Forensic Accounting in Cross-Border: Investigations

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

The origin of many investigations can be traced back to a tension or outright conflict between international regulatory standards and local practice. The actions of a small subsidiary, a business function in one office, or even a rogue employee can have wide-ranging implications for head office thousands of miles away. This is particularly true for cases involving corrupt payments or sanctions violations where any suspected violations must be investigated. The extraterritorial reach of such laws combined with the increasingly globalised nature of business means forensic accounting investigations will inevitably cross borders. This creates a number of challenges for investigating professionals, not least how to conduct investigations that satisfy the requirements of international regulators while ensuring compliance with local data laws.

A perfect storm for corruption

The Asia-Pacific region continues to see high levels of activity relating to familiar issues involving anti-corruption compliance. China has long been the focus of investigations and enforcement activity. There are several key factors that have combined to make the perfect storm for corruption in China: the importance of China for global business, China's long-standing corruption problems, increased enforcement by regulatory authorities and, in recent years, China's slowing growth. While China continues to see a large number of cases, the volume of investigations elsewhere in the Asia-Pacific is also significant. Increasingly, operations in South East Asia and India are attracting attention.

It is no secret that China has been a priority market for multinationals and global private equity firms for many years, but the China market may be in danger of losing its lustre. Coming in various waves over the past two decades, foreign investment helped drive China's dramatic economic development, and at times China has even rivalled the United States as the world's top foreign direct investment destination. With the sheer volume of foreign investment, there is much greater exposure to risks from China's chronic corruption problems as multinationals have entered and tried to navigate the Chinese market.

China is not unique in being a developing economy with corruption issues; however, what is unique is the sheer size of its economy combined with the pervasive direct role played by the state. Despite reforms, according to the OECD, China has 51,000 state-owned enterprises; the country with the next highest amount is Hungary with 370.1 Even ostensibly private domestic companies may actually be state-owned or controlled (in full or in part) through state ownership in their group organisational structure (for example, from local-level holding companies of the State-Owned Assets Supervision and Administration Commission). In addition, truly private companies with no state-ownership are often also heavily influenced by local government. Following major reforms in the 1990s, there have been no major moves towards the widespread removal of the state's direct role in the economy, and this is a fundamental root cause of China's chronic corruption problem.

Emerging markets (for investigators)

A review of Transparency International's Corruption Perception Index sees countries such as India, Indonesia, Thailand and Vietnam with low rankings, yet China-based operations have consistently been the main target of Foreign Corrupt Practices Act (FCPA) enforcement actions. This is partly a reflection of the importance of China to the global economy. As flows of foreign investment have increased to other jurisdictions, in particular to Indonesia and India, investigations activity has also increased. These investigations have tended to involve low-level bribery, which if systematic can leave multinational companies exposed to significant penalties.


2017 Global Rank

Hong Kong13
South Korea51

Evolving corruption schemes

When major FCPA cases first started to emerge in the early to mid–2000s, conducting investigations was relatively straightforward. Personnel were typically completely unaware of the necessity for anti-corruption compliance or why a US law should apply in an Asia-Pacific jurisdiction. In combination with this, the business culture in much of the Asia-Pacific region has also long been characterised by gift-giving and entertainment. As such, relevant transactions were often readily transparent in a company's books and records. For example, it was common to see transactions clearly recorded in the general ledger with descriptions such as 'gifts of alcohol and tobacco to government officials'.

As corruption cases became more frequent and visible, multinationals started to require anti-corruption due diligence as part of any prospective deal. Concurrently, compliance programmes evolved from a simple ethics statement to a fully fledged package of detailed policies and supporting procedures. Through this evolution, awareness of anti-corruption issues grew among employees. As awareness of bribery and corruption issues increased, the methods for making and disguising corrupt payments evolved as well.

Early FCPA matters drew attention to gifts, entertainment and travel provided to government officials. Compliance programmes now typically contain provisions asserting controls and company guidelines for these types of activities, and in rolling out FCPA compliance programmes, these constitute the low-hanging fruit. However, with the increased awareness of corruption issues, there has been a general shift in corruption-related schemes from relatively higher-volume and lower-dollar value schemes (excessive meals, gifts and travel), to relatively lower-volume and higher-dollar value schemes involving more creative, opaque approaches (such as increased use of third parties and schemes similar to those seen in embezzlement cases).

