Tag Archives: Engagement Management

When You Assume

by Rumbi Petrozzello
2018 Vice President – Central Virginia ACFE Chapter

On November 8, 2007, in the small town of Constantine, Michigan, 11-year-old Jodi Parrack was reported missing. Residents from the surrounding region volunteered to search for the missing girl, including Ray McCann, a police reservist. During the search, Ray suggested to Jodi’s mother, Valerie, that they should search for Jodi in the local cemetery. Valerie and Ray did so and, tragically, found her daughter there; she had been murdered.

Almost immediately, Ray came under suspicion. His reaction to Jodi’s death appeared to some of the investigators to be suspicious and why had he suggested that he and Valerie go to the cemetery, of all places, to look for Jodi? Then, during their subsequent investigation, the police found Jodi’s DNA on Ray’s body; according to Ray this was because he had pulled Valerie away from Jodi when he and her mother discovered the child’s body.

For years, Ray was under suspicion. He was brought in for questioning by the police on multiple occasions, and his answers, as far as the police were concerned, were not particularly convincing. He claimed to have been in one place and the police said that there was proof that he was not there. Seven years after Jodi’s murder, Ray was arrested and charged with perjury, related to the answers he had originally given the police; this seems to have been a tactic the police employed to hold him while they continued to try to gather enough evidence to charge him with Jodi’s murder.

While Ray was being held and facing from two to twenty years behind bars, another girl was attacked; she fought back, escaped and led the police to another man, Daniel Furlong. It turned out that Furlong’s DNA had been found on Jodi’s body during the original investigation as well as Ray’s and yet, the police had persisted in focusing solely on Ray. It was also revealed that the authorities were not honest when they told Ray that they possessed evidence Ray was lying. All the police really had was a deeply held conviction that Ray was being deceptive, leading to their determination to somehow develop evidence to validate that feeling.

By the time Ray was released after spending 20 wasted months of his life behind bars, he had lost his job, his family and the trust of the community in which he lived and which he had hoped someday to serve.

As Fraud Examiners and/or Forensic Accountants, we are engaged to investigate alleged wrongdoing and to follow up on leads as we work to resolve often confusing and contradictory matters. As we seek evidence, interview people and try to figure out what happened and who did what, it can be all too easy to make the mistake of viewing a red flag as somehow constituting proof. If someone giggles when they’re telling you they know nothing; if a person taps her foot throughout an interview, or if someone is extremely helpful, none of those things in themselves means anything definitive in resolving the question as to whether or not they have done anything wrong, let alone illegal.

Professional skepticism is a CFE’s tendency not to believe or take anyone’s assertions at face value, a mental tendency to ask every assertion to “prove it” (with evidence). The inevitable occurrence of confusion, errors and deception in all situations involving actual or suspected fraud dictates this basic aspect of professional skepticism. Persuading a skeptical CFE or forensic accountant is not impossible, just somewhat more difficult than persuading a normal person in an everyday context. Our skepticism protects the Ray McCann’s of this world because it’s a manifestation of objectivity, holding no special concern for preconceived conclusions on any side of an issue. Skepticism is not an attitude of being cynical, hypercritical, or scornful. The properly skeptical investigator asks these questions (1) What do I need to know? (2) How well do I know it? (3) Does it make sense?

Professional skepticism should lead investigators to appropriate inquiry about every clue involving seeming wrong doing. Clues should lead to thinking about the evidence needed, wringing out all the implications from the evidence, then arriving at the most suitable and supportable explanation. Time pressure to complete an investigation is no excuse for failing to exercise professional skepticism and bias and prejudice are always unacceptable. Too many investigators (including auditors) have gotten themselves into trouble by accepting some respondent’s glib assertion and stopping too early in an investigation without seeking facts supportive of alternative explanations.

