Forensic Accounting Skills in Investigations

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

22.1 Introduction

The purpose of this chapter is to explain Annual Update Integrity Vice Presidencykey steps and best practices in investigations from an accounting perspective. The term forensic, as defined in Webster’s Dictionary, means ‘belonging to, used in or suitable to courts of judicature or to public discussion and debate’. Accordingly, forensic accounting involves the application of specialised knowledge and investigative skills to matters in anticipation of possible litigation or dispute resolution, including in civil, administrative or criminal enforcement matters. Forensic accounting skills can be applied to a wide variety of investigations into alleged corporate and individual wrong­doing, including:

  • misappropriation of assets by employees;
  • bribery and corruption;
  • money laundering;
  • financial reporting fraud;
  • non-compliance with laws, regulations or provisions of contracts; and
  • fraud perpetrated by vendors or suppliers and other third parties.

We may refer to non-compliance instead of fraud. Non-compliance often lacks the intent of fraud and may manifest itself in the violation of an agreement, policy or otherwise acceptable behaviour. Investigations may focus on allegations of fraud or non-compliance.

The range of specialisations within the field of forensic accounting is diverse, but at the core is a focus on accounting systems, processes, records, data and reports. A logical order in which forensic accountants will proceed in an investigation is as follows:

  • gaining a broad understanding of allegations, accounting systems, employee responsibilities and business processes;
  • preserving records and other evidence;
  • mitigating losses;
  • developing a workplan for the investigation;
  • considering and carrying out data analytics, email review (often with counsel) and review of books and records;
  • conducting (often with counsel) information-gathering interviews; and
  • conducting (often with counsel) investigative interviews.

Many of the most important steps involved in this process are explained in this chapter.

22.2 Regulator expectations

In June 2020, the US Department of Justice (DOJ) set forth additional guidance[2] on how it evaluates corporate compliance programmes for assessment and sentencing purposes. Forensic accountants are well suited to help to develop effective compliance programmes or evaluate the efficacy of an existing programme. The DOJ guidance represents a credible roadmap for the building or enhancement of a programme, and adds detail and emphasis to the April 2019 guidance.[3] It remains centred on three primary questions: (1) Is the programme well designed? (2) Is the programme adequately resourced and empowered to function effectively? (3) Does the program work in practice?

The context of the DOJ’s guidance is to assist prosecutors to evaluate a corporation’s compliance programme in determining the form of any resolution or prosecution, monetary penalties and further compliance obligations such as a monitorship. Corporations, however, may use the guidance as a resource for building or enhancing their compliance programme. The DOJ guidance challenges the compliance professional with several hundred questions related to their existing programme. Although forensic accounting professionals collaborate with attorneys, auditors and several types of consultants to assist in-house compliance professionals with practically all aspects of their compliance programme, the DOJ’s revised guidance addresses the following key factors most applicable to forensic accounting:

  • risk assessments and in particular fraud risk assessments;
  • internal control testing
  • risk metrics including analytics;
  • gatekeeper training on the control processes;
  • third-party management;
  • internal audit and compliance function autonomy and independence;
  • internal audit effectiveness;
  • compliance and director access to data and information;
  • root cause analysis including appropriate remediation; and
  • investigations of misconduct.

The role of forensic accountants in conducting fraud risk assessments is long-established. This is largely based on experience investigating financial crimes and accumulation of best practices from compliance engagements. The fraud risk assessment – which requires fraud brainstorming, risk rankings and, ultimately, mapping risks to internal controls – is inherent in the forensic accountant’s skillset. Assessing fraud and corruption risk through analytics and AI have become a mainstay of forensic accountants’ added value. The risk metrics alluded to in the DOJ guidance suggest a formal way of measuring evolving risk and provides the compliance group with clear and concise dashboards for identifying risk, outlier data and fraud.

The guidance’s reference to gatekeepers[4] provides insight into a critical function that sometimes fails in the design stage but more often fails in the execution stage. Specifically, the guidance identifies training of gatekeepers in the control process (approvers, certifiers, etc.) as an important procedure. Forensic accountants often encounter gatekeeper design flaws from the organisation’s failure to segregate incompatible duties, but also in the execution because of poor training, lack of experience, and incompetence or indifference. The controls are only as good as their weakest link.

Third-party management may be the most common internal control to detect, deter and prevent misconduct. Forensic accountants who routinely provide compliance services offer background checks, investigative due diligence and relationship mapping all designed to identify relationships between and among individuals and organisations, prior illegal acts, beneficial owners, alter-egos and presence on sanctions lists. Third-party fraud comes in many iterations – the most pervasive is procurement fraud against the company, as well as ghost vendors to create slush funds for bribes to government officials. The guidance recognises the significance of robust internal controls in this space and specifically refers to the compensation paid to third parties, the business purpose and justification of the third parties, and the evidence of product or services from the third party.[5] The guidance also refers to the company’s audit rights within third-party contracts, audits most frequently carried out by forensic accountants.[6]

Internal auditors play a pivotal role in supporting a robust compliance programme, and the guidance recognises the significance of the internal audit function.[7] Specific questions posed in the guidance include whether the compliance and internal audit functions are independent, are adequately staffed and financed, and have access to relevant information and data in a timely manner. The internal audit and compliance functions can break down when one or more cannot be answered affirmatively. The consequences arising from a poorly financed compliance programme – or one structured to report to the same management that the compliance function oversees – is self-evident. Less obvious is the scenario where compliance and internal audit teams do not have sufficient or direct access to relevant sources of data to allow for the timely and effective monitoring or testing of polices, controls and transactions. Whether due to poor design, lack of resources, legacy systems from acquired entities or a plethora of data integrity issues, lack of complete and accurate data or information could be the death knell for compliance. The guidance suggests significant funding and resources should be allocated to data access and integrity for the compliance team to properly carry out its functions.

