The Covid-19 pandemic has caused widespread disruption to business operations globally and, consequently, has exposed businesses to a greater risk of fraud. The spread of the virus has ushered in a new era of hybrid working, partly from home and partly from the office. Such an environment makes corporates more vulnerable to fraudulent practices.
As per the ACFE report “Global study on Occupational fraud and abuse”, many victim organizations did not report fraud cases to law enforcement agencies even though they had enough reason to believe that fraud had occurred and, in many cases, even knew the modus operandi and the culprits. Respondents who did not report the case were asked their reasons. 10% of the victim organizations stated “lack of evidence” to be the key reason. This makes it imperative to understand the significance of evidence collection and preservation. The report also indicates that the duration of a fraud is directly proportionate to the financial loss on account of the fraud. Hence, prompt action can aid quick detection of fraud, thereby arresting or avoiding the potential loss. This article discusses the immediate steps recommended on observing any red flags, receiving a whistle blower complaint, or even suspecting a fraud or malpractice. Management may choose to adopt all or some of the recommended good practices below, depending upon the suspicion, seriousness/complexity of the fraud, quantum of damage, number of suspected employees, duration of the fraud, etc.
The success of an investigation depends on the steps an organization takes promptly on learning of a suspected fraud. Every organization, irrespective of sector, size or geography, needs a comprehensive incident response plan to deal with any fraud situation. An incident response plan communicates the organization’s responsibilities with respect to preserving evidence and keeping it safe, securing the suspect’s workplace, withdrawing approval rights, changing login credentials for financial transactions, and informing external vendors.
For each case, management should carefully identify which individuals should be informed of the required steps of the incident response plan. Similarly, it is important to identify the individuals from whom the procedures should be kept completely confidential, to avoid tipping off the suspect. For instance, the IT head needs to be informed about the suspicion to aid in data extraction while preserving the integrity of the data, and the legal head needs to be mindful of the various legal issues which may arise during and after incident response. Other individuals working in the suspect employee’s ecosystem, however, can be given information on a need-to-know basis. Once the suspect is aware that questions are being raised about his/her activities, he/she can misguide the potential probe in many ways or devise new ways to destroy the evidence.
Collection of relevant evidence is critical in proving or disproving the occurrence of fraud. Evidence recreates the sequence of events, which uncovers the overall modus operandi used to execute the fraud and the involvement of other individuals or third parties who may not otherwise be under suspicion. Careful evidence handling at the organization level is therefore significant in underpinning a potential probe and investigation. Evidence exists in two forms, digital and physical, both of which are equally important for the successful completion of an investigation.
Volatile data resides in random access memory (RAM), registries and cache. It includes the information currently being processed by the computer. Once the computer is turned off, such data is lost. Collecting such data from the suspect’s workstation should therefore be undertaken on a priority basis, before any power cut and before the computer is switched off. The process of gathering volatile data is also known as “live forensics”. However, the organization should assess the relevance and applicability of such data to the suspected fraud case.
Non-volatile data is part of the computer’s permanent memory. Common files containing evidence stored in computer systems include user-created files and computer-created files.
| # | Computer-generated files | What data does it record? | How can such data help the organization? |
|---|---|---|---|
| 1 | Metadata | It provides data about who copied, received, clicked, edited, moved, or printed the document, and when these events occurred. | It helps gather information regarding the personnel involved in alteration or destruction of evidence. |
| 2 | Event logs | Event logs record, in chronological order, the transactions and events that have taken place on a computer. | A detailed review of event logs can help to understand the timelines of fraudulent activities. |
| 3 | Internet activity | It stores data regarding the websites visited, time spent online and images previously viewed online. | A quick scan of the suspect’s search history is likely to give clues regarding the suspect’s behavioural pattern. |
| 4 | Deleted data | Data are not erased from the computer’s hard drive until they are overwritten, so deleted files might be recoverable. | Such deleted files might include critical evidence supporting the case. |
It is important to handle the collected data with precision and care. Evidence collected must be backed up to avoid damage or alteration of any kind. It is essential that relevant information be extracted from the suspect’s computer without alerting the suspect.
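One way to make the backup requirement above checkable, shown as an added example that is not part of the original article: hash every collected file at the time of collection, then verify any backup or working copy against that manifest. The file names and contents are constructed samples, and SHA-256 is an assumed choice of hash.

```python
import hashlib, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large disk images do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root):
    """Record hash, size and modification time for every file under root."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            st = path.stat()
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
            manifest[path.relative_to(root).as_posix()] = {
                "sha256": sha256_file(path), "size": st.st_size,
                "mtime_utc": mtime.isoformat()}
    return manifest

def verify(root, manifest):
    """Return {relative path: problem} for a copy checked against the manifest."""
    current = build_manifest(root)
    problems = {rel: "unexpected" for rel in current.keys() - manifest.keys()}
    for rel, meta in manifest.items():
        if rel not in current:
            problems[rel] = "missing"
        elif current[rel]["sha256"] != meta["sha256"]:
            problems[rel] = "altered"
    return problems

def demo():
    """Constructed sample files: hash at collection, back up, then re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src, backup = Path(tmp, "collected"), Path(tmp, "backup")
        src.mkdir()
        (src / "ledger.csv").write_text("vendor,amount\nACME,12000\n")
        (src / "mail.txt").write_text("From: a@example.com\n")
        manifest = build_manifest(src)    # taken once, at collection time
        shutil.copytree(src, backup)      # backup / working copy
        clean = verify(backup, manifest)
        with open(backup / "ledger.csv", "a") as fh:
            fh.write("ACME,1\n")          # simulated alteration
        (backup / "mail.txt").unlink()    # simulated deletion
        return clean, verify(backup, manifest)

if __name__ == "__main__":
    print(demo())
```

Storing the manifest separately from the evidence, with the time and the name of the person who collected it, lets a later reviewer confirm that the copy analysed is the copy that was collected.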
As per the ACFE report “Global study on Occupational fraud and abuse”, 43% of schemes were detected by tip and half of those tips came from employees. Accordingly, if the suspicion of fraud arose from a whistle blower complaint, the organization should immediately encourage the whistle blower to discreetly disclose further information, so as to understand the details of the fraud scheme or obtain more details/proof of the fraud. This will not only uncover the modus operandi of the fraud but also assist the organization in acting in time to secure evidence. Historically, it has been observed that the more quickly and sensitively the discussion/correspondence with the whistle blower is managed, the better the chances of successfully closing an investigation.
As per the above-mentioned ACFE report, 51% of the frauds in the study were committed by two or more perpetrators working in collusion. Accordingly, more than one suspect may be executing the fraud scheme. The organization should therefore identify other suspects who might be working hand in glove with the prime suspect to execute the fraud schemes, and should undertake all the incident response steps mentioned above for those suspects as well, to curb fraud losses.
These are some prerequisite steps which should form part of the incident response plan.
Based on the quantum of fraud and the requirements of the organization, an external investigation agency can be appointed to explore the need for a detailed investigation. The scope of work of such an investigation should include desktop and email review, forensic data analytics, market intelligence, an interview with the whistle blower (if any) and document review, to join different pieces of information and analyse the fraud scheme.
Such an investigation report would assist the organization in identifying the loopholes. These can be overcome by implementing a strong internal control mechanism commensurate with the organization. In this way, timely action to combat fraud would help the organization to arrest the fraud losses.