A red flag means only that further investigation is warranted; it definitely does not mean that the examiner should shut down all other avenues of investigation and it certainly does not mean that an attempt should ever be made to make the crime fit the person. In the sad case of Ray McCann, the police continued to pursue him to the exclusion of all others even though they had found someone else’s DNA on Jodi’s body. They never appeared to be even looking for any other suspect. Even when Daniel Furlong subsequently confessed to murdering Jodi, the local authorities still persisted in implying that Ray was somehow connected to the crime; in the face of all contradictory evidence, the police still stubbornly refused to let go of their original hypothesis.

As we pursue our work as forensic accountants and fraud examiners, we should be constantly reviewing our hypotheses and assessing our approaches.

• Are we trying to make evidence fit the facts as we initially suppose them to be?
• Are we ignoring evidence because it does not fit the story we’re trying to tell?
• Are we letting a particular person’s behavior cloud a more objective judgment of the totality of what’s going on?

Often, even after a person has been cleared of suspicion in a case, we hear parties involved in the investigation make statements along the lines of, “I just know they are good for something.” Fortunately, our practice is not founded on feelings and gut instincts; our practice, and profession, is one that relies on evidence. As you’re investigating a matter, keep in mind:

• Following your defined process and procedure throughout is paramount to investigative success. Even if someone or some aspect of a case looks totally transparent within the context of the investigation, be thorough and follow your evidence all the way through.

• If your findings do not support your original premise, don’t try to force things. Step back and ask yourself why this is the case. Ask yourself if you need to reconsider your foundational hypothesis.

• Beware of confirmation bias – that is be careful that you are not looking only for data that reinforces the conclusion(s) that you have already reached (and, in so doing, ignoring anything that might prove contradictory).

• Even if your team is determined to work the assignment in a particular direction, make sure you speak up and let them know about any reservations you might have. You may not have the popular position, but you may end up expressing the critical position if it turns out that there is other evidence in light of which the conclusions the team has made need to be adjusted.

In summary, when you feel it in your gut and you are absolutely sure that you are right about a hypothesis, it’s very difficult to look beyond your conviction and to see or even consider other options. It’s vital that you do so since, as the ACFE has pointed out so many times, there is a hefty price to be paid professionally for ignoring evidence which eventually proves to be critical simply because it appears not to corroborate your case. Due professional care requires a disposition to question all material assertions made by all respondents involved in the case whether oral or written. This attitude must be balanced with an open mind about the integrity of all concerned. We CFEs should neither blindly assume that everyone is dishonest nor thoughtlessly assume that those involved in our investigations are not ethically challenged. The key lies in the examiner’s attitude toward gathering the evidence necessary to reach reasonable and supportable investigative decisions.

Finding the Words

I had lunch with a long-time colleague the other day and the topic of conversation having turned to our May training event next week, he commented that when conducting a fraud examination, he had always found it helpful to come up with a list of words specifically associated with the type of fraud scenario on which he was working.  He found the exercise useful when scanning through the piles of textual material he frequently had to plow through during complex examinations.

Data analysis in the traditional sense involves running rule-based queries on structured data, such as that contained in transactional databases or financial accounting systems. This type of analysis can yield valuable insight into potential frauds. But, a more complete analysis requires that fraud examiners (like my friend) also consider unstructured textual data. Data are either structured or unstructured. Structured data is the type of data found in a database, consisting of recognizable and predictable structures. Examples of structured data include sales records, payment or expense details, and financial reports. Unstructured data, by contrast, is data that would not be found in a traditional spreadsheet or database. It is typically text based.

Our client’s employees are sending and receiving more email messages each year, retaining ever more electronic source documents, and using more social media tools. Today, we can anticipate unstructured data to come from numerous sources, including:

• Social media posts
• Instant messages
• Videos
• Voice files
• User documents
• Mobile phone software applications
• News feeds
• Sales and marketing material
• Presentations

Textual analytics is a method of using software to extract usable information from unstructured text data. Through the application of linguistic technologies and statistical techniques, including weighted fraud indicators (e.g., my friend’s fraud keywords) and scoring algorithms, textual analytics software can categorize data to reveal patterns, sentiments, and relationships indicative of fraud. For example, an analysis of email communications might help a fraud examiner gauge the pressures/incentives, opportunities, and rationalizations to commit fraud that exist in a client organization.

