Workshop on Fraud Investigation

Fraud
Investigations
NRC WORKSHOP | ICAP HOUSE, LAHORE
JANUARY 13, 2018
Northern
Regional Committee

Agenda
Description Timing
Module 1: Introduction and context 9:30 am – 10:15 am
Module 2: Common factors in reported frauds and local perspective 10:15 am – 11:00 am
Module 3: Perpetrator behavioral analysis 11:00 am – 11:30 am
Break: Tea 11:30 am – 11:45 am
Module 4: Fraud investigations 11:45 am – 12:30 pm
Module 5: Conducting fraud interviews 12:30 pm – 12:55 pm
Module 6: Report writing 12:55 pm – 1:15 pm
Break: Namaz and lunch 1:15 pm – 2:15 pm
Panel discussion: Forensic audit of housing societies 2:15 pm – 3:15 pm
Closing remarks by Chairman NRC 3:15 pm – 3:30 pm
Fraud Investigation Workshop | NRC, ICAP Lahore | Presenters: Zeeshan Shahid and Asad Ismail
2

“Fraud and falsehood only dread
examination. Truth invites it.”
Samuel Johnson, English poet
“At any given moment,
there is a percentage of our
population that is up to no
good.”
- J. Edgar Hoover, Former
Director of FBI
“Corruption, embezzlement,
fraud, these are all
characteristics which exist
everywhere. It is regrettably
the way human nature
functions, whether we like it
or not. What successful
economies do is keep it to a
minimum. No one has ever
eliminated any of that stuff.”
- Alan Greenspan, Former
Chairman, Federal Reserve
3

Module 1
INTRODUCTION AND
CONTEXT
4

“
”
Fraud is an intentional or
deliberate act to deprive
another of property or
money by deception or
other unfair means.
THE ASSOCIATION OF FRAUD EXAMINERS
Occupational fraud and abuse is defined as “the use of one’s occupation for personal enrichment
through the deliberate misuse or misapplication of the employing organization’s resources or
assets”.
The Institute of Internal Auditors defines fraud as “Any illegal acts characterized by deceit,
concealment or violation of trust. These acts are not dependent upon the application of threat of
violence or of physical force. Frauds are perpetrated by parties and organizations to obtain
money, property or services; to avoid payment or loss of services; or to secure personal or business
advantage.”
5

Fraud perpetrator dimensions
Type 1
•Wrongdoing
perpetrated by an
individual acting
alone where the
principal benefit
goes to the
individual.
Type 2
•Wrongdoing
perpetrated by
more than one
individual acting
collusively, where
the principal
benefit goes to the
individuals or the
organization.
Type 3
•Wrongdoing
perpetrated by an
outsider against the
organization, where
the principal
benefit goes to the
third party.
6

Types of fraud
Internal fraud
• Corruption
• Asset misappropriation
• Financial statements fraud
External fraud
• Customer frauds
• Vendor frauds
• Security breaches
• IP theft
Fraud against individuals
• ID theft
• Ponzi schemes; MLM schemes
• Phishing scams
7

The fraud tree
Occupational fraud and abuse classification system
8

Fraud frequency
7.6%
33.4%
86.7%
9.0%
36.8%
85.4%
9.6%
35.4%
83.5%
0% 20% 40% 60% 80% 100%
Financial statement fraud
Corruption
Asset misappropriation
Percentage of cases
Typeoffraud
2016
2014
2012
Source: 2016 ACFE Report to the Nations on Occupational Fraud & Abuse
9

Why does fraud
occur?
The best and most widely
accepted model for
explaining why people
commit fraud is the fraud
triangle. Developed by Dr.
Donald Cressey, a
criminologist whose research
focused on embezzlers—
people he called “trust
violators.
10

The fraud triangle
Pressure
•Motivates crime
•Financial problem (personal / professional) unable to be solved by legitimate means
•Examples: Inability to pay bills/debt; Need to meet earnings / productivity targets; materialistic desires
Opportunity
•Defines the way crime can be committed
•Control weakness or some other opportunity allows abusing a position of trust without perceived risk of getting
caught
Rationalization
•Vast majority of fraudsters are first time offenders. They perceive themselves as ordinary, honest people caught in
bad set of circumstances
•Consequently, fraudster must justify the crime to himself in a way that makes it an acceptable or justifiable act
•“I was only borrowing money”; “I was underpaid, my employer cheated me”; “My employer deserves it.
11

The fraud diamond (food for
thought)
The fraud diamond
The three-pronged
framework expanded by
capability
12

How are the frauds identified?
In light of 2016 ACFE Report to the Nations on Occupational Fraud & Abuse
13

Initial detection of occupational
frauds
 Top three methods by which frauds are discovered by
organizations are (in order of significance):
 Tip (anonymous reports or complaints, formal complaints
etc.
 Accidental discoveries, sometimes through management
review
 Internal audit
 As per 2016 ACFE Report to the Nations, tips account
for initial detection in 39.1% of fraud cases reported by
respondents
14

Source of tips
15

Formal reporting mechanisms
used by whistleblowers
1.5%
9.8%
16.7%
23.5%
34.1%
39.5%
0% 5% 10% 15% 20% 25% 30% 35% 40% 45%
Fax
Other
Mailed letter / Form
Web-based / Online form
Email
Telephone hotline
Percent of tips
Formalreporting
mechanismused
16

Best practices for enhanced fraud control
Prevention, Deterrence, and detection
PhotobyarvinfebryonUnsplash
17

Anti-fraud better practices
 Training
 Fraud reporting mechanism
 Tone at the top / Code of
conduct
 Internal audit / Surprise
audit
 Data mining (proactively
looking for anomalies)
 Anti-fraud controls
 Segregation of duties
 Safeguard of assets
 Management authorization
and review
 Job rotation
 Mandatory vacation
 Background checks / Due
diligence
 Disciplinary actions
18

Whose responsibility is it anyway?
Fraud detection: Role of different stakeholders
Fraud Investigation Workshop | NRC, ICAP Lahore | Presenters: Zeeshan Shahid and Asad IsmailPhotobyNeONBRANDonUnsplash
19

Responsibilities for detection of
fraud
Responsibility
for detection
Board
and
manage
ment
External
audit
Internal
audit
20

Board and management
 Primary responsibility for fraud prevention
 Responsible for ensuring appropriate policies
and procedures are implemented in the
organization.
 Developing and maintaining an adequate
system of internal control as well as
maintaining accounts, records, and books
that accurately and fairly record and
represent company transactions are statutory
obligations.
 COSO principle: The organization considers
the potential for fraud in assessing risks to the
achievement of objectives.
PhotobyBenjaminChildonUnsplash
21

Internal audit
 International Standards for the Professional Practice of
Internal Auditing (IPPF Standards) require:
 1210.A2 Internal auditors must have sufficient
knowledge to evaluate the risk of fraud and the
manner in which it is managed by the organization…
 2120.A2 The internal audit activity must evaluate the
potential for the occurrence of fraud and how the
organization manages fraud risk.
 2210.A2 – Internal auditors must consider the
probability of significant errors, fraud, noncompliance,
and other exposures when developing the
engagement objectives.
 Additionally other IPPF Standards also include fraud,
including standards relating to role of internal audit in
evaluating organization’s ethics and values.
PhotobySamuelZelleronUnsplash
22

External audit
 ISA 240: an auditor conducting an audit in
accordance with ISAs is responsible for obtaining
reasonable assurance that the financial statements
taken as a whole are free from material
misstatement, whether caused by fraud or error.
 Due to significant inherent limitations in case of
misstatement from fraud, particularly management
fraud, auditor is responsible for maintaining
professional skepticism throughout the audit,
considering the potential for management override
of controls.
 Auditor is expected to identify and assess the risks of
material misstatement due to fraud and design
procedures to detect such misstatement.
PhotobyHelloquenceonUnsplash
23

