Initial Response to Suspicions or Allegations of Fraud
When responding to suspected and detected incidents of fraud, time is critical. Management and fraud examiners must be prepared to address a number of issues in a short amount of time, sometimes under stressful conditions.
Initially, when a suspicion or allegation of fraud arises, management must respond quickly. The failure to act quickly against suspicions of fraud could result in litigation, enhanced penalties, and enforcement actions by government regulators. The appropriate response varies depending on the facts, such as the underlying evidence, who is implicated, how the evidence came about (e.g., internal sources, civil lawsuit, investigation by the government), and so on. But generally, when evidence of fraud arises, management should respond by engaging in the following actions:
- Activate the response team.
- Engage legal counsel, if necessary.
- Consider contacting the insurance providers.
- Address immediate concerns.
- Conduct an initial assessment.
- Document the initial response.
Activate the Response Team:
When evidence of fraud arises, management must activate the fraud response team—the group of people tasked with responding to incidents of fraud. When activated, the response team should seek to answer the following questions:
- Is a formal investigation necessary?
- If a formal investigation is necessary, who will lead it?
- Is there a need for immediate police involvement?
- Is there an immediate need for legal assistance or advice?
- Is there a need for external support (e.g., forensics specialists)?
- Is there a need for additional support (e.g., access to IT facilities or a secure room, support from administration)?
- Is there a need to devise a media strategy to deal with the issue?
- Is there a need to report the issue to an external third party?
- Should the audit committee be informed?
Engage Legal Counsel:
Because incidences of fraud are riddled with legal uncertainties, management should consult with internal and possibly external local legal counsel before making any decisions or taking any action concerning the suspected conduct. Typically, the general counsel should be made aware of any significant fraud that might result in legal action.
Consider Contacting the Insurance Provider:
When evidence of fraud arises, it is generally impossible to know whether the incident will result in an insurance claim, but even so, many insurance policies require timely notice of potential claims. Therefore, an organisation should consider putting its insurer on notice to preserve a potential insurance claim.
Address Immediate Concerns:
Also, when evidence of fraud arises, management and the response team should address immediate concerns. Immediate concerns will vary, but they might include:
- Preserving relevant documents
- Identifying who should be informed
Preserving Relevant Documents:
When evidence of fraud arises, management should seek to preserve all relevant documents, especially those that an employee might want to hide or destroy. In a fraud investigation context, the term documents typically refers to, but is not limited to, contracts, invoices, correspondence, memoranda, weekly reports, presentations, telephone messages, emails, reports, performance reviews, performance improvement plans, medical records, and other written or recorded material.
When evidence is misplaced, lost, or destroyed, it becomes more difficult to conduct an investigation. Thus, the response team and management must take action to preserve evidence as soon as the decision to investigate is made. There are a number of steps that management should take to preserve relevant documents. For one thing, management should work with legal counsel to issue a litigation hold to notify employees to suspend the destruction of potentially relevant records.
Furthermore, management should suspend the organisation’s record retention policy temporarily to avoid a piece of evidence accidentally being destroyed.
Also, management could lockdown access to emails or digital files that employees might want to conceal or destroy. Digital information can be found in virtually any type of media, and it is more fragile than tangible evidence. Therefore, employees can destroy this type of information if it is not protected properly. Often, when fraudsters become aware of an investigation, they try to destroy evidence in their computers or sabotage other evidence that could be used against them. Accordingly, it is a good idea to have IT personnel involved in this process each time the organisation decides to conduct an investigation.
The failure to preserve documents could have several adverse consequences. First, the failure to preserve documents could result in the government’s questioning of the integrity of any fraud investigation. Second, documents destroyed when litigation is expected, or in progress, might give rise to claims of spoliation of evidence, which, if proven, could lead to monetary fines and sanctions, adverse inference jury instruction sanctions, or dismissal of claims or defences. Spoliation is broadly defined as the act of intentionally or negligently destroying documents relevant to litigation.
