. The corporation can waive the privilege and disclose what the employee said to third parties, including the government, without the employee’s consent. The employee should not disclose the substance of the interview to others in order to preserve the privilege. The employee has the right to consult their own attorney.

The ABA White Collar Crime Committee’s task force on Upjohn warnings identified a consistent failure mode: watered-down warnings that imply the employee might have protection they do not actually have. The Fourth Circuit in In re Grand Jury Subpoena flagged exactly this problem in an AOL investigation, where outside counsel’s warning that it “could” represent the employee “as long as no conflict appeared” was characterized by the court as inadequate. Courts have also stressed that attorneys are required to clarify exactly whom they represent and highlight potential conflicts of interest as early as possible. Failing to do so cleanly creates the foundation for an employee to later claim they misunderstood their rights, which can destabilize the investigation’s record entirely.

The Scope Determines What the Investigation Can Find

The scope of an investigation is the boundary of what the investigation is authorized to examine. It is set at the beginning, usually by whoever commissioned the investigation. And it is one of the primary mechanisms through which institutional self-interest shapes results, because a scope written to exclude the central question produces a report that avoids the central finding, while still allowing the organization to say it investigated.

A defensible scope does three things. It defines the subject matter clearly: what conduct is being examined, for what time period, involving which individuals or business units. It identifies the fact-finding tasks required to address the subject matter, not the tasks required to reach a particular conclusion. And it documents the rationale for including or excluding specific areas of inquiry, so that scope decisions can be explained and defended if later challenged.

Scope creep in the opposite direction, an investigation that expands opportunistically to gather information beyond what the triggering allegation warranted, creates its own defensibility problems. If an investigation into one employee’s conduct is used to gather information about unrelated personnel matters, or to build a case against someone the organization already wanted to remove, the process taints the result. The scope must be calibrated to the allegation, documented at the outset, and adjusted only with recorded rationale when new information requires a change.

Spoliation Starts the Day the Duty Attaches

One of the most consequential and most frequently mishandled elements of an internal investigation is evidence preservation. The duty to preserve evidence attaches when an organization reasonably anticipates litigation or a regulatory proceeding, not when litigation is filed. In practice, this means the preservation obligation typically begins at or near the moment a significant allegation is made, which is also the moment when, without intervention, relevant evidence is most likely to be destroyed by routine document retention policies, normal data overwrite cycles, or deliberate interference.

The first 48 to 72 hours after an allegation surfaces are often the most consequential for preservation. During this window, preservation notices must be issued to relevant custodians, document retention policies must be suspended for relevant categories of records, and electronic evidence must be identified and secured. Failing to act in this window creates spoliation exposure that can follow the investigation for years.

Courts assess spoliation claims by examining when preservation obligations arose, the scope of those obligations, and whether reasonable steps were taken to preserve relevant materials. Intent is relevant but not always determinative, meaning that inadvertent evidence loss can still generate sanctions if the preservation duty was clear and reasonable steps were not taken. An Ohio case from Q4 2024, analyzed in Morgan Lewis’s eDiscovery case law review, produced a court ruling that oral litigation holds were insufficient and that failure to preserve text messages led to sanctions, including allowing the opposing party to present the spoliation issue at trial and recover attorneys’ fees.

Spoliation of evidence is defined as the intentional or negligent alteration, hiding, withholding, or destruction of evidence relevant to a proceeding. It can occur before or after filing or data preservation notices. It is not uncommon for custodians to engage in improper data collection during self-directed collections that significantly impact the validity of evidence, which is one reason evidence preservation should be managed by or under the direct supervision of counsel rather than by the individual whose conduct is under examination.

Sequencing, Credibility, and Why Group Interviews Are Always Wrong

The witness interview phase of an internal investigation is where most process errors are made and where most credibility problems originate. The sequencing of interviews, the consistency of the interview process, the method of credibility assessment, and the documentation of what was said all determine whether the interview record will hold up when examined. Each of these is a controlled variable. Getting them wrong is a choice, usually a choice made in the name of speed or convenience.

Interview sequencing matters because witnesses who are interviewed after other witnesses have been interviewed are in a position to have their accounts shaped by what they know, or suspect, about what others said. The general principle is that the subject of the investigation is interviewed last, after the factual record has been substantially established through documentary review and witness accounts that cannot be rebutted by advance knowledge of the investigator’s findings. Mayer Brown’s internal investigations checklist explicitly identifies this as a strategic decision: investigators should carefully consider the timing and sequencing of interviews to ensure the credibility of both the witnesses and the wider investigation.

Group interviews produce tainted evidence. They allow witnesses to hear each other’s accounts and calibrate their own. They create records in which it is impossible to distinguish independent recollection from account alignment. They are almost never defensible regardless of convenience, and they should not occur in any investigation where the findings will need to stand up to external scrutiny.

No single credibility factor is determinative. Investigators making credibility findings between conflicting accounts must show their work. An investigation report that concludes one witness was more credible than another without explaining why is not a defensible document. It is a conclusion without a record.

The Preponderance Standard and Why Investigators Have to Apply It Explicitly

Internal investigations are not criminal proceedings. The standard of proof that governs whether an allegation is substantiated is not “beyond a reasonable doubt.” For virtually all internal investigations, including workplace misconduct, regulatory compliance, and institutional misconduct proceedings, the applicable standard is the preponderance of the evidence: more likely true than not, meaning the evidence supports the conclusion that the alleged conduct occurred at a level above 50 percent probability.