Root cause analysis is the investigative process of determining the facts and circumstances of the fraudulent act and identifying whether and which internal controls failed, responsible employees and third parties, the accounting aspects of the fraud – including how it was disguised in or kept off the books, and the extent and pervasiveness of the fraud. The most important part of the root cause analysis is the remedial actions that follow. The DOJ guidance and the Benczkowski Memorandum[8] on selection of monitors in criminal division matters stress the importance of remediation. References to lessons learned, updates to policies, procedures and controls, the adequacy of the compliance programme both at the time of the offence and the charging decision, continuous improvement, and whether the company undertook an adequate and honest root cause analysis pervade the DOJ guidance. Forensic accountants are well-suited to assist corporate compliance teams with root cause analysis and the remediation responsibilities that follow. Investigative, data analytics, risk assessment and internal control skills and experience make forensic accountants an integral and invaluable part of the process.

The DOJ’s additional guidance on how it evaluates corporate compliance programmes demonstrates there are numerous opportunities for forensic accountants working with legal and compliance teams to add significant value in building and enhancing the corporate compliance function.

22.3 Preservation, mitigation and stabilisation

Turning to the specific steps where a forensic accountant can assist, an important consideration at the outset of an investigation is to identify the necessary steps to mitigate loss of funds or other assets and to preserve data and relevant records. This may entail closing of bank accounts, freezing of email and other communications, deactivating user passwords and other steps to deny access to subjects of the investigation. Where the nature of the investigation requires it, financial and accounting information will need to be preserved and stabilised. Physical documents in this category may include a wide variety of records, such as purchase orders, invoices, customer orders, delivery records, etc. Every step of the transaction cycles involved in the scheme under investigation should be considered at this stage to identify all potentially relevant documents and electronic records (including audio).

22.4 e-Discovery and litigation holds

Owing to the proliferation of electronic data, an increasingly important early step in many investigations is to determine what relevant information exists, in what form (paper or electronic), where it is located (e.g., an on-site data centre, off-site at vendors, in the cloud), what security measures are in place over the data, and what the organisation’s standard record retention and destruction policies and practices are. The process of identifying, taking inventory of, and preserving relevant data that may be of use in an investigation is often referred to as e-discovery.

In addition, as soon as it becomes apparent that an investigation is necessary, a litigation or preservation hold notice should be issued. These notices require the suspension of any destruction or deletion of paper or electronic records that could be relevant to the investigation. Proper communication of a litigation hold or preservation order to all pertinent individuals and department which may include third parties who, for example, are responsible for archiving the organisation’s data off-site, is important to avoid accidental destruction of critical records.

22.5 Violation of internal controls

An important part of an investigation is establishing whether the act was intentional. Demonstrating that a subject was aware of and violated a documented, well-established internal control is often a relevant factor. For example, determining how an internal control was circumvented or otherwise violated is also an important part of understanding how fraud or corruption was perpetrated, because establishing that a subject intentionally violated internal controls can be important in connection with criminal prosecution or the regulatory enforcement process, and understanding precisely how internal controls were violated is critical to developing a remediation plan to enhance controls and to prevent future occurrences. In addition, understanding how internal controls were bypassed or overridden will often provide critical insight into who knew what and when.

The first step in determining whether policies or procedures were violated is to gain a thorough understanding of the accounting behind the controls as well as the identities of employees responsible for accounting, internal controls and the business processes being investigated. Upon gaining this basic knowledge, we identify the established policies and procedures (the current state). This normally entails reviewing documented policies and procedures, and walkthroughs, and may also include interviews with employees to help clarify any ambiguities in the documentation. Some considerations include:

which employees are authorised to initiate and process a transaction;

which employees are authorised to approve a transaction;

  • which employees can approve new vendors;
  • which employees are responsible for account reconciliations;
  • which employees have physical access to assets, including cash;
  • documentation requirements for the transaction;
  • how and where electronic and paper records are stored; and
  • how exceptions or unusual transactions are handled, including budget variance analysis.

It may also be important to review any training programmes that the subject of the investigation has received. Doing so can establish more firmly that the subject had an understanding of the proper method of handling the transactions.

Most accounting cycles, such as procurement, disbursement of funds and payroll, include many steps. Some of these are evidenced manually, such as with written approvals by signature and supporting documents such as invoices and delivery confirmations. Other steps require analysis of electronic records. Examples of critical pieces of electronic evidence related to internal controls include:

Date and time stamps: Most systems leave a valuable trail that can be used to establish an accurate and detailed timeline of events. For example, a vendor invoice may be put into the accounts payable system late at night during non-work hours, approved for payment moments later and payment is made to the vendor the very next day. Why the rush? Is there a legitimate need or is something more devious involved? Does payment so quickly comply with the organisation’s normal cash management and bill-paying policies?

  • User identification numbers: Systems maintain a record of user log-ins, along with date and time of information access and updates. Directly or indirectly, it is often possible to determine exactly which user of a system performed each step in the chain of activities comprising a transaction – who set a vendor up in the master file, who authorised the purchase and whether it was competitively bid, who entered the vendor invoice, who approved it for payment, who scheduled it for disbursement, who transmitted payment, etc.
  • Security matrices: Often reviewed in connection with the preceding step, determining which users have access to specific components of each system can play a vital role in assigning responsibility for specific steps in a matter under investigation. Access to a system often does not mean access to every part of that system. Analysis of a security matrix provides details of this information. Who has ‘read only’ access to vendor and invoice data? Who has input capability? Who has approval authority to release payments to vendors? Aligning this information with information gleaned from the preceding steps can find exactly where internal controls were compromised, including identification of instances of unauthorised access through password theft or sharing.

Physical documents are often important pieces of evidence in an investigation. But electronic evidence associated with a transaction cycle tends to be equally or more important. Proper analysis of this evidence enables an investigator to draw conclusions and gain insight that would be impossible in an entirely paper-based system. For example, a paper copy of a vendor invoice can be analysed to establish whether a subject signed or initialled it, and perhaps whether any alterations were made to the document. But if the organisation’s vendor invoice approval and payment system is electronic, the investigator can also determine with precision the date and time of the approval of the invoice and perhaps even where the subject performed these steps (from home, from a workstation in the office, etc.).

22.6 Forensic data analysis

Forensic analysis of data refers to analysis of electronically stored data. The most commonly analysed data are accounting and financial, but several non-financial categories of data are also very useful to investigators. Each is explored below.

Data analysis generally has three applications in the investigative process:

to initially detect fraud or non-compliance (e.g., monitoring performed by internal audit);

  • to corroborate an allegation in order to justify launching an investigation (e.g., proving that an allegation received via a hotline appears to have merit); and
  • to perform certain parts of the investigation (e.g., analysis of payments made to suspicious vendors).