According to my colleague, as a prelude to textual analytics (depending on the type of fraud risk present in a fraud examiner’s investigation), the examiner  will frequently profit by coming up with a list of fraud keywords that are likely to point to suspicious activity. This list will depend on the industry of the client, suspected fraud schemes, and the data set the fraud examiner has available. In other words, if s/he is running a search through journal entry detail, s/he will likely search for different fraud keywords than if s/he were running a search of emails. It might be helpful to look at the ACFE’s fraud triangle when coming up with a keyword list. The factors identified in the triangle are helpful when coming up with a fraud keyword list. Consider how someone in the entity under investigation might have the opportunity to commit fraud, be under pressure to commit fraud, or be able to rationalize the commission of fraud.

Many people commit fraud because of something that has happened in their life that motivates them to steal. Maybe they find themselves in debt, or perhaps they must meet a certain goal to qualify for a performance-based bonus. Keywords that might indicate pressure include deadline, quota, trouble, short, problem, and concern. Think of words that would indicate that someone has the opportunity or ability to commit fraud. Examples include override, write-off, recognize revenue, adjust, discount, and reserve/provision.

Since most fraudsters do not have a criminal background, justifying their actions is a key part of committing fraud. Some keywords that might indicate a fraudster is rationalizing his actions include reasonable, deserve, and temporary.

So, even though the concepts embodied in the fraud triangle are a good place to start when developing a keyword list, it’s also important to consider the nature of the client entity’s industry and the types of payments it makes or is suspected of making. Think about the fraud scenarios that are likely to have occurred. Does the entity do a significant amount of work overseas or have many contractors? If so, there might be an elevated risk of bribery. Focus on the payment text descriptions in journal entries or in work delated documentation, since no one calls it “bribe expense.” Some examples of word combinations in payment descriptions that might merit special attention include:

• Goodwill payment
• Consulting fee
• Processing fee
• Incentive payment
• Donation
• Special commission
• One-time payment
• Special payment
• Friend fee
• Volume contract incentive

Any payment descriptions bearing these, or similar terms warrant extra scrutiny to check for reasonableness. Also, examiners should always be wary of large cash disbursements that have a blank journal payment description.

Beyond key word lists, the ACFE tells us that another way to discover fraud clues hidden in text is to consider the emotional tone of employee correspondence. In emails and instant messages, for instance, a fraud examiner should identify derogatory, surprised, secretive, or worried communications. In one example, former Enron CEO Ken Lay’s emails were analyzed, revealing that as the company came closer to filing bankruptcy, his email correspondence grew increasingly derogatory, confused, and angry. This type of analysis provided powerful evidence that he knew something was wrong at the company.

While advanced textual analytics can be extremely revealing and can provide clues for potential frauds that might otherwise go unnoticed, the successful application of such analytics requires the use of sophisticated software, as well as a thorough understanding of the legal environment of employee rights and workplace searches. Consequently, fraud examiners who are considering adding textual analytics to their fraud detection arsenal should consult with technological and legal experts before undertaking such techniques.

Even with sophisticated data analysis techniques, some data are so vast or complex that they remain difficult to analyze using traditional means. Visually representing data via graphs,  link diagrams, time-series charts, and other illustrative representations can bring clarity to a fraud examination. The utility of visual representations is enhanced as data grow in volume and complexity. Visual analytics build on humans’ natural ability to absorb a greater volume of information in visual rather than numeric form and to perceive certain patterns, shapes, and shades more easily than others.