Federal agencies use this standard across misconduct contexts. The FBI’s Office of Professional Responsibility defines the standard as “the degree of relevant evidence that a reasonable person, considering the record as a whole, would accept as sufficient to find that a contested fact is more likely to be true than untrue,” citing the federal merit systems protection standard at 5 C.F.R. § 1201.56(c)(2). Research misconduct proceedings under the Office of Research Integrity use the same standard. Title VII enforcement relies on it. Nearly all law enforcement agency internal affairs proceedings use it as the baseline.

The investigation report must state the standard of proof applied, and the findings must be expressly anchored to that standard. Findings that simply say “the allegation is substantiated” without reference to the evidence that tips the scale past 50 percent are not defensible. The analytical step, the explicit weighing of evidence for and against the allegation under the preponderance standard, has to appear in the written record. Conclusions that materially exceed what the preponderance standard would support, or that fall short of even a preponderance and are characterized as substantiated anyway, are the category of error most likely to cause a complete collapse of the investigation under examination.

Some organizations apply a higher standard for significant disciplinary actions. Some public employment settings use “clear and convincing evidence” for terminations, demotions, or severe suspensions. Whatever standard is applied, it must be the same standard applied consistently across comparable investigations. Inconsistency in the standard used for similar cases creates the appearance, and frequently the reality, of disparate treatment based on the identity of the subject rather than the nature of the conduct.

The Record Is the Investigation

Documentation is where most investigations that were conducted reasonably end up becoming indefensible. The interview happened. The documents were reviewed. The conclusions were reached. But none of it was recorded in a way that demonstrates how decisions were made, what evidence was evaluated, and why the findings are supported by the underlying facts rather than the organization’s preferences.

Clear records show how decisions were made, how evidence was evaluated, and how conclusions were reached. Documentation does not mean capturing everything. It means capturing enough to demonstrate thoughtful, consistent judgment. That distinction matters because it distinguishes between a complete record and a paralyzed one. Investigators do not need to transcribe every conversation or preserve every draft of every document. They need to create a record from which a subsequent examiner can reconstruct the reasoning at each stage of the investigation.

What Confidentiality Actually Means and What It Cannot Promise

Whistleblower protection requirements are a legal floor, not an organizational policy preference. Title VII of the Civil Rights Act prohibits retaliation against employees who report harassment or discrimination. Sections 301 and 806 of the Sarbanes-Oxley Act require procedures for receiving and investigating anonymous employee complaints about securities fraud and financial misconduct. The Dodd-Frank Whistleblower Protection Act protects employees who report securities violations to the SEC. Senate Bill 497, effective January 1, 2024 in California, strengthens this further by creating a rebuttable presumption of retaliation if an adverse action occurs within 90 days of a protected activity.

Any adverse action taken against a complainant during or after an investigation requires documented justification that is clearly independent of the complaint itself. This is not a difficult standard to describe. It is frequently a difficult standard to meet, because organizations that receive inconvenient complaints tend to respond to them in ways that are not clearly independent of the complaint.

Confidentiality during an investigation is a legitimate and important interest. Interview contents should not be shared beyond those with a genuine need to know. The investigation should not be discussed openly within the organization in ways that could influence witnesses or compromise the subject’s rights before findings are made. But confidentiality has limits that are legally significant. Employers cannot order employees not to discuss work-related matters with each other under the National Labor Relations Act. More limited directives to keep interview communications confidential may be justified by privilege and other interests, but employees must be informed that they can discuss the facts of what happened even if they cannot discuss the substance of the interview itself. Overpromising confidentiality, telling complainants or witnesses that their identities will be kept secret when that cannot be guaranteed, is a recurring failure mode that destroys trust in the process and creates its own legal exposure when the promise cannot be kept.

What the Findings Document Has to Actually Contain

The investigation report is the record. It is the document that will be examined if the investigation is challenged. It is what the board will read, what the regulator will request, and what opposing counsel will subpoena. Its adequacy is not determined by its length or its confidence. It is determined by whether it contains, in traceable form, the analytical path from evidence to conclusion.

How to Read a Compromised Investigation from the Outside

If you are on the receiving end of an investigation’s findings rather than the producing end, the question is not whether the organization says the process was fair. The question is whether the record supports that characterization. The investigation’s defensibility can be assessed from the outside, using the same framework that governs it from the inside.

Start with independence. Who conducted the investigation? What was their relationship to the subject and to the institutional leadership that had an interest in the outcome? If the investigator reported to the subject, supervised by someone with a stake in the result, or was the organization’s primary outside counsel with an existing relationship to protect, the independence question does not have a clean answer. The absence of a clean answer is itself information.

Then look at scope. What was the investigation authorized to examine? If the triggering allegation was specific and the investigation’s scope excluded obvious adjacent questions, who made that decision and why? Investigations scoped to exclude the central issue produce reports that answer a question nobody was asking. That is a design feature, not a coincidence.

Look at timing. How long did the investigation take? Investigative speed that appears optimized for organizational convenience rather than evidentiary completeness is a signal. An investigation that closes in 72 hours on a complex allegation either had very simple facts or very constrained scope. Usually the latter.

Look at what the report does not say. Every investigation with a genuine evidentiary record has gaps, contradictions, and unresolved questions. A report that presents its findings without acknowledging any of these is not a comprehensive report. It is a narrative. The difference is visible once you know what to look for.

The record is usually obtainable. In litigation, through discovery. In regulatory proceedings, through production requests. In employment matters, through public records requests if a government employer is involved. Knowing what to ask for, and recognizing what the absence of a document means, is the skill. The investigation either holds or it does not. The documentation tells you which.