The purpose of this chapter is to explain key steps and best practices in investigations from an accounting perspective. The term forensic, as defined in Webster’s Dictionary, means ‘belonging to, used in or suitable to courts of judicature or to public discussion and debate’. Accordingly, forensic accounting involves the application of specialised knowledge and investigative skills to matters in anticipation of possible litigation or dispute resolution including in civil, administrative or criminal enforcement matters. Forensic accounting skills can be applied to a wide variety of investigations into alleged corporate and individual wrongdoing, including:
- misappropriation of assets by employees;
- bribery and corruption;
- money laundering;
- financial reporting fraud;
- non-compliance with laws, regulations or provisions of contracts; and
- fraud perpetrated by vendors/suppliers and other third parties.
We may refer to non-compliance instead of fraud. Non-compliance often lacks the intent of fraud and may manifest itself in the violation of an agreement, policy or otherwise acceptable behaviour. Investigations may focus on allegations of fraud or non-compliance.
The range of specialisations within the field of forensic accounting is diverse. But at the core is a focus on accounting systems, processes, records, data and reports.
20.2 Preservation, mitigation and stabilisation
An important consideration at the outset of an investigation is whether any steps are necessary to put a stop to further loss of funds, data or other assets. This may entail closing of bank accounts, freezing of email and other communications, deactivating user passwords and other steps to deny access to subjects of the investigation (see Chapters 5 and 6 on beginning an internal investigation). Where the nature of the investigation requires it, financial and accounting information will need to be preserved and stabilised. Physical documents in this category may include a wide variety of records, such as purchase orders, invoices, customer orders, delivery records, etc. Every step of the transaction cycles involved in the scheme under investigation should be considered at this stage to identify all potentially relevant documents.
20.3 Violation of internal controls
An important part of an investigation is establishing whether the act was intentional. Demonstrating that a subject violated a documented, well-established internal control is one method of doing this. Determining how an internal control was circumvented or otherwise violated is also an important part of understanding how fraud or corruption was perpetrated because establishing that a subject intentionally violated internal controls can be important in connection with criminal prosecution or regulatory enforcement process, and understanding precisely how internal controls were violated is critical to developing a remediation plan to shore up controls to prevent future occurrences.
The first step in determining whether policies or procedures were violated is to gain a thorough understanding of established policies and procedures. This normally entails reviewing documented policies and procedures and may also include interviews with employees to help clarify any ambiguities in the documentation (see Chapters 7 and 8 on witness interviews). Some considerations include:
- which employees are authorised to initiate and process a transaction;
- which employees are authorised to approve a transaction;
- the stages in the transaction process;
- documentation requirements for the transaction;
- how and where electronic and paper records are stored; and
- how exceptions or unusual transactions are handled.
It may also be important to review any training programmes that the subject of the investigation has received. Doing so can establish more firmly that the subject had an understanding of the proper method of handling the transactions.
Most accounting cycles, such as procurement, disbursement of funds and payroll include many steps. Some of these are evidenced manually, such as with written approvals by signature and supporting documents such as invoices and delivery confirmations. Other steps require analysis of electronic records. Examples of critical pieces of electronic evidence related to internal controls include:
- Date and time stamps – Most systems leave a valuable trail that can be used to establish an accurate and detailed timeline of events. For example, a vendor invoice may be input into the accounts payable system late at night during non-work hours, approved for payment moments later and payment is made to the vendor the very next day. Why the rush? Is there a legitimate need or is something more devious involved? Does payment so quickly comply with the organisation’s normal cash management and bill-paying policies?
- User identification numbers – Systems maintain a record of user log-ins, along with date and time of information access and updates. Directly or indirectly, it is often possible to determine exactly which user of a system performed each step in the chain of activities comprising a transaction – who set a vendor up in the master file, who authorised the purchase and whether it was competitively bid, who entered the vendor invoice, who approved it for payment, who scheduled it for disbursement, who transmitted payment, etc.
