When it comes to the threat of occupational fraud, the position of many organizations is: “It will never happen here.” Unfortunately, reality bites hard, and wishful thinking won’t save you when you discover that a fraudster has victimized your organization. An organization’s actions in the hours immediately following the discovery can make the difference between a successful and a failed investigation.
This article will provide some best practices for organizations and investigative professionals on how to respond to incidents effectively in a timeline format that is tailorable to your organization’s needs.
The Fraud Incident Response Timeline
Prior to Incident
If you don’t know where you are going, you’ll end up someplace else.” – Yogi Berra1
An organization that is well prepared for a fraud incident is one that has already developed a plan that covers a high-level control environment appropriate to the organization, has already explored insurance considerations, and, most importantly, has developed an incident response policy for those “break glass” moments.
While organizations have unique needs, a well-developed incident response policy should have three major characteristics:
- It must be flexible, with the ability to adapt to various types of fraud incidents,
- Potential resources (people, tools, and partners) with the appropriate skill sets and capabilities need to be identified, and
- It should be revisited regularly and updated as necessary.
Zero Hour
The other shoe has dropped, and you’ve made the sobering discovery that your organization may be a victim of fraud. Despite the initial shock, it’s essential to avoid impulsive actions and begin communicating with the appropriate professionals identified.
Confronting the suspected fraudster is a tempting proposition. After all, this individual may be a close and trusted colleague. Still, it’s important to remember that prematurely alerting a fraudster that their scheme has been discovered is a major risk to any investigation.
Further, the well-intentioned effort to immediately collect and start to review evidence such as emails and other electronically stored information (ESI) can result in crucial evidence being destroyed and/or inadmissible. Best practice for mitigating evidence spoliation risk at this stage of an investigation is to leave clues as is, which may feel counterintuitive to the natural urge to secure the “smoking gun.” Instead, do your best to secure the potential evidence from outside interference until professionals with the right tools and experience can perform the collection properly.
First 24 Hours
A few hours removed from the initial discovery is the time to establish your investigative plan. While your incident response policy is the foundation for your investigation, facts specific to the fraud must be considered.
Examples of specific considerations for tailoring your investigation include the scale of the fraud, organizational responsibilities of alleged fraudster(s), legal risks to the organization, ongoing risks to assets and data, and reputational risks. With these considerations in mind, additional questions you should ask include:
- What is the objective of the investigation? The scope of an investigation will differ if your objective is to find evidence of noncompliance with rules and regulations rather than to recover misappropriated assets. Do you plan to involve law enforcement or focus on internal disciplinary measures?
- Who are the stakeholders? Documentation, communications, and evidentiary standards can vary depending on stakeholders. Is this a low-level matter with limited internal stakeholders, or does it involve regulators, law enforcement, business partners, or the broader public?
- Does my team have the requisite competence and independence? Employing experienced counsel provides valuable legal privileges to your investigation. It’s likely that counsel has experience working with experts across various skills and industries that may be necessary to the investigation’s success. Further, the credibility of your findings depends on your team’s independence in both fact and appearance.
- Has management been properly quarantined from the investigation? Leadership may be used to having unfettered access across their organization. When leadership is implicated in allegations or suspected of wrongdoing, isolating them is paramount to your investigation’s success.
- Will this investigation include a root cause analysis? Regulators are increasingly asking investigators why incidents happen, not just their extent. Procedures to answer “why” and “how” will likely differ from those designed to answer “what.”
First 48 Hours
With the necessary resources gathered and a plan in place, the time to execute is here. Now the fact-finding process should formally begin through the collection of evidence and conducting interviews. Whether evidence is in the form of paper documents or ESI, maintaining proper chain of custody is essential. Properly documenting collection procedures and storing information in secure repositories can help reduce spoliation risk for potential civil or criminal proceedings.
For ESI, special consideration should be given to who is collecting data and how that data is collected. Forensic technologists specialize in gathering data such as deleted files, temporary auto-save files, and file metadata, among other critical information. Forensic technologists also possess specialized tools that allow for the gathering of volatile evidence not typically available in most organizations.
When conducting witness interviews, the venue and timing have the potential to impact the quantity and quality of information gathered through the process. In general, in-person interviews are more effective (greater ability to read body language, less risk of third-party interference, etc.) than the virtual alternative. Like any other initiative, investigations have resource constraints, and prioritizing which interviews need to be in person can help increase the value you receive from this investigation phase.
Further, being intentional and strategic about the timing of interviews can help reduce the risk of collusion on answers among witnesses and suspects during the process. Best interviewing practices suggest ordering interviews to start with individuals perceived to be the farthest from the incident while working toward the investigation’s strongest suspects. As interviews are conducted, the need to follow up with prior interviewees may arise. Accordingly, be mindful of access constraints you may face, especially for high-ranking individuals or individuals in different locations.
First 72 Hours
The investigation is fully underway at this point, and as circumstances change, your strategy should, too. All investigations will encounter some data, resource, and timing challenges. Communication with stakeholders during the onset of the investigation and throughout the process will foster the ability to navigate the challenges inherent in the fact-finding process. Further, proactive communication also will help reduce the organizational impact your investigation may have.
Investigations are inherently lead-driven, and, as such, fact-finding may take you in a different direction over time. While it’s important to be adaptive to new information as it becomes available, you should not lose sight of the investigation’s scope and objectives you ultimately hope to accomplish. Revisiting your investigative plan at regular intervals is a good way to stay aligned with the scope of your procedures originally agreed to while documenting findings throughout the process.
Conclusion
Forensics professionals at Forvis Mazars have decades of experience conducting investigations and can help you think through these issues and more.
The information contained herein is general in nature and not intended to serve as professional advice. You should consult with your legal counsel and other professional advisors before commencing an investigation.
About Our Forensics Team
Our Forensics & Valuation Services (FVS) practice provides a wide variety of forensic accounting and investigative services to organizations and their legal counsel. Whether you’re facing a whistleblower report of potential fraud, have a regulatory inquiry, or are involved in complex litigation, our experienced team can help you assess the situation, develop a tailored plan, and execute efficiently. Our core team of forensic accountants is supported by our forensic technology professionals, SEC and financial reporting professional standards groups, and deep industry knowledge. In addition to forensic accounting and investigative services, our FVS team also provides litigation support, expert testimony, valuation, and alternative dispute resolution services.
If you have any questions or need assistance, please reach out to a professional at Forvis Mazars or use the Contact Us form below.
Download this checklist for your future fraud investigations!
- 1Quotationcelebration.wordpress.com, October 11, 2019