Wrap-up
 Fraud is any and all means a person uses to gain an
unfair advantage using deception to make personal gain
for oneself / create a loss for another.
 In corporate environment, fraudulent activity usually
violates the perpetrator's fiduciary duties to the victim(s).
 Fraudulent activity, by its very nature, does not lend itself
to being scientifically observed holistically or measured in
an accurate manner.
 Primary responsibility for fraud prevention rests with the
Board and management. Both internal and external
audit are required to consider risk of fraud in designing
and conducting their respective audits.
24

Module 2
COMMON FACTORS IN
REPORTED FRAUDS
25

Surveys of reported frauds
(2016 ACFE Report to the Nations)
2,410
Cases
114
Nations
Most trends in
Reported Frauds
ReportBasis
1)
Fraud
Schemes
Types
2)
Perpetrator
Characteristi
cs
3)
Similar anti-
fraud controls
regardless of
where the
fraud
occurred
26

Selected findings
 The industries with the greatest number of reported fraud cases
are financial services, manufacturing, and government & public
administration - around 36.1%.
 On other side, the lowest frequency of fraud cases included in
communications and publishing (0.7%)
 The industries with the largest reported median losses are mining
and wholesale trade
 Fraudulent financial reporting fraud was less than 10% of frauds
studied, but had a much larger average loss of $975,000
 Corruption schemes were 35% of the frauds and had a median
loss of $200,000
27

Selected findings (cont’d)
 Asset misappropriations are the most common type of fraud
representing 83% of the frauds reported and had average losses of
$125,000
 Asset misappropriations are the most common type of fraud
representing 83% of the frauds reported and had average losses of
$125,000
 The median occupational fraud lasted 18 months and cost $150,000
 Typical organization loses nearly 5% of annual revenues to fraud.
 In 94.5% of the cases the perpetrator made efforts to conceal the
fraud, most common concealment method being creating /
altering physical documents.
 The most common detection method in our study was tips (39.1% of
cases),
28

 Collusion results in significantly larger fraud losses and makes
fraud harder to detect as perpetrators can bypass internal
and anti-fraud controls.
 The study revealed that high-level perpetrators cause the
greatest damage to organizations because the higher the
perpetrator's level of authority, the greater fraud losses tend
to be.
 While owners and executives accounted for 19% of the
frauds, the median loss from owner and executives was
$703,000. Managers committed 37% of the frauds and had a
median loss of $173,000. Employees perpetrated 41% of
frauds but the median loss of their frauds was $65,000
29

 Organizations of different sizes tended to suffer differing fraud
activities. Corruption was more prevalent in larger organizations,
while check tampering, skimming, payroll & cash larceny
schemes were more common in small organizations
 In 40.7% of cases, the victim organizations decided not to refer
their fraud cases to law enforcement
30

Characteristics of reported
frauds
Fraud perpetrators
83% of the fraud perpetrators had
never been punished or terminated
by an employer for fraud-related
conduct and only 5% had previously
been convicted of fraud.
Prior to the fraud, more than 88% of
the perpetrators had never been
charged or convicted for a fraud-
related offense. This finding is
consistent with prior ACFE studies.
Most fraudsters work for their
employers for years before they
perpetrate a fraud.
A great deal of time and effort is
expended in efforts to recover
the misappropriated assets, often
with little success. About 58% of
the organizations studied did not
recovered any of their fraud
losses. Only 12% recovered all
the stolen money.
31

32

Anti-fraud efforts: What works
and what doesn’t
 2016 ACFE Report to the Nations on Occupational Fraud and Abuse contains a
"fraud factors' checklist that companies may use to evaluate and mitigate fraud
risks
 Code of professional controls alone are insufficient to prevent occupational fraud
fully. Though it is important for organizations to have strategic and effective anti-
fraud controls in place, internal controls will not prevent all fraud from occurring,
nor will they detect most fraud once it begins. However, anti-fraud controls help
reduce the cost and duration of occupational fraud schemes.
 Victimized companies that utilized the following controls had significantly lower
losses and shorter duration frauds:
 Anonymous reporting mechanisms
 Code of Professional Conduct
 Independent audit committee
 Effective internal audit
 Independent audits of the organization's internal controls over financial statements
 Management certification of financial statements and management reviews
 External audits
 Management proactive data monitoring and analysis
33

Anti-fraud best practices
 Conducting fraud training for managers, executives, and employees. Staff
members are an organization's top fraud detection method; employees
should be trained in what constitutes fraud, how it hurts everyone in the
company, and how to report any questionable activity.
 Employee support programs. Generally the more significant pressures that
motivates employees to commit fraud stem from 'financial challenges' that
they perceive a way to overcome. Emotional issues, such as low morale and
job dissatisfaction, also provide motivation for fraud. Programs geared
towards giving employees support in such situations has been found to lessen
the instances of fraud.
 Anti-fraud policies. Policies should be put into place to deter, prevent, and
detect fraud. These policies should be designed to inform employees as well
as to increase their perception of detection.
 Organizations should require periodic job rotations at operational level.
34

Anti-fraud best practices
(cont’d)
 Ongoing employee monitoring and understanding fraud risk factors and
warning signs more likely to identify ongoing fraud than pre-employment
background checks and screening.
 Fraud reporting mechanisms are a critical component of an effective fraud
prevention and detection system. Such reporting mechanisms should allow
anonymity and confidentiality, and employees should be encouraged to
report suspicious activity without fear of reprisal.
 Anonymous tips by employees / staff: Occupational frauds are much
more likely to be detected by an anonymous tip by employees / staff
than by any other means. Organizations that implemented hotlines to
receive tips from both internal and external sources experienced frauds
that were 50% less costly, and they detected frauds 50% more quickly
than those without them.
 Tips and fraud hotlines have historically been the best way to uncover
fraud.
35

Wrap-up
 On the basis of 2,410 cases studied by Certified Fraud Examiners
(ACFE) of 114 nations revels that trends in frauds are Fraud
Schemes, Perpetrator Characteristics and similar anti-fraud
controls regardless of where the fraud occurred.
 The largest reported median losses are in mining and wholesale
trade sectors with greatest number of frauds reported in financial
services, manufacturing and government & public administration.
 Survey shows that 83% of the fraud perpetrators were never been
punished by their employer(s) and more than 88% were never
charged for fraud-related offense. Hence, 58% of the organizations
did not recovered their fraud losses.
 Code of professional controls, alone, are insufficient to prevent
occupational fraud however anti-fraud controls help to reduce
the cost and duration of occupational fraud schemes.
 Anti-fraud activities include Fraud Trainings, Reporting
Mechanisms, Employee support programs, Anti-fraud policies,
Understanding fraud risk factors and Warning signs.
36

Module 3
PERPETRATOR
BEHAVIORAL ANALYSIS
37

Who are the fraudsters?
PhotobyMalikEarnestonUnsplash
38

Characteristics of fraudsters
 How do fraudsters act? What do they look like “on the
surface”?
 What are some of the characteristics of fraudsters?
What are they like “beneath the surface”?
 Let’s brainstorm!
39

Typical Fraudster –
On the Surface
Long-time employee
Position of trust
Might not take vacations
Appears to be extremely
dedicated
Unexplained cash or other
wealth
PhotobyHuntersRaceonUnsplash
40

Typical Fraudster –
Beneath the
Surface
Gambler, entrepreneurial in
risky endeavors
Drug or alcohol problem or
other substance abuse,
Behavioral changes
Dubious character
Hostility to management
General disenchantment with
compensation
PhotobyAldricRIVATonUnsplash
41