- Security matrices – Often reviewed in connection with the preceding step, determining which users have access to specific components of each system can play a vital role in assigning responsibility for specific steps in a matter under investigation. Access to a system often does not mean access to every part of that system. Analysis of a security matrix provides details of this information. Who has ‘read only’ access to vendor and invoice data? Who has input capability? Who has approval authority to release payments to vendors? Aligning this information with information gleaned from the preceding steps can find exactly where internal controls were compromised, including identification of instances of unauthorised access through password theft or sharing.
Physical documents are often important pieces of evidence in an investigation. But electronic evidence associated with a transaction cycle tend to be equally or more important. Proper analysis of this evidence enables an investigator to draw conclusions and gain insight that would be impossible in an entirely paper-based system. For example, a paper copy of a vendor invoice can be analysed to establish whether a subject signed or initialled it, and perhaps whether any alterations were made to the document. But if the organisation’s vendor invoice approval and payment system is electronic, the investigator can also determine with precision the date and time of the approval of the invoice and perhaps even where the subject performed these steps (from home, from a workstation in the office, etc.).
20.4 Forensic data analysis
Forensic analysis of data refers to analysis of electronically stored data. The most commonly analysed data are accounting and financial, but several non-financial categories of data are also very useful to investigators. Each will be explored further in this section.
Data analysis generally has three applications in the investigative process:
- to initially detect fraud or non-compliance (e.g., monitoring performed by internal audit);
- to corroborate an allegation in order to justify launching an investigation (e.g., proving that an allegation received via a hotline appears to have merit); and
- to perform certain parts of the investigation (e.g., analysis of payments made to suspicious vendors);
Each of these will be explained further. But first, a few important points about data analytics are essential.
Data analytics rarely prove that fraud or non-compliance occurred. Rather, data analysis identifies transactions or activities that have the characteristics of fraud or non-compliance, so that they can be examined further. These are often referred to as anomalies in the data.
If an investigation ultimately leads to employee terminations or legal proceedings to recover losses, it is critical to have properly analysed the anomalies that data mining has identified. Could the anomaly in the data, or an anomaly in a document, while often identified as a characteristic of fraud, also simply indicate a benign deviation? Failing to investigate and rule out non-fraudulent explanations for anomalies can have consequences that many investigators have learned about the hard way.
Identifying and exploring all realistically possible non-fraudulent, non-corrupt explanations for an anomaly is also called reverse proof. Examining and eventually ruling out all of the valid possible non-fraudulent explanations for an anomaly in the data or documentation can prove that the only remaining reasonable explanation is fraud or corruption.
Take a simple example to illustrate this important concept. An employee is found to have submitted the same business expenditure twice for reimbursement (paid for using a personal credit card). Further analysis shows that this is not an isolated incident. In fact, the rate at which the employee submitted duplicate expenditures has increased over time – a classic red flag commonly associated with perpetrators of fraud. Is this a sufficient basis to support an allegation of misconduct?
This would be premature. What if on further analysis, the investigator also finds that the employee has been asked to work an increasing number of hours every week and travel much more extensively over time. Investigating further, it is found that this employee is particularly disorganised and has never been asked to do this much business travel before. These additional facts make the distinction between an intentional act of fraud and an escalating series of honest mistakes a bit blurry.
Careful consideration of alternative theories for data and document anomalies is critical to protecting the organisation and the investigator from liability stemming from falsely accusing someone of wrongdoing.
20.4.1 Data mining to detect fraud or non-compliance
Depending on which application or phase of the investigative process is involved, the nature of forensic data analysis can vary. For example, as an initial detector of fraud or non-compliance through ongoing monitoring, forensic data analytics usually takes one of two broad, but opposite, approaches: identification of any activity that deviates from expectations, or identification of activity that possesses specific characteristics associated with fraudulent or corrupt behaviour or other non-compliant conduct.
The former approach is taken when acceptable behaviour is narrowly defined, such that the slightest deviation warrants investigation. The latter approach is the more common. It is driven by a risk assessment and is based on what this type of fraud or non-compliance would look like in the data. For example, a shell company scheme might evidence itself by an address in the vendor master file matching an address in the employee master file. Any instances of such a match would be investigated.
