3. Investigation practices
3.1 Risk management
Persons, or groups of persons, responsible for and in control of an entity’s operations have both the opportunity and a responsibility to instil a positive risk culture. A positive risk culture encourages entities to identify and respond to potential threats, systemic weaknesses and vulnerabilities that undermine public confidence and the integrity of the government. All levels must be empowered to monitor and engage with risk in a manner consistent with the objectives and risk appetite of the organisation14,15.
Risk management is designed to coordinate activities to direct and control risk. Risk is reflective of the complexity, dimensions, and scale of an investigation and is inherently simultaneous across multiple stages: the report, receipt and acceptance, process of inquiries, a referral, rejection, termination/closure, finalisation, and review/audit of an investigation.
As part of instilling a strong risk culture, entities should establish an investigation Risk Management Framework and processes with a focus on:
- developing a triaging approach (use of a categorisation and prioritisation formula or model)
- outlining key responsibilities and accountabilities (positions, committees)
- establishing a reporting regime of investigation risks (internal and external) to inform the strengthening of investigation risk controls
- embedding continual risk assessment into investigation stages and processes
- implementing processes to demonstrate appropriate investigator risk decision making
- acknowledging shared and cross jurisdictional risk as part of an investigation.
An entity’s investigation Risk Management Framework should be aligned with and reflect the entity’s enterprise risk framework, standards, guidance, and policies alongside those of the Australian Government. Australian Government corporate entities should align with, and non-corporate entities must comply with, the Commonwealth Risk Management Policy16.
3.2 Investigation governance
3.2.1 Legislation and entity policies
Legislation, powers, and regulations in each entity may differ considerably. AGIS provides best practice noting variables may occur based on entity legislation.
In the context of federal criminal investigations, entities must comply with Commonwealth Director of Public Prosecutions (CDPP) guidelines or requirements in relation to engagement with the CDPP. This includes the provision of pre-brief advice and the preparation and referral of BoEs for prosecution. Where a criminal investigation is being undertaken or contemplated, evidence must be obtained with a view to admissibility in criminal proceedings and assessment of a BoE in accordance with the Prosecution Policy of the Commonwealth17.
3.2.2 Legal adherence
Investigations must be conducted in a manner that is consistent with applicable laws. This is particularly relevant regarding collection, handling, and presentation of evidence and the application of powers. An investigator must be familiar with implications of relevant law on their ability to collect, manage and present evidence and investigate.
Investigators should consider the broad spectrum of legal requirements to ensure that any action taken does not jeopardise the investigation. Differing legal requirements across various jurisdictions involved should also be considered. Entity governance may also have implications for the conduct of investigations.
Investigators must be cognisant of the impact of LPP. Entities must have procedures and forms in place to deal with LPP during relevant types of warrants (i.e. search, monitoring) to cover:
- electronic and hard copy non-legal premises
- electronic and hard copy legal premises.
Entity LPP procedures must consider options for quarantining data or documents which are the subject of an LPP claim and the timeframe an LPP claimant should be given to advise of the option chosen.
Entities should have a process in place to outline who will be responsible for making entity LPP protective order applications.
3.2.3 Decision making
Decision making is a structured approach to identifying and analysing alternative approaches from which a choice can be made, and action taken to achieve an outcome. Any information available, assessment of risk and identification of options need to be provided in a decision-making process for it to be a considered decision and to apply accountability.
Entities should have a decision-making process in place for investigations involving options and actions that can be explained, justified, and documented. Using a decision-making process ensures decisions are effective, transparent and can sustain review and scrutiny. The individual governance of an entity should inform the type of decision-making process chosen for investigations, noting ethical complexities.
Decisions made during an investigation should be made by an appropriate person as determined by the entity. There are multiple forms in which a decision can be recorded/documented including (but not limited to) notebooks, diaries, emails, minutes, executive briefs, decision registers, and information management systems.
The recording of a decision should be proportionate to the seriousness and consequence of the decision. Documentation must include:
- the context of the decision
- the decision itself
- the reason/rationale for the decision
- person making the decision
- date of the decision
- any detail of the actions associated with the implementation of the decision.
If a decision is not able to be recorded prior to action it should be recorded as soon as practicable after the fact.