One example of this involves the creative use of third-party consultants in response to greater scrutiny of fictitious supporting documentation. We have noted an approach developed in response to this stricter environment utilising a series of different third-party consultants over brief durations for the same scope of work. A consultant would be hired by a high-risk function in the company for a high-risk scope of work, such as interfacing with government officials. The consultant would issue valid, officially registered invoices, so from an initial examination of the company's books and records no red flags would appear in the form of fictitious receipts. However, the consultant would then depart after a brief duration (less than a year) and be replaced by another consultant with the same function and scope. In addition, these consultants would essentially be start-ups with no history, track record or recognisable brand in the market; highlighting the need for substantive due diligence on intermediaries and third parties. In these cases, companies have effectively attempted to outsource their bribery. As a result, investigations and compliance programmes have had to expand in scope to ensure third-party risk is being addressed.

While many of the forensic accounting investigations in the Asia-Pacific region were previously driven by international regulatory agencies, in particular under the FCPA, owing to the size of the penalties, in recent years more attention has been paid to the previously largely overlooked domestic legislation. Investigators need to consider the interplay between different laws where the subject of the investigation must be compliant with both international and domestic legislation, such as an Asia-Pacific subsidiary of a company headquartered in the United States. This issue has attracted a great deal of attention in Korea, for instance, following the introduction of the Improper Solicitation and Graft Act, which came into effect in September 2016. In comparison with international laws, the act is considered strict, particularly in relation to entertainment thresholds.

The resurgence of financial integrity and quality of earnings issues

Macroeconomic conditions influence the prevalence and different types of fraud uncovered. China's GDP growth continues to slow and the potential impact of US tariffs presents a further challenge. China's response to previous slowing growth has been to double down on debt-fuelled infrastructure investment. As a New York Times article aptly puts it, 'a sizable chunk of China's economy may depend these days on building roads and rail lines into the desert using borrowed money.'2 Economic growth driven by these factors remains unsustainable and points to slower growth rates over time, and it remains to be seen whether domestic consumer consumption and a burgeoning tech sector can pick up the slack. Reliance on debt-fuelled growth cannot be maintained, and China is now taking steps to enact a critical deleveraging of the debt in its economy. The tightening of credit coupled with policy moves to reduce the level of shadow financing will have an impact as businesses come to terms with the new normal in access to credit.

In this regard, as economic pressure mounts, one can expect to see a re-emergence of classic financial statement fraud issues as well as more sophisticated schemes designed to pacify regulators, attract and retain investment, and maintain access to liquidity. Managed earnings as well as aggressive and fraudulent accounting practices are likely to be an increasing reality in China.

Indeed, an indicator of this has already emerged through the increased number of proceedings by the Enforcement Division of Hong Kong's Securities and Futures Commission (SFC). Recently the SFC expressed three major enforcement priorities for listed companies: IPO fraud and sponsor misconduct, false or misleading financial statements, and corporate governance failures. Under the Executive Director of Enforcement, Thomas Atkinson, the SFC is moving towards a more proactive and preventative approach to regulation. Through a combination of real-time, front-loaded and thematic reviews, the commission is adopting measures to increase deterrence and shorten response times when irregularities related to listed corporations are identified. Although the number of investigations cases in 2016/2017 decreased compared with the prior year (from 720 to 563), the size and complexity of these cases has increased, as the SFC focuses on the most serious instances of alleged misconduct. As a reflection of the increasingly cross-border nature of investigations, the SFC is also working to strengthen cooperation with the PRC regulators. In October 2014, the SFC and China Securities Regulatory Commission (CSRC) entered into a 'Memorandum of Understanding (MoU) on strengthening cross-boundary regulatory and enforcement cooperation under the Mainland-Hong Kong Stock Connect.' With the MoU, the regulators of SFC and CSRC will provide mutual assistance to combat cross-border misconduct and suspicious trading activity in Hong Kong and mainland China.