Position of perpetrator -
Frequency
$65,000
$173,000
$703,000
$104,000
40.9%
36.8%
18.9%
3.4%
0%
5%
10%
15%
20%
25%
30%
35%
40%
45%
$0
$100,000
$200,000
$300,000
$400,000
$500,000
$600,000
$700,000
$800,000
Employee Manager Owner / Executive Other
Medianloss
Position of perpetretor
Position of Perpetrator—Frequency and Median Loss
Median Loss Percentage of cases
Source: 2016 ACFE Report to the Nations on Occupational Fraud & Abuse
42

Who is the most damaging
fraudster?
43

“
”
Overall, a little more than three-
fourths (76%) of occupational
frauds came from seven key
departments: accounting,
operations, sales, executive/upper
management, customer service,
purchasing, and finance.
2016 ACFE REPORT TO THE NATIONS
Focused fraud risk assessment helps in inventorying,
analyzing and remediate fraud risks.
44

Profiling fraudsters
 Researchers have compared the psychological and
demographic characteristics of white-collar
criminals and the general public noted:
 White-collar criminals mirror the general public in terms
of education, age, religion, marriage, length of
employment, and psychological makeup. In other
words, there are few characteristics that can be used
to try to distinguish white-collar criminals from the
general public.
 Fraud triangle is the prerequisite:
45

Unpacking the triangle
46

Fraud triangle - Example
Secretary who stole £4m from her Bosses
in London
Motivation
 Seems Joyti originally started down her
fraudulent path because of financial
difficulties she found herself in before joining
the Bank. She had previously run her own
sandwich bar business, which was closed
down due to issues from finances.
 According to her defense, her first bitter
experience of financial turmoil coincided
with novel introduction to a world where
huge, unthinkable amounts of money stared
her in the face, day in and day out.
 The motive behind the fraud was primarily
greed. She has admitted that she did not
steal because she needed to, but because
she could. She first started taking money
simply to find out if she could get away with
it. She says that it became ‘a bit addictive’
and that she ‘got a huge buzz from knowing
my victims had no idea what I was doing.’
 Joyti, a secretary at a prestigious
investment bank was convicted of
stealing GBP 4.4 million from personal
accounts of multiple MDs (her bosses)
without them noticing over approx. 2
year period. She would add to the
fund transfer instructions her bosses
had signed and by forging the
signatures outright.
 She used the stolen money to fund an
extravagant lifestyle, buying luxury
cars, properties in Britain and Cyprus,
designer jewelry. She paid off her
debts from a failed business and her
mother's mortgage.
 She constructed a web of lies to gain
trust and conceal her thefts, including
claims that she suffered from cancer
and had been beaten by her
husband.
47

Fraud triangle – Example
(cont’d)
Opportunity
 In terms of opportunity, Joyti’s bosses trusted her and held her in high regard. She had
proved herself indispensable, on both business and personal fronts, and was given
access to their cheque books in order to settle their domestic bills and personal
finances.
 A little over a year after starting at the bank, she began forging her bosses’ signatures
on personal cheques to make payments into her own accounts. Realizing she had got
away with it, she continued to steal money by issuing forged cheques and making false
money transfers. Before long she was forging signatures on a string of cash transfer
authorities, siphoning off up to £2.5 million at a time from supposedly secure New York
investment accounts.
Rationalization
 She rationalized her actions by convincing herself that she had earned the money she
stole. She believed that she deserved the plundered amounts as a just reward for her
dedication, discretion and loyalty, and claimed that she had the consent of her bosses
to take money in return for her ‘indispensable services’. The fact that they were so rich
they did not even notice the money was missing, only served to fuel her fraudulent
activities. She justified her actions through the belief that her bosses had cash to spare.
48

Understanding fraudulent
behavior
Fraud Rationalizations by White Collar
Criminals
Factors (Incentives and Opportunities)
contributing the perpetrators in committing
fraud
• Everyone else is doing it, so it can't be
that wrong.
• They owe it to me for the work I do.
• I occupy an important position and am
above the rules.
• I am taking no more than what is
rightfully mine.
• No one will ever know.
• I am borrowing the money and will pay it
back.
• You'd understand if you knew how badly
I needed it.
• What I did was not that serious.
• No clear definition of what is ethical and
what is not
• Too much trust in certain key employees
• Collusion with other employees.
• Ability to override controls.
• Incompetent supervisory personnel.
• Inattention to granular details and
presumption that others have done their
job.
• Inadequate staffing.
• Lack of training.
49

Understanding fraudulent
behavior (cont’d)
Most common behavioral Red Flags
identified by the ACFE
Some interesting factors re fraud based on
surveys
• Living beyond their means
• Experiencing financial difficulties
• Unusually close association with vendors
or customers
• Exhibiting control issues or an
unwillingness to share data
• Wheeler-dealer attitude
• Divorce or other family problems
• Irritability, suspiciousness, or
defensiveness
• Addiction problems
• Past employment-related problems
• Refusal to take vacations
• Most perpetrators spend all of their ill-
gotten gains.
• Once perpetrators start the fraud, it is
very hard for them to stop.
• Perpetrators generally become more
confident in their schemes grow careless
/ overconfident / greedier / increase the
amounts they take over time.
• Most employee fraud involves the theft
of assets
• Executive / upper management fraud
involves the overstatement of assets or
revenues / corruption.
50

Fraud impact contributors
Fraudster’s level of
authority
Time the fraudster has
worked for the victim
organization
Collusion - number of
Fraudsters
Executives - FS Fraud/
Corruption
Junior staff - Asset
Misappropriation
Factors
influencing
economic losses
due to fraud
51

Wrap-up
 Fraudulent activity may be analyzed in terms of the ‘Fraud Triangle’ effects
– Pressure, Opportunity & Rationalization. Most organizations focus on
‘Opportunity’ aspect predominantly / exclusively in assessing fraudulent
activities
 Factors contributing to perpetrators in committing fraud include lack of
ethical tone at top, too much trust in certain employees, ability to override
controls, incompetent supervisory personnel, inattention to granular details,
inadequate staffing, etc.
 Fraud perpetrators exhibit ‘Red Flags like : experiencing financial or
personal difficulties, living beyond their means, unusually close association
with vendors /customers, repeated control issues and tend to manifest odd
behaviour traits like wheeler-dealer attitude, suspiciousness or defensiveness
when asked on trivial matters, refusal to take vacations, etc.
 Fraud perpetrators tend to justify their dishonest action with their personal
views of integrity. The common examples of fraud realization include:
 Everyone else is doing it, so it can't be that wrong.
 They owe it to me for the work I do.
 I occupy an important position and am above the rules.
 I am borrowing the money and will pay it back.
 You'd understand if you knew how badly I needed it.
52

Module 4
FRAUD
INVESTIGATIONS, A
PRACTICAL
APPROACH
53

Key points
 A fraud investigator needs solid business operations
insight as well as accounting expertise.
 In fraud investigations, perpetrator's identity is often
suspected / known. The job of the fraud auditor is to
prove that the perpetrator's actions resulted in
fraud.
 There usually are no transaction trails for the actual
activity perpetrated (no smoking guns) and clues to
fraud cases usually come from small, seemingly
insignificant inconsistencies in records, data,
suspect's speech or actions.
54

Objective of fraud
investigation
 Fraud investigator needs to gather and analyze necessary
evidence required by a management and/or legal authorities
to determine the facts and circumstances surrounding the
fraud / suspected fraud. The investigation may include legal
advisors.
 A fraud investigation seeks to answer the following questions:
 Who did it?
 Why did he/she did it?
 How did they gain from the fraud? What assets were taken and
how were they converted into benefits?
 How, when and where was the fraud perpetrated and
concealed?
 What is the extent of losses?
 Were any laws broken?
55