In some cases, basing the ‘investigate’ or ‘don’t investigate’ decision on a single characteristic in the data can result in numerous false positives. For this reason, more sophisticated data analytics often rely on the consideration of multiple characteristics in assessing the risk of activity being fraudulent or corrupt.
Regardless of which of these two approaches is taken, data analytics performed at this stage represent the very first steps in the investigative process. One or more anomalous transactions or activities have been flagged for further evaluation. Following the reverse-proof concept described above is critical once anomalies indicative of possible wrongdoing are uncovered.
20.4.2 Corroborating allegations
As a method of corroborating an allegation that has been received, data analysis can be of great value (see Chapters 18 and 19 for additional guidance on dealing with whistleblowers). It is a significant advantage to the investigator because, more often than not, it can be performed on electronic data without alerting the subject of the allegation. In this application, the allegation is first assessed in terms of what impact the alleged fraudulent or corrupt act would have on financial or non-financial data. To illustrate, take the example of an allegation that workers in the shipping department of a warehouse are stealing inventory by short shipping orders to customers. There are numerous sources of data, both financial and non-financial, that could be analysed to assess the validity of this allegation:
- gross profit margins – an unexplained decline in gross profit margins by product, or by location (as a result of having to re-ship additional items, with no associated revenue, to satisfy the customer);
- inventory purchases – unexplained increases in purchases of certain inventory items without a corresponding increase in sales;
- customer complaints – customer service data indicating complaints about incomplete shipments, especially if those complaints can be correlated back to specific orders; and
- shipping records – using the customer complaint data, orders are correlated to specific shipments and employee names associated with filling and shipping these orders. Shipping records might also reveal more shipments to a customer than orders, indicating a second shipment was needed to complete the order after the customer complained.
This is a simple example, but one that illustrates that for every allegation, there likely exists data associated with either the perpetration or concealment of the fraud or non-compliance. And this data normally exhibits one or more anomalies in comparison with data from similar transactions that do not involve fraud or non-compliance.
20.4.3 Using data analysis in an investigation
The final application of forensic data analysis is during the investigation itself. Once an allegation has been substantiated, or an initial anomaly has been found to involve fraud or non-compliance, additional forensic data analysis may be performed to:
- determine how long the activity has been going on;
- determine which employees (or third parties) have played roles (i.e., assessing whether collusion was involved);
- measure the financial damage resulting from the activity; and
- identify other fraudulent or corrupt conduct by the same individuals.
Determining who is involved has become increasingly important over the years. According to a recent report by the Association of Certified Fraud Examiners (ACFE), nearly 45 per cent of all fraud and corruption schemes investigated involve multiple perpetrators.1 This figure has been steadily rising since the ACFE began studying fraud. The 45 per cent is split nearly evenly between cases involving multiple internal perpetrators and those involving collusion between insiders and outsiders, such as vendors or customers.
Point 4, above, may also come as a surprise to some, but is important. The ACFE report indicates that 31.8 per cent of the time an individual engages in fraud (especially with respect to asset misappropriations) they employ multiple methods to commit their crimes. The allegation or investigation may have initially focused on only one specific method. Exploring what other activities the subject might have the capability of engaging in similar behaviour with is an important consideration in the investigation. Companies will wish to avoid a scenario in which only one type of fraudulent activity is discovered when the subject engaged in a second type of fraud at the same time.
For example, the investigation may reveal that a subject established a shell company designed to look like a legitimate vendor and has been transferring funds to the company, supported by fraudulent invoices for services that have not been rendered. On the surface, this appears to be a common asset misappropriation scheme. Further analysis, however, might reveal that the shell company is merely a conduit for paying bribes to foreign government officials, a potentially even more serious offence than an asset misappropriation.
In the next sections, the distinction between financial and non-financial data will be explored, followed by a discussion of internal versus external data.
20.5 Analysis of financial data
Most analyses of internal data relevant to an investigation begin with financial data, much of which comes from the organisation’s accounting system. Accounting data can exist in several separate systems, such as:
- general ledger, the master ledger that reflects all accounts and the sum of all accounting activity for the organisation;
- general journal, where journal entries are initially recorded before being posted to the general ledger;
- books of original entry, which contain details of certain types of financial transactions, summaries of which are posted to the general ledger. Examples of books of original entry include sales, cash receipts, cash disbursements and payroll; and
- subsidiary ledgers, which contain additional details of transactions and activities that appear only in summary form in the general ledger. Examples of subsidiary ledgers are accounts receivable and accounts payable ledgers.
