WHEN SHOULD A COMPANY CONDUCT AN INTERNAL INVESTIGATION?
LEGAL OBLIGATIONS, DEFENSE STRATEGIES, AND OFTEN OVERLOOKED RISKS
Authored by:
Juventhy M. Siahaan, S.H., M.H.
Managing Partner, JBD Law Firm
I. Introduction
An internal investigation is one of the most powerful yet dangerous risk management tools a company can employ. It is powerful because it can identify violations before regulators or law enforcement agencies discover them, build a solid foundation for defense if legal proceedings subsequently commence, and demonstrate to authorities that the company is acting cooperatively. It is dangerous because, if not managed correctly, an internal investigation can create new incriminating evidence, trigger unanticipated disclosure obligations, and weaken legal positions that otherwise could have been defended.
The question of “when a company should conduct an internal investigation” contains two equally important dimensions: when an investigation must begin, and when a formal investigation is unnecessary or even counterproductive. Companies that face the severest consequences are almost always not those that committed the most serious violations, but those that made the wrong decisions about when, how, and by whom an investigation is executed. Ironically, errors in investigation decisions are often costlier than the violations that triggered them: incorrectly drafted documents, wrongly interviewed witnesses, or premature disclosures to regulators can transform a manageable issue into a full-scale legal crisis.
This article outlines the legal obligations underlying such decisions, trigger criteria that must not be ignored, situations where a formal investigation should be avoided, the framework determining the legal value of an investigation, and the three fatal errors most commonly undermining a company’s position during an investigation process intended to protect it.
II. Legal Foundation: Silence Does Not Mean Safety
The obligation of directors to act in good faith and with prudence pursuant to Article 97 paragraph (2) of Law No. 40 of 2007 concerning Limited Liability Companies (UUPT) is a basis for actual personal liability, not merely an ethical norm. If directors know or should know of indications of a violation and fail to take action to prevent the occurrence or continuation of losses, the liability exemption clause in Article 97 paragraph (5) of the UUPT, known as the Business Judgment Rule (BJR), cannot be invoked. This doctrine cumulatively requires two things: directors must obtain adequate information, and based on that information, must act in good faith. In Decision No. 2249 K/Pdt/2012, the Supreme Court affirmed that directors who possessed material information regarding company losses but chose to take no action could not hide behind the BJR, because the second component was not met: the information existed, but the action was not taken.
This is the critical distinction in the context of internal investigations: it is not ignorance that strips away BJR protection, but the conscious choice not to follow up on information already possessed. Consider a common scenario in a public property sector company: a Finance Director receives an internal memo from the head of the accounting division noting discrepancies between down payments to an affiliated contractor and the verifiable value of work, a difference that, in aggregate over two quarters, reaches a material range for a company of that scale. The Finance Director chooses not to follow up, reasoning that the contractor is a long-standing partner and that escalation could disrupt business relations currently in the contract renewal process. Six months later, the OJK commences an examination into suspected inaccuracies in financial reports affecting the issuer's stock price. During that examination, the internal memo that was not acted upon is discovered on the company server. The Finance Director cannot use the BJR as a shield, not because he did not know, but precisely because he knew and chose to remain silent.
For public companies, the layers of obligation increase. POJK No. 33/POJK.04/2014 requires directors to run the company with good faith, prudence, and full responsibility. Commissioners, based on Article 114 of the UUPT, have an active oversight obligation, and if losses occur due to the commissioner's oversight negligence, Article 114 paragraph (4) threatens joint and several liability with the directors. In the anti-corruption sector, Articles 2 and 3 of Law No. 31 of 1999 in conjunction with Law No. 20 of 2001 open the door to corporate liability if a criminal act is committed for the benefit of or on behalf of the corporation. Supreme Court Decision No. 788 K/Pid/2018 in the case of PT Duta Graha Indah serves as a concrete precedent that a corporation can be directly sentenced.
