Best Practice: Preparation for a Courtroom
As a best practice, these investigations should always cover every eventuality:
- Proceed as if the case will eventually see a courtroom.
This is always advisable, not just for an internal fraud but for any case. This helps ensure that the investigator does not get sloppy—that is, that the investigator follows correct procedures, such as maintaining and documenting the chain of custody for any evidence. This also should help ensure that the investigator only accesses Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley Act (GLBA) information for the appropriate permissible purposes.
The investigator will want to learn about the workings of the business systems in place to shed light on how the fraud may have been committed. This may require becoming knowledgeable about areas such as inventory control systems, shipping procedures, accounting practices, accounts payable, purchasing, etc., depending on the industry involved and the nature of the client’s business. To gain this knowledge, the investigator may want to meet with the client, a trusted employee (especially if the subject is no longer employed), or an external person with knowledge of the systems used.
In some cases, the client may have already uncovered some documentary evidence needed to prove the fraud, such as check register transactions or other journals, audit trails or logs, and financial or bank records showing the money trail. The financial records may be backed up with time cards, surveillance recordings, entry lock logs, etc., that support the theory of who the perpetrator was. However, in many instances, it is up to the investigator / fraud examiner to determine exactly how the fraud occurred, quantify any damages resulting from the fraud, and locate the evidence or elicit evidence through witness interviews. The type of fraud may also require the investigator to either be familiar with the industry or find a trusted source who can quickly teach the investigator about the industry.
Best Practice: Focus
As a best practice, investigations should always be conducted with both eyes open:
- One eye should be focused on suspected fraud(s).
- One eye should be alert to anomalies.
In addition to staying focused on the scope of the case (e.g., obtaining and documenting material evidence regarding the incident under investigation), the investigator needs to be alert to detect other anomalies along the way, which may lead to or expose other frauds or collusion. Many times, the initial detection is just the beginning of more widespread fraud.
During the course of any thorough investigation, an investigator may be exposed to many types of collateral information and evidence. It is the investigator’s responsibility to resist being led down irrelevant and time-wasting paths.
Best Practice: Unrelated Issues
As a best practice, handle unrelated malfeasance or issues if they become apparent:
- An investigator should always bring such issues to the attention of the attorney.
- The attorney can determine if a separate investigation should be initiated.
As more issues come to the forefront and an investigation lingers at a company, investigators will incur curiosity. Just as any new employee in an organization will trigger a barrage of questions by existing employees, an investigator will need to know not only how to ask questions but also how to handle inquisitive employees who are not privy to the investigation. Additionally, strategies will need to be developed at a kickoff meeting to cover not only the legal but also the logistical aspects of the investigation.
Best Practice: Preinvestigation Meeting
As a best practice, prior to the on-site investigation, collaborate:
- A private planning meeting should be held with the client, counsel, and investigator.
- At this meeting, the following items, at a minimum, need to be identified:
- Possible Suspects
- Location of documents needing to be preserved
- Suspect’s access to the company’s electronic devices needing to be preserved, such as computers, servers, cell phones, etc.
- Whether the suspect(s) signed any human resource documents waiving any “expectation of privacy”
- Whether a cover story is needed to prevent tipping off potential suspects
Because a fraud investigation typically boils down to an investigation of people and money, both items need to be addressed equally at the outset so that the investigation is not sabotaged. In other words, an investigator needs to gain an understanding of the people being investigated and any devices they have or had access to that may contain the money trail or evidence of impropriety.
Best Practice: Background Checks and Digital Proof
As a best practice, prior to the on-site investigation and interviews, do your homework:
- Background checks should be run on the suspect(s).
- Forensic images of the electronic devices of the suspect(s) need to be made and examined.
Background investigations on any known suspects can include criminal checks; litigation searches; and searches for assets, including hidden assets. Be careful to respect the applicable laws, such as the FCRA and GLBA. Sometimes, large amounts of information can be found via public records or open-source data. Types of assets that you may find range from the hunting cabin up north to small businesses registered to your subject, the subject’s relatives, or other business associates. In some cases, cross-checking the client’s vendors, contractors, and accounts payable ledgers might reveal that the client’s company is cutting checks to a business associated with the subject employee. Much of the background information that you will access is available via government websites and other publicly available internet sources. Some of the data that you may want to search includes corporate registrations, property and personal property taxes, property deeds, building inspection records, business licenses, general internet searches, and media searches. Some information may require a federal or state Freedom of Information Act (FOIA) request. Additional information, such as vehicle records, is available to investigators via proprietary databases with the appropriate permissible purpose. It is important that the investigator use any information obtained from these private databases as leads and does not simply accept it as fact.
Forensic images of electronic storage devices need to be made because these types of images will capture both saved and deleted information. In some cases, deleted information can be recovered and may reveal the “smoking gun” with regard to the subject matter taken while also providing an element of fraud scienter as a result of the suspect’s actions taken to conceal and destroy the evidence.
In summary, a properly planned investigation is critical to its success. After all, as Yogi Berra said, “If you don’t know where you are going, you’ll end up someplace else.”
Paul Rodrigues, CFE, CPA, CFF, CGMA, MST, is a senior director at The BERO Group LLC in Milwaukee, Wisconsin. Thomas Wagner, CFE, CLI, is the managing member at Wagner & Associates LLC in Milwaukee, Wisconsin.