ARTICLE
1 June 2026

Internal Investigations: In A Nutshell

PLMJ

Contributor

PLMJ is a law firm based in Portugal that combines a full service with bespoke legal craftsmanship. For more than 50 years, the firm has taken an innovative and creative approach to producing tailor-made solutions to effectively defend the interests of its clients. The firm supports its clients in all areas of the law, often with multidisciplinary teams, and always acting as a business partner in the most strategic decision-making processes.
Internal investigations serve as a critical compliance tool for organizations to verify their own actions, procedures, and employee conduct. This guide explores how these self-assessment processes differ from external investigations and function as a central mechanism for ensuring integrity and adherence to legal and internal policy requirements.
Portugal Corporate/Commercial Law

1. What does it mean?

Internal investigations have come to play a central role in organisational vocabulary and practice. Recent legislative developments in areas such as fighting corruption, financial fraud, money laundering, harassment and discrimination, lobbying public decision-makers, data governance and cybersecurity have driven the need for organisations to develop their own investigative capabilities. Alongside these legal requirements, institutional and reputational concerns have grown. This growth has been fuelled by high-profile cases of companies and individuals being held accountable for unlawful or unethical actions.

Internal investigations essentially involve verification and self-assessment processes carried out by an organisation concerning its own actions, procedures, and the conduct of its employees, stakeholders, and third parties interacting with the organisation in various capacities. Unlike external investigations, these processes are driven by the organisation itself. They serve as a central tool in compliance processes, ensuring integrity and the application of the law and internal policies.

2. Legal and institutional environment

A wide range of legal and institutional factors now require or encourage the conduct of internal investigations. The most significant of these are:

2.1. WHISTLEBLOWING

Law 93/2021, which transposes Directive (EU) 2019/1937, has established a detailed framework for the protection of whistleblowers. It requires public bodies and a wide range of private entities to establish internal reporting systems. These channels must ensure the confidentiality of the whistleblower’s identity. They must also comply with procedural deadlines when handling reports. Effective compliance with these rules requires the capacity to plan and conduct internal investigations to a high standard. This includes defining the scope, preserving evidence, conducting risk assessments, and documenting decisions.

2.2. PREVENTING HARASSMENT

Article 127(1)(l) of the Labour Code imposes an obligation on the employer to bring disciplinary proceedings whenever it becomes aware of any alleged case of harassment. Employers must act diligently and proactively, investigating serious complaints supported by a minimum amount of credible evidence, even if the details are still vague. The obligation to adopt a code of good practice and harassment prevention also encourages the reporting of complaints. This requires companies to conduct internal investigations, which presents the challenge of striking a balance between thoroughly examining credible complaints and distinguishing them from spurious ones or those arising from employees’ biased perspectives.

2.3. THE GENERAL ANTI-CORRUPTION FRAMEWORK (RGPC)

In line with Law 93/2021, Decree-Law 109-E/2021 requires entities covered by it to adopt compliance programmes incorporating risk assessments, mitigation plans, codes of conduct, training and reporting channels. Consequently, the creation of these detection and prevention mechanisms requires proportionate, technically supported and documented investigation methodologies.

2.4. SECURITY INCIDENTS AND PERSONAL DATA BREACHES

Furthermore, following security incidents, including personal data breaches under the GDPR, companies must assess whether an internal investigation is necessary. This must be aligned with the reporting obligations set out in the GDPR and sector-specific frameworks, such as the NIS 2 Directive (transposed by Decree-Law 125/2025) and the DORA Regulation. In the event of an incident, a full investigation of the facts is required so that the causes can be identified and addressed. The aim is to prevent further incidents with potentially more serious consequences.

2.5. LEGITIMATE REPRESENTATION OF INTERESTS

Recent Law 5-A/2026 introduces an additional layer of scrutiny over interactions between businesses and public authorities. This creates an area of investigation centred on the institutional and relational aspects of business activity with public bodies and authorities. The aim is to prevent and expose conflicts of interest, the passing of inside information and practices involving undue influence.

