chevron-down Created with Sketch Beta.
February 06, 2019 Articles

Internal Investigations Best Practices, Part I: Protocols

Proper planning is critical to the success of a fraud investigation.

By Paul Rodrigues and Thomas Wagner

 “If you tell the truth, you don’t have to remember anything.” —Mark Twain

As fraud examiners, we are generally hired by attorneys to investigate a suspected fraud at a company. However, sometimes we are contacted directly by a business owner, management team, security manager, or human resources director. If an attorney does not initially contact the investigator, we suggest that the investigator include the client’s attorney in the loop before proceeding.

Best Practice: Lawyer Supervision

As a best practice, a fraud investigation should always be supervised by a lawyer:

  • This will preserve the attorney-client privilege.
  • This will protect the attorney work-product doctrine.
  • This will ensure that applicable employment and other laws are observed.

Establishing a good working relationship with the attorney will help set the foundation for making a case. This should facilitate developing a logical theory of what may have occurred, establishing an appropriate investigation plan, determining the legal burdens of proof needed, and setting the client’s expectations with regard to budget and timeline.

A substantive conversation with the client and attorney is necessary and invaluable to the investigator in understanding the situation at hand. This includes determining the client’s needs and goals, from a business perspective and a legal perspective, as they pertain to the investigation. It might seem incontrovertible that the client wants to determine who the perpetrator was and have that person prosecuted. In reality, this is not always what the client wants or needs. Many businesses have no intention of pursuing a prosecution for numerous reasons, including a fear of bad publicity. Many cases end with the termination of an employee, although sometimes the perpetrator had already been terminated for other reasons prior to the discovery of the fraud. Some clients really just want to understand how the fraud occurred and fix the situation by creating specific checks and balances to prevent, or at least mitigate, further fraud and losses. 

Best Practice: Preparation for a Courtroom

As a best practice, these investigations should always cover every eventuality:

  • Proceed as if the case will eventually see a courtroom.

This is always advisable, not just for an internal fraud but for any case. This helps ensure that the investigator does not get sloppy—that is, that the investigator follows correct procedures, such as maintaining and documenting the chain of custody for any evidence. This also should help ensure that the investigator only accesses Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley Act (GLBA) information for the appropriate permissible purposes.

The investigator will want to learn about the workings of the business systems in place to shed light on how the fraud may have been committed. This may require becoming knowledgeable about areas such as inventory control systems, shipping procedures, accounting practices, accounts payable, purchasing, etc., depending on the industry involved and the nature of the client’s business. To gain this knowledge, the investigator may want to meet with the client, a trusted employee (especially if the subject is no longer employed), or an external person with knowledge of the systems used.

In some cases, the client may have already uncovered some documentary evidence needed to prove the fraud, such as check register transactions or other journals, audit trails or logs, and financial or bank records showing the money trail. The financial records may be backed up with time cards, surveillance recordings, entry lock logs, etc., that support the theory of who the perpetrator was. However, in many instances, it is up to the investigator / fraud examiner to determine exactly how the fraud occurred, quantify any damages resulting from the fraud, and locate the evidence or elicit evidence through witness interviews. The type of fraud may also require the investigator to either be familiar with the industry or find a trusted source who can quickly teach the investigator about the industry.

Best Practice: Focus

As a best practice, investigations should always be conducted with both eyes open:

  • One eye should be focused on suspected fraud(s).
  • One eye should be alert to anomalies.

In addition to staying focused on the scope of the case (e.g., obtaining and documenting material evidence regarding the incident under investigation), the investigator needs to be alert to detect other anomalies along the way, which may lead to or expose other frauds or collusion. Many times, the initial detection is just the beginning of more widespread fraud.

During the course of any thorough investigation, an investigator may be exposed to many types of collateral information and evidence. It is the investigator’s responsibility to resist being led down irrelevant and time-wasting paths.

Best Practice: Unrelated Issues

As a best practice, handle unrelated malfeasance or issues if they become apparent:

  • An investigator should always bring such issues to the attention of the attorney.
  • The attorney can determine if a separate investigation should be initiated.

As more issues come to the forefront and an investigation lingers at a company, investigators will incur curiosity. Just as any new employee in an organization will trigger a barrage of questions by existing employees, an investigator will need to know not only how to ask questions but also how to handle inquisitive employees who are not privy to the investigation. Additionally, strategies will need to be developed at a kickoff meeting to cover not only the legal but also the logistical aspects of the investigation.

Best Practice: Preinvestigation Meeting

As a best practice, prior to the on-site investigation, collaborate:

  • A private planning meeting should be held with the client, counsel, and investigator.
  • At this meeting, the following items, at a minimum, need to be identified:
    • Suspect(s)
    • Possible Suspects
    • Location of documents needing to be preserved
    • Suspect’s access to the company’s electronic devices needing to be preserved, such as computers, servers, cell phones, etc.
    • Whether the suspect(s) signed any human resource documents waiving any “expectation of privacy”
    • Whether a cover story is needed to prevent tipping off potential suspects

Because a fraud investigation typically boils down to an investigation of people and money, both items need to be addressed equally at the outset so that the investigation is not sabotaged. In other words, an investigator needs to gain an understanding of the people being investigated and any devices they have or had access to that may contain the money trail or evidence of impropriety.

Best Practice: Background Checks and Digital Proof

As a best practice, prior to the on-site investigation and interviews, do your homework:

  • Background checks should be run on the suspect(s).
  • Forensic images of the electronic devices of the suspect(s) need to be made and examined.

Background investigations on any known suspects can include criminal checks; litigation searches; and searches for assets, including hidden assets. Be careful to respect the applicable laws, such as the FCRA and GLBA. Sometimes, large amounts of information can be found via public records or open-source data. Types of assets that you may find range from the hunting cabin up north to small businesses registered to your subject, the subject’s relatives, or other business associates. In some cases, cross-checking the client’s vendors, contractors, and accounts payable ledgers might reveal that the client’s company is cutting checks to a business associated with the subject employee. Much of the background information that you will access is available via government websites and other publicly available internet sources. Some of the data that you may want to search includes corporate registrations, property and personal property taxes, property deeds, building inspection records, business licenses, general internet searches, and media searches. Some information may require a federal or state Freedom of Information Act (FOIA) request. Additional information, such as vehicle records, is available to investigators via proprietary databases with the appropriate permissible purpose. It is important that the investigator use any information obtained from these private databases as leads and does not simply accept it as fact.

Forensic images of electronic storage devices need to be made because these types of images will capture both saved and deleted information. In some cases, deleted information can be recovered and may reveal the “smoking gun” with regard to the subject matter taken while also providing an element of fraud scienter as a result of the suspect’s actions taken to conceal and destroy the evidence.


In summary, a properly planned investigation is critical to its success. After all, as Yogi Berra said, “If you don’t know where you are going, you’ll end up someplace else.”

Paul Rodrigues, CFE, CPA, CFF, CGMA, MST, is a senior director at The BERO Group LLC in Milwaukee, Wisconsin. Thomas Wagner, CFE, CLI, is the managing member at Wagner & Associates LLC in Milwaukee, Wisconsin.

Copyright © 2019, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).