Corporate fraud is committed, and discovered, predominantly within the organization. Kroll Advisory Solutions' 2012/2013 Global Fraud Report found that, in 67 percent of the frauds for which the perpetrator is known, insiders — senior managers, junior employees, or third-party agents — were the culprits. Meanwhile, the Association of Certified Fraud Examiners' 2012 Report to the Nations indicates that whistleblower reports account for roughly 43 percent of all frauds detected.
Consequently, internal audit is often the first group to become aware of wrongdoing allegations and then tasked with initiating a response. Fraud investigations, however, can be a minefield — even the first steps can impact the final outcome significantly. Insufficient discretion at the launch of the investigation, for example, may tip off the suspect, causing the destruction of potentially vital evidence. Moreover, information collected hastily without sufficient attention to procedure might be inadmissible in court, or lead to sanctions and fines.
A host of challenges beset those responsible for looking into potential wrongdoing. By taking the right steps before an investigation, internal audit can reduce the risk of error, helping to ensure the investigation is planned correctly and carried out with efficiency.
1. Conduct an Initial Assessment
The internal auditor first needs to assess whether an allegation has merit. This process should begin with consideration of the complainant's credibility and motives — when that person's identity is known — as well as other possible indications of the allegation's likely validity.
The auditor should avoid simplistic judgments. Just because a complainant lacks credibility or may have ulterior motives, for example, does not necessarily mean there is no need for an investigation. By the same token, even a highly credible individual can make an unfounded allegation. Upon close examination, allegations often contain specific facts, especially those related to the workings of the organization, that can help support assertions and provide internal audit a basis for corroboration.
2. Perform a Risk Assessment
Because insider wrongdoing can have a significant impact on the organization, especially when committed by a member of senior management, internal audit should perform a risk assessment. The assessment should include examination of monetary, regulatory, reputational, and other known risks.
An obvious goal in fraud cases is to determine the extent of existing damage and prevent further losses. This can be difficult, as allegations rarely include an exact amount of stolen funds or an assessment of organizational impact. For example, the monetary impact of vendor kickbacks to employees is often hard to assess, as it involves gauging the extent to which the organization may have received insufficient value for the products it purchased. In these circumstances, the organization may want to assess the extent to which the vendor is used and consider industry risks associated with the organization and vendor.
Issues of concern to regulators include insider trading, bribery of public officials, manipulation of publicly listed companies' financial statements, money laundering, and privacy or data breaches. If an organization fails to conduct an adequate investigation or take appropriate corrective measures, the regulator may initiate its own investigation or — where a funding relationship exists — withdraw support from the organization.
If allegations relate to an organization's foreign operations, or involve activities in jurisdictions with extraterritorial legislation, international regulatory requirements should also be considered. Many countries have enacted anti-bribery legislation, including the United States' Foreign Corrupt Practices Act (FCPA), Canada's Corruption of Foreign Officials Act, and the United Kingdom's Bribery Act. Running afoul of these laws can have significant consequences. In 2011, for example, a multinational engineering and electronics company was investigated by regulators in both the United States and Germany in relation to alleged bribery of foreign officials in Argentina. The company eventually settled both cases but had to pay more than US $1 billion in fines — the largest FCPA fines in history.
The potential reputational damage to an organization from fraud cannot be taken lightly. Examples of circumstances that may pose significant reputational risks include payments to foreign government officials, circumvention of local or foreign laws, and accepting incentives from suppliers.
A Canadian engineering and construction company has undergone extensive investigation — including a widely publicized police search of its headquarters — for alleged involvement in a Bangladeshi corruption scandal. These allegations, along with further claims of corruption in Libya and Canada, have had a significant impact on the company's share price.
3. Determine the Objectives
Internal audit is in a unique position to collect and assess available evidence to assist the organization in understanding the case. This process may include preparing an initial assessment of the losses or risks to which the organization has been exposed. Once the organization understands the issues, consideration should be given to whether to pursue criminal charges or civil remedies (i.e., recovery of funds), as it will affect the investigators' approach to the inquiry process. For instance, in the United States and Canada, the standard of proof for criminal charges is higher than that of civil remedies. Further, the makeup of the investigative team may be different depending on the objectives of the investigation. Decisions may change over time and as new circumstances of the case come to light, and accordingly the investigative strategy may also need to change.
4. Select Team Members
Ideally, the investigative team should be kept as small as possible, and participation should be on a "need-to-know" basis. Moreover, team members must not have any conflicts that would — or even be perceived to — impair their judgment or objectivity in the investigation.
The team must also comprise appropriately skilled and qualified individuals to perform, or at least oversee, the evidence collection process — particularly for electronic evidence. Team members need to be informed that any one of them may be called upon to testify as a witness in court and that notes and workpapers are discoverable and could appear before a judge or jury. Therefore, workpaper files — including interview notes and communications — should be maintained.
Numerous additional considerations should be kept in mind when choosing members of the investigation team, including participants' independence, as well as the potential need for legal counsel, investigative experts, and other expertise.
Maintaining independent oversight is crucial to the investigation's credibility — failure in this area leaves the investigative findings open to criticism by opposing counsel, regulators, or law enforcement agencies. In many cases, especially those involving financial matters, internal audit might be in the best position to manage the investigation. If the situation involves senior management, however, or the risks to the company are significant, the board of directors, the audit committee, or a special committee of the board may be better suited to the task.
To protect litigation privilege, corporate counsel or independent external counsel should be included in the investigation from the beginning. These experts can also advise on legal matters such as employee suspensions or terminations and evidence gathering to help ensure future court admissibility. Moreover, by adding credibility, independent counsel can provide assurance that the investigation will stand up to external scrutiny.
An independent, reputable investigative firm can add credibility to an inquiry, bring current knowledge of relevant issues, and provide skills that many companies lack in areas such as computer forensics, analytics, and forensic accounting. Such help is also important if opinion testimony may be required, as the testimony is admissible only if it comes from witnesses who the courts determine are experts. When needed — for example, in cases that may lead to pursuit of criminal charges or civil remedies — an expert should be retained early on. To maintain litigation privilege, investigators and experts should always be retained through general or external counsel.
Other Team Members
Other individuals who may be helpful or necessary to involve in the investigation, depending on the circumstances, include human resource and IT professionals. Moreover, if the company maintains operations in foreign jurisdictions, involving on-site personnel at those locations may be beneficial as well.