Link analysis software is used by fraud examiners to create visual representations (e.g., charts with lines showing connections) of data from multiple data sources to track the movement of money; demonstrate complex networks; and discover communications, patterns, trends, and relationships. Link analysis is very effective for identifying indirect relationships and relationships with several degrees of separation. For this reason, link analysis is particularly useful when conducting a money laundering investigation because it can track the placement, layering, and integration of money as it moves around unexpected sources. It could also be used to detect a fictitious vendor (shell company) scheme. For instance, the investigator could map visual connections between a variety of entities that share an address and bank account number to reveal a fictitious vendor created to embezzle funds from a company.  The following are some other examples of the analyses and actions fraud examiners can perform using link analysis software:

• Associate communications, such as email, instant messages, and internal phone records, with events and individuals to reveal connections.
• Uncover indirect relationships, including those that are connected through several intermediaries.
• Show connections between entities that share an address, bank account number, government identification number (e.g., Social Security number), or other characteristics.
• Demonstrate complex networks (including social networks).

Imagine a listing of vendors, customers, employees, or financial transactions of a global company. Most of the time, these records will contain a reference to a location, including country, state, city, and possibly specific street address. By visually analyzing the site or frequency of events in different geographical areas, a fraud investigator has yet another variable with which s/he can make inferences.

Finally, timeline analysis software aids fraud examiners in transforming their data into visual timelines. These visual timelines enable fraud examiners to:

• Highlight key times, dates, and facts.
• More readily determine a sequence of events.
• Analyze multiple or concurrent sequences of events.
• Track unaccounted for time.
• Identify inconsistencies or impossibilities in data.

The Client Requested Recommendation

We fraud examiners must be very circumspect about drawing conclusions. But who among us has not found him or herself in a discussion with a corporate counsel who wants a recommendation from us about how best to prevent the occurrence of a fraud in the future?  In most situations, the conclusions from a well conducted examination should be self-evident and should not need to be pointed out in the report. If the conclusions are not obvious, the report might need to be clarified. Our job as fraud examiners is to obtain sufficient relevant and reliable evidence to determine the facts with a reasonable degree of forensic certainty. Assuming facts without obtaining sufficient relevant and reliable evidence is generally inappropriate.

Opinions regarding technical matters, however, are permitted if the fraud examiner is qualified as an expert in the matter being considered (many fraud examiners are certified not only as CFE’s but also as CPA’s, CIA’s or CISA’s).  For example, a permissible expert opinion, and accompanying client requested recommendation, might address the relative adequacy of an entity’s internal controls. Another opinion (and accompanying follow-on recommendation) might discuss whether financial transactions conform to generally accepted accounting principles. So, recommended remedial measures to prevent future occurrences of similar frauds are also essentially opinions, but are acceptable in fraud examination reports.

Given that examiners should always be cautious in complying with client examination related requests for recommendations regarding future fraud prevention, there is no question that such well-considered recommendations can greatly strengthen any client’s fraud prevention program.  But requested recommendations can also become a point of contention with management, as they may suggest additional procedures for staff or offend members of management if not presented sensitively and correctly. Therefore, examiners should take care to consider ways of follow-on communication with the various effected stakeholders as to how their recommendations will help fix gaps in fraud prevention and mitigate fraud risks.  Management and the stakeholders themselves will have to evaluate whether the CFE’s recommendations being provided are worth the investment of time and resources required to implement them (cost vs. benefit).

Broadly, an examination recommendation (where included in the final report or not) is either a suggestion to fix an unacceptable scenario or a suggestion for improvement regarding a business process.  At management’s request, fraud examination reports can provide recommendations to fix unacceptable fraud vulnerabilities because they are easy to identify and are less likely to be disputed by the business process owner. However, recommendations to fix gaps in a process only take the process to where it is expected to be and not where it ideally could be. The value of the fraud examiner’s solicited recommendation can lie not only in providing solutions to existing vulnerability issues but in instigating thought-provoking discussions.  Recommendations also can include suggestions that can move the process, or the department being examined to the next level of anti-fraud efficiency.  When recommendations aimed at future prevention improvements are included, examination reports can become an additional tool in shaping the strategic fraud prevention direction of the client being examined.

