Forensic Accounting Skills in Investigations

This is an Insight article, written by a selected partner as part of GIR's co-published content.

22.1 Introduction

The purpose of this chapter is to explain key steps and best practices in investigations from an accounting perspective. The term ‘forensic’, as defined in Webster’s Dictionary, means ‘belonging to, used in or suitable to courts of judicature or to public discussion and debate’. Accordingly, forensic accounting involves the application of specialised knowledge and investigative skills to matters in anticipation of possible litigation or dispute resolution, including in civil, administrative or criminal enforcement matters. Forensic accounting skills can be applied to a wide variety of investigations into alleged corporate and individual wrongdoing, including:

  • misappropriation of assets by employees;
  • bribery and corruption;
  • money laundering;
  • financial reporting fraud;
  • non-compliance with laws, regulations or provisions of contracts; and
  • fraud perpetrated by vendors or suppliers and other third parties.

We may refer to non-compliance instead of fraud. Non-compliance often lacks the intent of fraud and may manifest itself in the violation of an agreement, policy or otherwise acceptable behaviour. Investigations may focus on allegations of fraud or non-compliance.

The range of specialisations within the field of forensic accounting is diverse, but at the core is a focus on accounting systems, processes, records, data and reports. A logical order in which forensic accountants will proceed in an investigation is as follows:

  • gaining a broad understanding of allegations, accounting systems, employee responsibilities and business processes;
  • preserving records and other evidence;
  • mitigating losses;
  • developing a workplan for the investigation;
  • considering and carrying out data analytics, email review (often with counsel) and review of books and records;
  • conducting (often with counsel) information-gathering interviews; and
  • conducting (often with counsel) investigative interviews.

Many of the most important steps involved in this process are explained in this chapter.

22.2 Regulator expectations

In June 2020, the US Department of Justice (DOJ) set forth additional guidance[2] on how it evaluates corporate compliance programmes for assessment and sentencing purposes. Forensic accountants are well suited to help to develop effective compliance programmes or evaluate the efficacy of an existing programme. The DOJ guidance represents an authoritative road map for the building or enhancement of a programme, and adds detail and emphasis to the April 2019 guidance.[3] It remains centred on three primary questions: (1) Is the programme well designed? (2) Is the programme adequately resourced and empowered to function effectively? (3) Does the programme work in practice?

The context of the DOJ’s guidance is to assist prosecutors to evaluate a corporation’s compliance programme in determining the form of any resolution or prosecution, monetary penalties and further compliance obligations such as a monitorship. Corporations, however, may use the guidance as a resource for building or enhancing their compliance programme. The DOJ guidance challenges the compliance professional with several hundred questions related to their existing programme. Although forensic accounting professionals collaborate with attorneys, auditors and several types of consultants to assist in-house compliance professionals with practically all aspects of their compliance programme, the DOJ’s revised guidance addresses the following key factors most applicable to forensic accounting:

  • risk assessments and in particular fraud risk assessments;
  • internal control testing;
  • risk metrics including analytics;
  • gatekeeper training on the control processes;
  • third-party management;
  • internal audit and compliance function autonomy and independence;
  • internal audit effectiveness;
  • compliance and director access to data and information;
  • root cause analysis including appropriate remediation; and
  • investigations of misconduct.

The DOJ’s additional guidance on how it evaluates corporate compliance programmes demonstrates there are numerous opportunities for forensic accountants working with legal and compliance teams to add significant value in building and enhancing the corporate compliance function.

22.3 Preservation, mitigation and stabilisation

Turning to the specific steps where a forensic accountant can assist, an important consideration at the outset of an investigation is to identify the necessary steps to mitigate loss of funds or other assets and to preserve data and relevant records. This may entail closing of bank accounts, freezing of email and other communications, deactivating user passwords and other steps to deny access to subjects of the investigation. Where the nature of the investigation requires it, financial and accounting information will need to be preserved and stabilised. Physical documents in this category may include a wide variety of records, such as purchase orders, invoices, customer orders, delivery records, etc. Every step of the transaction cycles involved in the scheme under investigation should be considered at this stage to identify all potentially relevant documents and electronic records (including audio).

22.4 e-Discovery and litigation holds

Owing to the proliferation of electronic data, an increasingly important early step in many investigations is to determine what relevant information exists, in what form (paper or electronic), where it is located (e.g., an on-site data centre, off-site at vendors, in the cloud), what security measures are in place over the data, and what the organisation’s standard record retention and destruction policies and practices are. The process of identifying, taking inventory of, and preserving relevant data that may be of use in an investigation is often referred to as e-discovery.

In addition, as soon as it becomes apparent that an investigation is necessary, a litigation or preservation hold notice should be issued. These notices require the suspension of any destruction or deletion of paper or electronic records that could be relevant to the investigation. Proper communication of a litigation hold or preservation order to all pertinent individuals and departments, which may include third parties who, for example, are responsible for archiving the organisation’s data off-site, is important to avoid accidental destruction of critical records.

22.5 Violation of internal controls

An important part of an investigation is establishing whether the act was intentional. Demonstrating that a subject was aware of and violated a documented, well-established internal control is often a relevant factor. Determining how an internal control was circumvented or otherwise violated is also an important part of understanding how fraud or corruption was perpetrated. Establishing that a subject intentionally violated internal controls can be important in connection with criminal prosecution or the regulatory enforcement process, and understanding precisely how internal controls were violated is critical to developing a remediation plan to enhance controls and to prevent future occurrences. In addition, understanding how internal controls were bypassed or overridden will often provide critical insight into who knew what and when.

The first step in determining whether policies or procedures were violated is to gain a thorough understanding of the accounting behind the controls as well as the identities of employees responsible for accounting, internal controls and the business processes being investigated. Upon gaining this basic knowledge, we identify the established policies and procedures (the current state). This normally entails reviewing documented policies and procedures, and walkthroughs, and may also include interviews with employees to help clarify any ambiguities in the documentation. Some considerations include:

  • which employees are authorised to initiate and process a transaction;
  • which employees are authorised to approve a transaction;
  • which employees can approve new vendors;
  • which employees are responsible for account reconciliations;
  • which employees have physical access to assets, including cash;
  • documentation requirements for the transaction;
  • how and where electronic and paper records are stored; and
  • how exceptions or unusual transactions are handled, including budget variance analysis.

It may also be important to review any training programmes that the subject of the investigation has received. Doing so can establish more firmly that the subject had an understanding of the proper method of handling the transactions.

Most accounting cycles, such as procurement, disbursement of funds and payroll, include many steps. Some of these are evidenced manually, such as with written approvals by signature and supporting documents such as invoices and delivery confirmations. Other steps require analysis of electronic records. Examples of critical pieces of electronic evidence related to internal controls include:

  • Date and time stamps: Most systems leave a valuable trail that can be used to establish an accurate and detailed timeline of events. For example, a vendor invoice may be put into the accounts payable system late at night during non-work hours, approved for payment moments later and paid to the vendor the very next day. Why the rush? Is there a legitimate need or is something more devious involved? Does paying so quickly comply with the organisation’s normal cash management and bill-paying policies?
  • User identification numbers: Systems maintain a record of user log-ins, along with date and time of information access and updates. Directly or indirectly, it is often possible to determine exactly which user of a system performed each step in the chain of activities comprising a transaction – who set a vendor up in the master file, who authorised the purchase and whether it was competitively bid, who entered the vendor invoice, who approved it for payment, who scheduled it for disbursement, who transmitted payment, etc.
  • Security matrices: Often reviewed in connection with the preceding step, determining which users have access to specific components of each system can play a vital role in assigning responsibility for specific steps in a matter under investigation. Access to a system often does not mean access to every part of that system. Analysis of a security matrix provides details of this information. Who has ‘read only’ access to vendor and invoice data? Who has input capability? Who has approval authority to release payments to vendors? Aligning this information with information gleaned from the preceding steps can find exactly where internal controls were compromised, including identification of instances of unauthorised access through password theft or sharing.
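The alignment of user IDs with a security matrix described above can be sketched as follows. This is an added example, not part of the original chapter: the user IDs, action names, incompatible-duty pairs and audit-trail rows are all constructed, and a real system's export will use its own field names.

```python
from datetime import datetime

# Constructed security matrix: user ID -> actions the user is entitled to perform.
SECURITY_MATRIX = {
    "u1001": {"vendor_setup"},
    "u1002": {"invoice_entry"},
    "u1003": {"invoice_approval"},
    "u1004": {"payment_release"},
    "u1005": {"read_only"},
}

# Hypothetical pairs of steps that one person should not both perform
# in the chain of activities behind a single invoice.
INCOMPATIBLE = [
    ("vendor_setup", "invoice_approval"),
    ("invoice_entry", "invoice_approval"),
    ("invoice_approval", "payment_release"),
]

# Constructed audit trail: (timestamp, user ID, action, vendor, invoice).
AUDIT_TRAIL = [
    ("2021-03-01 09:12", "u1001", "vendor_setup", "V-17", None),
    ("2021-03-02 10:05", "u1002", "invoice_entry", "V-17", "INV-1"),
    ("2021-03-02 14:30", "u1003", "invoice_approval", "V-17", "INV-1"),
    ("2021-03-03 11:00", "u1004", "payment_release", "V-17", "INV-1"),
    ("2021-03-08 22:41", "u1002", "vendor_setup", "V-44", None),
    ("2021-03-08 22:47", "u1002", "invoice_entry", "V-44", "INV-2"),
    ("2021-03-08 22:52", "u1002", "invoice_approval", "V-44", "INV-2"),
    ("2021-03-09 08:15", "u1004", "payment_release", "V-44", "INV-2"),
    ("2021-03-10 16:20", "u1005", "invoice_entry", "V-17", "INV-3"),
]


def parse_trail(rows):
    """Turn raw rows into dicts ordered by time, so the result reads as a timeline."""
    events = [
        {"when": datetime.strptime(ts, "%Y-%m-%d %H:%M"), "user": user,
         "action": action, "vendor": vendor, "invoice": invoice}
        for ts, user, action, vendor, invoice in rows
    ]
    return sorted(events, key=lambda e: e["when"])


def unentitled_actions(trail, matrix):
    """Events performed under a user ID that the matrix does not entitle to that action.

    Each hit needs follow-up: the matrix may have changed since the event, or the
    credentials may have been shared or misused.
    """
    return [e for e in trail if e["action"] not in matrix.get(e["user"], set())]


def transaction_chains(trail):
    """Map each invoice to the user behind every step, including vendor set-up."""
    setup_by_vendor = {e["vendor"]: e["user"] for e in trail
                       if e["action"] == "vendor_setup"}
    chains = {}
    for e in trail:
        if e["invoice"] is None:
            continue
        steps = chains.setdefault(
            e["invoice"], {"vendor_setup": setup_by_vendor.get(e["vendor"])})
        steps[e["action"]] = e["user"]
    return chains


def sod_conflicts(chains):
    """Invoices where one user ID performed two incompatible steps."""
    findings = []
    for invoice, steps in chains.items():
        for first, second in INCOMPATIBLE:
            user = steps.get(first)
            if user is not None and user == steps.get(second):
                findings.append((invoice, user, first, second))
    return findings


if __name__ == "__main__":
    trail = parse_trail(AUDIT_TRAIL)
    for e in unentitled_actions(trail, SECURITY_MATRIX):
        print("not entitled:", e["when"], e["user"], e["action"], e["invoice"] or e["vendor"])
    for finding in sod_conflicts(transaction_chains(trail)):
        print("incompatible duties:", finding)
```
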

Physical documents are often important pieces of evidence in an investigation. But electronic evidence associated with a transaction cycle tends to be equally or more important. Proper analysis of this evidence enables an investigator to draw conclusions and gain insight that would be impossible in an entirely paper-based system. For example, a paper copy of a vendor invoice can be analysed to establish whether a subject signed or initialled it, and perhaps whether any alterations were made to the document. But if the organisation’s vendor invoice approval and payment system is electronic, the investigator can also determine with precision the date and time of the approval of the invoice and perhaps even where the subject performed these steps (from home, from a workstation in the office, etc.).

22.6 Forensic data science and analytics

Forensic data science refers to using a scientific method for the identification, collection, analysis and reporting of electronically stored information (ESI). This includes both structured data, such as financial records in a database, and unstructured data, such as files on a file server. The most commonly analysed data in forensic accounting investigations are financial, but several non-financial categories of data are also very useful to investigators. Each is explored below.

Data analysis generally has three applications in the investigative process:

  • to initially detect fraud or non-compliance (e.g., monitoring performed by internal audit);
  • to corroborate an allegation in order to justify launching an investigation (e.g., proving that an allegation received via a hotline appears to have merit); and
  • to perform certain parts of the investigation (e.g., analysis of payments made to suspicious vendors).

Each of these will be explained further. But first, a few important points about data analytics are essential.

Data analytics rarely prove that fraud or non-compliance occurred. Rather, data analysis identifies transactions or activities that have the characteristics of fraud or non-compliance, so that they can be examined further. These are often referred to as anomalies in the data.

If an investigation ultimately leads to employee terminations or legal proceedings to recover losses, it is critical to have properly analysed the anomalies that data mining has identified. Could the anomaly in the data, or an anomaly in a document, while often identified as a characteristic of fraud, also simply indicate a benign deviation? Failing to investigate and rule out non-fraudulent explanations for anomalies can have consequences that many investigators have learned about the hard way.

Identifying and exploring all realistically possible non-fraudulent, non-corrupt explanations for an anomaly is also called reverse proof. Examining and eventually ruling out all of the valid possible non-fraudulent explanations for an anomaly in the data or documentation can prove that the only remaining reasonable explanation is fraud or corruption.

Careful consideration of alternative theories for data and document anomalies is critical to protecting the organisation and the investigator from liability stemming from falsely accusing someone of wrongdoing.

22.6.1 Data mining to detect fraud or non-compliance

Depending on which application or phase of the investigative process is involved, the nature of forensic data analysis can vary. For example, as an initial detector of fraud or non-compliance through ongoing monitoring, forensic data analytics usually takes one of two broad, but opposite, approaches: identification of any activity that deviates from expectations, or identification of activity that possesses specific characteristics associated with fraudulent or corrupt behaviour or other non-compliant conduct.

The former approach is taken when acceptable behaviour is narrowly defined, such that the slightest deviation warrants investigation. The latter approach is the more common. It is driven by a risk assessment and is based on what this type of fraud or non-compliance would look like in the data. For example, a shell company scheme might evidence itself by an address in the vendor master file matching an address in the employee master file. Any instances of such a match would be investigated.

In some cases, basing the ‘investigate’ or ‘don’t investigate’ decision on a single characteristic in the data can result in numerous false positives. For this reason, more sophisticated data analytics often rely on the consideration of multiple characteristics in assessing the risk of activity being fraudulent or corrupt. These characteristics can be combined into a singular risk score per transaction that can be aggregated by vendor, geography or other grouping. Risk scoring or risk ranking transactions can be useful for prioritising where to focus in the data.

Regardless of which of these two approaches is taken, data analytics often represents an essential tool for gathering evidence to lay the foundation for substantive examination of books, records and other evidence. Following the reverse-proof concept described above is critical once anomalies indicative of possible wrongdoing are uncovered.
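The multi-characteristic risk scoring described in this section, combining the vendor/employee address match with the timing anomalies from the date and time stamp discussion in 22.5, might look like the following. This is an added example, not the authors' method: the master-file extracts, invoices, weights, working hours and time thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed master-file extracts.
EMPLOYEES = {
    "E-07": "14 Mill Lane, Apt. 2, Leeds",
    "E-19": "88 Harbour Road, Bristol",
}
VENDORS = {
    "V-17": "Unit 5, Trade Park, Leeds",
    "V-44": "14 MILL LN APT 2 LEEDS",
}

# Constructed accounts payable extract:
# (invoice, vendor, entered, approved, paid, amount)
INVOICES = [
    ("INV-1", "V-17", "2021-03-02 10:05", "2021-03-04 14:30", "2021-04-01 09:00", 4200.00),
    ("INV-2", "V-44", "2021-03-08 22:47", "2021-03-08 22:52", "2021-03-09 08:15", 9800.00),
    ("INV-3", "V-17", "2021-03-10 19:40", "2021-03-12 11:00", "2021-04-09 09:00", 1500.00),
    ("INV-4", "V-44", "2021-03-15 11:20", "2021-03-15 11:26", "2021-03-29 09:00", 9900.00),
]

# Hypothetical weights; in practice they come out of the risk assessment.
WEIGHTS = {"address_match": 40, "after_hours_entry": 15,
           "rapid_approval": 20, "rapid_payment": 25}

ABBREVIATIONS = {"LANE": "LN", "ROAD": "RD", "STREET": "ST", "APARTMENT": "APT"}


def normalise_address(address):
    """Upper-case, drop punctuation and unify common abbreviations before matching."""
    tokens = re.sub(r"[^A-Z0-9]+", " ", address.upper()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def indicators(invoice, employee_addresses):
    """Evaluate each characteristic separately so every hit can be explained."""
    _, vendor, entered, approved, paid, _ = invoice
    entered, approved, paid = parse_ts(entered), parse_ts(approved), parse_ts(paid)
    return {
        "address_match": normalise_address(VENDORS[vendor]) in employee_addresses,
        # Assumed working hours: Monday to Friday, 08:00 to 18:00.
        "after_hours_entry": entered.weekday() >= 5 or not (8 <= entered.hour < 18),
        "rapid_approval": approved - entered <= timedelta(minutes=10),
        "rapid_payment": paid - entered <= timedelta(days=1),
    }


def score_invoices(invoices=INVOICES):
    """One risk score per transaction: the sum of the weights of the indicators hit."""
    employee_addresses = {normalise_address(a) for a in EMPLOYEES.values()}
    scored = []
    for inv in invoices:
        hits = [name for name, hit in indicators(inv, employee_addresses).items() if hit]
        scored.append({"invoice": inv[0], "vendor": inv[1], "amount": inv[5],
                       "hits": hits, "score": sum(WEIGHTS[h] for h in hits)})
    return scored


def rank_vendors(scored):
    """Aggregate transaction scores by vendor to prioritise where to look first."""
    totals = defaultdict(lambda: {"score": 0, "amount": 0.0})
    for s in scored:
        if s["score"]:
            totals[s["vendor"]]["score"] += s["score"]
            totals[s["vendor"]]["amount"] += s["amount"]
    rows = [(v, t["score"], t["amount"]) for v, t in totals.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    scored = score_invoices()
    for s in scored:
        print(s["invoice"], s["vendor"], s["score"], s["hits"])
    # A ranking is a work queue, not a finding: each anomaly still needs
    # its non-fraudulent explanations examined and ruled out.
    for vendor, score, amount in rank_vendors(scored):
        print(vendor, score, amount)
```

In the constructed data, INV-3 trips only the after-hours indicator and scores low, which is the single-characteristic false positive that combining indicators is meant to deprioritise.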

22.6.2 Corroborating allegations

As a method of corroborating an allegation that has been received, data analysis can be of great value. It is a significant advantage to the investigator because, more often than not, it can be performed on electronic data without alerting the subject of the allegation. In this application, the allegation is first assessed in terms of what impact the alleged fraudulent or corrupt act would have on financial or non-financial data. It is important to understand how data flows through the organisation from the point of origination, through multiple hops in different departments; for example, how an invoice will flow from a business unit to finance and back to the business unit. The data can change quite a bit throughout different business processes and this will need to be understood for a robust analysis of it. To illustrate, take the example of an allegation that workers in the shipping department of a warehouse are stealing inventory by short shipping orders to customers. There are numerous sources of data, both financial and non-financial, that could be analysed to assess the validity of this allegation:

  • gross profit margins – an unexplained decline in gross profit margins by product, or by location (as a result of having to re-ship additional items, with no associated revenue, to satisfy the customer);
  • inventory purchases – unexplained increases in purchases of certain inventory items without a corresponding increase in sales;
  • customer complaints – customer service data indicating complaints about incomplete shipments, especially if those complaints can be correlated back to specific orders; and
  • shipping records – using the customer complaint data, orders are correlated to specific shipments and employee names associated with filling and shipping these orders. Shipping records might also reveal more shipments to a customer than orders, indicating a second shipment was needed to complete the order after the customer complained.

This is a simple example, but one that illustrates that for every allegation, there likely exists data associated with either the perpetration or concealment of the fraud or non-compliance. And this data normally exhibits one or more anomalies in comparison with data from similar transactions that do not involve fraud or non-compliance.

22.6.3 Using data analysis in an investigation

The final application of forensic data analysis is performed during the investigation itself. Once an anomaly has been found to involve fraud or non-compliance, additional forensic data analysis, along with substantive forensic examination of the evidence, may be performed to:

  1. determine how long the activity has occurred;
  2. determine which employees (or third parties) have participated in the fraud (i.e., assessing whether collusion was involved);
  3. measure the financial damage resulting from the activity;
  4. identify other fraudulent or corrupt conduct by the same individuals; and
  5. determine how the fraudulent or corrupt act was concealed and how internal controls were circumvented.

Determining who is involved in the fraud as well as who possessed knowledge of it is critical to the mitigation and control enhancement objectives. According to a 2020 report by the Association of Certified Fraud Examiners (ACFE), nearly 51 per cent of all fraud and corruption schemes investigated involved multiple perpetrators.[4] Typically, losses tend to increase with multiple perpetrators, particularly when three or more individuals conspire to commit fraud. This figure has been steadily rising since the ACFE began studying fraud. The 51 per cent statistic is divided nearly evenly between cases involving multiple internal perpetrators and those involving collusion between insiders and outsiders, such as vendors or customers.

Point 4, above, may also come as a surprise to some. The ACFE report indicates that 35 per cent of occurrences of fraud (especially with respect to asset misappropriations) are perpetrated through multiple methods. The allegation or investigation may have initially focused on only one specific method. Exploring what other activities the subject might have the capability of engaging in is an integral element of the investigation. Investigators and victims attempt to ‘put a fence around the fraud’ as early in the investigative process as possible. Understanding the responsibilities of the subject and the potential for unrelated schemes is essential for erecting the fence. Victims often desire a narrow investigative scope – a sort of wishful thinking. An investigator’s worst-case scenario is missing a scheme conducted by a subject despite investigating the subject.

The question of who knew what and when can be particularly important in satisfying auditors in the context of financial reporting fraud. In addition to quantifying the financial statement impact from fraud, auditors rely on representations from management. Knowledge of whether previous representations came from fraudsters and the auditor’s assessment of management’s integrity are often important aspects of financial reporting fraud investigations.

In the next sections, the distinction between financial and non-financial data will be explored, followed by a discussion of internal versus external data.

22.7 Analysis of financial data

Most analyses of internal data relevant to an investigation begin with financial data, much of which comes from the organisation’s accounting system. Accounting data can exist in several separate systems, such as:

  • general ledger, the master ledger that reflects all accounts and the sum of all accounting activity for the organisation;
  • general journal, where journal entries are initially recorded before being posted to the general ledger;
  • books of original entry, which contain details of certain types of financial transactions, summaries of which are posted to the general ledger. Examples of books of original entry include sales, cash receipts, cash disbursements and payroll; and
  • subsidiary ledgers, which contain additional details of transactions and activities that appear only in summary form in the general ledger. Examples of subsidiary ledgers are accounts receivable and accounts payable ledgers.

Performing an investigation often requires the extraction and analysis of data from all these systems to see the big picture or to properly trace the history of a transaction or series of activities. The days of manually maintained books of original entry are gone. The vast majority of organisations now use electronic accounting and financial software, and in larger organisations these systems are included as part of a broader ERP (enterprise resource planning) system.

Some systems are hybrids of financial and non-financial information. Examples of these systems include the following:

  • Inventory: In addition to cost information associated with purchases, the system may also provide data on quantities and dates of purchases, deliveries, shipments, inventory damaged or scrapped, and counts resulting from physical observation.
  • Payroll: In addition to data on net amounts paid to employees, the payroll system will usually include other relevant data needed to calculate an employee’s gross and net pay, including various worker classification codes, hours worked during a pay period, rates of pay, tax and withholding information, along with bank account information for the electronic transfer of funds to employees.
  • Human resources: In most large organisations a human resources system that is separate from payroll is maintained. Included in this system are data on rates of pay and past raises, incentive payments, and other financial data about each employee, as well as significant amounts of non-financial data, such as each employee’s home address. Human resource information systems may also include vital information associated with an employee’s initial hiring, such as background and reference checks, verification of information provided on an employment application, etc. This information can be important if the organisation anticipates filing an insurance claim to be indemnified for losses attributable to an employee.

Availability of and legal considerations associated with each of these sources of internal data vary from one jurisdiction to another, particularly with respect to payroll and personnel information. Privacy issues must be considered before embarking on any use of such data in an investigation.

22.8 Analysis of non-financial records

Increasingly, non-financial data is being analysed as a standard element of an investigation. Non-financial data can be classified into two broad categories: structured and unstructured.

Structured data is the type of data that generally conforms to a database format. It is often numeric (e.g., units in inventory, hours worked by an employee, calendar dates), but can involve alpha data as well (e.g., codes associated with types of customer or employee, certain elements of an address).

Structured non-financial data is found in many systems, including those that include financial data mentioned above. Other systems, however, are entirely non-financial, but provide data that can be important to an investigation. Examples of non-financial systems commonly used for investigative purposes include the following:

  • Security: Many organisations now use tools that leave an electronic trail of the exact times and dates when specific employees entered or left the building. Records of visits by vendors and other visitors may be included in this system or may be kept separately. Security information can be very useful in establishing timelines or the whereabouts of specific individuals.
  • Network data: Much like accessing a building, networks maintain electronic records each time an authorised user logs on or off the system, and may retain a record of various aspects of the user’s network activity, such as which folders were accessed, which data was downloaded, which systems were used, etc.
  • Customer service: As the earlier example illustrates, data collected in the customer service system can have numerous applications in an investigative setting. Customer complaints about items missing from their orders may indicate theft in the warehouse.

Unstructured data refers to data that does not readily conform to a database or spreadsheet format. Text associated with messages in emails, explanations for journal entries and other communications are the most common. Unstructured data also includes photographic images, video and audio files.

Emails and text messages of interest to an investigator may involve messages between employees within the organisation, and communications between the organisation’s employees and vendors, customers or other third parties.

Similar to other electronic data, when a user ‘deletes’ this information, a backup or archive version is often left behind and is available to an investigator. Understanding an organisation’s backup, archiving and storage practices is crucial to this part of an investigation.

Careful reviewing of email, instant messaging or text message chains (and, if available, recordings of telephone calls) is vital to most investigations and can provide an investigator with vital clues, such as:

  • the timeline of events;
  • the level of knowledge of events that specific individuals may have had;
  • the extent of collusion among individuals;
  • whether a subject or witness deleted email evidence; and
  • whether there are indications of intent.

Establishing a timeline can be one of the most important requirements of an investigation. A complete timeline of events can often be established by integrating the separate timelines learned from a review of:

  • systems and facilities access records;
  • electronic transaction information (e.g., entries, approvals);
  • documentation (e.g., invoices, shipping records); and
  • electronic communications, including metadata (e.g., emails).

Email review is of particular importance in establishing intent. Intent, particularly to a civil standard, may be inferred from communications that indicate an awareness that planned transactions or activities are in conflict with established policies and procedures or treatment of similar transactions. Email, although a rich source of behavioural history, can quickly become overwhelming from a volume standpoint. There are many modern techniques for prioritising and culling this type of information. Sentiment analysis, a form of artificial intelligence (AI), can assist with identifying the writer’s emotional state. Other forms of AI, typically referred to as natural language processing (NLP), can help correct for potential biases that investigators naturally bring to their review. For example, an investigator may select a list of search terms to run against email data to reduce the population for further review and bring the most important messages to the forefront. By creating these search terms, the investigator has leveraged what he or she knows about the case, and this introduces a natural bias. By using AI and NLP, the data is allowed to speak for itself, and computer algorithms will cluster statistically relevant information. Typically, a combination of search terms and NLP is used. These types of analyses can identify pressures or rationalisations associated with fraudulent or corrupt behaviour. For example, an employee stating in communications that he or she feels unfairly treated or resentful towards management might be expressing a rationalisation for stealing from an organisation.

One example of the use of both financial and non-financial data is in the investigation of alleged financial reporting fraud. When an allegation is made that a company’s financial statements have been intentionally manipulated, any of a large number of schemes come to mind. The most common fraudulent financial reporting schemes involve improper recognition of revenue, inflating turnover or sales through fictitious transactions or accelerating the recognition of legitimate transactions. So, a revenue inflation scheme will serve as our example.

To establish that the financial statements improperly reflect sales, electronic data from the sales and accounts receivable systems will need to be analysed in conjunction with physical or electronic records associated with customer orders, inventory, shipping and delivery, among others. By analysing these records, the investigator may establish that sales recognised by the company failed to conform to applicable accounting standards (e.g., International Financial Reporting Standards).

But accounting mistakes are common. For this scheme to be fraudulent, the subjects’ dishonest intent to violate the accounting rules must be established. This is where analysis of emails and other electronic communications may be valuable. Perhaps email exchanges can be located documenting discussions of revenue shortfalls and methods of meeting budgeted figures. In this case, analysis of unstructured non-financial data may be one of the keys, along with interviews of subjects, to proving that the company intentionally violated its own policies and pertinent accounting principles.

Analysis of both financial and non-financial data is an important step in preparing to interview witnesses and subjects. Reading email and other communication chains before conducting the interview allows an investigator to plan the order and structure of questions to put the interviewer in the best position to identify conflicting statements and to obtain a confession.

Other investigation scenarios in which analysis of unstructured data associated with communications between individuals may be valuable include:

  • collusion between multiple employees involved in the theft of cash or other tangible or intangible assets;
  • bribery schemes in which the organisation has paid bribes, directly or indirectly, to obtain or retain business; and
  • kickback schemes in which a vendor has paid a procurement official of the organisation to steer business to the vendor.

22.9 Use of external data in an investigation

Most data and documentation used in an investigation is internally generated – it comes from within the organisation or (in the case of invoices from a vendor) is otherwise readily available within the organisation. Occasionally, however, data or documentation that is only available from external sources becomes essential. External sources of data fall into two broad categories: public and non-public.

Public data and documents are those that are usually available to the general public either by visiting a website or facility or on request from the holder of the records. In most cases, public records are maintained by government agencies. Examples of public records vary significantly from one jurisdiction to another, but some that may be useful to investigators are:

  • licences and permits issued by government agencies to individuals or businesses;
  • records of ownership or transfers of ownership of property (e.g., sales of land and buildings);
  • criminal convictions of individuals and organisations, and certain other court records; and
  • business registrations and certain filings made by organisations.

Availability and the extent of these records can differ markedly as an investigator seeks information from different parts of the world.

Increasingly, public records may also include information that an individual voluntarily makes publicly available. For example, when an individual posts photos or makes statements on social media, this information might be readily available to any and all viewers. Once again, investigators should always use caution when accessing this information, especially if the information is only available to ‘friends’ or other contacts that the individual has granted special access to. But when social media information is made fully available to the general public, it can provide a treasure trove of information about a subject, such as:

  • places the subject has visited;
  • individual contacts;
  • business relationships;
  • assets owned; and
  • past and present employers.

Another public source of information involves websites that do not require special password or other access privileges. For example, a company’s website, or that of a trade association or other membership group with which a subject might be involved, could provide clues about the subject’s relationships, travels and past.

Even information that is no longer on a website might still be available to an investigator. The Wayback Machine at is an archive of more than 600 billion past pages on the internet (as at November 2021). Simply typing the URL of a website into the Wayback Machine will produce an index by date of prior versions of that website which have been archived and are available for viewing. Accordingly, an investigator may be able to find useful information from past editions of websites long after the information has been deleted.

Non-public records are private and confidential. Holders of these records are under no obligation to produce these records unless they have provided their consent or they are compelled to do so as a result of a legal process, such as a court order or subpoena. Records such as personal bank statements of individuals who may be the subject of an investigation fall into this category. Investigators normally do not have ready access to these records.

Another challenging and practically untraceable medium adopted by cybercriminals is the dark web, a small section of the deep web (content on the internet that is not readily accessible or visible through search engines) designed so it cannot be accessed through standard web browsers. It allows anonymous private communications for legitimate reasons (e.g., protection of free speech), but also for the distribution of harmful information and purchase of illegal goods and services that law enforcement agencies have difficulty tracing. For example, once an organisation’s network has been breached, the intruder may extract sensitive information such as customer data, logins and passwords, banking details, taxpayer identification and social security numbers, and credit card details, and then sell this confidential information anonymously on dark web marketplace and forum websites to buyers across the world.

There are no anti-money laundering or know-your-customer (KYC) controls on the dark web. Most dark web sites are anonymous and difficult to attribute to an owner because these sites use a ‘.onion’ domain suffix, which can only be accessed via a Tor (The Onion Router) browser. Website traffic is bounced through randomly selected Tor entry, relay and exit nodes using separate embedded layers of data encryption for each hop in the network circuit (hence the term ‘onion’). In addition, perpetrators are increasingly using cryptocurrencies to conduct illicit financial transactions via the dark web while hiding their identities.

Dark web investigations therefore require specialist forensic investigative tools, such as a secure dark web browsing platform with network and malware protection (e.g., firewalls and virus scanning), and secured data storage that maintains a strong custody chain for digital evidence, backed by strict and auditable compliance controls. Such tools can be used to search and monitor dark web communications, capture cryptocurrency information (e.g., blockchain wallet addresses) and attempt to identify and locate cyber fraudsters while capturing and analysing digital evidence in a forensically sound manner.

When assisting counsel with preparing a request for a subpoena or other court-ordered production of private records, an investigator should be as detailed and specific as possible. Overly broad requests are normally either denied or result in potentially lengthy delays. The format of the records and the tools available to the investigator to analyse them should also be considered. For example, if records associated with a bank account are requested, rather than requesting ‘all records associated with the account’, it is normally better to itemise a list of those records, such as by requesting copies of:

  • bank statements for the relevant period;
  • images of cleared checks;
  • supporting documents for other debits from the account;
  • signature cards; and
  • application or other forms prepared to open the account.

A vendor’s internal records would normally be non-public and the vendor may be under no obligation to provide them to an investigator. However, a properly worded right to audit or access to records provision included in the contract between the organisation and the vendor may provide access to some of the most important records an investigator might need if fraud or corruption involving a vendor is suspected. A well-crafted access-to-records clause can enable an investigator to request and view a wide variety of records, including:

  • supporting documentation for invoices sent to the organisation by the vendor;
  • accounting and payroll records;
  • time records supporting employees’ work efforts; and
  • communications relevant to the vendor’s relationship with the organisation.

If a vendor is suspected of inflating their billings to the organisation in any manner, or there are indications of collusion between an organisation employee and a vendor, one of the first steps an investigator should perform is to carefully review the terms of the contract to assess the organisation’s rights to access these records.

22.10 Review of supporting documents and records

Studying the processes and internal controls involved in the transaction cycle in the investigation and the results from data analytics and email review will result in a population of documents and electronic records that are relevant. For example, in a corruption investigation, several paper documents or records may need to be reviewed:

  • budgets;
  • agent, distributor, supplier and customer contracts;
  • bidding documents;
  • margin data;
  • price lists;
  • market data;
  • vendor set-up documents;
  • sales by region, agent, territory and product;
  • background checks;
  • purchase order or purchase request;
  • bill of lading or other confirmation of delivery of goods;
  • signed confirmation for services provided;
  • invoice from a vendor or supplier;
  • cheque or disbursement request form; and
  • banking records.

These records might be reviewed for many different reasons. Among the most common are:

  • establishing a timeline of events;
  • testing their clerical accuracy;
  • reviewing for inconsistencies, anomalies and trends;
  • reviewing for agreement with accounting records;
  • reviewing for compliance with internal controls; and
  • determining authenticity of the document, the vendor and the services rendered.

Testing for authenticity of the record itself or of individual signatures on documents normally involves a highly specialised skill, unless an anomaly is obvious. Accordingly, if an investigator suspects that a document on file is fraudulent or has been physically altered, or that a signature is not authentic, the document should be protected until someone with the specialised skills necessary can assess its authenticity. Examples of obvious deficiencies in documentation include:

  • inconsistencies in addresses;
  • lack of letterhead or other characteristics normally expected of a legitimate vendor;
  • misspellings or other typographical errors;
  • document at variance with vendor master file;
  • inconsistencies in dates; and
  • inconsistencies in vendor invoice numbers and sequencing.

In a corruption investigation, the authenticity or business purpose of an intermediary may be in question. The investigator should determine:

  • the purpose of the intermediary;
  • the principals behind the intermediary;
  • the value, if any, of services rendered by the intermediary, to rule out use of the intermediary to create a slush fund or otherwise bribe a customer or influencer;
  • life before or after the intermediary; and
  • if the company documentation in connection with the intermediary is consistent with other intermediaries, policies and best practices.

22.11 Tracing assets and other methods of recovery

If the subject has misappropriated cash (via intercepting incoming funds intended for the organisation, stealing cash on hand, or fraudulently transferring funds from the organisation in connection with a disbursement fraud) one of the goals of most investigations is to secure the return of the funds. To do so, the investigation team must determine what the subject did with the money. Other sources of recovery may include culpable outside parties, including but not limited to collusive vendors, customers and agents. Coverage for employee dishonesty losses under insurance policies and fidelity bonds may also be possible.

If the subject misappropriates other assets, a similar question must be addressed – where are they? Often, when assets are stolen, the subject’s goal is a conversion to cash by selling the stolen assets. In other cases, the stolen asset itself may be of use to the subject.

Depending on how assets were stolen, varying degrees of a trail might be left by the perpetrator, enabling the investigation team to forensically determine the flow of money after it has left the organisation. The trail may begin with the company’s books and records. However, it is usually intentionally made opaque by fraudsters through money laundering techniques such as layering, transfers to shell companies, nominee shareholders and the use of clandestine communication techniques, cryptocurrencies, and tax havens where criminal law enforcement assistance may be less effective. Many of the records necessary to fully trace assets are non-public. But investigators are sometimes surprised to learn that a subject has left a public trail of valuable clues regarding the disposition or location of illegally obtained funds or assets that can be identified through indirect techniques, such as social media and internet due diligence, interviews of people in the know, establishing connections to the fraudster’s other assets in more vulnerable venues and through multinational co-operation of law enforcement agencies.

22.12 Cryptocurrencies

Cryptocurrencies present unique challenges and new opportunities for investigators seeking to trace them and attempt their recovery. Bitcoin, Ethereum and many other emerging cryptocurrencies are easily accessible and widely accepted to the degree that fraudsters can, with minimal effort and risk, rely on them to move funds for the same purpose fiat currencies have long been used to transfer and conceal the source, nature and ownership of illicit funds. The added advantages of cryptocurrencies not requiring physical contact or interaction with banks have made them the payment method of choice for perpetrators of ransomware attacks and other schemes aimed directly at defrauding victims (e.g., internet-based advanced fee schemes). Therefore, forensic investigators must still follow the money trail and will be doing so more often with cryptocurrencies; however, there is another side to the coin, so to speak. While cryptocurrencies provide a degree of pseudonymity, especially those designed to provide enhanced privacy (e.g., Monero, Zcash), they do not provide complete anonymity. On the contrary, cryptocurrencies by design create an immutable public blockchain record of transactions that investigators can exploit to follow the money to a certain extent, provided they have the right tools and training.

As new cryptocurrencies are developed on different blockchains, investigators must also learn to follow transfers across them because fraudsters are already using cross-chain transfers to launder funds. This also requires the investigative blockchain data analysis tools (e.g., TRM Labs, Chainalysis) to be continually adapted and advanced to enable cross-chain analysis.

Although the on-blockchain transactions in cryptocurrencies can be traced using public blockchain data, for digital asset tracing to be successful for asset recovery or prosecution purposes investigators must be able to trace transactions beyond the blockchain to identify the counterparties and the ultimate beneficiaries. This requires identifying and pursuing additional information from virtual asset service providers (VASPs) such as cryptocurrency exchanges, hosted wallet platforms and financial institutions providing custodial services for cryptocurrencies – the on-ramps and off-ramps to blockchains. These entry and exit points for cryptocurrencies are essential to fraudsters because for cryptocurrencies to be more useful to the ultimate beneficiaries, the digital asset value must still be converted to or from fiat currency, or other tangible assets. Therefore, a key goal of blockchain data analysis is to correlate known blockchain addresses for on-ramps and off-ramps with blockchain data on suspect transactions to develop leads as to where cryptocurrency funds were converted. If this was a legitimate or regulated VASP, KYC information may have been recorded and more traditional investigative steps could be followed, such as the use of subpoenas, search warrants, regulatory inquiry or examination, witness interviews, etc.

A challenge for cryptocurrency-related investigations is the existence of illicit, unlicensed peer-to-peer exchanges that offer a way to convert fiat currencies to and from cryptocurrencies through unregulated entities that do not collect KYC information. There are also providers of cryptocurrency laundering services known as ‘mixers’ that offer a way for money launderers to obfuscate the actual parties to a blockchain transaction by mixing the cryptocurrency value with large numbers of other blockchain transactions going through the mixer. Even transactions flowing in and out of a legitimate exchange can become untraceable using blockchain data (without co-operation from the exchange to obtain internal account data) due to the sheer volume of transactions flowing through a large exchange (e.g., Coinbase).
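The correlation step described in the two preceding paragraphs, following funds from a suspect address until they reach a known on-ramp or off-ramp and recognising where a mixer breaks the trail, is shown below as an added Python example. It is not part of the original chapter and is not how any named commercial tool works; the transfers, address labels, service names and follow-up wording are all constructed for illustration.

```python
from collections import deque

# Constructed transfers: (tx_id, from_address, to_address, amount).
# Addresses are made-up labels, not real blockchain addresses.
TRANSFERS = [
    ("tx1", "suspect_wallet", "hop_a", 10.0),
    ("tx2", "hop_a", "hop_b", 6.0),
    ("tx3", "hop_a", "mixer_in", 4.0),
    ("tx4", "hop_b", "exchange_deposit_1", 5.5),
    ("tx5", "mixer_in", "unknown_x", 4.0),
    ("tx6", "exchange_deposit_1", "exchange_hot_wallet", 5.5),
    ("tx7", "unrelated", "exchange_deposit_1", 1.0),
]

# Constructed attribution list, standing in for the labelled-address data
# an investigator would obtain from a blockchain analysis service.
KNOWN_SERVICES = {
    "exchange_deposit_1": ("vasp", "Example Exchange (hypothetical)"),
    "mixer_in": ("mixer", "Example Mixer (hypothetical)"),
}

FOLLOW_UP = {
    "vasp": "possible off-ramp: seek KYC and account records through legal process",
    "mixer": "trail obfuscated: on-chain attribution beyond this point is unreliable",
}


def trace_funds(start, transfers, known_services, max_hops=6):
    """Breadth-first trace of outgoing transfers from `start`.

    Tracing stops at any attributed service address, because funds pooled
    inside an exchange or mixer cannot be followed with public data alone.
    """
    outgoing = {}
    for tx_id, src, dst, amount in transfers:
        outgoing.setdefault(src, []).append((tx_id, dst, amount))

    leads = []
    visited = {start}
    queue = deque([(start, [])])
    while queue:
        address, path = queue.popleft()
        if len(path) >= max_hops:
            continue  # hop limit keeps the trace bounded
        for tx_id, dst, amount in outgoing.get(address, []):
            new_path = path + [tx_id]
            if dst in known_services:
                kind, name = known_services[dst]
                leads.append({
                    "kind": kind, "service": name, "address": dst,
                    "path": new_path, "amount": amount,
                    "follow_up": FOLLOW_UP[kind],
                })
                continue  # do not trace through the service
            if dst not in visited:
                visited.add(dst)
                queue.append((dst, new_path))
    return leads


if __name__ == "__main__":
    for lead in trace_funds("suspect_wallet", TRANSFERS, KNOWN_SERVICES):
        print(lead["kind"], lead["service"], " -> ".join(lead["path"]), lead["follow_up"])
```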

In summary, investigating financial crimes involving cryptocurrency and digital asset tracing will require specialist blockchain analysis and intelligence tools and services, as described above, to identify leads to follow beyond the public blockchain. This may be easier to do when dealing with cryptocurrency compared to fiat currency that is physically transferred, but it also presents new challenges. Understanding these challenges and how to identify potential sources of additional attribution data for cryptocurrency transactions is essential. This will continue to be a changing landscape for investigators given the continually evolving technology and expanding array of new forms of blockchain-based cryptocurrencies and emerging decentralised finance (DeFi) platforms that promise to offer an even greater variety of financial services based on blockchain technology.

22.13 Conclusion

The rapid conversion of accounting and other records from paper-based systems to electronic systems, coupled with the explosion in the quantity and types of electronic data, has resulted in many changes in the field of forensic accounting and the requirements for investigations. Expertise in the evaluation and handling of electronic evidence is just one way in which forensic accounting has evolved. Focused and efficient use of data analytics as well as the ability to mine a universe of publicly available yet critical information regarding subjects, companies and their relationships are two additional ways in which forensic accounting has matured. On the other hand, operating within a web of global data privacy and other complex regulatory constraints can complicate the job of the forensic accountant. All in all, today’s forensic accountants are significantly more successful in identifying, investigating and mitigating fraud than their counterparts in the past.


1 Glenn Pomerantz is a partner and Daniel Burget is a director at BDO USA, LLP.

2 U.S. Dep’t of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (Updated June 2020).

3 U.S. Dep’t of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (Updated April 2019).

4 2020 ACFE Report to the Nations on Occupational Fraud and Abuse, published by the Association of Certified Fraud Examiners, available at