3.2.4 Evidence and exhibit handling
Entities’ evidence and exhibit handling procedures must comply with applicable Australian laws of evidence, relevant case law, and Australian Government directions or guidelines on search and collection/seizure. Security and continuity must be maintained from seizure or collection to disposal to ensure admissible evidence in judicial and administrative proceedings. Entity procedures should cover (but are not limited to):
- preserving evidence in a timely way and handling to avoid contamination
- engaging persons for analysis and evidence management, with appropriate training and qualifications to ensure admissibility
- using recording systems in relevant circumstances to manage risk of impropriety accusations
- employing methodology for recording evidence found in search and seizure situations
- using formal property seizure and/or receipt records
- using an exhibit register and naming convention system (or use of unique bar code) to record seizure and movements
- creation of digital evidence for preservation of perishable items
- changing of case officer (acquittal or transfer of exhibits)
- maintaining the health and safety of investigators.
Entities should establish evidence or exhibit rooms that align with security requirements under the PSPF and relevant Australian building standards.
3.2.5 Exhibit registry
To maintain standards of proof, investigators should review their case holdings (evidence) once a month in the case of high-risk exhibits (i.e. hazardous substances, weapons)18.
An entity must have a documented procedure for conducting formal audits of its Exhibits Registry (commensurate with the type of investigation) to ensure:
- the accuracy of the records
- independent scrutiny of the procedures associated with possession of exhibits by an entity
- the security of the exhibits meets entity investigations policy and the PSPF
- continuity of evidence has been maintained.
The entity procedure must also ensure the audit regime incorporates:
- quarterly auditing of holdings (all or percentage)
- annual auditing of holdings (all or percentage)
- auditing of full holdings (timeframe).
3.3 Investigation planning
3.3.1 Function intersection
Investigations may have a relationship with an entity’s compliance and/or intelligence functions. Compliance is described as responsive regulation with variable support and enforceable sanctions. Entities may have different legislation and policies related to compliance.
Investigation planning should consider compliance activities and processes in respect of admissible evidence collection/use. Entities should obtain legal advice prior to collection and/or use of information sourced as part of a compliance activity if planning to use it for another type of investigation.
An investigation can include intelligence activities and processes which may directly support the gathering of admissible evidence. Where relevant, entities should have a guide outlining the use of intelligence in identifying conduct which is alleged or suspected to be a breach.
An entity should ensure compliance, intelligence, and fraud control functions are appropriately linked to investigations.
3.3.2 Reports, commencement to finalisation
The investigation function requires definitions, protocols, and information management processes. For the purpose of AGIS, ‘report’ is used and defined as a report, referral, or a notification of suspected wrongdoing or allegations in relation to breaches, noting entities’ definitions and processes may differ in line with legislative requirements or investigation policies.
For reports, entities should have the following:
- a public facing process for the public and entities to report
- electronic systems and procedures to record the receipt of reports
- electronic systems and procedures to record the transfer of reports.
An entity’s transfer of reports to law-enforcement entities should be informed by:
- a law-enforcement entity’s authority and prioritisation model (including thresholds)
- an entity’s capacity and ability to conduct the investigation
- the significance of harm to the community
- the integrity of the Australian Government
- whether the report involves Commonwealth Electoral Act 1918 alleged breaches
- any action required in relation to proceeds of crime
- conflicts of interest and political sensitivities19.
An entity should ensure an investigation life cycle (from commencement to finalisation) is a documented process and connected to investigation policies and risk management.
An entity should establish criteria for when an investigation is considered to be commenced, which may include the following circumstances:
- on direct receipt of a report
- informal assessment of a report warrants further inquiry and investigation
- intelligence activities have begun
- formal process of evaluation is conducted and completed, and acceptance of an evaluation has been conducted by decision makers.
An entity should establish criteria for when an investigation is considered to be finalised, which may include the following circumstances:
- an entity’s treatment of the allegations has concluded (prosecution including appeal, or other)
- the allegations have been referred to another entity for further action without joint participation
- disruptive action has been effective and considered as the primary treatment
- the subject of a report is deceased.
Entities’ resourcing for investigations should be commensurate with the type, complexity, and scale of an investigation including the breadth (or cross over) of the entity’s function.
Individual investigations should consider assigning two investigators for each commenced investigation, supplemented by specialists as required. This best practice is related to ensuring objectivity, minimising bias and maintaining investigation integrity.
