1. What does it mean?
The term ‘internal investigations’ has become an increasingly common part of organisational vocabulary. This is driven by two main factors. The first is legislative developments in recent years across a wide range of areas, such as (i) fighting corruption, financial fraud and money laundering; (ii) tackling harassment and discrimination; (iii) regulating lobbying activities aimed at public decision-makers; (iv) improving data governance and information security; and (v) responding to personal data breaches and cybersecurity incidents. The second factor is growing institutional and reputational concerns in the face of various highly public cases of companies and individuals being held accountable for unlawful or unethical actions within their organisations.
Regardless of whether they are driven by legal obligation, moral imperative or reputational concerns, the fact remains that the most well-prepared organisations can no longer avoid investigating any suspicious incidents brought to their attention. Prudent organisations have already realised that this is an essential preventive tool.
Internal investigations are very common and have a long history in other jurisdictions, and they are growing in popularity here. They play a central role in the legal health of any organisation and in preventing or mitigating the liability of companies and their stakeholders.
We have therefore conducted an initial examination of the subject and its associated challenges and merits.
The first challenge is to define what an internal investigation is.
It is often easier to define something by what it is not than by its own characteristics. To a certain extent, this description fits internal investigations, which are most easily understood by contrast with the far better-known external investigations conducted by public bodies such as the police, tax authorities, public prosecutors and regulators and supervisory bodies.
External investigations are research and examination activities initiated by entities outside the organisation. They aim to establish facts and allegations in order to potentially determine the liability of various parties for legal, regulatory, or ethical breaches. Internal investigations involve the same process of fact-finding, but are driven by the organisation itself, which could potentially be the target of an external investigation.
Essentially, an internal investigation is a process of verification and self-analysis carried out by the organisation regarding its own actions, procedures, and conduct within its structure, or by employees or third parties in its immediate vicinity, for example, suppliers in the supply chain. Internal investigations must therefore play a central role in compliance processes, ensuring integrity and enforcing the law, as well as the organisation’s own policies and regulations.
While they can be carried out using in-house resources, it is common to engage external consultants or experts. Acting on behalf of the organisation that commissions them, these consultants or experts conduct impartial and technically rigorous investigations – without which they would lose their usefulness.
In Portugal, however, internal investigations remain a neglected aspect of business and legal practice. This is due to various factors, such as cost and a lack of structures equipped to conduct them, but above all a lack of awareness of their strategic value.
Nevertheless, legal, institutional and reputational demands are placing internal investigations at the forefront of organisations’ concerns. They are seen not only as a compliance tool, but also as a means of self-awareness and of preventing or mitigating the organisation’s own liability, while also defending its governing bodies and strategic decision-makers.
Until recently, internal investigations merely followed external investigations, such as police searches or regulatory inspections. However, a new paradigm has now emerged: the autonomous internal investigation. These are used as a means of prevention, to hold offenders to account, and to ensure compliance. The aim is to prevent or stop any action that violates the law, best practice, or the organisation’s own rules and principles.
Our exploration of this topic merely contributes to the practice of investigation within organisations, the relevance of which is becoming increasingly evident. This is only the beginning of a body of work that will constantly evolve and be refined.
2. Legal and institutional environment
The development of various legal instruments requiring organisations to conduct internal investigations has been one of the main drivers of this practice.
Organisations are now legally compelled to have adequate internal resources in place, either because they have an explicit legal obligation to conduct an internal investigation or because they are required to adopt mechanisms that encourage whistleblowing. Where such resources are lacking, organisations must seek specialist external support to ensure the effective conduct of investigations.
At the same time, the institutional and regulatory environment has become increasingly demanding. Several factors have established these investigations as an important management and control tool. These include protecting corporate reputation as a sign of good practice, and creating – and, in some cases, mandatorily establishing – compliance departments. Another factor is the growing interest in verifying compliance with internal policies, particularly within more complex corporate structures.
Firstly, we will briefly examine the legal and institutional factors that most frequently lead to internal investigations.
2.1. WHISTLEBLOWING
Strengthening internal reporting systems is one of the main drivers of internal investigations. Organisations are required to set up secure reporting channels and clear triage procedures, as well as defined deadlines for following up on reports.
In Portugal, Law 93/2021, which transposes Directive (EU) 2019/1937, has established a detailed framework for the protection of whistleblowers. It requires public bodies and a wide range of private entities to establish internal reporting systems. These channels must ensure the confidentiality of the whistleblower’s identity, as well as that of any third parties mentioned, and they must prevent any acts of retaliation. They must also comply with procedural deadlines (e.g. acknowledgement of receipt and provision of feedback) when handling reports.