What gives these precedents a concrete operational impact is Supreme Court Regulation (Perma) No. 13 of 2016 concerning Procedures for Handling Criminal Cases by Corporations. This Perma explicitly regulates how a corporation can be designated as a suspect, indicted, and tried, including criteria that the criminal act was committed by management holding a functional position in the corporation, or committed in order to fulfill the corporation's objectives. For management considering whether to investigate internal indications of violations, the framework of Perma 13/2016 is a normative context that cannot be ignored: it defines the conditions under which inaction can lead to the corporation becoming a defendant.
III. Five Situations That Require Immediate Investigation
Not every report or indication of a violation requires a formal, comprehensive investigation, but the following five situations, if ignored, create legal risks that cannot be mitigated later.
A. Specific and Verifiable Whistleblower Reports
Reports that identify specific individuals, transactions, times, and amounts are investigation triggers that should almost never be ignored, not because every such report is necessarily true, but because the standards applied by the KPK, OJK, or prosecutors in assessing company cooperation depend heavily on the initial response. Imagine the following scenario: an employee reports through a whistleblower channel that the head of the procurement division has received gratifications from a specific vendor for two years, naming the vendor, contract value, and payment dates. The company chooses not to follow up because it deems the report insubstantial. Three months later, the KPK begins an investigation into the same case based on information from a different source.
In this scenario, the company not only faces risks from the initial violation; it faces additional risk because it can be shown that it possessed a substantial internal report and chose not to act on it. There is also an often-overlooked labor dimension: if the reporter subsequently experiences actions that qualify as retaliation (demotion, transfer, or termination), and the company cannot demonstrate an independent investigation into the submitted report, the company's legal position in an ensuing labor lawsuit becomes very weak.
B. Unexplained Financial Anomalies
Transactions lacking adequate documentation, involving unusual parties, or with payment patterns inconsistent with established business practices are indicators that must be pursued. The Business Judgment Rule requires that directors have obtained and considered adequate information before making a decision; directors who are aware of transaction anomalies and fail to investigate them cannot later claim that their decisions were made with adequate prudence. This standard is not only relevant for civil trials; in the context of an OJK audit or KPK examination, a track record showing that directors knew of an anomaly but failed to act is one of the most incriminating facts.
C. Requests or Inquiries by Regulators
The moment a company receives a document request, summons, or an examination visit from the OJK, KPK, prosecutor’s office, or police, even if informal, a parallel internal investigation must immediately commence. The goal is to understand beforehand what will be discovered, so the company can proactively manage disclosure. “Managing disclosure” does not mean hiding facts; it means ensuring that presented facts are accompanied by adequate context, that the rights of involved individuals are respected, and that the company does not provide admissions broader than necessary. Companies that discover violations themselves and report them to authorities before or during an investigation generally receive substantially more favorable treatment than those that wait for investigators' findings.
D. Unusual Employee Terminations or Resignations
The termination or resignation of an employee in a sensitive position (finance, procurement, compliance), accompanied by indications of substantive conflict, is often a signal of a deeper problem. Two actions must be taken immediately. First, a litigation hold on all potentially relevant documents, including emails, transaction documents, and communication records under that employee’s control or access, as failure to secure documents later proven relevant can be qualified as spoliation of evidence. Second, an investigation into the scope of knowledge and access held by that employee, as terminated employees often take information later used in whistleblower contexts or legal processes, and it is better to understand this exposure before the information is utilized by outside parties.
E. Media Coverage or Public Information Regarding Alleged Violations
If alleged violations become public information through media reports, NGO reports, or public platforms, an internal investigation is not just a legal risk management tool; it is an inseparable component of reputation management. The absence of an investigation will be interpreted by investors, regulators, and business partners as an implicit admission of the truth of the allegations. Equally important: a regulator reading about alleged violations in a company that has never filed any report to them will almost certainly commence their own investigation, a condition far less favorable than that of a company that has already started an internal investigation and can demonstrate the steps it is taking.