Each of these will be explained further. But first, a few important points about data analytics are essential.

Data analytics rarely prove that fraud or non-compliance occurred. Rather, data analysis identifies transactions or activities that have the characteristics of fraud or non-compliance, so that they can be examined further. These are often referred to as anomalies in the data.

If an investigation ultimately leads to employee terminations or legal proceedings to recover losses, it is critical to have properly analysed the anomalies that data mining has identified. Could the anomaly in the data, or an anomaly in a document, while often identified as a characteristic of fraud, also simply indicate a benign deviation? Failing to investigate and rule out non-fraudulent explanations for anomalies can have consequences that many investigators have learned about the hard way.

Identifying and exploring all realistically possible non-fraudulent, non-corrupt explanations for an anomaly is also called reverse proof. Examining and eventually ruling out all of the valid possible non-fraudulent explanations for an anomaly in the data or documentation can prove that the only remaining reasonable explanation is fraud or corruption.

Take a simple example to illustrate this important concept. An employee is found to have submitted the same business expenditure twice for reimbursement (paid for using a personal credit card). Further analysis shows that this is not an isolated incident. In fact, the rate at which the employee submitted duplicate expenditures has increased over time – a classic red flag commonly associated with perpetrators of fraud. Is this a sufficient basis to support an allegation of misconduct?

This would be premature. What if, on further analysis, the investigator also finds that the employee has been asked to work an increasing number of hours every week and travel much more extensively over time. Investigating further, it is found that this employee is particularly disorganised and has never been asked to do this much business travel before. These additional facts make the distinction between an intentional act of fraud and an escalating series of honest mistakes a bit blurry.

Careful consideration of alternative theories for data and document anomalies is critical to protecting the organisation and the investigator from liability stemming from falsely accusing someone of wrongdoing.

22.6.1Data mining to detect fraud or non-compliance

Depending on which application or phase of the investigative process is involved, the nature of forensic data analysis can vary. For example, as an initial detector of fraud or non-compliance through ongoing monitoring, forensic data analytics usually takes one of two broad, but opposite, approaches: identification of any activity that deviates from expectations, or identification of activity that possesses specific characteristics associated with fraudulent or corrupt behaviour or other non-compliant conduct.

The former approach is taken when acceptable behaviour is narrowly defined, such that the slightest deviation warrants investigation. The latter approach is the more common. It is driven by a risk assessment and is based on what this type of fraud or non-compliance would look like in the data. For example, a shell company scheme might evidence itself by an address in the vendor master file matching an address in the employee master file. Any instances of such a match would be investigated.

In some cases, basing the ‘investigate’ or ‘don’t investigate’ decision on a single characteristic in the data can result in numerous false positives. For this reason, more sophisticated data analytics often rely on the consideration of multiple characteristics in assessing the risk of activity being fraudulent or corrupt.

Regardless of which of these two approaches is taken, data analytics often represents an essential tool for gathering evidence to lay the foundation for substantive examination of books, records and other evidence. Following the reverse-proof concept described above is critical once anomalies indicative of possible wrong­doing are uncovered.

22.6.2Corroborating allegations

As a method of corroborating an allegation that has been received, data analysis can be of great value. It is a significant advantage to the investigator because, more often than not, it can be performed on electronic data without alerting the subject of the allegation. In this application, the allegation is first assessed in terms of what impact the alleged fraudulent or corrupt act would have on financial or non-financial data. To illustrate, take the example of an allegation that workers in the shipping department of a warehouse are stealing inventory by short shipping orders to customers. There are numerous sources of data, both financial and non-financial, that could be analysed to assess the validity of this allegation:

gross profit margins – an unexplained decline in gross profit margins by product, or by location (as a result of having to re-ship additional items, with no associated revenue, to satisfy the customer);

  • inventory purchases – unexplained increases in purchases of certain inventory items without a corresponding increase in sales;
  • customer complaints – customer service data indicating complaints about incomplete shipments, especially if those complaints can be correlated back to specific orders; and
  • shipping records – using the customer complaint data, orders are correlated to specific shipments and employee names associated with filling and shipping these orders. Shipping records might also reveal more shipments to a customer than orders, indicating a second shipment was needed to complete the order after the customer complained.

This is a simple example, but one that illustrates that for every allegation, there likely exists data associated with either the perpetration or concealment of the fraud or non-compliance. And this data normally exhibits one or more anomalies in comparison with data from similar transactions that do not involve fraud or non-compliance.

22.6.3Using data analysis in an investigation

The final application of forensic data analysis is performed during the investi­gation itself. Once an anomaly has been found to involve fraud or non-compliance, additional forensic data analysis, along with substantive forensic examination of the evidence, may be performed to:

  1. determine how long the activity has occurred;
  2. determine which employees (or third parties) have participated in the fraud (i.e., assessing whether collusion was involved);
  3. measure the financial damage resulting from the activity;
  4. identify other fraudulent or corrupt conduct by the same individuals; and
  5. determine how the fraudulent or corrupt act was concealed and how internal controls were circumvented.

Determining who is involved in the fraud as well as who possessed knowledge of it is critical to the mitigation and control enhancement objectives. According to a 2016 report by the Association of Certified Fraud Examiners (ACFE), nearly 45 per cent of all fraud and corruption schemes investigated involve multiple perpetrators.[9] This figure has been steadily rising since the ACFE began studying fraud. The 45 per cent is split nearly evenly between cases involving multiple internal perpetrators and those involving collusion between insiders and outsiders, such as vendors or customers.

Point 4, above, may also come as a surprise to some, but is important. The ACFE report indicates that 31.8 per cent of the time an individual engages in fraud (especially with respect to asset misappropriations), they employ multiple methods to commit their crimes. The allegation or investigation may have initially focused on only one specific method. Exploring what other activities the subject might have the capability of engaging in is an integral element of the investigation. Investigators and victims attempt to ‘put a fence around the fraud’ as early in the investigative process as possible. Understanding the responsibilities of the subject and the potential for unrelated schemes is essential for erecting the fence. Victims often desire a narrow investigative scope – a sort of wishful thinking. An investigator’s worst-case scenario is missing a scheme conducted by a subject despite investigating the subject.