2.6. DEFENCE AGAINST CIVIL, CRIMINAL AND REPUTATIONAL LIABILITY

Internal investigations are a tool used by organisations to defend themselves, and they have far-reaching implications. In criminal and administrative proceedings, effective compliance programmes and cooperation in establishing the facts are considered when determining penalties. Furthermore, consistency between policy and practice — reflected in the ability to establish the facts, make evidence-based decisions and implement proportionate corrective measures — forms the core of an institutional response. This enables companies to prevent and mitigate reputational damage, allowing them to credibly assert that any unlawful or unethical conduct within their organisation is actively investigated and sanctioned by their own means before any other action is taken.

3. Types of internal investigations

Many classifications of the various types of investigation have been proposed. One of the most practical and pragmatic, which is based on the required areas of specialisation and oriented towards practice, divides them as follows:

  • Investigations into the workplace and working environment, which focus on human behaviour and organisational culture.
  • Compliance and fraud investigations, which focus on compliance with the law and internal policies.
  • Corporate security investigations to protect assets and operations.
  • Investigations into personal data breaches and cybersecurity.
  • Digital compliance investigations.
  • Government and regulatory investigations.

Rather than being of purely theoretical interest, this classification enables a common approach across the different categories, bringing together concerns of a similar nature within each group and the experts most familiar with each type.

In any case, investigations do not take place in isolation, and different types of investigation require teams with specific areas of expertise. A cross-disciplinary perspective is also required to enable them to anticipate the need for cooperation with specialists from other fields.

4. Liability

Liability lies at the intersection between the findings of an internal investigation and the potential legal, regulatory and reputational consequences resulting from them.

4.1. DUTY TO INVESTIGATE

In some situations, launching an internal investigation is not only advisable, but also legally required. This is particularly true in cases involving whistleblowing and allegations of harassment. Failure to fulfil this duty may give rise to administrative liability, even in cases where there is no subsequent breach warranting censure. Furthermore, it strengthens the causal link in civil liability claims relating to the failure to fulfil preventive duties, while also highlighting shortcomings in governance.

4.2. LIABILITY OF COMPANIES

A legal entity may be held liable for breaches of employment and regulatory laws, criminal offences, and breaches of contract or tort. Internal investigations serve two purposes here: they act as a diagnostic tool and as a means of assessing organisational culpability or due diligence. Conducting a credible investigation, sharing the evidence obtained with the authorities and swiftly implementing corrective solutions generally have a mitigating effect on the penalty. In contrast, superficial investigations or investigations aimed at confirming preconceived hypotheses may exacerbate the perception of risk and lead to heavier sanctions.

4.3. INDIVIDUAL LIABILITY OF DIRECTORS AND OFFICERS

Directors are bound by duties of care and loyalty, and they must ensure that internal control and risk management systems are in place. Management’s response to warning signs, authorisation of investigations, allocation of adequate resources and implementation of recommendations are often scrutinised as an indicator of individual accountability. For example, under the NIS2 Directive and the Digital Services Act, boards of directors are increasingly being held directly accountable for the digital systems compliance of the organisations they manage.

5. Evidence gathering

Organisations do not have the same powers as public investigative bodies. Given the need to ensure that evidence is properly collected and preserved, and that it remains valid, it is advisable to have the investigation supervised by professionals.

5.1. DOCUMENTS

Access to and analysis of documents must be based on the principles of necessity, proportionality, and minimising the amount of data collected. Clear internal policies must also be in place and communicated in advance. The selection and handling of documents must comply with the principles of integrity and chain of custody. This includes ensuring the traceability of who accessed the material, when, and for what purpose. Documents that are subject to professional secrecy impose additional restrictions, so the investigative strategy must include safeguards to protect that privilege.