In today’s digital environment, digital spoliation is a major concern for organisations involved in litigation. When compared to the spoliation of tangible documents, digital spoliation carries additional risks. Management often lacks sufficient knowledge of the inventory of digital information, and electronic data might only be available for an evanescent time. Additional concerns include business practices designed to free up storage space by deleting digital information and the fact that electronic data can reside in numerous locations, as well as the fact that identifying relevant electronic data within today’s large and complex data systems can be challenging and costly.
Identifying Who Should Be Informed:
Management and the response team should identify whom to inform. Depending on the facts, several departments should be interested in fraud, including legal, human resources, internal audit, security, risk management, and loss prevention or security. When responding to an allegation of fraud, it is important to consider the interests of each of these departments. This is necessary to ensure that designated employees are notified immediately to enable a prompt response. Information about incidences, however, should be shared only on a need-to-know basis.
Human resources (HR) personnel address issues involving unfair treatment, discrimination, harassment, substance abuse, or concerns about corporate policies. Therefore, the HR department should be informed of fraud that affects any such areas.
Both the HR and legal departments should be involved to ensure that the right people receive information in a timely manner. Also, other departments, such as loss prevention and risk management, audit, and security might need to be involved. Although the development of information distribution rules requires the participation of several departments, it is best to have these rules set before investigation protocols are in place.
Another department that needs to be involved is the information technology (IT) department. The IT department might need to be part of an investigation to safeguard data until it can be analysed. IT personnel can also help identify what data are available and where, and they might be able to function as forensic investigators if licensed to do so.
Again, management must restrict access to certain pieces of information on a need-to-know basis.
Conduct an Initial Assessment to Determine the Appropriate Response:
Usually, when an allegation of fraud arises, there are not enough known and verified facts to begin a formal investigation; therefore, management and the response team should conduct an initial assessment to determine if an investigation is needed and what steps, if any, are required to respond in an appropriate manner. This is perhaps the most critical question that management must answer when an allegation of fraud arises.
An initial assessment should be quick and, unless complications arise, completed within a few days. Ideally, action should be taken within three days of learning about an incident.
The initial assessment should be a limited fact-finding analysis focused on the specific allegation or incident. It does not require an investigation plan or report, unlike a formal investigation. Thus, the initial assessment should seek to:
- Determine if fraud occurred.
- Identify the status of the fraud (e.g., When did it begin? Was it internal or external? Is it still occurring? If it is no longer occurring, when did it stop?).
- Identify potential claims and offences.
- Understand the context.
- Review any applicable policies and procedures.
- Investigate the allegations.
- Document the reasons for the decision.
Understand the Context:
Next, those responsible should gain an understanding of all of the circumstances leading up to the current situation. Often, the context is necessary to determine the best approach to dealing with a tip or suspicion, and it can provide clues that are helpful in other areas.
Efforts to understand the context should seek to obtain the initial facts and circumstances about:
- The manner in which the suspicions became known
- The date suspicions became known
- The areas to which the suspicions pertain
- The source of the information
- The allegations at issue
Review Any Applicable Policies and Procedures:
Those involved in the initial assessment must also review any applicable internal controls and organisational policies, including any anti-fraud auditing and testing policies and procedures, to determine the best method and processes for continuing the investigation.
Investigate the Allegations:
An initial assessment should be a limited, fact-finding analysis, and it should focus on investigating the specific allegation or incident. More specifically, to determine the appropriate response, the assessment should, if possible, seek to answer a number of questions, including:
- Is the allegation credible?
- Who is the subject of the allegation, and what is his relationship to the company?
- When did the alleged misconduct occur, and how often did it occur?
- What was the business purpose of the activity related to the allegation?
- How serious is the allegation?
- What levels of employees are alleged to be involved, if any, in the misconduct (i.e., officers, directors, or managers)?
- What individuals might have pertinent information about the matter that would tend to support or refute the complainant’s position, and what facts do these individuals purportedly know?
- Did any third parties receive any direct or indirect benefit from the misconduct, and if so, who are they?