An examiner can shape requested recommendations for fraud prevention improvement using sources both inside and outside the client organization. Internal sources of recommendations require a tactful approach as process owners may not be inclined to share unbiased opinions with a contracted CFE, but here, corporate counsel can often smooth the way with a well-timed request for cooperation. External sources include research libraries maintained by the ACFE, AICPA and other professional organizations.

It’s a good practice, if you expect to receive a request for improvement recommendations from management, to jot down fraud prevention recommendation ideas as soon as they come to mind, even though they may or may not find a place in the final report. Even if examination testing does not result in a specific finding, the CFE may still recommend improvements to the general fraud prevention process.

If requested, the examiner should spend sufficient time brainstorming potential recommendations and choosing their wording carefully to ensure their audience has complete understanding. Client requested recommendations should be written simply and should:

–Address the root cause if a control deficiency is the basis of the fraud vulnerability;
–Address the business process rather than a specific person;
–Include bullets or numbering if describing a process fraud vulnerability that has several steps;
–Include more than one way of resolving an issue identified in the observation, if possible. For example, sometimes a short-term manual control is suggested as an immediate fix in addition to a recommended automated control that will involve considerable time to implement;
–Position the most important observation or fraud risk first and the rest in descending order of risk;
–Indicate a suggested priority of implementation based on the risk and the ease of implementation;
–Explain how the recommendation will mitigate the fraud risk or vulnerability in question;
–List any recommendations separately that do not link directly to an examination finding but seek to improve anti-fraud processes, policies, or systems.

The ACFE warns that recommendations, even if originally requested by client management, will go nowhere if they turn out to be unvalued by that management. Therefore, the process of obtaining management feedback on proposed anti-fraud recommendations is critical to make them practical. Ultimately, process owners may agree with a recommendation, agree with part of the recommendation, and agree in principle, but technological or personnel resource constraints won’t allow them to implement it.  They also may choose to revisit the recommendation at a future date as the risk is not imminent or disagree with the recommendation because of varying perceptions of risk or mitigating controls.

It’s my experience that management in the public sector can be averse to recommendations because of public exposure of their reports. Therefore, CFEs should clearly state in their reports if their recommendations do not correspond to any examination findings but are simply suggested improvements. More proposed fraud prevention recommendations do not necessarily mean there are more faults with the process, and this should be communicated clearly to the process owners.

Management responses should be added to the recommendations with identified action items and implementation timelines whenever possible. Whatever management’s response, a recommendation should not be changed if the response tends to dilute the examiner’s objectivity and independence and becomes representative of management’s opinions and concerns. It is the examiner’s prerogative to provide recommendations that the client has requested, regardless of whether management agrees with them. Persuasive and open-minded discussions with the appropriate levels of client management are important to achieving agreeable and implementable requested fraud prevention recommendations.

The journey from a client request for a fraud prevention recommendation to a final recommendation (whether included in the examination report or not) is complex and can be influenced by every stakeholder and constraint in the examination process, be it the overall posture of the organization toward change in general, its philosophy regarding fraud prevention, the scope of the individual fraud examination itself, views  of the effected business process owner, experience and exposure of the examination staff, or available technology. However, CFEs understand that every thought may add value to the client’s fraud prevention program and deserves consideration by the examination team. The questions at the end of every examination should be, did this examination align with the organization’s anti-fraud strategy and direction? How does our examination compare with the quality of practice as seen elsewhere? And finally, to what degree have the fraud prevention recommendations we were asked to make added value?

Tailoring Difficult Conversations

We CFE’s and forensic accountants, like other investigative professionals, are often called upon to be the bearers of bad news; it just goes with the territory.  CFE’s and forensic accountants are somewhat unique, however, in that, since fraud is ubiquitous, we’re called upon to communicate negative messages to such a diverse range of client types; today the chairman of an audit committee, tomorrow a corporate counsel, the day after that an estranged wife whose spouse has run off after looting the family business.