Providing reporting channels alone is not enough. Effective compliance with these rules also requires the material and methodological capacity to impartially and effectively investigate the reported facts, in order to ensure the principles set out above are applied. In practice, this means that organisations must plan and conduct internal investigations to a high standard. They must define the scope of investigations, preserve evidence and establish risk matrices and materiality criteria. They must also document decisions and any limitations.
2.2. EMPLOYERS’ HARASSMENT PREVENTION OBLIGATIONS
Since 2017, Article 127(1)(l) of the Labour Code has required the initiation of disciplinary proceedings whenever cases of alleged harassment are reported.
The law refers to a disciplinary procedure which not only requires the identification of the accused, but also the identification and specific attribution of the facts in question. This could suggest that employers are only obliged to act if they are provided with concrete and almost complete knowledge of all these circumstances, effectively placing them in a passive position.
However, an overall analysis of the employer’s duties leads us to conclude that they have a duty to act diligently and proactively. Employers are required to investigate serious allegations of harassment that provide a minimum number of credible details, even if these details are still vague or not fully substantiated.
In 2017, the legislature also adopted a general prohibition on harassment, thereby strengthening the legal framework for this offence and its censure in the workplace. This clarified the right to compensation for harassed employees and expressly granted protection to complainants and witnesses in the event of a complaint regarding such behaviour.
Taken together with the duty of good faith in performing obligations and the duty to provide appropriate physical and moral working conditions, these elements lead to a clear conclusion. Employers must investigate allegations of harassment that are not manifestly unfounded. Where appropriate, this may require the use of a preliminary investigation procedure suited to the complaint submitted.
Therefore, whenever an employer receives complaints of harassment or descriptions of situations that may constitute harassment, they have a genuine duty to investigate such allegations diligently and impartially.
To prevent harassment, the legislature has also imposed an obligation to adopt a manual of good practice and harassment prevention under Article 127(1)(k).
This educational obligation is intended to enable employees to recognise and report unacceptable behaviour, whether affecting them directly or brought to their attention. Consequently, by fostering the reporting of abusive practices, it requires companies to carry out an increasing number of internal investigations in this area.
2.3. RGPC - GENERAL ANTI-CORRUPTION FRAMEWORK
The consolidation of cross-cutting regulatory frameworks for the prevention of corruption and related offences has introduced new requirements for risk assessment, as well as for the implementation of controls and continuous monitoring. This has a direct impact on the need to incorporate internal investigations into the integrity system.
Indeed, Decree-Law 109-E/2021 approved the General Anti-Corruption Framework (RGPC) and established an institutional framework, including the National Anti-Corruption Mechanism (MENAC). This requires entities covered by the law to adopt compliance programmes that coherently integrate risk assessment and mitigation plans and measures. They must also disseminate codes of conduct and policies for managing conflicts of interest, as well as a training plan and whistleblowing channels, all in line with Law 93/2021.
The existence of detection mechanisms – ranging from internal control alerts to whistleblowing reports – necessitates proportionate, technically supported, documented investigation methodologies that preserve the chain of custody and respect legal limits regarding labour matters and data protection.
Furthermore, at an institutional level, authorities with powers to apply penalties emphasise and value the robustness of the post-event response, the quality of the investigative process, and the effectiveness of corrective measures. Consequently, internal investigations conducted independently and consistently stand as an essential element of evidence for a culture of compliance and organisational diligence.
2.4. SECURITY INCIDENTS AND PERSONAL DATA BREACHES
Following security incidents, including those that qualify as personal data breaches under the GDPR, organisations must immediately assess whether an internal investigation is necessary. This is particularly important where there are indications of internal malicious conduct or non-compliance with policies and procedures. The investigation must be coordinated with the reporting obligations set out in the GDPR and relevant sector-specific and cross-cutting regulations. In particular, these include the NIS 2 Directive, which has been transposed into Portuguese law by Decree-Law 125/2025, and the DORA Regulation.
Where there are indications of internal malicious acts or gross non-compliance with procedures, the investigation must combine technical forensic analysis with organisational and disciplinary analysis.
Even in the absence of evidence of malicious intent, the investigation must establish whether there has been a breach of policies or procedures and assess the impact, implementing appropriate corrective measures where necessary. Security incidents often trigger the need for a structured internal investigation to determine the causes, scope, and remedial measures. This investigation must be integrated into the incident response plan and involve the rapid activation of technical and legal teams.