The Fraud Audit / Investigation
Process
Brainstorming
•Identify parties,
investigation
parameters and risks as
input to the plan.
Planning:
•Thorough planning
determines focus and
helps manage the
investigation
Collection phase:
•Information gathering in
a forensically sound
manner
Evidence gathering
through analyses:
•issue-tailored analyses
performed to obtain
evidence
Reporting and
closure:
•Reporting of findings
Analyze data;
create and
test hypothesis
Refine and
amend
hypothesis
Problem recognition and definition
56

Identification of Parties
• Parties involved
• Engaging management
• Relevant Stakeholders and
oversight
Other Considerations
• Regulatory and legal
requirements
• Privilege
• Data Privacy
• Insurance
Preliminary Scoping and
Restrictions
• Extent of matter
• Geographic and business
locations
• Technical and Data restrictions
• Risk and restrictions
A
B
C
Scope acceptance
• Independence and conflict
checks
• Management considerations
• Scope considerations
D
01. Initiation
Identify parties, investigations
parameters and risks as inputs
into the plan
Purpose and Strategy
• Relevant issues and
hypotheses (for investigation)
• Forensic strategy, tactics and
techniques
• Potential outcomes
• Interim remedies
• Business predicaments
Establish Project
Management
• Timing, priorities,
dependencies and milestones
• Budget and Finance
• Workplan and Workstreams
• Work protocols and project
cadence
• Case management
• Evidence trackers, Forensic log
Skills and Resources
• Necessary knowledge
• Non-forensic specialists
• Geographical locations
Data Preservation and
Retention
• Legal notices and preservation
• Protocols for data collection
and retention
• Accessibility, chain of custody
and multi purpose use of data
A
B
C
D
Communication
• Communication protocols and
confidentiality
• Stakeholder management
• Triage protocols
• Reporting routines and
progress updates
E
02. Planning
Adequate preparation determines
the focus of the investigation as
well as assists in managing it
Information landscape
• Planning collection of relevant
information sources (data,
documents, human)
• Forensic rigor and evidence
trail (preserve, secure, extract
and process)
• Regulatory or legal
requirements
Third party information
• Plan
• Collect
• Report
Hardcopy documents
• Plan
• Collect
• Report
• Retain
A
B
C
Human information
• Plan
• Collect
• Report
• Retain
D
E
Electronic information
• Plan
• Collect
• Process
• Report
• Retain
03. Gathering of information
Information gathering with a view
towards Forensic due process
A
B
C
D
Information (data) analysis
• Develop and document rules,
tests and sets
• Linking to Hypotheses and
lines of enquiry
Financial analysis
• Perform Financial Analysis
• Completeness and accuracy
Non-financial analysis
• Electronic data review
procedures
• Hard copy data review
• Third-party information
• BIS results review
• Chronology analysis
• Visual analyses
• Information consolidation
Triangulation of information
• Hypotheses testing
• Verbal declarations
• Perceptions from interviews
• Weighing contradictory
evidence
• Principles of analyses
E
Evaluation of work
performed
• Summary of findings
• Confirm findings
• Assess adequacy of findings
04. Analysis & interpretation
Different types of analyses
(tailored to the issues investigated)
are to be performed to obtain
evidence
A
B
C
Reporting
• Type of report
• Reporting (use and format)
• Managing (large) reports
• Quality review procedures
• Country specific
• Distribution
Enforcement and Regulators
• Respond to requests
• External reliance
• Access to working papers
Litigation
• Dispute and court conditions
• Witness/testimony preparation
D
Root cause analysis and
remediation
• Identify other specialists
• Determine remediation needs
(if any)
E
Project wrap-up
• Closure coordination
• Financial closure
• Logging and archiving
• Debrief
05. Reporting & closure
Reporting of findings and use of
report, including project closure
Identification of Parties
• Parties involved
• Engaging management
• Relevant Stakeholders and
oversight
Other Considerations
• Regulatory and legal
requirements
• Privilege
• Data Privacy
• Insurance
Restrictions
• Extent of matter
• Geographic and business
locations
• Technical and Data restrictions
• Risk and restrictions
A
B
C
Scope acceptance
• Independence and conflict
checks
• Management considerations
• Scope considerations
D
01. Initiation
Identify parties, investigations
parameters and risks as inputs
into the plan
Purpose and Strategy
• Relevant issues and
hypotheses (for investigation)
• Forensic strategy, tactics and
techniques
• Potential outcomes
• Interim remedies
• Business predicaments
Establish Project
Management
• Timing, priorities,
dependencies and milestones
• Budget and Finance
• Workplan and Workstreams
• Work protocols and project
cadence
• Case management
• Evidence trackers, Forensic log
Skills and Resources
• Necessary knowledge
• Non-forensic specialists
• Geographical locations
Data Preservation and
Retention
• Legal notices and preservation
• Protocols for data collection
and retention
• Accessibility, chain of custody
and multi purpose use of data
A
B
C
D
Communication
• Communication protocols and
confidentiality
• Stakeholder management
• Triage protocols
• Reporting routines and
progress updates
E
02. Planning
Adequate preparation determines
the focus of the investigation as
well as assists in managing it
Information landscape
• Planning collection of relevant
information sources (data,
documents, human)
• Forensic rigor and evidence
trail (preserve, secure, extract
and process)
• Regulatory or legal
requirements
Third party information
• Plan
• Collect
• Report
Hardcopy documents
• Plan
• Collect
• Report
• Retain
A
B
C
Human information
• Plan
• Collect
• Report
• Retain
D
E
• Plan
• Collect
• Process
• Report
• Retain
03. Gathering of information
Information gathering with a view
towards Forensic due process
A
B
C
D
• Develop and document rules,
tests and sets
• Linking to Hypotheses and
lines of enquiry
Financial analysis
• Perform Financial Analysis
• Completeness and accuracy
• Electronic data review
procedures
• Hard copy data review
• Third-party information
• BIS results review
• Chronology analysis
• Visual analyses
• Information consolidation
• Hypotheses testing
• Verbal declarations
• Perceptions from interviews
• Weighing contradictory
evidence
• Principles of analyses
E
Evaluation of work
performed
• Summary of findings
• Confirm findings
• Assess adequacy of findings
04. Analysis & interpretation
Different types of analyses
(tailored to the issues investigated)
are to be performed to obtain
evidence
A
B
C
Reporting
• Type of report
• Reporting (use and format)
• Managing (large) reports
• Quality review procedures
• Country specific
• Distribution
Enforcement and Regulators
• Respond to requests
• External reliance
• Access to working papers
Litigation
• Dispute and court conditions
• Witness/testimony preparation
D
Root cause analysis and
remediation
• Identify other specialists
• Determine remediation needs
(if any)
E
Project wrap-up
• Closure coordination
• Financial closure
• Logging and archiving
• Debrief
05. Reporting & closure
Reporting of findings and use of
report, including project closure
57

Brainstorming
 Objective:
 To identify relevant parties,
 Understand and confirm scope, and
 initiate the investigation based on initial understanding.
58

Identify parties
 Confirm the parties involved
 Understand their role and activities related to the
allegations
 Identify stakeholders of the investigation report and
understand their objectives from the exercise.
 Identify team members to assist in the engagement.
Identify resources, internal or external to assist in the
investigation.
59

Restrictions
 Confirm the initial extent of the matter (the alleged issue, the objective)
 Determine what investigative work, if any, has already been completed
and by whom.
 Scope should be agreed upon with the management and their
attorneys/legal counsel, if applicable. It is also important to note that the
scope of the investigation may change as the investigation progresses.
 Confirm the geographic and business locations where the forensic
engagement will take place (noting any possible restrictions).
 Confirm data sources and technologies from which we may need to
collect data, including local and hosted sources, hard copies, and
archives.
 Identify risks and restrictions, such as timing constraints and context of the
investigation (part of a regulatory action, management led or board
oversight activity). Some preliminary thoughts may include: who is aware of
the investigation and what activities, if undertaken, could undermine the
investigation (and avoid these).
60

