Forensic Matters: To catch a thief

Monday, 15 August 2016

Introduction

The Association of Certified Fraud Examiners recently published its 2016 Global Fraud Study. It found that 70 percent of all fraud was exposed by tip off, internal audit and concerns of management. Tips were overwhelmingly the largest source, representing 40 percent. Direct supervisors are the most common recipients of tips.

The takeaway is that tips or anonymous whistle-blower facilities are a valuable source of information.

So this is how issues may come to your attention. But how do we investigate fraud once a concern has been raised? Here are some examples of evidence that may help prove (or disprove) an allegation of impropriety.

1  Emails and other electronic evidence

Email reviews are one of our best sources of information. Everyone knows that emails on a work server can be read by the employer. But it’s astonishing how often fraudsters incriminate themselves on work emails. And personal email accounts may be obtainable if accessed on a work device.

We use data management tools such as Clearwell and predictive coding to help our review and efficiently focus our enquiries across large data-sets. This can involve straight-forward techniques, like running search terms across data, or more complex techniques such as assessing the traits of relevant documents and finding documents with similar properties.

The email review process is dynamic and we can refine our searches as results are obtained. I once obtained a suspect’s business plan for fraudulent activities which had been downloaded from a personal email to a work computer. This was very useful in identifying suspect activities, aliases, and accomplices; and in directing our investigations.

2  Mobile devices

Mobile phones and other electronic devices are also potential mines of information. It’s important to review your organisation’s policies on mobile devices and accessing employee data. Identify whether the device is employee- or company-owned, and consider relevant legislation such as the Surveillance Devices Act and the Data Privacy Act.

We often request a suspect employee’s device at the start of an interview, removing the opportunity for them to alter any data. The PIN should be obtained and the device switched onto flight mode to prevent remote access. Backups may be obtainable if the phone has been connected to an available computer (even if only for charging) and we have worked with phone service providers to obtain text messages. However, retention periods differ. It is important not to look through the phone before a forensic image is taken. Otherwise the forensic continuity is jeopardised.

Typically we review text messages, emails, call history, internet search history, calendar entries and the applications installed on the device.

It is important not to look through the phone before a forensic image is taken. Otherwise the forensic continuity is jeopardised.

 

3  Internet browsing history

An employee’s internet history provides information about activities and potential motivations. We have identified compulsive gamblers whose habit prompted their fraud. It is also suspicious when low-income earners research expensive homes, cars and other luxury items not consistent with their income.

We can get an insight into behaviours from internet history, including webmail accounts and social platforms. Social media such as Facebook and Twitter can provide a wealth of material for intelligence purposes.

4  Document review

Whilst not as glamorous as the other techniques, good old-fashioned document review can pay dividends. It helps build a solid understanding of what has happened and identify gaps in evidence. We use document review in most of our investigations because a business’s documents are its basic record of events.

The approach and type of review are dependent on the individual investigation and circumstances. We have seen some organisations go to great lengths to present a ‘business-as-usual’ façade to the employees or departments being investigated, including laying new dust to conceal that a physical document search occurred; or assigning us with internal audit contacts who retrieve files at a pace designed not to arouse suspicion. Our temporary assistants tend to enjoy their brief foray into corporate intrigue.

Useful documentation is often found around employee workstations. For example, bank statements from bogus suppliers, personal bank statements, evidence of gambling, external storage devices and so on.

In one case, reviewing the invoices of a mining company helped us to identify collusion between the procurement manager and three large suppliers. Management had asked for our help because the supplier invoices totalled several million dollars and little was known about the companies. A review of invoices found that all three suppliers had identical invoice layout and design. We found that the three companies were owned by the same person who was a close family member of the procurement manager.

5  Interviews

Interviews with the suspect and available witnesses are a central component of our investigations. Often underestimated as merely incidental to an investigation, an interview is the culmination of many hours of hard work and analysis. Interviews allow us to put allegations to suspects and give them a chance to respond.

The success of any interview comes down to preparation and the investigator’s skill in building rapport with the interviewee. Of course having relevant evidence on hand to put to the interviewee can help make or break an interview. Presenting evidence such as surveillance photos and emails gives the suspect a chance to provide an explanation. Often though, when confronted with overwhelming evidence, the result can be a confession!