5.2. PERSONAL DATA PROTECTION

A data protection assessment should precede any investigation, ensuring that the rights of data subjects under the General Data Protection Regulation are respected. Access to emails, devices and cloud storage must comply with strict criteria and be based on communicated policies. Investigative findings may be rendered unusable, and an organisation’s liability may increase, if evidence is obtained unlawfully due to breaches of personality rights or data protection rules.

5.3. USING AI

Artificial intelligence tools can speed up the search for and filtering of large volumes of data. However, they require human supervision, explainability and accountability. The selection of suppliers and technologies, configuration of searches and handling of outputs must be carefully verified and documented.

Ultimately, it will be necessary to demonstrate the process and trace the steps that the tools took to produce the results. Otherwise, the results may be compromised by the possibility that the actions of the AI system have infringed the personal or fundamental rights of those targeted in the investigation.

5.4. CHAIN OF CUSTODY

Due to its nature, digital evidence is particularly susceptible to alteration. Therefore, formal procedures must be adopted to preserve the authenticity and integrity of the evidence from collection to assessment. Collection and examination should be carried out by forensic experts wherever possible.

6. Investigative interviews

Statements obtained through interviews constitute essential evidence. Their reliability depends on how the interview is conducted, the techniques employed, and the interviewer’s preparation. Interviews must follow a course of action appropriate to the specific case. There must be coherent prior preparation and planning, and interviewees must be treated with respect, integrity and fairness.

In addition to their value as a primary source of information, interviews should be viewed as an important complement to the contextualisation of information obtained from prior documentary sources.

Recording of audio or video is possible and facilitates the smooth running of the interview by ensuring the integrity of what is reported. However, any recording must be transparently disclosed to the interviewee and their consent obtained.

7. Forensic experts – secrecy and confidentiality

By their nature, effective internal investigations are multidisciplinary. Besides the legal and strategic guidance provided by lawyers, a variety of forensic specialists may be involved. These include digital forensics experts, IT and cyber security specialists, data and e-discovery analysts, and financial and accounting experts. Due diligence specialists, physical security experts and other sector-specific professionals may also be involved. When acting under the guidance of lawyers, these specialists are bound by the duty of professional confidentiality, in accordance with Article 92(7) of the Bar Association’s Statutes. This duty of confidentiality may be called into question when they are not operating under that ‘legal umbrella’.

Furthermore, the selection of those involved must always be proportionate to the purpose and needs of the investigation. Devising a plan and defining the scope is important in order to limit the resources required and the costs associated with the investigation.

8. Final report

The final stage of the investigation is the final report. This must:

  • Describe the context and triggers for the investigation.
  • Set out the methodology, scope, and limitations encountered during the investigation.
  • List the steps taken and sources of evidence.
  • Present a factual timeline and key conclusions.
  • Assess the credibility of statements and records.
  • Outline legal implications, breached standards, residual risks, and options for action.

Where appropriate, different versions (full and executive) should be produced to ensure the appropriate level of confidentiality for the various recipients.

Corrective measures arising from the report typically fall into three categories:

  1. Immediate remediation to cease misconduct and mitigate harm.
  2. Structural corrections to processes and controls.
  3. Individual and organisational accountability.

The implementation plan must include monitoring, review intervals and validation through independent testing.

9. Organisational culture and business sustainability

Organisational culture is the primary operating system of any compliance programme. A culture that values transparency, accountability and compliance reduces the incidence of misconduct and increases the organisation’s capacity for early detection and effective response. The leadership plays a crucial role: the tone at the top, reflected in consistency between words and actions, establishes clear boundaries and lends legitimacy to reporting and investigative mechanisms. Internal trust is a key cultural asset — credible reporting channels, effective protection for whistleblowers and impartial investigations create a virtuous cycle in which employees believe that “speaking up is worthwhile”.

Well-designed and well-executed internal investigations function as an organisational learning mechanism. They drive continuous improvement cycles that strengthen the compliance culture. When a company’s corporate culture and investigative processes reinforce each other, this strengthens its resilience, safeguards its reputation and paves the way for long-term, sustainable value creation.

 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
