Use of Forensic Accountants

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight


Forensic accounting, as an organised practice and moniker for this specialised type of accounting, took root in the 1980s, although forms of forensic accounting have likely been practiced for hundreds if not thousands of years in settling disputes or investigating suspicious discrepancies. The first known instance of the terms ‘forensic accounting’ and ‘forensic accountant’ being used was in an article by Maurice Peloubet published in the June 1946 Journal of Accountancy. The American Board of Forensic Accounting was established in 1993. International accounting firms formed ‘forensic accounting-oriented’ practices in the 1980s and 1990s. The first known forensic accounting textbook for students was published in 2003.

Today, forensic accounting has become a mainstream practice for accounting firms, and forensic accountants are being hired by business organisations and government authorities and agencies as part of internal audit or in-house investigation teams. Forensic accounting classes and even academic degrees are becoming more prevalent and popular at educational institutions. Forensic accounting is also commonly referred to as financial forensics and fraud auditing, and the three terms can be largely interchangeable, depending on the context.

What is important to make clear is that while the skills, technics and methods employed by forensic accountants and the activities they conduct, such as detailed data analysis, are used in other forms of accounting and auditing. What distinguishes the practice of forensic accounting from other forms of accounting is the purpose for which the work is being conducted and how the results are expected to be used.

As defined by its very name, forensic accounting is used for matters involving an alleged, suspected, or real violation of contractual terms, organisational policies, procedures, laws and regulations or other measure that could involve or result in a legal decision by a court of law or an administrative decision by an organisation that is punitive. For example, a forensic accountant could help organisations detect or investigate alleged or suspected wrongdoing within or against it, including staff misconduct. Or they could serve as an expert witness or subject matter expert in a civil or criminal law matter.

This chapter focuses on the use of forensic accountants specifically in investigations and forensic audits; two terms explained later which are also often interchangeable.

This chapter is written primarily for in-house professionals with a mandate to detect or investigate matters of wrongdoing within or against the organisation. Throughout this chapter wrongdoing is used as the general term for any act that is disallowed or prohibited and determined to have violated law, regulations, contract terms, or organisational policies and procedures that can result in a punitive decision and action by the organisation against the actor or actors. It is also for accounting and auditing professionals interested in pursuing a career in forensic accounting as part of an internal audit or investigation units. It is not meant as an implementation guide for the forensic accounting practitioner itself.

This chapter provides in-house investigation and internal audit units with useful contextual background about the forensic accounting profession, its roles and uses within internal audit or investigation units and when the skill is needed, scoping the work and key considerations, the skills and qualifications required, considerations in outsourcing the work, concluding and reporting findings and some practical guidance and examples.

Forensic accounting uses

Forensic accounting is a field that involves the application of specialised knowledge, experience and investigative skills by qualified practitioners to identify, analyse, quantify, interpret financial information and evidence and communicate findings in the conduct of internal audits, investigations or anti-fraud efforts. Many definitions, concepts and practice guidance used throughout this chapter were drawn directly from, or were inspired by, the General Principles for Financial Forensics, as endorsed by the Conference of International Investigators, October 2019. This chapter’s coauthors were on the General Principles’ drafting team.[1]

Forensic accounting has multiple uses within an organisation’s investigation or internal audit function. Functions within organisations that have the mandate to prevent, detect or investigate possible wrongdoing. An organisation as used in this chapter includes governmental entities and non-governmental organisations and foundations. Indicators of certain types of wrongdoing, such as misappropriation, theft or embezzlement of funds or goods, misuse of funds, corruption, and conflicts of interest, may be revealed or substantiated by forensically reviewing finance and accounting-related documents and records and the organisation’s related supporting documentation and records including as necessary, emails and other corporate communication records.

Indicators may include but are not limited to: (1) financial and accounting anomalies, such as irregular postings, unusual adjustments, misapplied expenses, duplicated payments, or atypical financial ratios, patterns and trends; (2) falsified financial reports and associated supporting documents and ledgers, such as vendor, payroll, cash and customer ledgers; (3) questionable expense patterns, entries and unfamiliar suppliers; (4) unexplained or unsupported revenues, expenses or accounting adjustments; or (5) inflated pricing and other indicators relevant to procurements and the various stages of a transaction or program activity life cycle. Indicators may also include whistleblowing patterns and trends, dominant management, or excessive turnover of personnel.

The presence of the indicators may also signal intentional violations or circumvention of internal control processes and possible collusion either within the organisation or involving external parties. Investigating how this occurred and by whom provides critical information in support of any investigative conclusions as well as recommendations for additional fraud mitigation measures. The specific evidence collected and interpreted by the forensic accountant is also useful in adding context and new insights to the fraud scheme that occurred or in explaining how it occurred and by whom.

