Internal Investigations Playbook
A disciplined method for handling allegations, incidents, and internal risks with the rigor expected by regulators, counsel, and courts. Built on chain-of-custody principles, operational clarity, and intelligence-grade documentation.
This playbook converts uncertainty into sequence: intake → triage → scope → evidence → interviews → findings → remediation. Every step leaves a defensible trail.
01 — Intake & Triage
A standardized gateway that prevents early contamination.
Intake is the single most important moment in an investigation. This is where stories are still pure, systems remain untouched, and evidence hasn’t been sanitized or altered—intentionally or otherwise.
Establish the channel
- Whistleblower hotline or structured form preferred
- Allow anonymous submissions
- Capture metadata (timestamps, location, reporter role)
Immediate risk screening
- Threat to safety or assets?
- Potential spoliation of evidence?
- Regulatory deadlines triggered?
- Involvement of executives or protected classes?
Assign investigation tier
- T1: Compliance / HR minor
- T2: Policy violation or misconduct
- T3: Criminal, fraud, harassment, senior leadership
- T4: Enterprise threat / external coordination required
02 — Scoping
Define the boundaries before evidence disperses.
A strong investigation begins with a narrow, mission-specific scope. The aim is discipline: identify the allegation, the actors, the systems, and the potential impact before any interviews begin.
Scope Components
- Allegation or triggering event
- Suspected policy or law violated
- Potential victims, witnesses, or involved personnel
- Systems, emails, logs, or physical evidence implicated
Control Risks
- Retaliation or intimidation risk
- Collusion among involved parties
- Digital spoliation or access misuse
- Press, regulator, or outside complaint exposure
03 — Evidence Strategy
Preserve first. Analyze second. Avoid collection bias.
Evidence handling should follow principles used in law enforcement and intelligence investigations: preservation first, controlled extraction second, analysis last.
Digital Evidence
- Email, chat, and access logs
- System audit trails
- File metadata and revision history
- Forensic images if manipulation suspected
Physical Evidence
- Documents, photos, physical assets
- Access badge logs and CCTV (pull early)
- Chain-of-custody tagging and logs
- Locked storage with restricted access
Human Sources
- First witness before story contamination
- Interview sequencing (avoid tipping targets)
- Conflict-of-interest screening
- Union or legal considerations
04 — Interview Model
A structured sequence that avoids coaching and contamination.
Archer Knox follows an intelligence interview model: neutral, chronological, and anchored in observable behaviors—not assumptions. The goal is clarity, not confession.
Preparation
Build a timeline before the interview, not a theory.
- Review logs & evidence
- Draft neutral questions
- Check conflict-of-interest
Opening
- Explain purpose and roles
- Set non-retaliation expectations
- Avoid showing evidence early
Exploration
- Ask broad → narrow questions
- Avoid leading phrasing
- Document exact quotes where relevant
Closure
- Summaries for confirmation
- Ask for overlooked individuals
- Advise confidentiality & next steps
05 — Findings & Remediation
Outcome must be credible, actionable, and reviewable.
Findings must withstand the scrutiny of HR, legal, regulators, auditors, or opposing counsel. Each conclusion must link directly to evidence—not inference or intuition.
Findings
- Fact statements tied to evidence
- Root cause analysis
- Policy or law violated
- Credibility assessment (if required)
Recommended Actions
- Corrective actions
- Control enhancements
- Personnel decisions
- Process or training updates
Documentation Package
- Investigation summary
- Evidence log & chain-of-custody
- Interview notes or transcripts
- Timeline and decision matrix
Related Governance & Risk Assets
Build a unified risk and investigations environment.