Furthermore, in incidents involving personal data or regulated sectors, the internal investigation informs decisions regarding notification to the relevant authorities and data subjects, the content of public communications and the definition of remedial actions. Following an incident, it is essential that there is a proper fact-finding process, as the underlying cause may persist and lead to further incidents with more serious consequences, particularly from an administrative and reputational perspective. There is also a risk of substantial financial losses to the company.
This issue is particularly pressing in the context of cybersecurity, as recent legislative changes mean it is now a central issue of governance and risk assessment, not merely a matter of technical implementation.
In this regard, internal investigations, whether following an incident or in the form of an audit – which is sometimes directly required by law – are essential tools.
2.5. FRAMEWORK FOR THE LEGITIMATE REPRESENTATION OF INTERESTS
The legitimate representation of interests is governed by Law 5-A/2026 of 28 January. This law establishes transparency rules applicable to private entities, both domestic and foreign, involved in the legitimate representation of interests. It introduces an additional dimension of scrutiny that teams responsible for conducting internal investigations cannot ignore.
Analysing interactions between the company and public authorities, particularly with regard to legislative or regulatory processes affecting the digital sector, may reveal conflicts of interest, the flow of inside information, or practices involving undue influence that intersect with the matters under investigation. In this regard, integrating compliance with the rules on the representation of interests into internal investigations is now an unavoidable requirement. This approach must also take into account the institutional and relational dimensions of business activity.
2.6. STRENGTHENING OF DUTIES OF CARE AND RISK MITIGATION
Regulators’ more frequent, vigilant and sophisticated approach across multiple sectors has raised the expected standard for internal compliance verification. Regulators value control maturity, prompt failure rectification and informed cooperation, presupposing credible internal investigations properly planned and carried out by competent, autonomous teams. In sectors such as finance, energy, telecommunications, healthcare, transport and competition, as well as those covered by Decree-Law 125/2025, there is a heightened expectation to identify root causes, quantify impacts, define remediation plans and monitor their implementation. Transparent reporting to the supervisor and consistent documentary evidence are also required.
This regulatory tightening translates into a greater duty of care being required of organisations, raising the standard of diligence expected in preventing, detecting and responding to irregularities. At the same time, the tightening of penalty frameworks across multiple administrative offence regimes intensifies the financial and reputational exposure associated with compliance failures. This reinforces the incentive to adopt internal verification mechanisms.
Consequently, the absence of an investigation, or the poor conduct of an investigation due to bias, methodological shortcomings, or incomplete documentation, may lead to more severe penalties and reveal governance weaknesses. Conversely, swiftly conducting investigations with chain-of-custody documentation, impartial interviews and rigorous document analysis, and implementing corrective measures promptly, constitute mitigating factors in determining penalties and are an indicator of accountability to the regulator. Consistency between reports and documentation from internal investigations is an element of institutional credibility and regulatory trust in itself.
2.7. DEFENCE AGAINST CIVIL, CRIMINAL AND REPUTATIONAL LIABILITY
Internal investigations are also an effective means of protecting organisations. They have far-reaching implications for civil, administrative and criminal liability, as well as for protecting corporate reputation.
In matters relating to criminal and administrative offences, effective compliance programmes, cooperation in establishing the facts, and prompt redress of loss and damage are valued criteria when determining and grading penalties. Technically robust internal investigations with an appropriate scope and transparent documentation strengthen an organisation’s position. Clarity regarding professional privilege and confidentiality, implementation of legal holds and appropriate segregation of sensitive information help protect the legal strategy and reduce procedural risks.
In employment and civil matters, the validity of measures depends on the lawfulness and proportionality of the evidence. This also depends on respect for fundamental rights, personality rights and data protection. Otherwise, the evidence may be excluded and compensatory obligations may arise. Consistency and traceability between the facts established, the decisions taken, and the corrective measures adopted are crucial for defence in court and for the robustness of disciplinary decisions.
Finally, consistency between policy and practice – reflected in the ability to establish facts, make evidence-based decisions and implement proportionate corrective measures – is at the heart of the reputational response. This signals to stakeholders and authorities a culture of integrity that mitigates present and future risks. Strategic communication based on documentation produced during internal investigations must be tailored to different audiences (e.g. employees, customers, markets and regulators) to demonstrate accountability without compromising legal positions.
Internal investigations are therefore increasingly being used to pursue the objectives described above. They are also driving the need to recruit staff and establish specialised internal departments in this area, as well as increasing the use of external consultants dedicated to this field.