In addition to conducting investigations, forensic accountants can be used:

  • To assess allegations or red flags not yet the subject of an investigation to determine if and what type of full investigation may be needed;
  • As an integral part of an organisation’s fraud deterrence efforts, analysis of fraud indicators, or to conduct fraud risk assessments of high integrity-risk situations;
  • To identify root causes and control weaknesses to form the basis for recommending fraud risk mitigation measures to the organisation or its implementing partners, and;
  • To quantify economic losses or financial impact of the wrongdoing for pursuing restitution, recovery of damages, fines as well as for asset or funds tracing.

How forensic accounting works

Specialists in any industry or discipline are schooled and trained on how matters associated with their specialty should be; i.e. how they should look and work. A chemical engineer uses their training and knowledge of the active ingredients that should be in certain medicines to detect counterfeit drugs. A conductor uses their musical skills to know what a Mahler symphony should sound like. A heart surgeon knows how a healthy heart looks and functions and uses that skill and knowledge to detect a patient’s hidden problems or abnormal rhythms to inform treatment options.

Accountants in general are schooled and trained to know how financial transactions and business activities should be reflected in an organisation’s books and records and reported. Accountants know the way that accounting entries made to record financial activities and movements should align and balance each other, into which account or accounts they should be recorded, and how they should be described and supported.

Accounting books and records serve as a lens into wrongdoing. Like the chemical engineer, banker or heart surgeon, forensic accountants, who are schooled and trained in business fraud schemes, look for indicators that things are not as they should be and are possible indicators of a specific scheme or wrongdoing. They scour the records looking for transactions, adjusted accounts, activities, supporting documentation or suppliers that raise suspicion or are questionable and have not been recorded or supported appropriately, fully or at all, and need further explanation as to why.

For example, consulting fees recorded wrongly to a seldom-used asset account or buried in a freight expense account may be hiding kickbacks paid to a customer. Payments to a supplier that are split into smaller amounts to avoid more stringent approval thresholds may be hiding diversion of funds. A reclassification of expenses to asset accounts near quarter or yearend may be indications of attempts to inflate the organisation’s bottom line, ‘cooking the books’.

Forensic accountants are schooled and trained in the types and volumes of supporting documents or records that should or must be available to evidence an accounting entry or financial transaction. For example, in investigating an allegation of ghost employees at a particular foreign subsidiary, the forensic accountant looks for evidence that the employees on the payroll are legitimate and exist. Do they have contracts, do they complete time sheets, are they on the health insurance rolls and included in the computation of payroll taxes? Do they have an email account, access badge and server log-in credentials and have these been used? To what bank accounts are their salaries being paid and are they each different, or are some salaries being paid to the same bank account?

Additionally, forensic accountants are trained to employ an investigative mindset in the identification, analysis and evaluation of financial, accounting and other information relevant to the activities anticipating that the information may be intentionally biased, false, misleading and incomplete.

When a forensic accountant should be used

An in-house investigation unit or internal audit unit should consider using a forensic accountant on matters that:

  • are financial in nature as the transactions and audit trail related to the potential nefarious activities are usually reflected in some manner in the organisation’s books and records. This would be for most business frauds such as financial misrepresentation such as ‘cooking the books’, misappropriation of assets such as embezzlement or diversion and corruption such as bribes and kickbacks;
  • require a thorough and detailed understanding of business activities that have been conducted and how funds were used by an organisation, function, office or subsidiary of it over a specific period of time and the identification of who conducted the activities and why;
  • require interpretation of questionable financial and accounting transactions and supporting documentation, this may include interviewing accounting professionals or witnesses for information and explanations;
  • require extraction of data digitally from accounting records, e.g. general ledger or inventory stock records. The actual extraction may be performed by a digital forensics expert, organisation IT personnel, or organisation accounting personnel but with oversight by the forensic accountant to ensure a complete and accurate data set;
  • involve documenting or tracing funds flows or cash or bank account movements between numerous accounts, organisations or individuals, and jurisdictions;
  • involve assessing value for money of specific purchases;
  • require computation of financial or economic loss or damages, including ‘but for’ projections for purposes of demanding restitution; and
  • fraud risk mitigation activities, fraud trend analyses and proactive analytics.

Many in-house investigation units hire experienced investigators who have forensic accounting training and skills, like this chapter’s authors. Forensic accountants, over time, also develop their general investigative skills and experiences conducting investigations with or without a forensic accounting element. Depending on the practitioner’s more general investigative skills and experience, a forensic accountant may be useful in a variety of activities within the in-house investigation unit including to:

  • conduct a fraud risk assessment;
  • intake and assess allegations or conduct activities to inform the further review or investigation of a matter;
  • inform the decision to close the matter or to refer it to another function within the organisation for consideration;
  • investigate or to support an investigation into allegations or suspicions of wrongdoing either inside or external to the organisation, or staff misconduct;
  • quantify associated economic losses or damages for purposes of pursuing restitution or legal judgment;
  • communicate complicated accounting evidence, findings and losses internally within the organisation, in a report, or to a court of law or an administrative or other judicial proceeding, as appropriate.