A recent enforcement case illustrates typical financial integrity issues, revolving around earnings. In this example, dating from December 2016 and pertaining to Greencool Technology Holdings Ltd, Hong Kong's Market Misconduct Tribunal found that 'four former senior managers disclosed false/misleading info about Greencool's sales, profit, trade receivables and bank deposits in a massive fraud.'3

Fraud methods in China have historically tended to be relatively simple. In order to inflate revenue or overstate assets, perpetrators simply fabricated transactions. However, as with corruption matters, the methods related to financial integrity issues are likely to evolve, involving more complicated business patterns with harder-to-detect fraud schemes and creative accounting methods (such as using third parties to inflate revenue and hide liabilities).

Investigating sanctions compliance

The case of ZTE has highlighted two significant points: the potential consequences of breaching sanctions regimes, and that the risks apply as much to corporates as to financial institutions – the traditional focus of sanctions-related enforcement actions. As with corruption investigations, the key risks and focus of investigation efforts lie with the use of third parties. A transaction directly with an entity in North Korea would be straightforward to detect. In reality, an entity conducting transactions with a comprehensively sanctioned country or sanctioned entity will more than likely be aware of the breach and attempt to disguise the transaction through the use of intermediaries. Investigators are required to focus on third-party due diligence, the profile of business partners, operating history and commercial rationale. Further, the use of targeted sanctions through sectoral sanctions and territorial sanctions means the onus is on the investigator to consider the substance of the transaction and the precise ultimate origin or destination of transactions.

Dealing with offshore jurisdictions

The use of offshore entities for legitimate business purposes is a widely used structure throughout the Asia-Pacific region. It has also been demonstrated that the lack of a publicly available ownership registry in certain offshore jurisdictions can be used by bad actors to disguise the true nature of illegitimate transaction flows. The difficulty in identifying the ultimate beneficiary of an offshore entity or structure is a common issue in corruption, sanctions, AML investigations and the use of related parties in accounting frauds. Where law or tax enforcement is involved, the relevant ownership details can be obtained in offshore jurisdictions. However, in most cases forensic accounting investigations will run up against dead ends when attempting to trace funds through offshore jurisdictions. In these cases, the focus of the investigation should be to understand the commercial rationale of the offshore structure and any related transaction flows. Any flow of funds or business relationships that involve offshore entities must be clearly explained and, more importantly, properly documented. If the subject of the investigation cannot provide such explanations then this should usually be considered a red flag for further investigation, and consideration may be given to obtaining legal advice into the feasibility of applying for a Norwich Pharmacal or similar disclosure order. As fraud schemes have become more sophisticated with regard to avoiding detection, additional onshore entities may be involved between the subject of the investigation and the offshore entity. Investigators need to consider anomalies in the supply chain and check for potential bogus suppliers and undisclosed related parties.

Cross-border data challenges

Investigators are often required to strictly segregate data sourced from different jurisdictions based on local data laws, and in the case of the PRC, the Law of the PRC on Guarding State Secrets. Similarly, in Japan, following amendments to the Act of Personal Information Protection, the Personal Information Protection Commission (PIPC) was established. According to PIPC regulations, entities must obtain the consent of the data subject prior to disclosure to overseas third parties. Transfer of any customer or employee data should only be done after careful due diligence on the terms and conditions in place with customers and employee contracts. In practice, it may not be possible to obtain a satisfactory level of comfort that the appropriate consents are in place. In many instances, client concerns about data security will mean data must stay within the client premises, particularly when dealing with large volumes of customer data. This creates significant challenges in both the execution and reporting of findings in cross-border investigations.

