Do you know the most appropriate way to respond to an allegation of financial crime in your organisation?
see https://www.fraudweek.com for complimentary resources from ACFE

Do you have a fraud response plan that you can refer to if an allegation of financial crime arrives on your desk? Is there someone in your organisation with the right skills, knowledge and resources to handle this for you? Yes? Congratulations, you are one of the fortunate few!

No? Well, here are a few tips on the do’s and don’ts for when that dreaded call comes in. You’ve been given responsibility to do an initial investigation into the matter and you are sat there thinking ‘so what’s next?’. These tips are not exhaustive, but they do cover the key areas which often cause particular challenges for organisations.

If an investigation goes wrong, it is usually in the first 48 hours, when the adrenalin is flowing, some knee-jerk reactions are made and the pressure is on to quickly establish the truth of what has or hasn’t happened. In the absence of a fraud response plan, being an avid fan of TV crime shows does not, unfortunately, mean that you have all the necessary skills to handle an investigation!

Don’t panic…

Take a breath. It can be helpful to note down everything that you have been told (ideally in an email back to yourself so it is date stamped). Start to calmly reflect on this information. Who or what was the source of the allegation? How credible are they? Could system data that suggests a fraud has taken place actually be incorrect or incomplete? Is there a risk that the allegation could be malicious? How serious are the potential implications if the allegation is true? Does the information at this stage just suggest a single person or more? Are external parties believed to be involved? Start building up a list of questions that will need to be answered as part of the investigation. And ultimately, what does the organisation want from the investigation? If the allegation or suspicion is found to be true, is there an appetite to pursue a criminal prosecution or civil recovery through the courts?

Minimise any further loss…

Assuming the allegation is true, what further loss could take place whilst an investigation is undertaken? What immediate actions should you take to minimise any such loss without the risk of alerting the suspect(s)? Delay making payments? Introduce an extra control? Reduce authority limits? Freeze access to systems? Freeze supplier / customer accounts? Assume the worst, get legal advice and take action.

Secure potential evidence…

What may be potential evidence in the case? Who holds the data? Third parties may also hold information that could be useful to you. Where and how is this potential evidence stored? Once you have taken appropriate legal advice (particularly around any GDPR implications), you may consider getting this potential evidence discreetly secured, without alerting the suspected fraudster. It is generally recommended not to turn on an internal suspect’s device at this stage to have an initial look at what is on there without having spoken to your legal team first. You could be inadvertently trampling over evidence, which may then make it inadmissible in any future court case.

Evidential sources that are often overlooked in my experience include building access records, CCTV footage, firewall history, e-signature records, data in procurement and CRM systems, data gathered from API calls, tender submission files, bank payment files, previous declarations of interest, training records and qualification certificates. So, don’t just think of the obvious sources of potential evidence, think broader and ‘out of the box’.

Obtain electronic records…

Given the current lockdowns and remote working, securing electronic information may be more challenging than normal. You’ll almost certainly need someone in IT to help secure files but who can be trusted to keep the case confidential? IT Directors rarely, in my experience, have the technical skills and / or access rights to secure potential evidence, so consider carefully who you inform and involve. If you are not fully confident that the member of IT assigned to help you is trustworthy, consider asking them for more data (on other employees, suppliers etc) than you need.

Protect any whistle-blowers…

In the UK, under the Public Interest Disclosure Act, workers are protected from any detrimental treatment or victimisation from their employer if, in the public interest, they blow the whistle on any actual or suspected wrongdoing, including financial crime. Hence it is vital that their identity remains confidential and steps are taken to protect them. Speak to your legal team for further advice on this. If the allegation involves an overseas subsidiary, then some countries such as Hungary already have relatively tough legislation to protect whistle-blowers. New EU legislation impacting all member states must be transposed into national law by December 2021, but your European markets may already have developed national legislation on this, so again get some local legal advice.

Tell the right people in the right order at the right time…

A key consideration is to decide who needs to be told, what they need to be told, why, when and by whom. I would recommend that you err on the side of caution and only share details of the case with a very select and trusted few at the initial stage of the investigation. Involving an appropriate member of the legal team will probably be one of your first steps, followed by an IT member of staff, and also an HR representative if any employees are suspected of involvement in the case. Also, if the case were to be leaked, is there a reputational risk? If so, consider briefing your Communications Director so that a statement is prepared and ready to be issued at short notice if needed. Support from your internal audit team (if you have one) will almost certainly help as, if nothing else, they will probably have some useful background information on the operations in the department(s) that the investigation may touch on. At the end of the investigation, you will want to consider who else needs to be informed. Regulators? Police? Suppliers? Customers? Shareholders? Investors? External auditors?

Decide which level of management to escalate this to and when…

A common mistake is to actively involve senior staff at an operational level from day 1. Assuming the worst, if the alleged fraud is proven and an internal disciplinary hearing is held, you will need someone independent and senior to the chair of that disciplinary to hear any potential appeal. If the alleged fraudster is a senior executive, then you may need to inform the Chair of your Board, in which case could another Board member be involved in the initial hearing and the Chair kept at arm’s length so that they are free to chair any appeal?

Get external help if needed…

Cases at a very senior level or cases that are particularly complicated or sensitive in nature may need external forensic resources. This can help with any challenges around independence and confidentiality, as well as bringing technical forensic skills that may be lacking internally, particularly around securing and scrutinising data.    

Learn from this…

As you progress through your investigation, although establishing what has or hasn’t happened is your priority, do not forget to gather the information that will help to establish the root cause of your fraud. All frauds have 3 key ingredients – the motivation and rationale will be provided by your fraudster, but organisations provide the opportunity. So, what went wrong in your control environment that provided the opportunity for the fraudster to succeed? Applying the ‘5 whys’ as you progress with your review will help you to get to the true root cause and to not just report back on the alleged fraudster, but also to highlight what control weaknesses need to be addressed.

And finally, consider tasking the right person with drafting a fraud response plan that can be used in the future. Communicate it to the appropriate people and consider having it as an app on the company phones so people aren’t scrabbling around for papers or files on computers.


I hope these tips help. Do remember it is always helpful to take legal advice as the circumstances of every suspected fraud are different and there is no ‘one size fits all’ when it comes to dealing with these cases. And do get in touch with me if you would like any assistance with preparing your response plans and dealing with allegations. 

Look out for further articles on protecting your organisation from fraud and other financial crime.