Each entity should conduct ongoing management and review of its own investigation procedures, manuals, or instructions to ensure currency and accuracy to support capability and outcomes. The timelines for review should consider the changing operating environment regarding legislation, technical transformation, outcomes to investigations and risk.
3.3.4 Entity agreements
Alongside sharing of information under legislative provisions, entities should develop Memoranda of Understanding (MoU), Service Level Agreements (SLA) or investigation-specific Joint Agency Agreements (JAA) to assist with lawfully sharing information or conducting investigations that may cross jurisdictions or require specialist entity support.
3.3.5 Media management
Entities should have written procedures regarding liaison with the media and the release of media statements regarding investigations. These procedures should include reference to the following:
- media management strategies within investigation plans
- authority to release information to the media
- circumstances for briefing and use of media area or spokesperson
- level of release to the media
- management of multi-entity operations.
Information released to the media should not expose investigation sensitive methodologies, prejudice the right to a fair hearing or the legal process, impinge upon the privacy or safety of others involved in the investigation, or prejudice any actions taken or future actions of the entity or other entities.
3.4 Investigation activities and tools
3.4.1 International requests
An entity investigator can seek information on an informal or formal basis from foreign authorities. Formal requests are required where information is sought when an investigation requires the exercise of a compulsory or coercive power, such as issuing of a subpoena or search warrant by foreign authorities, or where admissible evidence is required for the purpose of court proceedings.
Mutual assistance is an important part of the investigation planning process. The mutual assistance process can only be used to seek assistance to further an investigation or prosecution of a criminal matter or proceeds of crime proceedings20. Mutual assistance arrangements for civil or administrative investigations are governed by state or territory court rules and other relevant legislation.
The types of information and assistance sought will be dependent on the investigation. They may include travel records, taking witness statements, identification records, court documents, business and bank records, and communications service provider records.
Entities must use the Australian Government’s mutual assistance regime request for the formal process of obtaining information for an investigation. That is unless specific entity legislation allows for requests via alternate means or advice by an administering Australian authority.
Entities should have written procedures for making informal requests to foreign authorities. These procedures should consider the use of Australian law-enforcement entities to assist.
Entities should additionally have written procedures for responding to both formal and informal requests from foreign authorities. If there are capital punishment (including death penalty) implications in requesting and responding to foreign requests, entities must consult with Australian Government administrative and/or legal entities.
Further information can be found in the Mutual Assistance in Criminal Matters Act 1987 (Cth)21.
It may be necessary to use an expert witness for the purpose of an investigation or a proceeding arising out of an investigation. The selection of an expert should be made following consideration of the person’s professional standing, qualifications, publications, capabilities, and relevant experience. The following should be considered when using expert witnesses:
- ensure the expert opinion is impartial
- consideration of a non-disclosure agreement (material with security classification)
- ensure compliance with the rules of evidence
- obtain and record relevant legal advice regarding using an expert
- review evidence legislation, court notes or case law relating to using an expert.
3.4.3 Specialist services
Investigations may require the use of specialist services, for example surveillance (physical/digital), coercive hearing, telecommunications interception, or use of human covert sources.
Entities with powers to conduct specialist services must have procedures in place in accordance with legislation, the Privacy Act 1988 and Australian Government security frameworks for handling information. Procedures should outline roles and responsibilities to conduct specialist services and all governance applied including the protection of sensitive methodology.
Entities must also have procedures in place to request specialist services from other entities with specialist services.
14 Department of Finance, Public Governance, Performance and Accountability Act 2013, Australian Government, February 2021
15 Department of Finance, Independent Review into the operation of the PGPA Act 2013 and Rule, Australian Government, February 2021
16 Department of Finance, Commonwealth Risk Management Policy, Australian Government, July 2014
17 Office of the Director of Public Prosecutions, Prosecution Policy of the Commonwealth, Australian Government, Canberra 2021
18 Federal Register of Legislation, Evidence Act 1995, October 2018
19 Australian Electoral Commission, Commonwealth Electoral Act 1918, Australian Government, February 2022
20 Attorney-General’s Department, taking-evidence-across-international-borders, Australian Government, March 2022
21 Attorney-General’s Department, international-relations/international-crime-cooperation-arrangements/mutual-assistance, Australian Government, March 2022