Scoping the work and key considerations

For whatever activities a forensic accounting practitioner is used, it is critically imperative that the scope and extent of the practitioner’s work and their skills and qualifications are aligned with:

  • the purpose and objectives of the activities to be conducted, i.e. whether the objective of the work is for fraud detection or deterrence, the forensic assessment of red flags, the investigation of possible wrongdoing, the pursuit of possible sanctions, the quantification of economic losses, or a combination thereof;
  • the resources and skills that are available to use and the available budget;
  • the degree of access to critical information, financial records and witnesses, including their cooperation, which may be limited or challenging;
  • the locations in which the fieldwork will be conducted, remotely or in person, and the languages needed to review documents and interview witnesses; and
  • the relevant standard of evidence required or expected for the purpose and objectives of the activities conducted.

When undertaking the assignment, the forensic accounting practitioner or their engagement manager should:

  • request originals of documented information where possible to reduce the risk of reviewing a document that has been manipulated for purposes of record keeping or the investigation itself;
  • use and analyse accounting records extracted digitally from the accounting system, rather than printed and provided by others, to ensure completeness, transparency and authenticity of the data;
  • to the extent possible, ensure that digital data extracts are appropriately structured and formatted to facilitate analysis using digital tools such as sorting, filtering, grouping, summation, content queries, graphical display and for identifying critical patterns, links and trends;
  • review non-accounting data such as procurement data, supplier lists, shipment data and non-financial data from external or open sources, such as business registrations to enhance the detection and clarification of issues;
  • consider requesting relevant data from digital devices of parties of interest where possible to gain additional relevant information not otherwise available, to validate source data, or to detect falsified information, as relevant. For example, recovered emails and metadata may reveal that the true source of an invoice from a suspicious supplier was an employee of the organisation rather than the purported supplier; and
  • use specialised software and dashboards designed to better illustrate complicated transactions, relationships and findings.

Investigation versus a forensic audit and fraud audit

Forensic audits are the service most closely associated with forensic accountants, whereby the terms forensic accounting and forensic auditing, and forensic accountant and forensic auditor, have become largely interchangeable. They are often also referred to as ‘fraud audits’ by stakeholders, although its focus and scope could be substantially different. A ‘fraud audit’ may also refer to, for example, work conducted by an internal audit function with a focus on fraud controls within an organisation. In reality, however, the terms ‘forensic audit’ and ‘fraud audit’ have no universal definition or defined scope within the accounting or investigation industries, or well-established professional standards issued by an authoritative body, in contrast to a ‘financial statement audit’ and ‘internal audit’ which are both well-defined in scope and have a long history of professional standards. The terms ‘forensic audit’ and ‘fraud auditdo not even have Wikipedia pages.

This current lack of a universal definition and of standards for forensic audits should be recognised and understood by in-house investigation units. This means that each new forensic audit has to be separately defined and scoped to fit the nature and objectives of the work to be conducted and its expected use. Of course, once defined, the same scope and terms of a forensic audit can be used multiple times if for the same purpose and objectives, such as performing routine forensic audits bi-annually on an organisation’s regional operating units or subsidiaries. A forensic audit could be scoped merely to look for red flags and issues in high fraud risk activities, or based on allegations or the identification of issues from an internal audit. In this context, the term ‘forensic audit’ is interchangeable with ‘preliminary investigation.’ The forensic audit could be light and broad in scope or a deep dive into a narrowly defined activity, depending on the context, purpose and objectives of the work.

A forensic audit can also be scoped with the same objectives of an investigation, and in recent years, more and more are, especially when the engagement is outsourced. Perhaps not called an investigation, per se, due to the preferences of the organisation or service provider, the objectives can be same as that of an investigation requiring the same types of skills conducting the same types of investigative activities, such as witness interviews and e-Discovery, with the objective of substantiating whether wrongdoing has occurred and by whom. In this case, the forensic audit generally must be appropriately scoped to collect evidence sufficient to meet the preponderance of evidence standard of evidence as covered in a later section.

Therefore, it is important that both the in-house investigation unit or internal audit unit and the forensic auditor, whether in-house or outsourced, specifies in the audit’s terms of reference the objectives and purpose of the work and how the findings are expected to be used. This is to ensure that the audit is appropriately scoped, resourced with the appropriate skills, undertakes the appropriate activities, and concludes at the appropriate standard of evidence.

Notably, should the forensic audit’s scope change due to preliminary findings to be similar to an investigation, the manager supervising the work and the forensic practitioner should ensure that the skills and professionals needed, activities conducted, and manner of reporting continue to be aligned with the audit’s revised scope, which may require a change in the audit’s personnel.

Skills and qualifications of a forensic accountant

The forensic accounting practitioners conducting the work, whether within, or external to, the organisation, need to have the requisite professional credentials, qualifications, skills and experiences in accounting principles and processes, accounting systems and controls, and financial reporting. The depth and breadth of requisite skills and experiences could vary based on the nature and complexity of the financial forensics work being performed, e.g. a basic review of bank statements versus complex funds tracing and the cost and availability of forensic accounting resources.