The question of who knew what and when can be particularly important in satisfying auditors in the context of financial reporting fraud. In addition to quantifying the financial statement impact from fraud, auditors rely on representations from management. Knowledge of whether previous representations came from fraudsters and the auditor’s assessment of management’s integrity are often important aspects of financial reporting fraud investigations.

In the next sections, the distinction between financial and non-financial data will be explored, followed by a discussion of internal versus external data.

22.7 Analysis of financial data

Most analyses of internal data relevant to an investigation begin with financial data, much of which comes from the organisation’s accounting system. Accounting data can exist in several separate systems, such as:

general ledger, the master ledger that reflects all accounts and the sum of all accounting activity for the organisation;

  • general journal, where journal entries are initially recorded before being posted to the general ledger;
  • books of original entry, which contain details of certain types of financial transactions, summaries of which are posted to the general ledger. Examples of books of original entry include sales, cash receipts, cash disbursements and payroll; and
  • subsidiary ledgers, which contain additional details of transactions and activities that appear only in summary form in the general ledger. Examples of subsidiary ledgers are accounts receivable and accounts payable ledgers.

Performing an investigation often requires the extraction and analysis of data from all these systems to see the big picture or to properly trace the history of a transaction or series of activities. The days of manually maintained books of original entry are gone. The vast majority of organisations now use electronic accounting and financial software, and in larger organisations these systems are included as part of a broader ERP system.

Some systems are hybrids of financial and non-financial information. Examples of these systems include:

Inventory: in addition to cost information associated with purchases, the system may also provide data on quantities and dates of purchases, deliveries, shipments, inventory damaged or scrapped, and counts resulting from physical observation.

  • Payroll: in addition to data on net amounts paid to employees, the payroll system will usually include other relevant data needed to calculate an employee’s gross and net pay, including various worker classification codes, hours worked during a pay period, rates of pay, tax and withholding information, along with bank account information for the electronic transfer of funds to employees.
  • Human resources: in most large organisations a human resources system that is separate from payroll is maintained. Included in this system are data on rates of pay and past raises, incentive payments, and other financial data about each employee, as well as significant amounts of non-financial data, such as each employee’s home address. Human resource information systems may also include vital information associated with an employee’s initial hiring, such as background and reference checks, verification of information provided on an employment application, etc. This information can be important if the organisation anticipates filing an insurance claim to be indemnified for losses attributable to an employee.

Availability of and legal considerations associated with each of these sources of internal data vary from one jurisdiction to another, particularly with respect to payroll and personnel information. Privacy issues must be considered before embarking on any use of such data in an investigation.

22.8 Analysis of non-financial records

Increasingly, non-financial data is being analysed as a standard element of an investigation. Non-financial data can be classified into two broad categories: structured and unstructured.

Structured data is the type of data that generally conforms to a database format. It is often numeric (e.g., units in inventory, hours worked by an employee, calendar dates), but can involve alpha data as well (e.g., codes associated with types of customer or employee, certain elements of an address).

Structured non-financial data is found in many systems, including those that include financial data mentioned above. Other systems, however, are entirely non-financial, but provide data that can be important to an investigation. Examples of non-financial systems commonly used for investigative purposes include:

Security: many organisations now use tools that leave an electronic trail of the exact times and dates when specific employees entered or left the building. Records of visits by vendors and other visitors may be included in this system or may be kept separately. Security information can be very useful in establishing timelines or the whereabouts of specific individuals.

  • Network data: much like accessing a building, networks maintain electronic records each time an authorised user logs on or off the system, and may retain a record of various aspects of the user’s network activity, such as which folders were accessed, which data was downloaded, which systems were used, etc.
  • Customer service: as the earlier example illustrates, data collected in the customer service system can have numerous applications in an investigative setting. Customer complaints about items missing from their orders may indicate theft in the warehouse.

Unstructured data refers to data that does not readily conform to a database or spreadsheet format. Text associated with messages in emails, explanations for journal entries and other communications are the most common. Unstructured data also includes photographic images, video and audio files.

Emails and text messages of interest to an investigator may involve messages within the organisation, between employees and communications between organisation employees and vendors, customers or other third parties.

Similar to other electronic data, when a user ‘deletes’ this information, a backup or archive version is often left behind and is available to an investigator. Understanding an organisation’s backup, archiving and storage practices is crucial to this part of an investigation.

Careful reviewing of email, instant messaging or text message chains (and, if available, recordings of telephone calls) is vital to most investigations and can provide an investigator with vital clues, such as:

  • the timeline of events;
  • the level of knowledge of events that specific individuals may have had;
  • the extent of collusion among individuals;
  • whether a subject or witness deleted email evidence; and
  • whether there are indications of intent.

Establishing a timeline can be one of the most important requirements of an investigation. A complete timeline of events can often be established by inte­grating the separate timelines learned from a review of:

  • systems and facilities access records;
  • electronic transaction information (e.g., entries, approvals);
  • documentation (e.g., invoices, shipping records); and
  • electronic communications, including metadata (e.g., emails).

Email (and where available, audio) review is of particular importance in establishing intent. Intent, particularly to a civil standard, may be inferred from communications that indicate an awareness that planned transactions or activities are in conflict with established policies and procedures or treatment of similar transactions. Sentiment analysis can also be performed in connection with email, instant messaging or text message communications. This type of analysis can identify pressures or rationalisations associated with fraudulent or corrupt behaviour. For example, an employee stating in these communications that he or she feels unfairly treated or resentment towards management might be expressing a rationalisation for stealing from an organisation.

One example of the use of both financial and non-financial data is in the investigation of alleged financial reporting fraud. When an allegation is made that a company’s financial statements have been intentionally manipulated, any of a large number of schemes come to mind. The most common fraudulent financial reporting schemes involve improper recognition of revenue, inflating turnover or sales through fictitious transactions or accelerating the recognition of legitimate transactions. So, a revenue inflation scheme will serve as our example.

To establish that the financial statements improperly reflect sales, electronic data from the sales and accounts receivable systems will need to be analysed in conjunction with physical or electronic records associated with customer orders, inventory, shipping and delivery, among others. By analysing these records, the investigator may establish that sales recognised by the company failed to conform to applicable accounting standards (e.g., International Financial Reporting Standards).