Identify other relevant attributes
 Identify regulatory and legal requirements that could impact
how the scope is planned. Advise management on pre-
investigation topics for discussion (e.g., handling employees
under investigation, communication protocols, etc.).
 Determine the privilege requirements of the engagement.
Privilege is extremely important as it generally protects
information that is discussed or uncovered during the course of
the investigation. The attorneys/legal counsel on the case should
be consulted about privilege and how to maintain it throughout
the course of the investigation. Be aware that management is
generally inexperienced in dealing with investigations and may
not have given sufficient regard to privileged considerations.
 Confirm data privacy requirements and advise management on
data preservation risks.
61

Scope acceptance
 Evaluate information from the initial scoping to determine
whether we are able to move forward with the plan.
 Understand that the problem statement is clearly defined
with known expectations from the procedures
 Consider whether there are any public interest, press or
political risks associated with the engagement and
evaluate how these risks might be mitigated.
 Distill all information and understanding obtained for
engagement plan.
 Evaluate the need for any contractor agreements for
experts, if required.
62

Planning
 Planning is essential to help ensure that the investigation has clear
objectives and that the strategy aligns with the objectives.
Investigations, by nature, can grow rapidly and lead an investigation
team in many directions - therefore it is important that each step in the
investigation process is properly considered in terms of what is going to
be completed and what will be achieved.
 Planning enables the investigation team to answer critical questions:
 What are the engagement’s objectives?
 What are the fraud hypotheses which are to be tested?
 What is the engagement strategy (i.e., what actions must be taken to achieve
the objectives)?
 What is the progress towards achieving our objectives during the engagement?
 Have we achieved our objectives at the conclusion of the engagement?
 What other service providers may we be working with on this engagement (e.g.,
Counsel, discovery service providers, etc.) and have we defined the roles and
responsibilities of each party (and evaluated related direct and indirect
marketplace business relationships)?
63

Planning (cont’d)
 The work plan needs to be cognizant of specific
jurisdictional issues, as well as specific limitations or
requirements that are unique to the area. When
planning an engagement and preparing to
formulate a work plan, the following issues should be
considered:
 Issues surrounding or inherent in the facts of an
investigation
 Management's needs
 Nature of the evidence/information to be collected
 Professional standards and regulatory/legal standards
64

Define purpose and strategy
 The first step in the planning phase is to determine the purpose of the
investigation, as well as, the strategy to be used. Usually the purpose
and approach is preliminarily determined during the engagement
initiation/brainstorming phase and detailed in the scope. The approach
is further detailed in an investigation strategy (i.e., the engagement
work plan).
 Relevant issues and hypothesis (for investigation): Identify the matters that are
understood to be of relevance to the management - what is it that we are
investigating.
 Forensic strategy, tactics and techniques: Our approach to testing the issues
and hypotheses (e.g., 'overt/covert,' data universe, interview number/style,
independent or company aligned, adversarial or non-adversarial, civil or
criminal, potential for internal conflict of interest, privilege considerations).
 Potential outcomes: Stakeholder/audience analysis (e.g., regulator, litigation
(civil or criminal), defamation risk; issues that will influence the reporting style;
impact analysis - "Have you thought about where this may end up?")
 Interim remedies: Discuss with the management whether interim remedies are
considered necessary.
 Business predicaments: Impact on business as usual (e.g., senior
management, disclosure to market). Be aware that these assessments will
likely change over time / as evidence unfolds.
65

Establish project management
 There’s a well known quote often used in project management literature: “A
poorly planned project will take three times longer that the original plan. A
well-planned project will only take twice as long.”
 Project management is of utmost importance, especially when performing
large and/or cross border investigations. Project management includes the
following elements:
 Setting up project management roles and responsibilities
 Establishing work protocols for the team
 Designing the work plan – What are the engagement objectives? What is
the strategy to achieve the engagement objectives? What are the roles
and responsibilities in the strategy?
 Monitoring progress of the activities in the work plan
 Revising the work plan based on the progress and new information (if
needed).
 Communicating progress
 Managing production of deliverables – what report(s) and/or other
deliverables will the management require and when?
66

Establish project management
 A work plan allows the investigation team to do the following:
 Establish timing, priorities, dependencies and milestones.
 Identify the necessary skills and resources required to conduct the
investigation.
 Schedule sufficient time for the work to be completed. Assess the
financial considerations (budget, billing, limitations).
 Assure that the management has provided sufficient access to relevant
individuals and information.
 Establish work streams that support the delivery methodology in a
structured way - connected to the strategy, tactics and techniques,
while remaining cognizant of potential outcomes.
 Create documentation logs and evidence trackers.
 Establish the method and regularity of reporting.
 The content of the work plan and the structure of the investigation team into
work streams highly depends on the size and nature of the investigation.
67

Identify and obtain necessary
skills and resources
 The staffing should be primarily driven by specialization and experience. The
strongest teams combine highly specialized skills in the areas of corporate
investigations, accounting, laws and regulations, technology, data analytics,
discovery, and public record research, among others.
 As noted during the initiation / brainstorming phase, information should be
obtained to determine the issues that are to be investigated to assess which
skills and resources are required. While planning the necessary skills and
resources, the following should be considered:
 Identify skill gaps that require subject matter specialists who may not
necessarily be forensic specialists (e.g., counsel, valuation professionals,
and tax accountants).
 Be mindful of geographical and location-specific requirements and
constraints (e.g., physical security, visas, language, culture, travel costs).
 Collaborate with non-forensic third parties as necessary. The types of
non-forensic professional services can vary from attorneys to tax experts
to even pharmacists. As previously mentioned, ensure the roles and
responsibilities of third parties are clearly defined.
68

Use of non-forensic professionals
 When considering the use of non-forensic professionals,
consideration should be given to:
 The increased risk exposure to the company if we recommend or engage
contractors who through their actions, whether within the terms of their
engagement or not, may place the company at risk of litigation or cause
damage to reputation.
 The capability, reputation, and integrity of the professional contractors.
 Monitoring and supervision over the professional contractors during an
engagement and the means by which clear division of responsibility and risk is
to be achieved.
 How the use of a particular non-forensic service provider will affect the risk
profile of the investigation, and the extent to which we are able to control it
and if so, how?
 Whether particular elements of the investigation are so critical/unique that it
cannot be adequately addressed without the input of a non-forensic
professional.
 Cost/benefit considerations as using a non-forensic service provider may
present a lower cost option (providing the same professional output levels).
69

Manage data preservation and
retention
 Data preservation and retention requires detailed planning and
usually requires specific skills and resources. The investigation
team should make sure that these skills and resources are
engaged when planning the data preservation and retention.
While planning the data preservation and retention, the
following should be considered:
 Engage data preservation and retention specialists and inform about
details of the investigation.
 Obtain a detailed understanding of the IT environment (including the
relevant sources of evidence).
 Liaise with management / counsel to ensure transparency on
responsibility for legal matters. Document key risks (e.g., data privacy,
data transfer, data accessibility).
 Manage protocols for data collection and retention and ensure that
the protocols are agreed to with stakeholders.
 Given the relevant legal and regulatory environment, consider how
data can be secured, accessed, handled and used.
70

Communication
 Being able to successfully communicate with
management is important to any project’s success -
especially large projects, where there may be multiple
work streams across several locations. Below are key
factors:
 Ongoing communication
 Communication protocols and confidentiality
 Reporting routines and progress updates
 Stakeholder management
 Triage protocols
71