Forensic accountants should generally have an accounting degree from a university and have one or more professional accounting certifications. While these qualifications are not required, they demonstrate that the practitioner has a tested and recognised level of basic accounting competencies. The industry more generally requires these credentials for forensic accountants who testify as an expert witness or sign high-profile investigation reports. Having advanced degrees or certifications in internal auditing, fraud examination, investigations, law or other related field, or formal training and certifications by law enforcement or a government investigative authority are preferable for practitioners undertaking more complex investigations.

While having auditing experience whether in internal auditing or financial statement reporting is helpful, practitioners with practical accounting experience recording or approving accounting transactions for an organisation, generating accounting estimates and accruals, applying cost accounting, preparing budgets, management reports and financial statements will have a more in-depth understanding of the intricacies of how business accounting works in practice and how it can be manipulated and used to hide wrongdoing.

In working in or for an in-house investigation unit, or requested to conduct forensic audits, the practitioner should also have a basic working knowledge of and experience in core investigative activities including; allegation or red flag assessment, investigative planning or scoping and budgeting, digital forensics and eDiscovery tools and techniques, data analytics, evidence collection and interpretation, investigative interviewing, and report writing, as needed and the role that each core activity plays in conducting the work.

The forensic accountant must also possess deep knowledge of a wide variety of fraud and corruption schemes and possess the skill to explain and illustrate orally or in writing complicated accounting matters and transactions, fraud schemes, and investigative findings to an audience unskilled in accounting. They should also have a working knowledge of widely recognised and used fraud frameworks, such as the Fraud Diamond.[2]

Other skills which could enhance the practitioner’s functionality are mining and analysing big data sets, programming or writing algorithms whether in spreadsheets, data analytical tools or databases and working with data visualisation software and dashboards. The latter is not only used in analysing data but also in illustrating complex findings.

Outsourcing the work

Ideally when hiring investigative staff, in-house investigation units should aim to ensure that at least one of the hires is also a trained forensic accountant. This chapter’s authors are two great examples. Many in-house investigative units, however, especially smaller ones or ones with more of a security or compliance focus, have no investigators with forensic accounting skills, may need more resources due to caseloads, or outsources all investigations. For these needs, the work can be outsourced to an independent contractor, a boutique firm specialising in forensic accounting, or an accounting firm with forensic accounting practitioners.

There are numerous benefits in outsourcing the forensic accounting work. It provides access to more resources for large or exceptionally complex cases, and to practitioners specialising in your industry or the particular type of fraud scheme being investigated. The external resource’s independence better ensures its objectivity, and it minimises reputational risk of mishandling the work internally. Also, for organisations with few cases requiring forensic accounting, external providers are paid only when used. Additionally, using someone with an established reputation and brand name on a particularly high-profile matter can provide more assurance to the board of directors, stakeholders, the media and victims of the fraud, e.g. shareholders of a company engaged in financial reporting fraud, if relevant. This provides reassurance that the investigation is being done by an independent practitioner objectively, fairly, with the required skills and that the findings are at less risk of being whitewashed or influenced by those implicated within the organisation.

Outsourcing the work also has its drawbacks which can be mitigated with adequate planning and active oversight of the work. These include potentially higher costs, less control over the practitioner’s priorities and schedule, continuity of practitioners from case to case, less daily collaboration and interaction with the practitioners, and inconsistent quality of practitioners and output. Additionally, an external provider has less intimate knowledge of your organisation and its operations and people, and outsourcing does little to build your own unit’s capacity and experience.

Some guidance and key considerations in outsourcing forensic accounting work:

  • ensure that the service provider fully understands the investigative context and objective of the work and the expected standard of evidence, see next section, as this will drive the skillset of the resources used, the work conducted, and the expectations in the way in which the findings and conclusions are articulated;
  • ensure that the engagement is staffed with the appropriate skills and experiences, especially if using an accounting firm, which may propose to staff it with financial statement auditors having little or no investigative or forensic auditing experience;
  • avoid scope creep surprises by checking in regularly with your practitioner. If expanded scope is warranted, this allows the opportunity to weigh upfront the pros and cons of expanding the scope and budget as events unfold;
  • ensure that the practitioner has full access to the organisation’s records and staff and intervene early should it experience resistance or obstruction;
  • ensure that the practitioner’s report of findings concludes at the appropriate standard of evidence and does not evade its obligations with caveats, vague citations to supporting evidence, and claims of limited scope; and
  • agree to a documented budget with milestones and monitor performance against them on an ongoing basis.

Concluding on the findings and meeting the appropriate standard of evidence

Similar to an investigator’s work, the forensic account, whether in-house or outsourced, should meet the appropriate ‘standard of evidence’ in concluding and articulating their findings. Standards of evidence, also referred to as standards of proof, are the standards that the evidence collected must meet, by law or in accordance with organisational policies, to satisfy or discharge the burden of proof required for, or applicable to, a given charge of potential wrongdoing or the risk it could have occurred or be occurring.