IV. When an Investigation is Actually Dangerous
The question of when to conduct an investigation is incomplete without addressing the opposite conditions. An unnecessary formal investigation not only wastes resources; it can create risks disproportionate to the issue faced and, in certain conditions, actively worsen the company's legal position. Not every employee complaint, not every minor anomaly, and not every media article mentioning the company name requires the mobilization of the formal investigation machinery.
First, if indications of a violation are very minor and isolated, for example, suspected misuse of office facilities involving an immaterial amount and not involving officials with access to sensitive information, a formal investigation involving external legal counsel and an independent investigative team is disproportionate. An adequate response is well-documented HR management action. A formal investigation that is too large for an offense that is too small can actually raise questions about why the company felt the need to deploy such massive resources.
Second, if legal proceedings involving the same substance have already been initiated by authorities, KPK investigators have moved in, or suspects have been designated, a parallel internal investigation whose scope overlaps with the ongoing inquiry carries serious risks. Generated documents and obtained statements can be used by investigators. Interviewing witnesses who will also be examined by investigators can be qualified as obstruction of justice pursuant to Article 21 of Law No. 31 of 1999 in conjunction with Law No. 20 of 2001, which threatens criminal penalties for anyone who intentionally prevents, hinders, or thwarts the investigation, prosecution, and examination of a corruption case. In non-corruption contexts, Article 221 of the Criminal Code (KUHP) threatens criminal penalties for parties who hide perpetrators or destroy evidence after a crime is committed.
In these conditions, tight coordination with legal counsel regarding non-overlapping scopes is an absolute prerequisite before any investigation begins. A company that finds itself having given its adversary a complete map of what it knows and does not know while an investigation is ongoing faces risks far exceeding the substance of the initial violation.
V. How an Investigation Must Be Conducted to Hold Legal Value
Deciding to conduct an investigation is only half the battle. The other half, which is often more decisive, is how that investigation is executed. A procedurally flawed investigation not only fails to provide expected benefits; it can actively worsen the company's legal position. The following three parameters determine whether an investigation will have defensible legal value before regulators and courts.
A. Independence as a Prerequisite for Credibility
Independence determines whether investigation results will be believed by regulators and courts. An investigation led by internal officials who are the subjects of the investigation, the superiors of the subjects, or who have an interest in the parties concerned, lacks the credibility necessary to function as evidence of the company’s good faith. For high-risk violations, involving independent external legal counsel as the investigation lead is not a luxury; it is a strategic necessity. The practical consideration is simple: if the investigation results later need to be presented to the KPK, OJK, or a judge, the first question asked will be who led the investigation and what their relationship is to the examined parties.
B. Protection of Legal Privilege in the Indonesian Legal System
Legal privilege in the Indonesian legal system needs to be understood with higher precision than is often assumed. The advocate's right to refuse to testify (verschoningsrecht) regulated in Article 19 of Law No. 18 of 2003 concerning Advocates protects advocates from the obligation to testify about matters entrusted to them in a professional capacity, but this protection traditionally operates in the context of trial testimony, not as a barrier to the seizure of physical documents in a criminal investigation.
This means that KPK or prosecutor investigators who seize a server or investigation documents do not face a barrier as strong as a prosecutor in a common law system trying to compel an advocate to testify. Realistic protection is not found in claiming a privilege whose scope is uncertain in the Indonesian legal system, but in document discipline: controlling which documents are created, in what format, and by whom, so that documents containing sensitive legal analysis do not circulate outside of legitimate attorney-client communication channels. This is the difference between a defensible protection and a protection that depends on a claim that may not survive before an Indonesian judge.
C. Proportionate and Accountable Scope
The correct scope is not the scope determined by management's comfort in being examined. An investigation that is too narrow creates the impression that the company chose not to look too far; an investigation that is too broad exposes issues unrelated to the initial alleged violation and provides additional ammunition to investigators who might not have otherwise known of those issues. An accountable scope is one that is proportionate to existing indications and possesses a clear methodological basis, a basis that can be explained to a regulator if asked. Setting this scope is one of the most important strategic decisions in the entire investigation process and should not be delegated to an investigative team without explicit direction from top management and legal counsel.
