For example and discussion purposes only. Each potential fraud is unique and the actions taken should be specifically designed for each occurrence.
It’s the situation you never thought would happen, and now it has – you’ve just learned that cash appears to be missing under suspicious circumstances. What do you do?
The first thing to do is remain calm in the face of crisis. When our emotions take control, we lose objectivity and good judgment – just when they are needed the most. So take a deep breath and begin assembling the Event Team that will help manage the crisis.
The Event Team and the Investigation
The Event Team should consist of a member of Senior Management and the head of the department where the incident occurred. But do not include the immediate supervisor of any suspect, as that person may have a conflict of interest. The team should also include representatives from Finance, IT and Security, an HR representative and an attorney. Assemble the team and determine how the investigation will proceed, stressing good communication within the group and confidentiality outside of the group. All outside communication on the matter must be immediately shut down, except with hired forensic investigators, insurance brokers and trusted advisors, who should be advised on a need-to-know basis. Notifications to any board should briefly state the facts as known and not include conjecture or speculation. Make no public or company-wide announcements until the matter has been properly investigated.
Develop a brief written plan for the investigation including estimated time of completion and develop a filing system for evidence found, including adequate chain of custody control for original documents. If the matter proceeds to court, it may be necessary to demonstrate that the evidence gathered and presented is intact and to produce a witness who can testify that they had secure possession of the evidence.
Secure the Scene
If there is a suspected employee, that person should be placed on administrative leave until they are cleared of any wrongdoing or terminated for cause. Obtain the employee’s keys, badges, etc., disable all of the employee’s computer passwords and email accounts, and revoke access to all bank and securities accounts. Physical access to the employee’s work space should be restricted, and the hard drive of the employee’s computer and company-owned electronic devices should be bit-copied by a qualified IT professional. Secure all hard copy files. IT should be advised not to erase any backup tapes. All of the preceding tasks must be done in a way that is not demeaning or unprofessional and does not imply conclusions that cannot yet be supported by fact.
If a third party is involved, such as vendor fraud, work with legal counsel to suspend payment of invoices and purchasing and to secure evidence related to both the company’s employee and the third party’s employee who may have assisted in the matter.
Carefully select the persons to conduct interviews of both suspected persons and of potential witnesses. There should be no unplanned or random investigations. Untrained persons may say or do something that could later lead to defamation, discrimination, invasion of privacy or even false imprisonment charges. It is best to leave interviews to trained investigators.
Develop a brief written plan for the investigation, including timelines and responsible parties. The investigation should be guided by evidence and not guided, in appearance or in fact, by personal characteristics or feelings. Develop an efficient system for referencing and storing evidence. Follow best practices for chain of custody of evidence.
The investigation may include interviews, surveillance, forensic accounting and/or IT analysis, data mining and records reconstruction. Recognize that the investigation may take a considerable amount of time, so don’t overload team members who also have their regular job responsibilities or pressure the team to meet an unrealistic deadline, which could lead to an incorrect conclusion.
If several people may be the responsible party, there are ways to identify the party or parties responsible. These include human and electronic surveillance and rotation of staff in a deliberate manner. If there is a problem only when a specific person is on duty, then you’ve likely identified your suspect. Another method is to investigate the lifestyles and finances of those who may be responsible, looking for unusual signs of affluence or distress. But be careful not to violate privacy laws or invite invasion of privacy or defamation charges.
As evidence is gathered, the Event Team should regularly meet to review progress and modify the direction and scope of the investigation as required. The team should decide when sufficient work has been done to reach conclusions and end the investigation. At the conclusion of the investigation, a written conclusion should be prepared, in which any team member may express their dissent.
At the end of the investigation, the Event Team leader and senior management should meet to determine how to communicate to the Board of Directors, employees and the media, if applicable.
Based on the results of the investigation, take corrective action or reinstate the person(s) investigated.
The preceding is provided as representative suggestions and should not be considered comprehensive. If you suspect fraud in your organization, seek appropriate counsel and expert assistance, including from your HW&Co. executive.