If there is anything worse than getting bad news, it may be delivering it. No one relishes the awkward, difficult, anxiety-producing exercise of relaying messages that may hurt, humiliate, or upset someone with whom the deliverer has a professional relationship. And, what’s more,  it often proves a thankless task. This was recognized in a Greek proverb almost 2,500 years ago, “Nobody loves the messenger who brings bad news.”

Physicians, who are sometimes required to deliver worse news than most CFE’s ever will, often engage in many hours of classwork and practical experience studying and role-playing how to have difficult conversations with patients and their families They know that the message itself, may be devastating but how they deliver it can help the patient and his or her family begin to process even the most painful facts.   CFE’s are in the fortunate position of typically not having to deliver news that is quite so shattering.  Nevertheless, there is no question that certain investigative results can be extremely difficult to convey and to receive.  The ACFE tells us that learning how to prepare for and deliver such messages can create not only a a better investigator but facilitate a better investigative outcome.

Preparation to deliver difficult investigative results should begin well in advance, even before there is such a result to deliver. If the first time an investigator has a genuine interaction with the client is to confirm the existence of a fraud, that fact in itself constitutes a problem.  On the other hand, if the investigator has invested time in building a relationship before that difficult meeting takes place, the intent and motivations of both parties to the interaction are much better mutually understood. Continuous communication via weekly updates to clients from the moment irregularities are noted by examination is vital.

However, despite best efforts in building relationships and staying in regular contact with clients, some meetings will involve conveying difficult news. In those cases, preparation is critical to accomplishing objectives while dealing with any resultant fallout.  In such cases, the ACFE recommends focusing on investigative process as well as on content. Process is professionally performing the work, self-preparation for delivering the message, explaining the conclusions in meaningful and realistic ways, and for anticipating the consequences and possible response of the person receiving the message. Content is having the right data and valid conclusions so  the message is correct and complete.

Self-preparation involves considering the type of person who is receiving the difficult message and in determining the best approach for communicating it. Some people want to hear the bottom line first and the supporting information after that; others want to see a methodical building of the case item by item, with the conclusion at the end. Some are best appealed to via logic; others need a more empathetic delivery. Discussions guided by the appropriate approach are more likely to be productive. Put as much effort as possible into getting to know your client since personality tends to drive how he or she wants to receive information, interact with others, and, in turn, values things and people. When there is critical investigative information that has to be understood and accepted, seasoned examiners consider delivery tailored specifically to the client to be paramount.

Once the ground work has been laid, it’s time to have the discussion. It’s important, regarding the identified fraud, to remember to …

–Seek opportunities to balance the discussion by recognizing the client’s processes that are working well as well as those that have apparently failed;

–Offer to help or ask how you can help to address the specific issues raised in the discussion;

–Make it clear that you understand the client’s challenges. Be precise and factual in describing the causes of the identified irregularity;

–Maintain open body language. Avoid crossing your arms, don’t place your hands over your mouth or on your face, and keep your palms facing each other or slightly upwards instead of downwards. Don’t lean forward as this appears extra aggressive. Breathe deeply and evenly. If possible, mimic the body language of the message recipient, if the recipient is remaining calm. If the recipient begins to show signs of defensiveness or strong aggression, and your efforts to calm
the situation are not successful, you might suggest a follow-up meeting after both of you have digested what was said and to consider mutually acceptable options to move forward.

–Present the bottom-line message three times in different ways so your listener has time to absorb it.

–Let the client vent if he or she wishes. The ACFE warns against a tendency to interrupt the client’s remarks of explanation or sometimes of denial; “we don’t hire people who would do something like that!” Allowing the client time to vent frees him or her to get down to business moving afterward.

–Focus on problems with the process as well as on the actions of the suspect(s) to build context for the fraud scenario.

–Always demonstrate empathy. Take time to think about what’s going through your hearer’s mind and help him or her think through the alleged scenario and how it occurred, what’s going to happen next with the investigation, and how the range of issues raised by the investigation might be resolved.