VI. Three Most Common Fatal Errors
The first error is starting an investigation without first establishing a legal framework. Companies that react impulsively by immediately interviewing employees and requesting internal reports without legal counsel leading the process often find that the process produces documents that explicitly record violations, lack privilege protection, and must be surrendered to investigators if requested. Written admissions made by internal teams before a legal framework is established can become the strongest evidence in criminal proceedings against the company or its individuals. The first step in any investigation should not be fact-gathering, but consultation with legal counsel to set the correct framework, determine who leads, and identify what can and cannot be documented in specific formats.
The second error is failing to separate the investigative function from regular management functions. Managers investigating their subordinates not only potentially contaminate evidence through non-neutral questioning; they also place themselves in a position where statements they make during the investigation process can be used against them personally. An employee interviewed by their direct supervisor is under substantially different pressure than one interviewed by an independent investigator, and this difference will be glaringly obvious if the statement is later evaluated in a legal context.
The third error, the most dangerous because it often goes unidentified until it is too late, is reporting findings to regulators without fully assessing the legal implications. Voluntary disclosure can provide significant benefits, but only if done at the right time, with a full understanding of what is being disclosed and its implications for the individuals named in the report. Premature or uncoordinated disclosure can eliminate the benefits of cooperation while simultaneously creating unnecessary new legal exposure, especially if the report names individuals who have not yet been designated as suspects, as this can effectively expand the investigation's scope in directions the investigator might not have reached without the company's assistance. The solution is not avoiding disclosure, but ensuring every disclosure decision is preceded by a structured legal assessment: what is mandatory to disclose, what is strategic to disclose voluntarily, and what is best left undisclosed unless explicitly requested by the competent authority.
VII. Closing
The true value of an internal investigation lies not just in what it finds, but in how the process itself reflects the legal character and governance of a company. Regulators and courts assessing company behavior in the context of a violation do not only look at whether the violation occurred; they look at whether the company, when faced with indications of a problem, acted as a compliance-committed entity should act. A well-run investigation is concrete proof of that commitment; a poorly run investigation, or one not conducted when it should have been, is evidence of the opposite.
Three cross-situational principles are worth underlining. First, the decision to conduct or not conduct an investigation must be made based on structured legal analysis, not an instinct to avoid conflict or discomfort. In practice, pressure not to investigate often comes from within the organization itself, from individuals whose interests may be disrupted by investigation findings. Companies that have mechanisms to ensure investigation decisions are made by the right people, with the right information, without influence from potential subjects of the investigation, possess a significant structural advantage in crisis situations.
Second, no internal investigation provides full protection; it only provides a better position. And that better position only manifests if the investigation is executed within the correct framework, by the right people, with an accountable scope. An investigation with a flawed process does more than fail to provide benefits; it actively diminishes a legal position that might have actually been better if there had been no investigation at all.
Third, the most effective legal counsel in the context of internal investigations is not the one most aggressive in claiming privilege or the quickest to advocate disclosure to regulators, but the one who understands exactly where the boundaries of available legal protection lie within the applicable Indonesian legal system and can explain those boundaries to the client honestly. Honesty about what can and cannot be protected, about real risks versus mere concerns, is the most valuable asset legal counsel can provide in this situation, and that value ultimately determines whether the investment in an internal investigation yields a commensurate benefit.
Ultimately, a good internal investigation is not about finding the answer management wants, but about finding the truth before someone else finds it, and ensuring that the process of discovery itself does not become a new problem. Companies that understand this principle do not view an investigation as a threat to be managed, but as a governance instrument that, when used with timely precision, the correct framework, and sufficient courage, becomes one of the strongest proofs of corporate integrity that can be presented to regulators, the court, and the market.