But accounting mistakes are common. For this scheme to be fraudulent, the subjects’ dishonest intent to violate the accounting rules must be established. This is where analysis of emails and other electronic communications may be valuable. Perhaps email exchanges can be located documenting discussions of revenue shortfalls and methods of meeting budgeted figures. In this case, analysis of unstructured non-financial data may be one of the keys, along with interviews of subjects, to proving that the company intentionally violated their own policies and pertinent accounting principles.

Analysis of both financial and non-financial data is an important step in preparing to interview witnesses and subjects. Reading email and other communication chains before conducting the interview allows an investigator to plan the order and structure of questions to put the interviewer in the best position to identify conflicting statements and to obtain a confession.

Other investigation scenarios in which analysis of unstructured data association with communications between individuals include:

  • collusion between multiple employees involved in the theft of cash or other tangible or intangible assets;
  • bribery schemes in which the organisation has paid bribes, directly or indirectly, to obtain or retain business; and
  • kickback schemes in which a vendor has paid a procurement official of the organisation to steer business to the vendor.

22.9 Use of external data in an investigation

Most data and documentation used in an investigation is internally generated – it comes from within the organisation or (in the case of invoices from a vendor) is otherwise readily available within the organisation. Occasionally, however, data or documentation that is only available from external sources becomes essential. External sources of data fall into two broad categories, public and non-public.

Public data and documents are those that are usually available to the general public either by visiting a website or facility or on request from the holder of the records. In most cases, public records are maintained by government agencies. Examples of public records vary significantly from one jurisdiction to another, but some that may be useful to investigators are:

  • licences and permits issued by government agencies to individuals or businesses;
  • records of ownership or transfers of ownership of property (e.g., sales of land and buildings);
  • criminal convictions of individuals and organisations, and certain other court records; and
  • business registrations and certain filings made by organisations.
  • '

Availability and the extent of these records can differ markedly as an investigator seeks information from different parts of the world.

Increasingly, public records may also include information that an individual voluntarily makes publicly available. For example, when an individual posts photos or makes statements on social media, this information might be readily available to any and all viewers. Once again, investigators should always use caution when accessing this information, especially if the information is only available to ‘friends’ or other contacts that the individual has granted special access to. But when social media information is made fully available to the general public, it can provide a treasure trove of information about a subject, such as:

  • places the subject has visited;
  • individual contacts;
  • business relationships;
  • assets owned; and
  • past and present employers.

Another public source of information involves websites that do not require special password or other access privileges. For example, a company’s website or that of a trade association or other membership group that a subject might be involved with could provide clues about the subject’s relationships, travels and past.

Even information that is no longer on a website might still be available to an investigator. The Wayback Machine at is an archive of almost 500 billion past pages on the internet. Simply typing the URL of a website into the Wayback Machine will produce an index by date of prior versions of that website which have been archived and are available for viewing. Accordingly, an investigator may be able to find useful information from past editions of websites long after the information has been deleted.

Non-public records are private and confidential. Holders of these records are under no obligation to produce these records unless they have provided their consent or they are compelled to do so as a result of a legal process, such as a court order or subpoena. Records such as personal bank statements of individuals who may be the subject of an investigation fall into this category. Investigators normally do not have ready access to these records.

When assisting counsel with preparing a request for a subpoena or other court-ordered production of private records, an investigator should be as detailed and specific as possible. Overly broad requests are normally either denied or result in potentially lengthy delays. For example, if records associated with a bank account are requested, rather than requesting ‘all records associated with the account’, it is normally better to itemise a list of those records, such as by requesting copies of:

  • bank statements for the relevant period;
  • images of cleared checks;
  • supporting documents for other debits from the account;
  • signature cards; and
  • application or other forms prepared to open the account.

A vendor’s internal records would normally be non-public and the vendor may be under no obligation to provide them to an investigator. However, a properly worded right to audit or access to records provision included in the contract between the organisation and the vendor may provide access to some of the most important records an investigator might need if fraud or corruption involving a vendor is suspected. A well-crafted access-to-records clause can enable an investigator to request and view a wide variety of records, including:

  • supporting documentation for invoices sent to the organisation by the vendor;
  • accounting and payroll records;
  • time records supporting employees’ work efforts; and
  • communications relevant to the vendor’s relationship with the organisation.

If a vendor is suspected of inflating their billings to the organisation in any manner, or there are indications of collusion between an organisation employee and a vendor, one of the first steps an investigator should perform is to carefully review the terms of the contract to assess the organisation’s rights to access these records.

22.10 Review of supporting documents and records

Studying the processes and internal controls involved in the transaction cycle in the investigation and the results from data analytics and email review will result in a population of documents and electronic records that are relevant. For example, in a corruption investigation, several paper documents or records may need to be reviewed:

  • budgets;
  • agent, distributor, supplier and customer contracts;
  • bidding documents;
  • margin data;
  • price lists;
  • market data;
  • vendor set-up documents;
  • sales by region, agent, territory and product;
  • background checks;
  • purchase order or purchase request;
  • bill of lading or other confirmation of delivery of goods;
  • signed confirmation for services provided;
  • invoice from a vendor or supplier;
  • cheque or disbursement request form; and
  • banking records.

These records might be reviewed for many different reasons. Among the most common are:

  • establishing a timeline of events;
  • testing their clerical accuracy;
  • reviewing for inconsistencies, anomalies and trends;
  • reviewing for agreement with accounting records;
  • reviewing for compliance with internal controls; and
  • determining authenticity of the document, the vendor and the services rendered.

Testing for authenticity of the record itself or of individual signatures on documents normally involves a highly specialised skill, unless an anomaly is obvious. Accordingly, if an investigator suspects that a document on file is fraudulent or has been physically altered, or that a signature is not authentic, the document should be protected until someone with the specialised skills necessary to assess authenticity is called on. Examples of obvious deficiencies in documentation include:

  • inconsistencies in addresses;
  • lack of letterhead or other characteristics normally expected of a legitimate vendor;
  • misspellings or other typographical errors;
  • document at variance with vendor master file;
  • inconsistencies in dates; and
  • inconsistencies in vendor invoice numbers and sequencing.