Performing an investigation often requires the extraction and analysis of data from all these systems to see the big picture or to properly trace the history of a transaction or series of activities. The days of manually maintained books of original entry are gone. Most organisations now use electronic accounting and financial software, and in larger organisations these systems are included as part of a broader ERP system.
Some systems are hybrids of financial and non-financial information. Examples of these systems include:
- Inventory – in addition to cost information associated with purchases, the system may also provide data on quantities and dates of purchases, deliveries, shipments, inventory damaged or scrapped, and counts resulting from physical observation.
- Payroll – in addition to data on net amounts paid to employees, the payroll system will usually include other relevant data needed to calculate an employee’s gross and net pay, including various worker classification codes, hours worked during a pay period, rates of pay, tax and withholding information, along with bank account information for the electronic transfer of funds to employees.
- Human resources – in most larger organisations a human resources system that is separate from payroll is maintained. Included in this system is data on rates of pay and past raises, incentive payments, and other financial data about reach employee, as well as significant amounts of non-financial data, like each employee’s home address. Human resource information systems may also include vital information associated with an employee’s initial hiring, such as background and reference checks, verification of information provided on an employment application, etc. This information can be important if the organisation anticipates filing an insurance claim to be indemnified for losses attributable to an employee.
Availability of and legal considerations associated with each of these sources of internal data vary from one jurisdiction to another, particularly with respect to payroll and personnel information. Privacy issues must be considered before embarking on any use of such data in an investigation.
20.6 Analysis of non-financial records
Increasingly, non-financial data is being analysed as a standard element of an investigation. Non-financial data can be classified into two broad categories: structured and unstructured.
Structured data is the type of data that generally conforms to a database format. It is often numeric (e.g., units in inventory, hours worked by an employee, calendar dates), but can involve alpha data as well (e.g., codes associated with types of customer or employee, certain elements of an address).
Structured non-financial data is found in many systems, including those that include financial data mentioned above. Other systems, however, are entirely non-financial, but provide data that can be important to an investigation. Examples of non-financial systems commonly used for investigative purposes include:
- Security – many organisations now use tools that leave an electronic trail of the exact times and dates when specific employees entered or left the building. This information can be very useful in an investigation.
- Network data – much like accessing a building, networks maintain electronic records each time an authorised user logs on or off the system, and may retain a record of various aspects of the user’s network activity, such as which folders were accessed, which data was downloaded, which systems were used, etc.
- Customer service – as the earlier example illustrates, data collected in the customer service system can have numerous applications in an investigative setting. Customer complaints about items missing from their orders may indicate theft in the warehouse.
Unstructured data refers to data that does not readily conform to a database or spreadsheet format. Text associated with messages in emails, explanations for journal entries and other communications are the most common. Unstructured data also includes photographic images, video and audio files.
E-mails and text messages of interest to an investigator may involve messages within the organisation, between employees and communications between organisation employees and vendors, customers, or other third parties.
Similar to other electronic data, when a user ‘deletes’ this information, a back-up or archive version is often left behind and is available to an investigator. Understanding an organisation’s back-up, archiving and storage practices is crucial to this part of an investigation.
Reviewing email or text message chains can provide an investigator with vital clues, such as:
- the timeline of events;
- the level of knowledge of events that specific individuals may have had;
- the extent of active collusion among individuals; and
- whether there are indications of intent.
Establishing a timeline can be one of the most important requirements of an investigation. A complete timeline of events can often be established by integrating the separate timelines learned from a review of:
- systems and facilities access records;
- electronic transaction information (e.g., entries, approvals);
- documentation (e.g., invoices, shipping records); and
- electronic communications (e.g., emails).