The ‘burden of proof’ is the degree to which evidence must substantiate something as being factually true. The burden of proof and standards of evidence are interchangeable throughout this chapter. To substantiate something in this context is to validate or verify the factual truth, actuality of what occurred and importantly, what did not occur. In the context of business operations, the burden ranges from: no evidence, the activity is unsupported and therefore non-compliant, to absolutely certain, with numerous other levels in between. The burden may be set by law, legal precedent, government regulations, contractual terms, or an organisation’s and investigation unit’s internal policies, procedures and practices, such as employee and supplier codes of conduct. Examples of which are:

  • the burden of proof required by the employee code of conduct to be summarily terminated for code breaches may be fairly high, given the stakes; and
  • the burden of proof required by the code of conduct for suppliers or supplier contracts for ending a contract or relationship for suspected fraud may be fairly low requiring less evidence or proof, depending on the contractual terms and the value at stake.

In an organisation, the administrative ‘trier of fact’ with the burden of proof could be the officer, e.g. human resources or CEO who administers disciplinary action for staff misconduct, the ethics officer, the general counsel, other relevant roles, or the board of directors or one of its committees, e.g. audit committee.

Standards of evidence are applicable, whether formally or informally, to most functions within an investigation unit whether an informal inquiry, assessment of red flags or allegations, a spot check, a forensic audit, or an investigation. The investigation unit’s policies should dictate and guide what standards apply to each activity. Standards less stringent than for substantiating investigative findings such as reasonable basis, for example may be adopted by the unit for its fraud risk assessments, expenditure and records validations, the assessment of allegations or red flags, preliminary investigations, proactive spot checks of high-risk activities or locations, and the quantification of economic losses. This chapter provides an Annex with a comprehensive list of the various standards and guidance on applying them.

Therefore prior to scoping, staffing and commencing the work, it is essential that the forensic accounting practitioner and the investigation unit’s manager overseeing the work ensure that the work’s objectives and how its findings may or are to be used are aligned with the relevant standard of evidence. Why? Because the relevant standard directly influences the scope and nature of the activities conducted, the resources used, the type and volume of evidence collected and analysed, and how the findings are reported.

Notably, in many investigations, some evidence collected may reach the highest possible standards whereas other evidence only meets the lower standards. It is the combined weight of all relevant evidence, inculpatory and exculpatory, that is generally used to substantiate the investigation’s objective or the use of its findings. The Annex provides examples.

Reporting findings

The investigation unit’s policies and procedures dictate how the findings from an in-house, investigation unit’s various activities are to be reported and shared. The manner in which a forensic accountant’s findings, observations and conclusions are articulated and reported, whether taken alone or combined with information and findings from other investigative activities, is guided by those policies and should reflect the objective and expected use of the work and the applicable standard of evidence.

In all cases, a forensic accountant’s findings should be well documented and supported and the relevant supporting documentation and data should be maintained as part of the evidentiary record, as applicable. This includes, but is not limited to:

  • copies of accounting ledgers and journals;
  • transactional supporting documentation such as invoices, bank statements, payment documentation and delivery receipts; detailed analysis and worksheets;
  • the results and data from digital forensic or e-discovery analysis;
  • third party information and confirmations; and
  • open-source search results, corporate registrations and filings; communications; and records or transcripts of interviews, as applicable.

The forensic accountant’s report or internal summary of findings should be appropriately articulated and supported to reflect the applicable standard of evidence. For example:

  • preliminary assessments and spot checks should be explicitly clear in articulating the applicable standard and what work was not done, what evidence was not collected or considered, and what due process was not included, e.g. providing subjects with summaries of evidence and findings for comments;
  • for work and conclusions in which the preponderance of the evidence standard is required, the practitioner should explicitly state whether the evidence meets that standard, or not, and why or why not. The practitioner should avoid making a definitive finding that:
    1. is unnecessarily caveated;
    2. uses vague language, language limiters and weak modal verbs, e.g. could be, might;
    3. relies on evidence not sufficiently sourced, referenced, or corroborated; (4) falls short of presenting evidence sufficient to meet the standard, e.g. did not conduct interviews; or
    4. fails or refuses to conclude at the standard required, e.g. stating ‘the evidence seems to indicate that the act may have possibly or likely occurred…’ rather than ‘the investigation substantiated that it was more likely than not that the wrongdoing occurred…’.

In reporting their findings, the forensic accountant should take into consideration the intended audience and the purpose or purposes for which the report will be used. The forensic accountant should take into consideration the report’s length and depth of details, not use overly technical terms, and should use ample illustrations and examples to explain the fraud schemes and how they were accounted for, detected and proven. Because the schemes and their underlying accounting can be complex for the average reader, the practitioner is encouraged to make ample use of flowcharts, process flow graphs, visualisation software, entity relationship diagrams, excerpted images of supporting documents such as bank statements with the key evidence highlighted, and screenshots of relevant webpages.

