An organization that is well prepared for a fraud incident is one that has already developed a plan that covers a high-level control environment appropriate to the organization, has already explored insurance considerations, and most importantly, has developed an incident response policy for those “break glass” moments.
While organizations have unique needs, a well-developed incident response policy should have three major characteristics:
- It must be flexible, with the ability to adapt to various types of fraud incidents;
- Potential resources (people, tools, and partners) with the appropriate skillsets and capabilities need to be identified; and
- It should be revisited regularly and updated as necessary.
The other shoe has dropped, and you’ve made the sobering discovery that your organization may be a victim of fraud. Despite the initial shock, it’s essential to avoid impulsive actions and begin communicating with the appropriate professionals identified in your incident response policy.
Confronting the suspected fraudster is a tempting proposition. After all, this individual may be a close and trusted colleague. Still, it’s important to remember that prematurely alerting a fraudster that their scheme has been discovered is a major risk to any investigation.
Further, the well-intentioned effort to immediately collect and start to review evidence such as emails and other electronically stored information (ESI) can result in crucial evidence being destroyed and/or made inadmissible. Best practice for mitigating evidence spoliation risk at this stage of an investigation is to leave clues as is, which may feel counterintuitive to the natural urge to secure the “smoking gun.” Instead, do your best to secure the potential evidence from outside interference until professionals with the right tools and experience can perform the collection properly.
First 24 hours
A few hours removed from the initial discovery is the time to establish your investigative plan. While your incident response policy is the foundation for your investigation, facts specific to the fraud must be considered.
Examples of specific considerations for tailoring your investigation include the scale of the fraud, organizational responsibilities of alleged fraudster(s), legal risks to the organization, ongoing risks to assets and data, and reputational risks. With these considerations in mind, additional questions you should ask include:
What is the objective of the investigation? The scope of an investigation will differ if your objective is to find evidence of noncompliance with rules and regulations rather than to recover misappropriated assets. Do you plan to involve law enforcement or focus on internal disciplinary measures?
Who are the stakeholders? Documentation, communications and evidentiary standards can vary depending on stakeholders. Is this a low-level matter with limited internal stakeholders, or does it involve regulators, law enforcement, business partners, or the broader public?
Does my team have the requisite competence and independence? Employing experienced counsel provides valuable legal privileges to your investigation. It’s likely that counsel has experience working with experts across various skills and industries that may be necessary to the investigation’s success. Further, the credibility of your findings depends on your team’s independence in both fact and appearance.
Has management been properly quarantined from the investigation? Leadership may be used to having unfettered access across their organization. When leadership is implicated in allegations or suspected of wrongdoing, isolating them is paramount to your investigation’s success.
Will this investigation include a root cause analysis? Regulators are increasingly asking investigators why incidents happen, not just their extent. Procedures to answer “why” and “how” will likely differ from those designed to answer “what.”
First 48 hours
With the necessary resources gathered and a plan in place, the time to execute is here. The fact-finding process should now formally begin by collecting evidence and conducting interviews. Whether evidence is in the form of paper documents or ESI, maintaining proper chain of custody is essential. Properly documenting collection procedures and storing information in secure repositories can help reduce spoliation risk for potential civil or criminal proceedings.
For ESI, special consideration should be given to who is collecting data and how that data is collected. Forensic technologists specialize in gathering data such as deleted files, temporary auto-save files, and file metadata, among other critical information. Forensic technologists also possess specialized tools that allow for the gathering of volatile evidence not typically available in most organizations.
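An added illustration of the chain-of-custody record described above, not code from the article or its authors: each custody event stores a SHA-256 of the evidence and is hash-linked to the previous entry, so an edited record or a changed copy is detectable. The item ID, custodian names and sample bytes are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _entry_digest(entry: dict) -> str:
    # Hash every field except the digest itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def add_entry(log, item_id, action, custodian, when, evidence: bytes):
    """Append a custody event that commits to the previous entry."""
    entry = {
        "item_id": item_id,
        "action": action,          # e.g. "collected", "transferred"
        "custodian": custodian,
        "when": when,              # ISO 8601 UTC, supplied by the collector
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log):
    """Return a list of problems: altered records or evidence hash drift."""
    problems, prev, baseline = [], GENESIS, {}
    for i, e in enumerate(log):
        if e["prev_hash"] != prev or e["entry_hash"] != _entry_digest(e):
            problems.append(f"entry {i}: log record altered or out of order")
        first = baseline.setdefault(e["item_id"], e["evidence_sha256"])
        if e["evidence_sha256"] != first:
            problems.append(f"entry {i}: {e['item_id']} differs from collected copy")
        prev = e["entry_hash"]
    return problems

if __name__ == "__main__":
    log = []
    mailbox = b"constructed mailbox export"  # stand-in for a collected file
    add_entry(log, "ESI-001", "collected", "examiner-a", "2024-01-01T10:00:00Z", mailbox)
    add_entry(log, "ESI-001", "transferred", "examiner-b", "2024-01-02T09:00:00Z", mailbox)
    print(verify_log(log))            # intact log: no problems
    log[0]["custodian"] = "someone-else"
    print(verify_log(log))            # edited record is flagged
```
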
When conducting witness interviews, the venue and timing have the potential to impact the quantity and quality of information gathered through the process. In general, in-person interviews are more effective (greater ability to read body language, less risk of third-party interference, etc.) than the virtual alternative. Like any other initiative, investigations have resource constraints, and prioritizing which interviews need to be in person can help increase the value you receive from this investigation phase.
Further, being intentional and strategic about the timing of interviews can help reduce the risk of collusion on answers among witnesses and suspects during the process. Best interviewing practices suggest ordering interviews to start with individuals perceived to be the farthest from the incident while working toward the investigation’s strongest suspects. As interviews are conducted, the need to follow up with prior interviewees may arise. Accordingly, be mindful of access constraints you may face, especially for high-ranking individuals or individuals in different locations.
First 72 hours
The investigation is fully underway at this point, and as circumstances change, your strategy should too. All investigations will encounter some data, resource and timing challenges. Communication with stakeholders during the onset of the investigation and throughout the process will foster the ability to navigate the challenges inherent in the fact-finding process. Further, proactive communication also will help reduce the organizational impact your investigation may have.
Investigations are inherently lead-driven, and as such, fact-finding may take you in a different direction over time. While it’s important to adapt to new information as it becomes available, you should not lose sight of the investigation’s scope and the objectives you ultimately hope to accomplish. Revisiting your investigative plan at regular intervals is a good way to stay aligned with the originally agreed scope of your procedures while documenting findings throughout the process.
Erik Lioy, Pat Hoan and Zach Powers are CPAs with FORVIS.