Thursday, 6 July 2017 Just like the television series, ‘48 hours’, which highlights the importance of the first two days in a homicide investigation, other crimes such as fraud and corruption should also be acted on quickly, but in a considered, well planned way. If the response to incidents of fraud and corruption is not carefully considered and planned, the risk of a poor outcome increases significantly. Poor outcomes include loss of evidence, inability to recover assets and the possibility of litigation brought about by the inappropriate handling of a suspect employee. Between November 2016 and April 2017, our team of Forensic experts held roundtable lunches on this subject in Brisbane, Melbourne, Sydney and Perth. The sessions were attended by professionals predominantly in the corporate sector in roles such as internal audit, risk and compliance, in-house legal and investigation roles. Participants at our sessions openly shared their experiences and views about fraud and the issues to consider when it does occur. The following is a summary of the outcome of the key issues that were shared during our discussions. Whistleblowing 1. Having an effective whistleblowing mechanism is a key corporate governance measure. Participants agreed that an effective mechanism meant that this allowed for two-way communication even if a whistleblower was anonymous. Where two-way communication was possible, it provided an opportunity to obtain further information about the issues reported. 2. It was important, regardless of whistleblower protection legislation (but particularly due to a lack of it) that corporations must have a commitment to supporting and protecting whistleblowers from victimization and have policies and procedures that clearly state this commitment. 3. Providing anonymity is essential for whistleblowing to be effective as not all individuals are comfortable enough to overtly report misconduct. Even information provided anonymously may be sufficient to identify significant issues, so it should not be disregarded. 4. A culture of ‘speaking up’ is very important and this culture should be demonstrated and promoted by Senior Management and the Board. 5. Organisations should have a ‘whistleblowing committee’ made up of several managers from different functions to receive and action reports. Protocols and procedures should be put in place to deal with situations that may involve reports against committee members and senior managers, e.g. the CEO. 6. It is important to provide feedback to a whistleblower about actions taken by the company to deal with the issues they report. It was agreed that not too much detail should be provided during the early stages of an investigation (linked to 1, above), e.g. ‘An investigation has commenced. Contact us again in 7 days for a further update.’ The timeframes for providing feedback to whistleblowers should be set out in policies and procedures. This elicits trust in the system, creates a willingness to report misconduct and reduces the risk of whistleblowers reporting issues externally, for example through the media. This often occurs when a whistleblower feels their complaints are not being dealt with, or adequately handled internally. 7. Some organisations set up their whistleblowing systems by having in-house legal counsel as the designated recipient of whistleblower reports, on the basis that legal professional privilege (LPP) would apply. However, many attendees stated that they did not think LPP would attach to a whistleblower report as it would not meet the predominance test of being prepared for the purposes of seeking legal advice. A participant from one company stated that any subsequent communications with a whistleblower were handled by in-house legal counsel. Other organisations stated that in-house legal counsel would receive the report at the same time as external counsel, so that the issue of LPP could be considered for any consequent investigation at the earliest opportunity. 8. Care should be taken to select individuals who exhibit the highest ethical standards to receive whistleblowing reports. Training in how to handle and collect information from whistleblowers should be provided to employees with this responsibility. 9. Claiming LPP at a later, advanced stage of an investigation could be difficult, so deciding about LPP at the commencement of an investigation or preliminary enquiry is a key consideration. Incident response/procedures 10. Particularly in the initial stages, only a small group of personnel should be made aware of the incident, i.e. a strict ‘Need to Know’ basis. 11. The specific issues should be carefully considered so that rash decisions are not made as they could negatively impact investigation outcomes, e.g. securing evidence and recovering assets. All sources of potential evidence and how to collect it should be considered. The preferred approach is to ‘hasten slowly’. 12. Upward and downward reporting lines need to be established as quickly as possible, and adhered to, so that the flow of information about the incident and response is controlled. 13. Appropriate planning should be undertaken. In a large organisation, this might be by an investigation committee. This includes, where necessary, using appropriately experienced resources in the planning and execution stages of the investigation. Once the matter has been considered carefully then the agreed approach should be documented in an investigation or action plan. 14. Be sure that those involved in the collection of evidence have sufficient training and experience in identifying, collecting and recording evidence. Digital evidence should be forensically acquired and the propensity to ‘have an initial look’ should be avoided as this may impact the integrity of evidence. Physical office searches should be undertaken and these should be appropriately documented, including taking photos and notes of what was done. Technology 15. There are myriad data sources that companies should be aware of and that could be valuable sources of evidence, e.g. mobile devices, USB, cloud etc. 16. The type of issue being investigated will determine what avenues of inquiry are pursued, but all should be considered by those who initially need to know. 17. There was discussion about employer rights to take possession of and/or obtain and review data held on these devices. It was agreed that appropriately detailed, well communicated policies regarding these rights would assist in supporting employer rights to access data generated by employees. It was agreed that any device issued by the company for business purposes could be retrieved from the employee, with the data they contain being accessed and analysed. 18. Social media was discussed as being a fertile source of evidentiary material. Again, the importance of having adequate policies and procedures dealing with employee access to social media sites using work assets and on work time was also raised. 19. It was agreed that when employees in positions of trust resign and leave the organisation, a standard procedure should be that their laptops and other work issued electronic devices (mobile phone, tablets etc.) are imaged. If an issue does arise post departure, then the integrity of the data contained on the hard drive is preserved and can be reviewed as part of an investigation. 20. Where a senior employee or one who is in a position of trust communicates an intention to depart the organisation, consideration should be given to obtaining a forensic image of that employee’s company issued devices at that time and again at departure. (The period between notifying of resignation and departure can be quite crucial in a subsequent investigation). 21. Whilst the focus was on digital data, a good point was raised about the importance of conducting a physical search of the suspect employee’s work area. On many occasions, this has provided very useful evidence. The process of conducting a systematic and thorough office search should be conducted by someone who has experience in doing so. This involves taking photographs before commencing the search, photographing exhibits in situ and where located, and carefully collecting, labelling and securing exhibits. Conclusion Our discussions highlighted that serious organisational misconduct such as fraud and corruption is a very emotive and often complex issue. Consequently, there is a tendency to act without sufficient consideration being given to the consequences of those actions. To reduce the likelihood of undesirable outcomes, hasten slowly and obtain expert guidance, where necessary. Note: As a result of the roundtable lunch sessions conducted with our clients, we have developed a ‘Fraud response checklist’. If you would like a copy, please contact David Lehmann.