The forensic accountant’s report should also highlight the root causes for the wrongdoing and control weaknesses that allowed it to occur, as applicable, as it can form the basis for recommending fraud risk mitigation measures to the organisation.

The practitioner may be requested to present the findings as either a fact witness or expert witness via deposition or as oral testimony in a court of law. Should this occur often, the practitioner should seek formal training on presenting effectively in such settings.

Practical examples

The following are practical examples of fraud schemes, the investigation of which would benefit from the use of a forensic accountant. The forensic accountant approaches each of these situations in a unique manner. They use their experience, skills and training to separate what is legitimate in the books and records, and what has been falsified to cover up a suspected fraud scheme.

Financial reporting misrepresentation

It is not uncommon for an operating unit within an organisation, or even the organisation generally, to push regulatory limits with aggressive interpretations of relevant generally accepted accounting and financial reporting principles. Less common but more egregious is the falsification of transactions and reporting fictitious activities. Often referred to as ‘cooking the books’, suspected perpetrators of these schemes purposefully distort or accelerate actual performance or worse, falsify data and supporting documentations to improve the metrics they are being measured on, including hiding poor performance. Results subject to manipulation could be the volume of quarterly new customer sales, annual revenue growth, gross or net margins, particular financial ratios critical to debt covenants, or other metrics used to improve publicly traded share prices.

Channel stuffing is a commonly used short-term revenue ‘enhancer’. It is the process of accelerating and bringing forward future revenues by selling and shipping near the end of a reporting period, more goods to distributors and customers than are currently ordered or needed. This is done to artificially boost reported sales and profit levels. Should channel stuffing be alleged or suspected, a forensic accountant would conduct analysis and look for indications that a sudden surge of sales and shipments is unusual and not easily explained by seasonality, sales promotions, nearing expiry dates, or other causes. The most prevalent tell-tale sign of channel stuffing is that the surge closed the gap between targeted or forecasted revenues for the reporting period.

A more egregious scheme is the falsifying of revenues in collusion with certain customers through existing customer channels or by creating fictitious customers. With some exceptions, the fictitious revenues never materialize in cash collections, leaving clear signs of the scheme within the books and records, waiting for the forensic accountant to identify.

Asset misappropriation, diversion and embezzlement

In these schemes, suspected perpetrators divert or steal money or assets from the organisation without authorisation or business purpose, for the financial benefit of the suspected perpetrator. It can also involve the suspected perpetrator misusing corporate resources, e.g. for personal use or benefit.

A forensic accountant can be invaluable for investigating suspected diversion. In addition to having to devise the mechanism on how to divert the assets, such as providing fictitious goods or services to fictitious suppliers created by the suspected perpetrator, they must also engineer a way to hide the diversion. They do so by falsifying how it is accounted for and supported in the books and records, so that it does not arouse suspicion, and sufficiently conceals the wrongful act, prima facie. This also usually requires falsifying invoices, goods receipts, purchase orders or other key supporting documentation and records. Additionally, procurement processes would have likely been manipulated or bypassed. None of this is easily done and usually leaves red flags that an experienced and well-trained forensic accountant can spot.

Related-party transactions

This scheme involves an organisation shuffling funds back and forth to external parties, or even internal parties such as subsidiaries disguising the shifting of funds as legitimate transactions. This may be done for many reasons, for example to inflate an organisation’s apparent revenues and profits. This may also involve the falsification of related production or service costs to lend support that a product or service was produced or sourced, and provided to the related parties. A forensic accountant is again useful here because this scheme would leave traces of suspicious funds in and out of a company’s bank account or accounts, who at the company made them, as well as suspect attributable debits and credits in the books. It may also be determined that related parties are owned by insiders or their family members, or they may not exist at all.

Falsified growth and solvency

An organisation looking to raise or improve its perceived value, may fabricate assets and misstate revenues. Buying other companies is one way a company could make itself look like it was growing. These companies may be purchased at overvalued prices and with overstated claims of new clientele. The amount claimed as paid for the companies may have never been made, or in reality a lower amount was paid. Also, if a company’s growth and success in relation to others in the same or similar business sector appeared abnormal, a forensic accountant could be hired to investigate. The forensic accountant would be hired based on having knowledge and expertise in a specific business sector, such as construction, banking or even coffee and coffee house chains. Using that specific knowledge and expertise in a particular sector, the forensic accountant may develop trends among peer companies and determine where rapid growth or contraction in certain accounts appear abnormal or raise red flags when compared to others in the sector.

Cash held at a bank may also represent a significant asset for a company. Bank confirmations may be used to verify the amount in the accounts, but these can also be manipulated. A suspected perpetrator may provide information in relation to their bank claims, such as fake physical or email addresses and other contact information for the bank. In such instances, it may not be the bank that replies to a bank confirmation, but the suspected perpetrator themselves. The forensic accountant can overcome such deceit. They may check for related information in other places or the lack thereof. For cash assets held at banks, the forensic accountant may check for debits and credits related to bank fees and interest gains. The lack of these, or other identified inconsistencies, would raise red flags that information and data received from the ‘bank’ may have been manipulated or entirely fabricated. Falsified or non-existent cash assets held at a bank would also need the creation of a significant amount of related data. Beyond fees and interest, the forensic accountant could also examine and review accounts receivable and payable. This way they would be able to understand where the cash came from and what it was used to pay for.