Where data can be aggregated from multiple locations, the efficiency of the investigation is increased. For practical reasons, it is helpful for investigating professionals to be able to review and share data between locations. Also, when conducting data analytics-based exercises, the analysis is more valuable when the data sits in one database and can be reviewed in the context of all the relevant data. For example, an analytical exercise reviewing expense reports by individual employees would ideally be able to identify benchmarks and outliers between employees across the entire business operations. This applies to a lesser extent to unstructured data, one of the main benefits of e-discovery software is to deduplicate documents collected from various data sources. Deduplication can be achieved through analysis of metadata without sharing the contents of the data across borders. However, the effectiveness of email threading analysis, grouping all emails in the same chain and identifying only unique content for review, will be partly affected by segregated data.

Strict data requirements necessitate a great deal of planning and preparation on the part of investigating professionals. While it is often necessary for all data collected during the e-discovery process to be hosted in-country, this does not solve the issue of dealing with working papers and other documents obtained by forensic accountants and other investigating professionals. In most professional firms, in the ordinary course of business the preference is to store working files on cloud-based systems. This is rarely appropriate for a cross-border investigation as it limits the control that can be placed on accessing and transmitting data. Another consideration is the location of email servers and back-up policy of the investigating firm. Data may be effectively leaving the jurisdiction unbeknown to the individual user by virtue of server locations and routine backups. These considerations must be balanced with the risks associated with data loss if backups are disabled. One commonly used solution is to deploy a mobile server at the client site on a closed network. This means the flow of data is controlled much more easily, but where data is hosted on client premises, measures should be put in place to ensure that the data is protected from potential interference. Keeping data on a closed network also creates challenges when it comes to reporting findings.

Regulators and other stakeholders will expect to be kept apprised of developments as the investigation progresses and, of course, receive a final report. The impact of the report, particularly when it involves personal data, may be lessened when findings can only be reported as part of aggregated data or in an anonymised format. For a corruption investigation, the findings will be at the level of individual transactions, payments to whom, on what date and authorised by whom. This is typically less of an issue for financial statement fraud cases where the focus of the investigation is usually to try to get to the real underlying financial position of the entity under investigation. However, the conduct of individuals will still be a focus of regulators in all cases. In many jurisdictions this information cannot be reported outside of the relevant jurisdiction, so careful determinations must be made about how findings are reported based on appropriate legal advice, as necessary. The use of technology tools can greatly assist the progress and efficiency in an investigation, but the first consideration when deploying these tools is ensuring that they are set up and operated in a controlled environment that is compliant with local data privacy laws. Investigators should be prepared to explain to the relevant authorities what measures have been put in place to comply with local laws. In these situations, as with all compliance matters, planning and documentation of the controls in place is key.

Technology assisted review

Technology assisted review (TAR) – using machine learning as part of the document review process – has been accepted by courts in the United States for some time. The take up in Asia-Pacific countries has been less widespread, particularly for internal investigations. This is a result of a mixture of factors: some unique to Asia and others relating to the technology generally.

The latest TAR software has a number of different functions that can aid the review process. Typically, the process involves taking a set of reviewed seed documents from which the software will look for common factors and apply predictive coding to the remaining review population. This is then refined and validated through an iterative process until the software determines that the remaining documents do not need to be reviewed or, technically speaking, that the probability that the relevance of any document that hasn't been reviewed (by a human) is outside predetermined statistical parameters.

Dealing with multiple languages

One conceptual issue that commonly occurs in investigations in Asia is multiple languages in the same review population. In these cases, the data set needs to be categorised by language and the machine learning can only be applied to each bucket on a siloed basis. This can create issues where a custodian may discuss the same issue in different languages across different email threads. The software will not be able to make the link between one email in, say, Japanese and a related email in English. One way to resolve this, once the issues are well known, is to use targeted search terms as a quality assurance exercise. Any issue that is identified in one language can be searched for using corresponding search terms in any other language used by the relevant custodian.

Hybrid approach

Another concern around this technology is the perception that it is a black box. Investigators who are not familiar with the technology can be reluctant to move away from tried and trusted methodologies. The technology used for traditional linear review has been in use for some time and is widely understood. A set of search terms can be agreed at the outset based on known issues and a review population is identified. From that point the progress of the review is relatively predictable. The review plan is straightforward and easy to communicate to stakeholders, including regulators.