One example of the use of both financial and non-financial data is in the investigation of alleged financial reporting fraud. When an allegation is made that a company’s financial statements have been intentionally manipulated, any of a large number of schemes come to mind. The most common fraudulent financial reporting schemes involve improper recognition of revenue, inflating turnover/sales through fictitious transactions or accelerating the recognition of legitimate transactions. So, a revenue inflation scheme will serve as our example.
To establish that the financial statements improperly reflect sales, electronic data from the sales and accounts receivable systems will need to be analysed in conjunction with physical or electronic records associated with customer orders, inventory, shipping and delivery, among others. By analysing these records, the investigator may establish that sales recognised by the company failed to conform to applicable accounting standards (e.g., International Financial Reporting Standards).
But accounting mistakes are common. For this scheme to be fraudulent, the subjects’ dishonest intent to violate the accounting rules must be established. This is where analysis of emails and other electronic communications may be valuable. Perhaps email exchanges can be located documenting discussions of revenue shortfalls and methods of meeting budgeted figures. In this case, analysis of unstructured non-financial data may be one of the keys, along with interviews of subjects, to proving that the company intentionally violated their own policies and pertinent accounting principles.
Analysis of both financial and non-financial data is an important step in preparing to interview witnesses and subjects. Reading email and other communication chains before conducting the interview allows an investigator to plan the order and structure of questions to put the interviewer in the best position to identify conflicting statements and to obtain a confession.
Other investigation scenarios in which analysis of unstructured data association with communications between individuals include:
- collusion between multiple employees involved in the theft of cash or other tangible or intangible assets;
- bribery schemes in which the organisation has paid bribes, directly or indirectly, to obtain or retain business; and
- kickback schemes in which a vendor has paid a procurement official of the organisation to steer business to the vendor.
20.7 Use of external data in an investigation
Most data and documentation used in an investigation is internally generated – it comes from within the organisation or (in the case of invoices from the vendor) is otherwise readily available within the organisation. Occasionally, however, data or documentation that is only available from external sources becomes essential. External sources of data fall into two broad categories, public and non-public.
Public data and documents are those that are usually available to the general public either by visiting a website or facility or on request from the holder of the records. In most cases, public records are maintained by government agencies. Examples of public records vary significantly from one jurisdiction to another. But some examples of public records that may be useful to investigators are:
- licences and permits issued by government agencies to individuals or businesses;
- records of ownership or transfers of ownership of property (e.g., sales of land and buildings);
- criminal convictions of individuals and organisations, and certain other court records; and
- business registrations and certain filings made by organisation.
Availability and the extent of these records can differ markedly as an investigator seeks information from different parts of the world.
Increasingly, public records may also include information that an individual voluntarily makes publicly available. For example, when an individual posts photos or makes statements on social media, this information might be readily available to any and all viewers. Once again, investigators should always use caution when accessing this information, especially if the information is only available to ‘friends’ or other contacts that the individual has granted special access to. But when social media information is made fully available to the general public, it can provide a treasure trove of information about a subject, such as:
- places the subject has visited;
- individual contacts;
- business relationships;
- assets owned; and
- past and present employers.
Another public source of information involves websites that do not require special password or other access privileges. For example, a company’s website or that of a trade association or other membership group that a subject might be involved with could provide clues about the subject’s relationships, travels and past.
Even information that is no longer on a website might still be available to an investigator. The Wayback Machine at www.archive.org is an archive of almost 500 billion past pages on the internet. Simply typing the URL of a website into the Wayback Machine will produce an index by date of prior versions of that website which have been archived and are available for viewing. Accordingly, an investigator may be able to find useful information from past editions of websites long after the information has been deleted.
Non-public records are private and confidential. Holders of these records are under no obligation to produce these records unless they have provided their consent or they are compelled to do so as a result of a legal process, such as a court order or subpoena. Records such as personal bank statements of individuals who may be the subject of an investigation fall into this category. Investigators normally do not have ready access to these records.
Vendor records would normally be non-public. However, a properly worded right to audit or access to records provision included in the contract between the organisation and the vendor may provide access to some of the most important records an investigator might need if fraud or corruption involving a vendor is suspected. A well-crafted access-to-records clause can enable an investigator to request and view a wide variety of records, including:
- supporting documentation for invoices sent to the organisation by the vendor;
- accounting and payroll records;
- time records supporting employees’ work efforts; and
- communications relevant to the vendor’s relationship with the organisation.