Delivering difficult information is a minefield, and there are ample opportunities to take a wrong step and see explosive results. Emotional intelligence, understanding how to read people and relate to them, is vital in delivering difficult messages effectively. This is not an innate trait for many people, and it is a difficult one to learn, as are many of the other so-called soft skills. Yet they can be critical to the successful practice of fraud examination. Examiners rarely get in trouble over their technical skills because such skills are generally easier for them to master.  Examiners tend to get in trouble over insufficient soft skills. College degrees and professional certifications are all aimed at the technical skills. Sadly, very little is done on the front end to help examiners with the equally critical soft skills which only arise after the experience of actual practice.  For that reason, watching a mentor deliver difficult messages or deal with emotional people is also an effective way to absorb good practices. ACFE training utilizes the role-playing of potentially troublesome presentations to a friendly group (say, the investigative staff) as another way to exercise one’s skills.

Delivering bad news is largely a matter of practice and experience, and it’s not something CFEs and forensic accountants have the choice to avoid. At the end of the day, examiners need to deliver our news verbally and in writing and to facilitate our clients understanding of it. The underlying objective is to ensure that the fact of the alleged fraud is adequately identified, reported and addressed, and that the associated risk is understood and effectively mitigated.

First Things First

About a decade ago, I attended a training session at the Virginia State Police training center conducted by James D. Ratley, then the training director for the ACFE. The training session contained some valuable advice for CFE’s and forensic accountants on immediate do’s and don’ts if an examiner strongly suspects the presence of employee perpetrated financial fraud within a client’s organization. Mr. Ratley’s counsel is as relevant today as it was then.

Ratley advised that every significant employee matter (whether a theft is involved or not) requires thoughtful examiner deliberation before any action is taken, since hasty moves will likely prove detrimental to both the investigator and to the client company. Consequently, knowing what should not be done if fraud is suspected is often more important to an eventual successful outcome than what should be done.

First, the investigator should not initially confront the employee with his or her suspicions until the investigator has first taken several important preliminary investigative steps.  Even when those steps have been taken, it may prove necessary to use a different method of informing the employee regarding her status, imminent material harm notwithstanding. False (or even valid) accusations can lead to defamation lawsuits or at the very least to an extremely uncomfortable work environment. The hasty investigator or management could offend an innocent person by questioning her integrity; consequently, your client company may never be able to regain that person’s trust or prior level of commitment. That downside is just one example of the collateral damage that can result from a fraud. Even if the employee is ultimately found to be guilty, an investigator’s insinuation gives him or her time to alter records and conceal the theft, and perhaps even siphon off more assets. It takes only a moment for an experienced person to erase a computer’s hard drive and shred documents. Although, virtually all business records can be reconstructed, reconstruction is a costly and time-consuming process that always aggravates an already stressful situation.

Second, as a rule, never terminate or suspend the suspect employee until the preliminary investigative steps referred to above have been taken.  The desire on the part of management to take decisive action is understandable, but hasty actions may be detrimental to the subsequent investigation and to the company. Furthermore, there may be certain advantages to continuing the person’s employment status for a brief period because his or her continued status might compel the suspect to take certain actions to your client’s or to the investigation’s benefit. This doesn’t apply to government employees since, unlike private sector employees, they cannot be compelled to participate in the investigation. There can be occasions, however, where it is necessary to immediately terminate the employee. For example, employees who serve in a position whose continued employment could put others at risk physically, financially, or otherwise may need to be terminated immediately. Such circumstances are rare, but if they do occur, management (and the CFE) should document the entire process and advise corporate counsel immediately.

Third, again, as a rule, the investigator should never share her initial suspicions with other employees unless their assistance is crucial, and then only if they are requested to maintain strict confidentiality.  The CFE places an arduous burden on anyone in whom s/he has confided. Asking an employee to shoulder such responsibilities is uncharted territory for nearly anyone (including for the examiner) and can aggravate an already stressful situation. An examiner may view the confidence placed in an employee as a reflection of his and management’s trust. However, the employee may view the uninvited responsibility as taking sides with management at the expense of his relationship with other employees. Consequently, this step should be taken only if necessary and, again, after consultation with counsel and management.

