Hacker News

Hiring outsiders to investigate your management team for wrongdoing is like hiring outsiders to evaluate your environmental performance or to make recommendations on executive pay - possibly useful if you genuinely want to act on their findings, but equally often used to add a sheen of 'independent' legitimacy to whatever result you want.

Outsiders know what answer you want, and know it's unprofitable to have a reputation for biting the hand that feeds them.

To take a British example, back in 2006 the News of the World hired Harbottle & Lewis to do an internal investigation of phone hacking. Guess what, they didn't find anything.

Edit: Clarified that if the person paying for the investigation doesn't have a conflict of interest or plans to act on the recommendations, independent (or even non-independent) investigations can produce results.



I wonder if Tom knows this.


Or hiring an outsider to perform a security audit. It never works. Right.


Someone hired to do a security audit has a huge incentive to find security flaws- frankly, they'll get a better reputation for alerting the company to them.

Finding bad news when you're a security auditor is good.

Someone hired to do an investigation like this has an incentive to downplay any results. If they agreed with the accusations, GitHub would either have to hide the results, or publicly say "Yeah, we think we were likely legally liable for a hostile and sexually abusive work environment". They would not be taking those auditors out for celebratory drinks.

If the consultant says "Yep, you're in the clear", GitHub can announce publicly how great everything is.

Finding bad news when you're investigating a PR disaster is bad.


How is that even remotely similar in terms of conflict of interest on the part of the buyer?


You know, a company hires other companies to perform a check. They usually expect everything to be OK. An audit comes, and it turns out there is a security hole in the software, or your books are off, or you treat employees badly. Nobody wants these, yet everybody hires external companies. You think that you can bribe a legal firm to give you a green flag on harassing employees and they're gonna risk their reputation on 50K USD? I don't think so...


Accounting firms provide a pretty good counter-example here. Everyone thinks of Andersen, who actually had to close as a result of their "customer-focused" service at Enron, but actually all the "big" firms were implicated to varying degrees in the subsequent unpleasant business with CDOs. Any service business will hesitate to piss off the guy who hires them every year.


This is an exception and a single case does not prove that all of the companies are like that. There is enough money to bribe anybody. As I said, 50K (or so) is not enough for that.


Does two prove it? Here's another fine example: http://economix.blogs.nytimes.com/2014/03/06/how-to-choose-a...

It's a well-known problem with auditor/audited relationships. What the customer wants is a clean bill of health after an easy audit. The auditor needs to be tough enough to maintain a good reputation, but beyond that they are looking to maximize volume. The Economist mentions this every year or two [1], and they're especially concerned when auditing firms do a lot of financial consulting for the audited firms. Then there's an even stronger incentive to make the audit generous.

Another good analogy is medical marijuana cards in states where marijuana is supposedly only for medical purposes. In theory, doctors are careful gatekeepers. In practice, the doctors doing those certifications have a strong financial incentive to certify as many people as quickly as possible. I've lived in San Francisco, and I've never heard of anybody getting turned down for one of those cards.

[1] e.g.: http://www.economist.com/blogs/schumpeter/2014/03/dewey-lebo... or http://www.economist.com/node/954033


Another example from the financial crisis is the fact that many credit rating agencies gave triple-A ratings to CDOs that were later downgraded to junk status. Guess who selects and pays the credit rating agency? As it happens, the very financial firms who originated the CDOs and want them triple-A rated to sell.

See e.g. https://en.wikipedia.org/wiki/Credit_rating_agencies_and_the...


It is widely believed in the investment banking industry that you can find a firm that will provide a fairness opinion for virtually any transaction. They are a little bit more costly than $50K, but not more than an order of magnitude for small transactions. Mergers and Inquisitions says, "As you might guess, banks never say a deal is 'unfair' – the Opinion is just a rubber stamp to justify the deal to investors."[1]

(For the record, I never saw any unethical fairness opinions while I was in investment banking.)

The consulting industry has similar dynamics. They are mainly there to provide evidence in favor of a plan proposed by whomever is their primary contact. See, for example, the article by the BCG consultant at [2]: "What I could not get my head around was having to force-fit analysis to a conclusion. In one case, the question I was tasked with solving had a clear and unambiguous answer: By my estimate, the client’s plan of action had a net present discounted value of negative one billion dollars. Even after accounting for some degree of error in my reckoning, I could still be sure that theirs was a losing proposition. But the client did not want analysis that contradicted their own, and my manager told me plainly that it was not our place to question what the client wanted."

1: http://www.mergersandinquisitions.com/investment-banking-fai...

2: http://tech.mit.edu/V130/N18/dubai.html


Ugh. It is precisely the contractor's place to question the client. "Not my problem" or "just following orders" is the worst thing about consulting. I have, on several occasions, refused to force analysis into expected results. And look at me! I'm still alive! I made more money this year than the previous two combined. Ethics must always be forefront. And if you slip, get back on it, mistakes in the past do not excuse more mistakes.


Oh, it doesn't have to be anything so brazen as them finding a problem then covering it up. It's simply that you agree to a certain number of hours at a certain price, and they run out of hours before finding any evidence of wrongdoing.

Legal firms have lawyer-client confidentiality rules, so if they do find anything, with a bit of care you can bury or lie about their findings with impunity.