In a corruption investigation, the authenticity or business purpose of an inter­mediary may be in question. The investigator should determine:

  • the purpose of the intermediary;
  • the principals behind the intermediary;
  • the value, if any, of services rendered by the intermediary, to rule out use of the intermediary to create a slush fund or otherwise bribe a customer or influencer;
  • life before or after the intermediary; and
  • if the company documentation in connection with the intermediary is consistent with other intermediaries, policies and best practices.

22.11 Tracing assets and other methods of recovery

If the subject has misappropriated cash (via intercepting incoming funds intended for the organisation, stealing cash on hand, or fraudulently transferring funds from the organisation in connection with a disbursement fraud) one of the goals of most investigations is to secure the return of the funds. To do so, the investigation team must determine what the subject did with the money. Other sources of recovery may include culpable outside parties, including but not limited to collusive vendors, customers and agents. Coverage for employee dishonesty losses under insurance policies and fidelity bonds may also be possible.

If the subject misappropriates other assets, a similar question must be addressed – where are they? Often, when assets are stolen, the subject’s goal is a conversion to cash by selling the stolen assets. In other cases, the stolen asset itself may be of use to the subject.

Depending on how assets were stolen, varying degrees of a trail might be left by the perpetrator, enabling the investigation team to forensically determine the flow of money after it has left the organisation. The trail may begin with the company’s books and records. However, it is usually intentionally made opaque by fraudsters through money laundering techniques such as layering, transfers to shell companies, nominee shareholders and the use of clandestine communication techniques, cryptocurrencies, and tax havens where criminal law enforcement assistance may be less effective. Many of the records necessary to fully trace assets are non-public. But investigators are sometimes surprised to learn that a subject has left a public trail of valuable clues regarding the disposition or location of illegally obtained funds or assets that can be identified through indirect techniques, such as social media and internet due diligence, interviews of people in the know, establishing connections to the fraudster’s other assets in more vulnerable venues and through multinational co-operation of law enforcement agencies.

22.12 Development-bank forensic audit

One setting where forensic accountants have increased their presence in recent years is in forensic audits[10] in connection with multilateral development banks.

Multilateral development banks such as the World Bank Group, Inter-American Development Bank (IDB) and Asian Development Bank (ADB), have investigative offices within their organisations known as integrity departments.[11] Each of these integrity departments differs in name – Integrity-Vice Presidency (World Bank), Office of Institutional Integrity (at the IDB), Office of Anticorruption and Integrity (at the ADB) – but they share a similar mandate: the investigation of allegations of sanctionable practices within the scope of the broader development agenda of each bank.[12] These development banks have harmonised their anti-corruption principles and share many investigative approaches.[13] Since the purpose of these investigations is to determine the merits of allegations of corrupt and fraudulent practices, with the standard of proof being preponderance of the evidence, they are also an integral tool used more broadly in the oversight and mitigation functions of multilateral development banks. One senior forensic accountant from the World Bank noted the significance of forensic accounting in the bank’s oversight function and its use to proactively reduce financial losses.[14] Moreover, in the World Bank’s Integrity Vice Presidency’s 2017 annual report, the forensic services unit conducted a total of 13 audits involving 19 entities and 31 contracts valued at more than US$518 million.[15] This annual report noted that ‘forensic audits’ were also utilised to strengthen the World Bank’s fiduciary role and for risk management, in particular on the riskier projects.[16] In its 2017 annual report, the IDB’s Office of Institutional Integrity noted its audit and inspection powers in its investigations. The IDB also alluded to the ‘forensic audit’ as an investigative tool.[17] Although the ADB’s Office of Anticorruption and Integrity 2017 annual report did not cite forensic audits or inspection rights as an investigative tool, as discussed further below, the ADB in fact also has similar audit and inspection rights.[18]

The possible upshot of the significance of forensic accounting and exercise of audit and inspection rights in these multilateral development banks’ investigation and oversight functions is that forensic accounting will continue to evolve and is likely to become one of the most valuable tools to protect their policies.

Procurement guidelines and inspection clauses

The procurement guidelines or policies from the World Bank, IDB and ADB in general state that all borrowers, bidders, suppliers, consultants and contractors must observe the highest ethical standards.[19] The purpose of these high standards is to ensure that these parties will not be involved in sanctionable practices such as corrupt, fraudulent, coercive and collusive practices.[20] Within the context of these anti-corruption clauses, these procurement or policy guidelines also provide that a provision is required to be included in the request for proposals (or bidding documents) and any subsequent contracts that would permit the respective Banks to inspect documents related to the submission of proposal (or bids) and contract performance.[21] For example, the IDB’s procurement policies provide for the insertion of an inspection clause, ‘to permit the Bank to inspect any and all accounts, records and other documents relating to the submission or proposal (bid) and contract performance, as well as to have them audited by auditors appointed by the Bank’.[22] This clause provides for potential inspection or audit to be very broad in scope. The guidelines and policies from the World Bank, IDB and ADB provide no definitions or clarifications as to what specific accounts, records or other documents should be part of inspections and audits.[23]

When these inspection clauses are exercised during investigations by the integrity departments at these banks as part of their broader investigation against bidders, suppliers, consultants and contractors for alleged violations of sanctionable practices, a forensic accountant potentially has a wide latitude to review all kinds of financial documents, namely bank statements, tax invoices and vouchers. The senior forensic accountant at the World Bank mentioned above said that some of the World Bank forensic audits begin with complaints received by their integrity department and that, most commonly, their forensic audits reveal patterns of procurement fraud, conflict of interest, self-dealing, kickbacks, fraud in implementation and embezzlement of project funds.[24] In such cases, professional accounting skills coupled with an investigative mindset are used to uncover the misconduct.[25]

In summary, the forensic auditing of multilateral development banks as well as advising on the prevention, detection and mitigation of fraud and corruption constitute a significant growth area for forensic accountants.

22.13 Investigations involving national security interests

Forensic accountants engaged on investigations that involve national security interests require heightened sensitivity. Forensic accountants may find themselves involved in engagements where state secrets are either an integral or a tangential part of the assignment. For example, engagements related to the Committee on Foreign Investment in the United States (CFIUS), cross-border investigations or those involving entities employing a cross-border investment strategy may also, by their nature, involve intellectual property secrets of US companies who are contracted by the US government. This information may also be defined by CFIUS as ‘protected data’ in that any inadvertent or malicious release of this data can impact the national security of the United States. Several other types of engagements, including US Foreign Corrupt Practices Act investigations, international arbitrations and monitorships may present state-secret issues while not representing the core of the matter.