Regarding the do’s, Ratley recommended that the instant that an employee fraud matter surfaces, the investigator should begin continuous documentation of all pertinent investigation-related actions taken. Such documentation includes a chronological, written narrative composed with as much specificity as time permits. Its form can take many shapes, such as handwritten notes, Microsoft Word files, spreadsheets, emails to yourself or others, and/or relevant data captured in almost any other reproducible medium. This effort will, of course, be time consuming for management but is yet another example of the collateral damage resulting from almost any employee fraud. The documentation should also reference all direct and related costs and expenses incurred by the investigator and by the client company. This documentation will support insurance claims and be vital to a subsequent restitution process.  Other collateral business damages, such as the loss of customers, suppliers, or the negative fiscal impact on other employees may also merit documentation as appropriate.

Meetings with corporate counsel are also an important do.  An employee fraud situation is complex and fraught with risk for the investigator and for the client company. The circumstances can require broad and deep expertise in employment law, criminal law, insurance law, banking law, malpractice law, and various other legal concentrations. Fortunately, most corporate attorneys will acknowledge when they need to seek additional expertise beyond their own experience since a victim company counsel specializing in corporate matters may have little or no background in matters of fraud. Acknowledgment by an attorney that s/he needs additional expertise is a testament to his or her integrity. Furthermore, the client’s attorney may contribute value by participating throughout the duration of the investigation and possible prosecution and by bringing to bear his or her cumulative knowledge of the company to the benefit of the organization.

Next, depending on the nature of the fraud and on the degree of its fiscal impact, CFEs should meet with the client’s CPA firm but exercise caution. The client CPA may be well versed in their involvement with your client through their work on income taxes, audit, review, and compilations, but not in forensic analysis or fraud examination. Larger CPA firms may have departments that they claim specialize in financial forensics; the truth is that actual experience in these matters can vary widely. Furthermore, remember that the situation occurred under your client CPA’s watch, so the firm may not be free of conflict.

Finally, do determine from management as early as possible the range of actions it might want to take with respect to the suspect employee if subsequent investigation confirms the suspicion that fraud has indeed occurred.  Deciding how to handle the matter of what to do with the employee by relying upon advice from management and from the legal team can be quite helpful in shaping what investigative steps are taken subsequently. Ratley pointed out that the level and availability of evidence often drive actions relating to the suspect. For example, the best course of action for management may be to do nothing immediately, to closely monitor and document the employee’s activities, to suspend the employee with pay, or immediately terminate the suspect’s employment. There may be valid reasons to exercise any one of these options.

Let’s say the CFE is advised by management to merely monitor and document the employee’s activities since the CFE currently lacks sufficient evidence to suspend or terminate the employee immediately. The CFE and the client’s IT operation could both be integral parts of this option by designing a plan to protect the client from further loss while the investigation continues behind the scenes. The investigation can take place after hours or under the guise of an “efficiency audit,” “business planning,” or other designation. In any case, this option will probably require the investigator to devote substantial time to observe the employee and to concurrently conduct the investigation.  The CFE will either assemble sufficient evidence to proceed or conclude there is inadequate substantiation to support the accusation.

A fraud is a devastating event for any company but Mr. Ratley’s guidance about the first steps in an investigation of employee perpetrated financial fraud can help minimize the damage.  He concluded his remarks by making two additional points; first, few executives are familiar by experience with situations that require CFE or forensic accountant expertise; consequently, their often-well-meaning actions when confronted with the actuality of a fraud can result in costly mistakes regarding time, money and people. Although many such mistakes can be repaired given sufficient money and time, they are sometimes devastating and irrecoverable.  Second, attorneys, accountants and others in the service professions frequently lack sufficient experience to recognize the vast differences between civil and criminal processes.  Consequently, these professionals often can provide the best service to their corporate clients by referring and deferring to more capable fraud examination specialists like certified fraud examiners and experienced forensic accountants.