- If a third party is involved, is the third party a government official?
- How was the matter recorded on the company’s books and records, if applicable?
- Can it be determined if the person in question acted with fraudulent intent?
- Is it possible that the issue might be larger than expected?
- Were there any whistleblowers, and if so, how should they be dealt with?
- What measures should the company take to document how the initial evidence of wrongdoing was handled?
- Is the government already involved, and if not, is it likely that the government will become involved?
- Is it likely that the matter will have significant negative impact on shareholder value?
These questions are important because the response should be proportional to the potential scale of the fraud in terms of its value, frequency, potential damage, the individuals involved, the number of people involved, and so on.
In addition, the decision as to the appropriate response might be influenced by other factors.
As with any business decision, the cost of conducting the investigation must be considered, and management might also consider whether an investigation will interrupt business activity.
- Contacting the source, if the investigation was triggered by a report or complaint
- Interviewing key individuals
- Reviewing key evidence
CONTACTING THE SOURCE:
If the evidence came in through a tip from an identified source, those responsible should contact the source to find out additional information and confirm the source’s willingness to help throughout the investigation. When contacting the source, the interviewer should encourage the complainant to provide a narrative description of the report. After the source provides the narrative, the interviewer should ask clarifying questions and then summarise the key points.
An interview with the source should seek to determine:
- What does the individual know?
- How did the individual get the information?
- Who were the key individuals involved?
- When did the alleged events occur (e.g., dates, times, and locations)?
- What are the details (e.g., who, what, when, where, why, and how much) of the allegations?
- What are the dates (or period) of the key events?
- What evidence exists to corroborate the alleged events, where is the evidence located, and how can the evidence be accessed?
- What witnesses can corroborate the alleged events?
- Which individuals might have pertinent information about the matter that would tend to support or refute the complainant’s position, and what facts do these individuals purportedly know?
- What was the motivation behind the alleged events?
- Why were the alleged actions improper?
- If the scheme is ongoing, do the subjects know of the complainant’s report?
- What is the complainant’s motivation for making the report (e.g., What prompted you to report this?)?
When interviewing the source, the interviewer should seek to determine if there is any reason to suspect the complainant’s credibility. Also, if there are any weaknesses in the complainant’s information, the interviewer should ask the complainant to explain what he expects the subject would say in defence of the allegations and ask the complainant to explain why such a response is not sufficient to dispose of the matter. Additionally, the interviewer should ask the source what he wants the organisation to do about the complaint. The response to such an inquiry will help the team focus its efforts.
INTERVIEWING KEY INDIVIDUALS:
Those responsible should interview key individuals for information about the suspicious conduct and the subject(s). Interviewing individuals with personal knowledge is critical. Also, they should interview witnesses as early as possible because it will limit the harm arising from loss of memory, witnesses becoming unavailable, and inadvertent loss or destruction of key evidence.
REVIEWING THE EVIDENCE:
Those responsible should review relevant documents and files, which might include personnel files, the organisation’s employee handbook, accounting records, vendor activity reports, budget reports, fixed asset records, expense reimbursements records, leasing documents, rental agreements, payroll records, purchasing requisitions, purchase contracts, inventory records, shipping/receiving reports, emails, telephone records, and so on.
Obtaining and reviewing these documents will assist in understanding the chronology of events and might put the responsible parties on notice as to certain strengths or weaknesses of the investigation.
Document the Reasons for the Decision:
To avoid any real or perceived downplay of the matter’s significance and to avoid any attempts at wilful blindness, those responsible should document their actions and findings.
In addition, management must document its decisions and the reasons behind them. Thus, if management decides against conducting an investigation, it must document the reasons why.
Again, management should document the organisation’s initial response in an incident report log that serves as a record of the organisation’s response efforts. Once a suspicion of fraud arises, the issue should be recorded and detailed in the log. As the issue progresses, the log should be modified and, ultimately, it should contain details of actions taken and conclusions reached.
The incident report log should contain all information relevant to or created during the initial response that is used to support management’s decision making.