As technological innovation continues to dictate the rules of modern-day business, forensic accountants investigating entities employing a cross-border investment strategy should be cognisant of the complexities and heightened risks that arise due to national security interests. Special consideration should be given to the following emerging issues when dealing with companies that potentially pose national security risks.

22.13.1 IT infrastructure and potential segregation of client data

Forensic accountants should develop a customised risk profile at the onset of the investigation to assess possible cyberthreats, gaps in firm IT infrastructure controls, intrusion points and other high-risk scenarios. Subject to local law restrictions, the investigative team should consider separating physically and logically any client data received to prevent potentially virus-ridden files or malicious codes from being introduced or injected into firm networks. For example, consider using stand-alone servers with remote access (e.g., a Citrix environment) to review documents and conduct normal business activities during the investigation.

These safeguards, however, must be weighed against the practicalities of how the forensic accountants conduct their work – a careful balance needs to be struck between being vigilant and creating inefficiencies for the investigative team. Additionally, the views of the investigative team members should be taken into account – despite having the appropriate policy or protocols, a risk exists that they may be ignored if viewed by the engagement team members to be too strict or rigid. To the extent possible, less complex, user-friendly protocols should be implemented to encourage compliance; for example, the use of computers or devices with built-in heightened security features. Engagement teams may also consider implementing a cyber management centre operating round the clock to monitor and support the field team to lessen the burden on individuals.

While these options may be costly, it may be the most prudent approach to protect the investigative team from cyberthreats.

22.13.2 Compliance with data privacy laws and state secrecy law

Investigative teams should engage legal and IT infrastructure specialists experienced in navigating data privacy and state secrecy law issues to assist with developing the appropriate protocols to ensure compliance. The specialists should have specific knowledge and experience of the local laws and regulatory authorities in the countries involved in the investigation. Forensic accountants should be cognisant that even the company under investigation may not have the authority to determine whether the information and data being provided to them in the normal course of its investigation is considered a state secret. It is important not to rely solely on the company’s corporate legal and IT departments to make such determinations.

Nonetheless, forensic accountants should obtain written confirmation from the company under investigation explicitly stating that no state or commercial secret information is being provided, or to the extent it is, the company has obtained the appropriate authorisation to share such information. Furthermore, additional precautionary measures such as entering into confidentiality agreements for information exchanges should be considered.

Without external legal and IT infrastructure specialists, serious repercussions and risks potentially exist for the engagement team, including but not limited to possible arrest, detainment, etc. Depending on the nature of the investigation and the risk profile of the countries involved, the investigative team should develop a contingency plan and emergency protocol in the event a team member is detained, arrested or otherwise compromised.

22.13.3Involvement of foreign nationals

If the engagement requires assistance from foreign nationals, the forensic accounting team should consider implementing safeguards to limit access to potentially sensitive documents to prevent unauthorised or inadvertent sharing of information. Any potentially sensitive documents should be shared on a need-to-know basis and appropriately segregated from other engagement data and documents. Depending on the risk involved, certain engagements may, for example, necessitate compartmentalising any foreign national team member’s access to systems to prevent ‘insider’ threats. While the foreign national team members themselves may not pose any imminent threat individually, their access to the data and inner workings of the investigative team may subject them to being targeted by the intelligence services of the foreign country that may have a vested interest in the investigation.

Careful consideration should be given to the assigned roles and responsibilities of any foreign nationals. Additionally, forensic accountants should consider designating an engagement team coordinator to manage and track activities of foreign nationals to mitigate risks.

22.13.4Use of translators

Forensic accountants should exercise caution when using translators on its investigations involving national security concerns. Translator candidates should undergo a full scope background check prior to being engaged to identify potential areas of concern (e.g., former media reporters, prior government employment, ties to other parties of interest). Additionally, it is not uncommon for embassies and other foreign government agencies to engage translators for their own purposes – potentially from the same translation vendors as the investigative team. As such, an increased counterintelligence risk exists. The forensic accounting team should develop specific protocols in regard to sharing information with trans­lators providing them with only the basic information needed to perform their duties (e.g., brief background, objectives, specialised terms). The engagement team should avoid broader discussions on investigation planning or findings and observations when translators are present, to limit the potential risk of infiltration.

22.13.5Countries with advanced intelligence gathering capabilities

Investigations involving countries, such as Russia or China, with advanced intelligence gathering may pose an increased risk to friends and family members of the engagement team and engagement vendors or contractors. It is not uncommon for the intelligence agencies of such countries to make contact with individuals associated with highly sensitive investigations to collect any intelligence available. Forensic accountants should consider imposing a strict travel protocol to prevent team members from having contact with foreign nationals or even friends and family residing in the countries where the company under investigation has a presence to avoid any unnecessary risks. Moreover, the investigation team should frequently reiterate the importance of confidentiality throughout the investigation to deter inadvertent leakage of information.

22.13.6 Companies with significant state support

Investigations into companies that receive significant state support may pose additional risk for engagement team members. Nation states could potentially target the investigation for surveillance. As such, forensic accountants should consider engaging counterintelligence professionals to assist from an engagement planning perspective. For example, investigative teams may consider engaging security professionals to perform due diligence on hotels and other locations to be frequented by the engagement team. Additionally, security professionals can assist with developing travel protocols, including best practices such as using the ‘buddy system’ (i.e., never travel alone), keeping a low profile and limiting travel within designated safe areas.

22.13.7 Foreign investment and particular US national security concerns

In addition to the foregoing engagement-specific considerations, forensic accountants should also be generally familiar with the impact of foreign investments in the United States and how those investments are viewed by the US government as a potential threat to national security. Although forensic accountants may not have any specific charge to review such foreign investments in conducting their work, their investigative procedures may reveal a percentage of foreign funds invested in US companies that constitutes ‘control’ of the company under investigation. CFIUS oversees the national security aspects of foreign direct investment in the US economy. Forensic accountants may have an obligation to report findings regarding foreign control to a company’s general counsel to ensure awareness of the CFIUS regulations. The company’s general counsel would then decide whether to file a voluntary notice with CFIUS.