Collection phase
 Objective: To assemble relevant evidence in order to focus the investigation, and readily identify
issues with respect to information gathering.
 The investigations team should work with the management to set expectations with respect to the
deliverable(s).
 The investigation team globally often utilize Discovery specialists to aid in the collection of data, as
their expertise in discovery will be able to provide the preservation, collection, processing, hosting,
review, and production expertise for data subject to the investigation. It is highly recommended that
the team engages Discovery specialists and Data Analytics specialists when gathering (digital)
information. There is a formal Discovery methodology with procedures for details on preserving,
collecting, processing, hosting, reviewing, and producing data.
 Hardcopy and electronic documents may be obtained, created, copied, stored, or transmitted by
the investigation team, and produced to third parties during the course of an investigation. It is
therefore vital to consider local regulations and laws, as well as company’s own policies.
 Begin the investigation "at the end" - consider what the engagement deliverable will be, what
information the deliverable will contain, and work backwards to determine how and where the team
will obtain the needed information. Once issues are identified, consideration can then be given to
time, costs, and budgets which is a continuous process.
72

Scope of collection phase
Hardcopy information
Human information
73

Understand the information
landscape
 Determine how best to obtain the different types of data, considering
legal constraints, cross border and resource planning and capacity,
and timing (how, when and where).
 If collecting electronic hardware, confirm with the IT Asset Register to
confirm custodian allocation of hardware.
 Determine the degree of forensic rigor required and identify the
evidence trail (preserve, secure, extract and process). Consider how
best to safeguard evidence.
 Consider case management requirements (provision, tracking and
retrieval of documents, version control).
 Many multi-national organizations maintain separate GLs across their
business. In these cases, it is helpful to understand the differences
between systems, reconciliation issues, reliability of data, and how
investigative analyses may differ from country to country.
74

Consider “chain of custody”
 Assess the quantity of evidence to be obtained, the format (electronic,
paper, boxed, loose, etc.) and the particular jurisdictional requirements
for maintaining the continuity of possession, also known as “chain of
custody.” Retention requirements should also be considered.
 Regulations regarding collection and retention of evidence vary among
jurisdictions. However, it is always advisable to maintain a record of the
chain of custody in any investigation, regardless of the method utilized.
The chain of custody for an investigation may be documented in detail
or at a higher level in other work plans.
 Employ the use of a searchable document index. High-level information
relevant for the particular issues of the investigation should be captured,
such as:
 Type of document (e.g., e-mail, GL detail, hard copy)
 Source
 Dates (e.g., creation date, date received, date signed, termination
date).
 Other known key engagement information (e.g., target vendor,
contractor or individual)
75

Collect third party information
 Collection of third-party information can help investigation teams
uncover and assess data obtained from external databases, local
public records and a network of contacts. Specifically in
investigations, this information can assist in obtaining a more
comprehensive understanding of the background of the individual
or group as well as locating assets or persons.
 Based on the objectives and scope, develop a plan for obtaining
information from different types of databases and gaining access to
them and other third party sources, including social media.
 It is important to ensure that the objective of the data gathering is
clear which includes what types of events or activities are of
interest.
 Information often researched includes: background and adverse
media checks, affiliations with persons or groups, litigation history,
appearance on watch lists, etc.
76

Collect electronic information
 Technology has become more integrated into daily life
and more so in business activity, the need for gathering
and working with digital evidence has increased. Failure
to adequately document the steps taken to sample,
test, inspect, reconcile or verify eDiscovery processes
could result in court-imposed sanctions for multinational
organizations and failure in achieving investigation
objectives for local entities.
 Types of electronic information include and are not
limited to: emails, text messages, instant and other
electronic correspondence; financial records; internet
history; deleted files and other temporary or auto
recovery files.
77

(cont’d)
 Engage with Discovery professionals.
 Define the scope and objectives for the Discovery
team as well as identify and resolve non-technical
issues.
 Other possible considerations must be made for:
 The nature of the IT environment.
 Privacy issues that may impact what data can be
examined / obtained.
 Legal or professional privilege or other related issues that
may impact the acquisition process.
 The authority under which the evidence is to be
acquired.
 Develop plan to collect, process and produce various
types of electronic information.
78

(cont’d)
 Collect data so that it is admissible. Electronic and
documentary evidence are subject to the same rules. For
example but not limited to:
 Minimal handling of the original.
 Account for change.
 Comply with the rules of evidence.
 Do not try and examine the data in a new manner or in a way
that is beyond your current level of knowledge / skill.
 Define the process for converting data into a format
conducive to analysis.
 Retain and safeguard data.
 For external service providers, should management request
that all existing documentation be delivered to them and
destroyed with no copy to be maintained by the practice,
the request must be documented officially and own legal
input should be obtained.
79

Collect hard-copy information
 Investigations almost always require collection of hardcopy documentation. As
with collection of electronic data, the chain of custody of the collection is
imperative.
 Develop plan for collecting documents..
 It is important to determine tagging, labeling, transport and storage mechanisms
for collected data.
 Detailed information on how the data is collected is essential if the evidence is
used in court.
 It is also important to consider the following:
 Physical space required to hold these documents.
 Time required to hold these documents.
 Digitalization.
 Security, safeguarding and access to the documents.
 Retain and safeguard data for the agreed timeframe taking into account legal
requirements.
 For external service providers, should management request that all existing
documentation be delivered to them and destroyed with no copy to be
maintained by the practice, the request must be documented officially and own
legal input should be obtained.
80

Gather human information
 The decision of when to interview witnesses or suspects depends on the ultimate
goal of the management as well as the availability of other
information/evidence, the availability of the people to be interviewed, etc.
 Document and data collection interviews support existing information by
providing investigators with an understanding of the interviewee and his/her
objectives.
 Regardless of whether they provide new information, an interviewee is able to
reference, support, deny, or acknowledge the evidence at hand. Interviews also
provide a trained interviewer with the opportunity to identify deceptive behaviors
or subject matters that require further inquiry.
 Plan for interviews by defining the purpose of the interview and determining
whether it is process or purpose driven, as well as identifying interviewers and
interviewees. It is important that the interviewer understands the desired
outcome of the interview.
 It is helpful to identify themes / areas that one would like to cover and approach
during the interview. These should be listed in a chronological order if
appropriate. In doing this, may even be possible to draft interview questions and
prepare reference documents to accompany them. However, interviewers
should consider being flexible to allow the interviewee to expand on specific
topics.
81

Gather human information
(cont’d)
 Being prepared for an interview can often be the difference between
a good or bad interview. Interview binders are often prepared to
ensure that the interview outline is well thought out and considers all
available information and that there are proper references between
the supporting documentation and the interview outline.
 Retain and safeguard data for the agreed timeframe. Where the
engagement involves a regulatory authority, any specific
documentation requirements of the regulatory body are also
considered. In the event that there are no local / regulatory
requirements for the retention of working papers, the investigation
leadership should establish the process and timeline of retention.
 For external service providers, should management request that all
existing documentation be delivered to them and destroyed with no
copy to be maintained by the practice, the request must be
documented officially and own legal input should be obtained.
82

Evidence gathering through
analyses
 The objective of the analysis and interpretation phase is to
analyze the information that was collected during the
gathering information stage to assist in proving or disproving
the fraud hypotheses and to ultimately arrive at a factual
conclusion.
 It is important to revisit the key characteristics of the
investigation based on initial understanding.
 Before completing any analysis, the team should assess the
credibility, completeness, and accuracy of the source
documentation. Many times, electronic and even non-
electronic information can be incomplete and inaccurate due
to intentional or unintentional reasons.
 While completing the analysis it is important to remember two
important concepts: professional skepticism and information
bias.
83