Because of the challenges outlined above, a hybrid approach can be an effective way to defensibly accelerate the progress of an investigation. Firstly, the TAR software can be used as part of an early case assessment. The data visualisation functions quickly help investigators get an overall understanding of the data set and identify if there are any gaps in the data.

For the review phase, the search terms can then be applied to the review population as in a linear review. TAR is then used not to predictively code, but to prioritise the review based on the results of an initial review seed set of documents. The advantage of this approach is that the machine learning will help to identify potentially relevant documents and push them up the review queue, meaning early identification of key documents. Compared with a linear review there is no downside, as the prioritisation can be managed at minimal incremental cost and is likely to lead to efficiency savings overall. This is particularly helpful when there are parallel workstreams such as witness interviews and analysis of structured data. Early identification can allow the investigation to quickly hone in on the key issues.

Combining insights from multiple sources of data

One of the most time-consuming and, therefore, expensive aspects of an investigation is identifying links and analysis between different data sets, particularly between unstructured data, emails, chat messages, etc, and structured data (usually transaction data). An email might refer to the payment of an invoice, and the investigation then has to identify the payment in the structured data in a different system (or systems) by reference to the date or the invoice number. This can be particularly time-consuming, particularly in the context of investigations where the list of suspect transactions could be voluminous, such as AML, corruption or accounting fraud investigations.

New tools are now available that can not only house structured and unstructured data in the same review platform, but also automatically make links between the two data sets. In practice, this means a reviewer can look at the contents of an email discussing a transaction and the actual associated transaction details with a few clicks. This can help to quickly validate findings as well as root out false positives; ie, filter out emails that on first review might appear to contain issues, but are actually benign.

As noted above, in many cases data sets from different jurisdictions cannot be reviewed as a whole. While this places some limits on the efficiencies that are available from using various technology tools, the benefits of using these tools outweigh the costs of implementation, even for relatively small data sets. The increasing complexity and sophistication of the issues faced by forensic investigators means investigators must equip themselves with the best available tools to uncover the issues in an efficient and cost-effective manner.

Capturing communications

The evolution of channels of communication and blurring of the lines between business and personal communications means relevant data can sit on multiple devices with multiple applications on each device. Capturing, processing and hosting email and other electronic data has been standard practice for a number of years but is no longer sufficient. The use of messaging applications for business as well as social interaction is now commonplace. The annual WeChat report issued by Tencent's research division reported that 83 per cent of surveyed respondents use WeChat for work, with a reported 963 million active accounts,4 all of which equates to a lot of business conversations happening off email. Crucially these work-related conversations occur regardless of whether the device is issued by the company or is owned by the employee. While there are means of capturing these conversations from backups to laptops, this depends on the settings applied by the user, so cannot be guaranteed. Conversations on messaging applications can be extremely valuable evidence precisely because bad actors now know very well that their corporate emails can be easily accessed and reviewed. In most cases custodians tend to be less cautious when communicating over messaging applications. Whether the device is owned by the employee or company-issued (with appropriate data-ownership policies), such communications can be key to an investigation.


The work of forensic accountants has evolved from the previous focus on anti-corruption compliance and accounting fraud in China to now include both new geographical markets and new issues reflecting regulatory priorities, such as sanctions compliance and AML. The associated investigations are increasingly complex as the number of sources of relevant data and overall data volumes increase. Forensic accountants have always needed an eye for detail, inquisitiveness, persistence and accounting expertise. Added to that, investigating teams need to be aware of and able to make best use of the technological tools available to manage and gain insight from very large and disparate sets of data. Along with the changes in data, the evolving regulatory landscape in respect of data privacy in both Asia-Pacific regulations and extraterritorial international regulations requires investigators to be cognisant of the relevant laws and ensure the collection and transfer of data is carried out in a controlled environment.



2 New York Times, 'Predictably, China's Year-on-Year Growth Maintains Its Steady Pace,' 16 July 2017.

3 Hong Kong Securities and Futures Commission, presentation given at the HKICPA on 19 July 2017, 'SFC enforcement trends & priorities: corporate misconduct & fraud'.

Unlock unlimited access to all Global Investigations Review content