Is the internal investigation process part of your internal audit program? Does your internal audit team have access to a central database (if existing) of potential compliance cases (on the basis of need to know)? Is the investigation process itself governed by one function (i.e. Legal & Compliance) or is it scattered (i.e. HR for people related cases)?

The ethics hotline is owned by Compliance. Internal employee investigations are completed by Security. HR related items are delegated to HR.

In the various organizations I’ve been part of, the compliance/conflict of interest “database” (sometimes just a simple Excel worksheet) has typically been managed by either HR or the Legal department. The investigations process has generally been a shared responsibility among Legal, HR, and Audit, with Internal Audit stepping in to conduct investigations only at the request of HR or Legal.
That said, on several occasions, whistleblowers have reached out directly to Internal Audit with tips. In those cases, we’ve initiated preliminary fact-finding efforts. Once we’ve gathered sufficient information, we coordinate with HR or Legal, as appropriate.
My recommendation is that, even if the investigation process is managed by different departments, there should at least be a formal policy and standard operating procedure (SOP) in place. This should provide clear guidance on the process and include a decision tree to help determine when and which department should lead or support the investigation.

Our Special Investigations team used to be part of Internal Audit but we moved it to Legal several years ago. That team handles all investigations. Control failures or deficiencies are referred to the Financial Assurance or Internal Audit teams as appropriate.