Corruption and kickbacks

Organisations operating in jurisdictions where corruption is common, or expected, may be subject to pressure by local suppliers to have contracts steered to them in exchange for a kickback. The same is true of opportunistic managers proactively looking for a quick payout from willing suppliers. Undisclosed and inappropriate conflicts of interest may also be an issue in the awarding of contracts. Proving the kickback, or conflict of interest, is difficult to prove without access to specific records. Those may include a suspect’s banking and accounting records and other financial and personal information. The payment method of the kickback can also take on cash and non-cash forms. However, the activities associated with the act may generate indicators that can be detected by a forensic accountant to support a corruption or kickback theory.

Forensic accountants know that income needs to be generated by the supplier in order to create the financial means for the payment of the kickback. These financial means may be imbedded in the price of the contract because non-immaterial kickbacks are rarely going to be paid out of the supplier’s pocket or bottom line. The contract may thus be ‘cheated’ in one or more ways by:

  • inflating the cost of the goods or services delivered to above competitive market prices;
  • under delivering on the goods or services, e.g. short shipments; or
  • substituting the product or human resource with something, or someone less expensive, of lesser quality or that does not meet the required technical qualifications.

Additionally, purposely steering a contract to a corrupt supplier usually leaves tell-tale signs within the procurement process itself. The forensic accountant is trained to spot those signs. Further steps can be taken by the forensic accountant to determine whether undisclosed conflicts of interest exist and whether a suspected perpetrator receiving a kickback is benefitting from unreported surplus financial income.

Annex: applying the appropriate standards of evidence

Most investigative professionals associate burden of proof with a court of law where most civil matters require proving what factually occurred with a preponderance of the evidence; and most criminal matters require proving what factually occurred beyond a reasonable doubt. But there are other burdens of proof that are applicable to the investigator’s work and in most cases, they are less stringent.

  • For example, a business unit within the organisation suspects that a winning bidder in a procurement tender may have misrepresented its work experience and the qualifications of its key staff that were critical for it receiving the highest technical scores. The investigation unit is asked to look into the matter without alerting the bidder. According to the organisation’s procurement rules the business unit only need to show that there is a ‘reasonable basis’ for concluding that the bidder misrepresented its information and to disqualify it from winning.
  • Based on this burden of proof, the investigation unit may choose to collect evidence of the bidder’s work experience on open-source research or by interviewing those familiar with the bidder’s work and its key staff. The evidence collected from one or both activities may be sufficient to meet the business unit’s burden of proof to disqualify the bidder.
  • The required applicable standard informs and drives the practitioner’s planning and scope of activities, resources used, the breadth and depth of work needed and how the findings will be reported. Thus, questions to answer up front may be:
  • What is the work’s context?
  • How will the findings be used?
  • What is the purpose and potential ultimate outcome of the exercise, which are the results for, e.g. who is the decision-maker and what is the required burden of proof, if known, that the decision-maker is required to meet?
  • Is the work to launch or close an investigation, inform the strengthening of risk mitigation measures, terminate an employee, cancel a supplier contract, demand restitution, ensure compliance with regulations, file a potential lawsuit in a civil court of law, or make a criminal referral to the authorities? Each of these requires a different level of proof of what factually has occurred.
  • What type and volume of evidence would be needed to meet the appropriate standard of evidence for the given burden of proof?

The questions may need to be revisited at various stages of evidence collection depending on the evolution of the findings.

The various standards of evidence that might be applicable to a forensic accountant’s work are listed in Table 24.1 from the least to the most stringent. In general, the higher the stakes of the decision or judgment to be made or rendered, the more stringent the standard of evidence required. For each of these standards, the standard of evidence has been met if the evidence collected is sufficient to discharge the decision maker’s burden of proof.

Table 24.1. The Standards of Evidence

Standard of EvidenceDescriptionApplication
UnsupportedThere is insufficient evidence to support the activity as it has been represented without resorting to corroborating effortsGenerally for when internal auditors or investigators are validating expenditures or inventory stock movements
Reasonable indications or Red flagsAn objectively factual basis for suspecting that possible wrongdoing may be occurring or has occurred. In practice, this may require more than just a scintilla, trace, of evidence depending on the context.Used in spot checks of operations or high-risk areas, fraud risk assessments, or allegations made by a credible whistle blower or by the organisation’s accountants, auditors or operations
Probable or likely or plausibleA slightly higher threshold of credible evidence supporting the possibility that wrongdoing has occurred, but that does not require the factfinder to weigh conflicting evidence.Generally the same uses as for ‘reasonable indicators’ but with a slightly higher need for more evidence demonstrating likelihood.