If a vendor is suspected of inflating their billings to the organisation in any manner, or there are indications of collusion between an organisation employee and a vendor, one of the first steps an investigator should perform is to carefully review the terms of the contract to assess the organisation’s rights to access these records.
20.8 e-Discovery and litigation holds
Owing to the proliferation of electronic data, an increasingly important initial step in many investigations is to determine what relevant information exists, in what form (paper or electronic), where it is located (e.g., an on-site data centre, off-site at vendors, in the cloud), what security measures are in place over the data, and what the organisation’s standard record retention and destruction policies and practices are. The process of identifying, inventorising, and preserving relevant data that may be of use in an investigation is referred to as e-Discovery.
In addition, as soon as it becomes evident that an investigation could lead to legal proceedings, a litigation hold should be issued. A litigation hold results in the suspension of any destruction or deletion of paper or electronic records that could be relevant to the investigation. Proper communication of a litigation hold to all pertinent individuals and departments is important to avoid accidental destruction of critical records.
20.9 Review of supporting documents
While the use of electronic data is increasingly becoming a major element of investigations, analysis of paper documents remains vital to many investigations. Studying the processes and internal controls involved in the transaction cycle suspected in the investigation should result in a list of documents that are relevant. For example, in a procurement transaction, several paper documents may need to be reviewed:
- budget authorisation form;
- request for tender;
- bidding documents received from bidders;
- purchase order or purchase request;
- bill of lading or other confirmation of delivery of goods;
- signed confirmation for services provided;
- invoice from a vendor or supplier; and
- cheque or disbursement request form.
These documents might be reviewed for many different reasons. Among the most common:
- establishing a timeline of events;
- testing their clerical accuracy;
- reviewing for inconsistencies (e.g., a price reflected on a purchase order that was inflated on the final invoice);
- reviewing for agreement with accounting records; and
- reviewing for compliance with internal controls;
- establishing a trend (e.g., a series of increases in prices or quantities over time)
Testing for authenticity of the record itself or of individual signatures on documents normally involves a highly specialised skill, unless an anomaly is obvious. Accordingly, if an investigator suspects that a document on file is fraudulent or has been physically altered, or that a signature is not authentic, the document should be protected until someone with the specialised skills necessary to assess authenticity is called on.
20.10 Tracing assets
If the subject has misappropriated cash (via intercepting incoming funds intended for the organisation, stealing cash on hand, or fraudulently transferring funds from the organisation in connection with a disbursement fraud) one of the goals of most investigations is to secure the return of the funds. To do so, the investigation team must determine what the subject did with the money.
If the subject misappropriates other assets, a similar question must be addressed – where are they? Often, when assets are stolen, the subject’s goal is a conversion to cash by selling the stolen assets. In other cases, the stolen asset itself may be of use to the subject.
Depending on how assets were stolen, varying degrees of a trail might be left by the perpetrator, enabling the investigation team to forensically determine the flow of money after it has left the organisation. Many of the records necessary to fully trace assets are non-public. But investigators are sometimes surprised to learn that a subject has left a public trail of valuable clues regarding the disposition or location of illegally obtained funds or assets.
The rapid conversion of accounting and other records from paper-based systems to electronic systems, coupled with the explosion in the quantity and types of electronic data, has resulted in many changes in the field of forensic accounting and the requirements for investigations. Expertise in the evaluation and handling of electronic evidence is just one way in which forensic accounting has evolved. Focused and efficient use of data analytics as well as the ability to mine a universe of publicly available yet critical information regarding subjects, companies and their relationships are two additional ways in which forensic accounting has matured. On the other hand, operating within a web of global data privacy and other complex regulatory constraints can complicate the job of the forensic accountant. All in all, today’s forensic accountants are significantly more successful in identifying and mitigating fraud than their counterparts from long ago.
- 2016 ACFE Report to the Nations on Occupational Fraud and Abuse, published by the Association of Certified Fraud Examiners. Available at http://www.acfe.com/rttn2016.aspx.