 Before any information can be analyzed, it is necessary to define what analyses will be
completed on the different data sets (also depends on the matter being investigated). In the
planning stage, the general tests that were to be performed were discussed (e.g., testing of
transactions within the commissions account) and agreed upon. Now that the team has
gathered and performed a preliminary review of the documentation provided they should:
 Develop and document rules, tests and sets.
 Perform transaction selection.
 Link to hypotheses and lines of enquiry.
 Though the data to be analyzed during an investigation comes from a variety of sources, at its
core it can be broadly broken down into two categories:
 Financial
 non-financial.
 Both types of data (and the relationships between them) should be analyzed carefully to
determine whether there is evidence that proves or disproves the hypotheses. Data Analytics
expertise may be needed to assist with developing/performing the tests to ensure that any
documentation is reviewed efficiently.
84

Financial analysis
 Dependent on the type of investigation, financial data may help the
engagement team to support or disprove their hypotheses. Because every
investigation is different, the type of financial data needed to analyze and the
analyses performed will differ.
 In order to appropriately design financial analysis procedures, it is important for
the engagement team to understand the business and its financial processes.
 Some procedures that may be performed on financial data include (again the
applicability will depend on the allegations):
 Relationship Testing: Looking for relationships between subsets of financial data and analyzing whether the
relationships make sense (e.g., if sales increase, it would make sense that the marketing expenses increase as well).
 Journal Entry Analysis: Understanding the flow of funds through a company’s books and records. This may entail
understanding which accounts were involved and where transactions were booked.
 Account/Accounts Payable Analysis: Calculating how much money was deposited or withdrawn from a specific
account or how much money was paid to a specific vendor/individual/third party.
 Accounting/Finance Procedures: Performing ordinary accounting/finance procedures, such as calculating
gross/net income, tax obligations, etc.
85

 While the analysis of financial information is generally important in the course of
an investigation, it is also important to analyze non-financial information. Non-
financial data can simply be defined as all information that is not of a financial
nature. This includes but is not limited to emails, company memos,
policies/procedures, attendance records etc.
 The following list contains some representative worksteps that may be conducted
when reviewing non-financial evidence:
 Analysis of statements/information obtained from witnesses
 Verify the accuracy of the information provided against other supporting documentation and
information provided by other interviewees.
 Identify inconsistencies in information provided by witnesses.
 Review of business intelligence search results: Discuss results, identify any red flags, and
assess whether any additional intelligence gathering is necessary.
 Testing Against Policies and Procedures: Review transactions in the context of a
company’s policies and procedures to determine whether transactions were in
compliance with said policies and procedures.
 Review of Email Correspondence: Use search terms to analyze email correspondence.
May want to involve a Discovery professional in this process.
86

Non-financial analysis (cont’d) –
Tips to remember
 Develop the picture emerging from evidence viewed and identify new areas of
enquiry.
 Be aware of the fact that a finding of fact is only as strong as the evidence relied
upon.
 Do no make assumptions of fact in assessment of evidence.
 Develop questions to test the robustness of the finding, logic of finding, level of
comfort that can be taken from relevance and completeness of information,
consideration of other interpretations, and strength and probability of such
interpretations.
 Determine alternative views and interpretations.
 Inconsistent evidence should be critically examined in order to sort out
inconsistencies.
 All relevant and complete evidence should be given equal consideration.
87

 Once the various types of data have been analyzed, the next step in the
investigation process is to triangulate all of the information and come to a
conclusion on your hypotheses.
 There are many different ways to manipulate information so that it is easier to
digest and easier to triangulate. Two of the most popular ways are:
 chronological and
 visual analyses.
 Chronological analysis involves creating a timeline of key dates/events and visual
analysis involves creating visual depictions of the data analyzed and relationships
between pieces of data.
 Ultimately, all of the information that is triangulated needs to support the
conclusion of whether the hypotheses were proved or disproved. The analysis
process should be clearly documented, so that anyone with or without
knowledge of the engagement, should be able to clearly determine how we
derived our results.
88

Evaluate work performed
 Once the conclusions have been reached and before the
report is written, it is important to evaluate the work performed
to determine whether all hypotheses have been
tested/investigated properly and thoroughly and to ensure
that the evidence corroborates the findings. This last point is
extremely important, as the factual evidence should support
the findings and the findings should not be based on an
opinion.
89

Reporting and closure
 Module 6 will cover report writing in details
90

Enforcement and regulators
 Respond to requests from government authorities, banks and
insurance companies.
 Provide access to the report to third-parties who were not
originally contemplated when the report was issued but should
have access, via an access letter.
 Provide access to working papers to external auditors, via an
access letter.
91

Prepare for potential litigation
 The reports, letters and affidavits may result in being used as evidence. Thus
quality of all documentation must remain consistent and be adequate to
withstand scrutiny.
 It is possible that during an investigation some personnel from the Investigation
team may receive legal notices or visits from police/other authorities where they
are required to provide information and/or documentation. In such instances, it is
recommended to refer all such queries to the leadership.
 In the event personnel are required to provide testimony, they may be required
to assist the court by providing the facts verbally. The testimony should preferably
be factual.
 Time should be made for sufficient preparation which may include meetings with
Counsel as well as other third parties (i.e., experts). Corroborating and supporting
documents should also be readily available during the testimony process.
92

Perform root cause analysis, if
required
• Drill further down into underlying causes that required the investigation. Engage specialists, if
required
• It is common to provide recommendations in the report which can vary depending on the
investigation. The types of recommendations may include:
• remedial recommendations to help the management recover from financial or other loss;
• Operational recommendations and
• Additional investigative procedures on specific issues identified.
• In the event that remediation recommendations are needed, it is important to work with the
management and / or counsel to determine what additional information is needed.
• Assess the costs and benefits associated with remediation processes to help the
management prioritize implementation
• Design a remediation implementation plan
• Consider change management requirements
• Implement continuous monitoring tools
• Determine and follow leadership reporting protocols
• Test implementation effectiveness at defined intervals
93

Project closure
 Coordinate project closure by setting up a sequence of
activities (e.g., return of documentation, assets, access
passes).
 It is important that engagement files are complete and
conclusive for internal quality review purposes as well as third
party reviews.
 Perform financial closure, if applicable.
 Log and archive files and work papers in a systematic manner
so that documents / issues can easily be identified.
94

Wrap-up
 Fraud investigator gather and analyze the necessary evidence required by
management and legal authorities.
 Fraud investigator answers the questions like extent of fraud and monetary
value, when & where the fraud take place along with violation of specific
laws.
 Fraud investigations follow a sequence of activities that initiate with
brainstorming and planning, follow through with information collection and
analysis and concludes with identification of findings and giving
recommendations.
 The process can be iterative and may lead to additional findings.
 The information collected and used need to be obtained, stored and
released based on strict traceable protocols to ensure the report withstands
scrutiny
 Link to fraud examination checklist sample by ACFE is included below.
http://www.acfe.com/uploadedFiles/ACFE_Website/Content/documents/s
ample-documents/fraud_examination_checklist_sample.pdf
95

Fraud example
Unauthorized production in pharmaceutical company
96
Photobyfreestocks.orgonUnsplash

Fraud example
Management fraud in a fast food chain
97
PhotobyStephanieMcCabeonUnsplash

Fraud example
SWIFT fraud in a bank
98

Fraud examples
Audience engagement – 3 practical examples in participants’ experience
99
PhotobyKellySikkemaonUnsplash

Module 5
CONDUCTING FRAUD
INTERVIEWS
100

Interviewee types
Type of interviewee Description
Cooperative Overly helpful and the investigator must carefully
determine their motives. Do the interviewees have a
sincere desire to help, are they trying to get even
with the suspect / direct attention away from
themselves as a suspect?
Neutral Open, objective, no hidden motives or agendas.
They have nothing to gain or lose from the interview
and are usually the most helpful and objective of all
the interviewees.
Reluctant Often associated in some way with the suspect or
the crime. They are the most difficult to interview and
normally should be interviewed without prior notice.
The element of surprise makes it harder for hostile
interviewees to prepare defenses.
101

102Possible reasons for reluctance
in interviews (apart from being
involved in the fraud)
Embarrassed / Shy
Some interviewees may be
embarrassed to share certain
information with the interviewer
or may feel uncomfortable in
the setting of the interview
room. Some interviewees also
are uncomfortable with sharing
information they consider to be
rumors that may ruin a person's
reputation.
Fear
Some people may be afraid
of having own
shortcomings/ issues
unrelated to fraud being
highlighted and hence fear
leads them to be
uncooperative or even
hostile to the interviewer.
Retribution
Fear to be labeled as
snitches or get innocent
people in trouble. They
may feel that they have
everything to lose and
nothing to gain by
cooperating
Memory
When a person is not directly
involved in an event, the person
may not remember details or the
order in which the events took
place, especially if a sufficient
amount of time has passed.
Interviewing Fraud Victims
When the fraud is brought to light,
most victims go through stages of
'Cycle of Acceptance' - denial, then
anger, rationalization, depression,
(bargaining) and finally acceptance.