Reasonable basis or

Substantial evidence

Evidence of such sufficiency and relevance that a reasonable mind would accept as adequate to support the fact finder’s conclusions.Generally used to make business decisions such as terminating contracts, customers or suppliers, or to guide the next steps of an investigation.
Preponderance of the evidenceAlso known as the balance of probabilities, there is evidence sufficient to show that the wrongdoing is more likely or probable to have occurred than not occurred.The standard adopted for most administrative investigations even if the matter being investigated is criminal in nature, ultimately resulting in a referral to government authorities.
Clear and ConvincingThe evidence is highly and substantially more likely to show that the wrongdoing occurred than not occurred such that there must be an abiding conviction that the truth of the facts is highly probable.Applicable in certain civil cases, e.g. civil fraud, and some employee relationship, i.e. misconduct, matters. May also be adopted by an investigation unit for matters involving higher stakes (e.g. CEO misconduct).
Beyond a Reasonable DoubtThe evidence must be so convincing that no reasonable person would question the factuality of what occurred. The standard requires that the evidence offer no logical explanation or conclusion other than that the act/wrongdoing occurred.Used in criminal courts of law in trying individuals and corporations but is also used in some tribunals in deciding employee-based matters (e.g. wrongful termination).
Absolutely CertainCategorically clear and certain beyond any doubt and the evidence is irrefutable.The standard for the highest stakes; e.g. a country’s leader might require it of his intelligence services about who was behind a heinous act committed against the country before committing an act of aggression against another sovereign country.

In using the table, the term ‘evidence’ should be used in its broadest general sense, i.e. relevant information rather than its stricter legal definition and use in courts.

Interestingly, this relatively low standard is the one used by financial statement auditors to justify their opinions about whether the financial statements audited present fairly the financial position and performance of the organisation and are free of ‘material misstatement’. While the language differs across jurisdictions, auditor reports claim that ‘we believe that our audit provides a reasonable basis for our opinion.’

As a corporate investigation is administrative in nature versus criminal which are conducted by government and law enforcement authorities, many investigation units adopt the preponderance of the evidence standard generally used in civil court legal proceedings to substantiate the findings of an investigation, even if the matter being investigated is criminal by nature, such as fraud or theft. A clear distinction here is needed. Although an organisation investigates possible criminal activity within or against it, e.g. theft of assets, the administrative investigation is only attempting to establish that the evidence substantiates with a preponderance of the evidence that the criminal activity, e.g. theft occurred, as defined within the organisation’s codes and contracts, as a basis for making its punitive business or administrative decision. In these matters, the subject does not receive, nor is entitled to, the same due process rights and protections as in a criminal investigation nor are they subject to the same degree of potential punishment, imprisonment, or fines.

Notably, in many investigations, some evidence collected may reach the highest possible standards whereas other evidence only meets the lower standards. It is the combined weight of all relevant evidence, inculpatory and exculpatory, that is generally used to substantiate the investigation’s objective or the use of its findings, for example:

  • The investigation unit is investigating the alleged embezzlement of organisational funds by the head of the organisation’s regional office. It has collected both the sender’s and subject’s authentic original bank statements, wire transfer instructions signed by the subject, wire transfer advice, independent bank confirmation, email from the subject to the treasurer requesting the wire transfer with receiving bank account details, and tangible evidence and receipts of the use of funds by recipient/ or subject within days of receiving the wire transfer.
  • Most of this evidence on its own provides more than a ‘reasonable basis’ that funds were actually transferred. Their collective total meets or exceeds at least the ‘beyond reasonable doubt’ standard, if not meets the ‘absolute certainty’ standard proving that the subject had the organisation transfer funds to his personal bank account whereupon he thereafter converted them to personal use. Both standards are likely more stringent than what is required by the organisation’s policies to substantiate a transfer of funds occurred, e.g. perhaps just the bank statements alone may have met the more likely than not standard.
  • On the other hand, there is insufficient evidence indicating that the office head embezzled the funds, as he could have simply transferred them as a short-term loan for personal use for which he intends to repay. The transfer being recorded transparently in the “Staff Advances” ledger account and the subject’s statements corroborated this scenario. However, no one else was asked or informed, no paperwork was completed and no approvals were obtained from the central office.
  • In conclusion, the evidence, when taken together may be only sufficient to substantiate with a preponderance of evidence that the funds were inappropriately taken without authorisation, must be immediately repaid, and the office head appropriately sanctioned as per organisational policies. But it may not be enough to meet the same standard with a serious charge of embezzlement resulting in immediate dismissal. More evidence is needed to prove this wrongdoing sufficiently.

Legally reviewed by Jules Colborne-Baber (Deloitte UK).


[2] David T. Wolfe and Dana R. Hermanson, “The Fraud Diamond: Considering the Four Elements of Fraud,” The CPA Journal, December 2004.

Unlock unlimited access to all Global Investigations Review content