Forensic accountants should be aware that CFIUS’s purview now expands well beyond the common critical infrastructure industries, such as aerospace and defence, and other US government contractors that support US government agencies since President Trump signed into law the bipartisan Foreign Investment Risk Review Modernization Act in October 2018. The intensified scrutiny of certain industries expanded CFIUS’s purview and designated 27 new ‘critical technology’ sub-industries.

CFIUS can no longer be an afterthought. Forensic accountants should recognise that investors are considering CFIUS reviews as a priority. Recent regulatory updates have empowered CFIUS to intervene much earlier in the investment transaction negotiation process. As a result, legal teams for potential foreign investors who are seeking to invest in certain US industries no longer question whether CFIUS should be involved, but rather how, and how early.

22.14 Conclusion

The rapid conversion of accounting and other records from paper-based systems to electronic systems, coupled with the explosion in the quantity and types of electronic data, has resulted in many changes in the field of forensic accounting and the requirements for investigations. Expertise in the evaluation and handling of electronic evidence is just one way in which forensic accounting has evolved. Focused and efficient use of data analytics as well as the ability to mine a universe of publicly available yet critical information regarding subjects, companies and their relationships are two additional ways in which forensic accounting has matured. On the other hand, operating within a web of global data privacy and other complex regulatory constraints can complicate the job of the forensic accountant. All in all, today’s forensic accountants are significantly more successful in identifying, investigating and mitigating fraud than their counterparts in the past.


[1] Glenn Pomerantz and Nicole Sliger are partners, Karyl Van Tassel is a senior managing director and Michael Barba is a managing director at BDO USA, LLP.

[2] U.S. Dep’t of Just., Criminal Division, Evaluation of Corporate Compliance Programs (Updated June 2020) (June 2020 Guidance).

[3] U.S. Dep’t of Just., Criminal Division, Evaluation of Corporate Compliance Programs (Updated April 2019).

[4] June 2020 Guidance, page 4.

[5] Ibid., pages 7 to 8.

[6] Ibid., page 8.

[7] Ibid., page 15.

[8] Brian A Benczkowski, Assistant Attorney General of the United States, Memorandum re Selection of Monitors in Criminal Division Matters (11 October 2018).

[9] 2016 ACFE Report to the Nations on Occupational Fraud and Abuse, published by the Association of Certified Fraud Examiners. Available at

[10] A forensic audit is the application of specialised knowledge and investigative skills used to collect, analyse and evaluate evidential matter and to interpret and communicate findings in the courtroom, boardroom or other legal or administrative venue (Durkin and Ueltzen, 2009).

[11] Other multilateral development banks also have integrity departments. These include European Bank for Reconstruction and Development, African Development Bank, European Investment Bank and Asian Infrastructure Development Bank, but for the purpose of this chapter, the writers are limiting their comments to the World Bank Group, Inter-American Development Bank and the Asian Development Bank.

[12] World Bank, ‘Annual Update Integrity Vice Presidency Fiscal Year 2017’, (last accessed 20 August 2018); World Bank, ‘Who We Are’, (last accessed 20 August 2018); Inter-American Development Bank, ‘15 Years Standing Against Corruption’, Office of Institutional Integrity and Sanctions Systems, 2017 Annual Report, (last accessed 24 August 2018); Inter-American Development Bank, ‘About Us’, (last accessed 24 August 2018); Asian Development Bank, ‘iACT for Integrity and Respect Office of Anti-corruption and Integrity 2017 Annual Report’, (last accessed 24 August 2018); Asian Development Bank, ‘Who We Are’, (last accessed 24 August 2018).

[13] Asian Infrastructure Investment Bank, ‘AIIB Yearbook of International Law: Good Governance and Modern International Financial Institutions’, (last accessed 22 August 2018); Asian Development Bank, ‘Integrity Principles and Guidelines (2015)’, (last accessed 24 August 2018).

[14] Ferlatte, Ryna, ‘Fighting corruption behind the scenes: The evolving and ever important role of forensic audits in international development’, People, Spaces, Deliberation, World Bank, 13 May 2016, (last accessed 13 November 2019).

[15] World Bank, ‘Annual Update Integrity Vice Presidency Fiscal Year 2017’, (last accessed 20 August 2018).

[16] Ibid.

[17] Inter-American Development Bank, ‘15 Years Standing Against Corruption’, Office of Institutional Integrity and Sanctions Systems, 2017 Annual Report, (last accessed 24 August 2018).

[18] Asian Development Bank, Procurement Guidelines (April 2015) and Asian Development Bank, Guidelines on The Use of Consultants by Asian Development Bank and its Borrowers (March 2013).

[19] World Bank, Guidelines: Procurement of Goods, Works, and Non-Consulting Services under IBRD Loans and IDA Credits & Grants by World Bank Borrowers (January 2011, revised July 2014) and World Bank Guidelines: Selection and Employment of Consultants under IBRD Loans and IDA Credits & Grants by World Bank Borrowers (January 2011, revised July 2014); Inter-American Development Bank, Policies for the Procurement of Goods and Works financed by the Inter-American Development Bank GN-2349-9 (March 2011) and Inter-American Development Bank, Policies for the Selection and Contracting of Consultants financed by the Inter-American Development Bank (March 2011); Asian Development Bank, Procurement Guidelines (April 2015) and Asian Development Bank, Guidelines on The Use of Consultants by Asian Development Bank and its Borrowers (March 2013).

[20] Ibid.

[21] Ibid.

[22] Inter-American Development Bank, Policies for the Procurement of Goods and Works financed by the Inter-American Development Bank GN-2349-9 (March 2011) and Inter-American Development Bank, Policies for the Selection and Contracting of Consultants financed by the Inter-American Development Bank (March 2011).

[23] Ibid.

[24] Ferlatte, Ryna, ‘Fighting corruption behind the scenes: The evolving and ever important role of forensic audits in international development’, People, Spaces, Deliberation, World Bank, 13 May 2016, (last accessed 13 November 2019).

[25] Ibid.

Unlock unlimited access to all Global Investigations Review content