Managing interviews (human
info gathering process recap
and additional information)
 Carefully plan the interview so as to maximize the information received and
minimize the time conducting it.
 Determine in advance exactly what kinds of information you want to obtain
from each person interviewed.
 Determine in advance as many facts as possible about the fraud and the
person being interviewed. e.g., age, marital status, education, attitude toward
the investigation, and anything else that could affect the interview.
 Determine when to conduct the interview. If the interviewee is believed to be
cooperative or neutral, set up an appointment.
 Allocate more than enough time to conduct each interview.
 Interview everyone as soon as possible because time causes memories to
fade.
 Select venue where interviewee is comfortable - like interviewee's place of
business. Also because there is greater access to any needed papers, books,
or people.
103

Managing interviews (cont’d)
 For interview look for a room where distractions from colleagues and
telephones can be eliminated or minimized.
 Select a room that is as bare as possible- get a full view of the body posture
and movements of the individual being interviewed. Sit four to five feet away
from the interviewee.
 Interview one person at a time and inform each interviewee ahead of time of
any information that will be needed in the interview.
 Control the interview. Do not allow interviewees to wander, get you
sidetracked, confuse the issue, or not answer important questions. Try not to be
so controlling, however, that unexpected important information from the
interviewee is missed.
 Conduct the interview in a professional manner. Remember that you are
seeking the truth, not trying to get a confession or a conviction.
 Ask short questions that are clearly and easily understood.
 Concentrate on the interviewee's answer rather than the next question you
plan to ask. Make sure you understand the answer before you continue.
104

Managing interviews (cont’d)
 Avoid asking close questions i.e. those with yes-or-no answers; instead, ask open questions that
require narrative answers. Require the person to give a factual basis for all her conclusions.
 Only if critical use close / leading questions that suggest part of the answer to close any point
which interviewee is reluctant to close.
 Be courteous, respectful, and polite, and do not talk down to the person. Be friendly, but
maintain a professional distance. Be sympathetic, where appropriate, and tell the person that
anyone might have done the same thing she did if the circumstances were the same.
 Preference is not to take notes during the interview as this makes it more difficult to
concentrate on the person being interviewed and her reaction. Prefer to tape (either audio or
video) the interview with permission.
 Fraud investigators should not be hesitant to ask company employees in their interviews if they
have any reason to believe that someone at the company is committing a fraud.
 Many more people than you might expect will come forward and tell about fraud when they
are asked point-blank by an investigator. It is also amazing how many perpetrators will admit
their guilt when they are confronted with evidence, or suspicion, of their wrongdoings.
105

106
Interviewing suspects –
Additional considerations
 The suspect is usually the last person(s) the investigator
interviews / interrogates.
 An investigator cannot be too careful in this interrogation
as the information obtained from suspect and in fact
strength of resulting case may depend heavily on a
confession / evidence from suspect.
 The interrogation should preferably be conducted when:
 as much information as possible has been gathered from
sources other than the suspect;
 for evidence that only the suspect can provide; and
 investigator is able to control the time, place, and subject
matter of the interrogation.

Module 6 REPORT WRITING
107

Reporting and closure
 To report findings from the investigation that are
synthesized and analyzed into meaningful and
actionable recommendations, and can withstand
scrutiny from third-parties, courts of law, and other
regulatory bodies.
108

Key activities
 Prior to determining the format of the report consider:
 The audience (i.e., Board of Director, Management,
Counsel, Court of law etc). This will help ensure that
the report includes information relevant to the
stakeholders for example, the Board of Directors
would be keen to have an executive summary,
management more focused on operational
implications whilst counsel would be interested to
identify any potential findings that may or may not
lead to criminal or civil action; and
 The intended use of the report (i.e., could it be used
for litigation purposes or is it only for internal use).
109

Key activities (cont’d)
 Discussions early on in the engagement will facilitate planning
for the reporting phase of the engagement
 The various types of reports include letter reports, full format
reports, and PowerPoint presentation reports. All formats
have their own pros and cons which should be considered
on a case by case basis.
 Where a report includes multiple / complex investigations, is
cross border / jurisdiction, multi-teams and has numerous
authors, extra consideration at the onset of the investigation
must be provided to the report.
110

The structure of the report should be agreed early
on. Typically, it should include:
 an investigation background,
 summary of procedures and findings,
 detailed procedures followed,
 findings,
 restrictions related to the use and distribution of the
report,
 recommendations for remedial actions as
appropriate.
 Exhibits supporting findings
 On large engagements collaboration tools, regular
communications and general project management
should be considered to ensure a quality report.
111

 Based on the engagement focus and who will be using
and viewing the report, consider appropriateness of
visualization, need for translation, and degree of
formality.
 Define and follow quality review procedures.
 Consider any geographic-specific factors related to the
report. Consider the use of a matrix that defines the
specific requirements by country (e.g., the Netherlands
requires client acknowledgement and the person being
investigated must receive the report first with an
opportunity to provide comments).
112

Helpful templates
 ACFE gives two primary forms of reporting templates:
o The long form spells out the details of what examination
techniques the fraud examiner intends to follow;
http://www.acfe.com/uploadedFiles/ACFE_Website/Conte
nt/documents/sample-documents/sample_report.pdf
o The short form is simple and is not written in detail like
long form.
http://www.acfe.com/uploadedFiles/ACFE_Website/Conte
nt/documents/sample-
documents/Fraud%20Examination%20Report-short.pdf
113

Recap of key learnings
Wrap up of workshop
114
PhotobyJoãoSilasonUnsplash

Suggested supplementary reading
 http://bit.ly/2EvZ9jl
Jul-Sep 2014
Published Oct 2014
115

Presenters
Zeeshan Shahid
Forensic and Consulting
Professional
Asad Ismail
Advisory and Assurance
Professional
116

Panel
discussion
FORENSIC AUDIT OF
HOUSING SOCIETIES
117

”
“SECP has provided a list of 1,846 registered housing
societies including 440 in Karachi, 656 in Islamabad,
45 in Peshawar, and 705 in Lahore; however, there
are almost a total of 5100 registered housing societies
working across Pakistan,” adding that there are also
more than 35,000 unregistered and illegal housing
societies.
ANONYMOUS FIA OFFICIAL, PAKISTAN TODAY, JULY 25, 2017
An excerpt from the media coverage to share the sheer
enormity of the task.
118

Thank You
119
This communication contains general information only, and none of the authors, by means of this
communication, are rendering professional advice or services. The authors will not be responsible for
any loss whatsoever sustained by any person who relies on this communication.
© 2018.

Workshop on Fraud Investigation

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Workshop on Fraud Investigation

Similaire à Workshop on Fraud Investigation (20)

Plus de Zeeshan Shahid

Plus de Zeeshan Shahid (9)

Dernier

Dernier (20)

Workshop on Fraud Investigation