INVESTIGATIVE METHODS IN FORENSIC ACCOUNTING
"Give the tools of the big guy to the little guy and you just might empower him" (Tim Noah)
Signs of financial crime can be initially detected in a variety of ways -- by accident, by whistle-blowing, by auditors, by data mining, by controls and testing, or by the organization's top management requesting an inspection on the basis of mere suspicion. Ideally, fraud detection ought to be recognized as an important responsibility throughout every organization, and every employee in an organization ought to be familiar with the disciplinary consequences for breach of trust as well as failure to report criminal misdeeds against the organization. On a practical level, however, there are steps to the investigative method used in an organizational context that are far from these ideals, and reaching the "breakthrough" point is more an art than science. It is the purpose of this lecture note to outline the investigative methods and procedures used in most cases.
Of first and foremost importance is the caution to check with legal counsel. Check with the company's legal counsel and then check with a local attorney on state and federal laws. Do this before you even think about launching a financial crime investigation. There are certain investigative measures which need to be taken that may violate employee workplace rights or people's constitutional rights. There are also special procedures for the gathering and handling of financial crime evidence. This is a highly complex area of crime-fighting where an investigation can easily backfire, and you might be exposing yourself and the organization to possibly more harm (and liability) than existed before you launched the investigation. Don't expect to find every kind of evidence mentioned in this lecture because some documents, by nature of the criminal coverup, will be irretrievably lost, and no amount of accounting will ever reconstruct them.
SUSPICION AND PROBABLE CAUSE
It's hard to define what it means to be "suspicious" of somebody or something, but it's an important element of investigation, nonetheless. Obviously, going on a hunch, rumor, whim, or guess is "mere suspicion," and this violates everything that the principles of criminal procedure stand for. We can, however, talk sensibly about being reactive (to the patterns of past crime) and being proactive (to the possibility of future crime). Pattern is the key word here, and there's a maxim in forensic accounting called Benford's Law which states that fabricated figures (an indicator of fraud) possess a different pattern from random (or valid) figures (Pickett & Pickett 2002: 103), so perhaps you've got to have a suspicious pattern of numbers to start with. Once you understand pattern, it's permissible to think in terms of "profiling" without being accusatory (having someone in mind), as long as we realize we're dealing with "reasonable suspicion" which is something short of probable cause (what it takes to accuse somebody). The standard known as "reasonable suspicion" is sometimes called articulable suspicion, and it requires the investigator to be able to articulate or identify a specific crime they think is being committed, and that a set of factual circumstances exist which would lead a reasonable person to believe that a sufficient number of elements of crime have occurred, are occurring, or are about to occur. There's more to it, of course, like the "experienced police officer standard" (special expertise or training which creates a nexus with sufficiency and is a standard part of probable cause), "reasonableness under all circumstances" (the reduced expectation of privacy in the workplace), and the "totality of circumstances" test (which justifies a temporary deprivation of liberty if the search for truth includes looking for exculpatory or mitigating factors). But enough law; it's time to look at the so-called "red flags" or indicators of financial crime.
These indicators may or may not constitute a "profile," since most of them deal with problems in the organization itself.
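Benford's Law, cited above as the source of a "suspicious pattern of numbers," can be checked with a first-digit test. The following is an added example, not part of the original lecture or of Pickett & Pickett; the two ledgers, the function names, and the batch of invoices sitting just under a hypothetical 5,000 approval limit are all constructed for illustration. A flagged ledger is a pattern to examine, which fits the reasonable-suspicion stage rather than the accusatory one.

```python
import math
from collections import Counter

# Benford's expected share of each leading digit d: log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Standard chi-square critical value for 8 degrees of freedom at the 5% level
CHI2_CRITICAL = 15.507


def leading_digit(amount):
    """Return the first significant digit of an amount, or None for zero."""
    value = abs(amount)
    if value == 0:
        return None
    # In scientific notation the first character is the leading digit
    return int(f"{value:.15e}"[0])


def benford_test(amounts, min_n=100):
    """Compare leading digits of `amounts` with Benford's distribution.

    Returns the sample size, the chi-square statistic, whether it exceeds
    the 5% critical value, and the digit with the largest excess share.
    """
    digits = [d for d in map(leading_digit, amounts) if d is not None]
    n = len(digits)
    if n < min_n:
        # Small samples give unstable digit frequencies; refuse to judge them
        raise ValueError(f"need at least {min_n} non-zero amounts, got {n}")
    counts = Counter(digits)
    chi2 = sum(
        (counts.get(d, 0) - n * p) ** 2 / (n * p) for d, p in BENFORD.items()
    )
    observed = {d: counts.get(d, 0) / n for d in BENFORD}
    excess = max(BENFORD, key=lambda d: observed[d] - BENFORD[d])
    return {
        "n": n,
        "chi2": chi2,
        "flag": chi2 > CHI2_CRITICAL,
        "observed": observed,
        "most_overrepresented": excess,
    }


def constructed_ledgers():
    """Build two constructed ledgers for the demonstration.

    organic: amounts spread over several orders of magnitude, as real
             payables tend to be (a geometric series from 12.50 upward).
    padded:  the same ledger plus 120 invented invoices between 4,100 and
             4,963, i.e. just under a hypothetical 5,000 approval limit.
    """
    organic = [12.5 * 1.03 ** k for k in range(300)]
    invented = [4100 + 7.25 * k for k in range(120)]
    return organic, organic + invented


if __name__ == "__main__":
    organic, padded = constructed_ledgers()
    for name, ledger in (("organic", organic), ("padded", padded)):
        result = benford_test(ledger)
        print(
            f"{name}: n={result['n']} chi2={result['chi2']:.1f} "
            f"flag={result['flag']} excess digit={result['most_overrepresented']}"
        )
```

The overrepresented digit tells the examiner where to look first: here it points at amounts beginning with 4, which is where the invented invoices cluster.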
Indicators of Financial Crime
Red Flags of Employee Behavior:
1. Overworking -- financial criminals are sophisticated, and know that the typical suspects of misdeeds in organizations are likely to be those who miss work a lot, call in sick, go home early, and so forth. Hence, the financial criminal (also by inclination) tends to work long and hard, staying after hours, volunteering for extra duties, or in short, attempting to appear as a superstar in the organization. This is called the protective behavior pattern.
2. Overpersonalized business matters -- a financial criminal will become extremely upset over little things that touch on or threaten their scam or fraud, and this may be something as minor as a change in office location, or something like another employee dealing with a vendor that only they think they should be dealing with. They may also not have kind words to say about top management (calling them corrupt) because (a) they want to be perceived as a powerbroker or dealmaker, and (b) they plan to claim, if caught, that the kind of thing they did was nothing compared to what goes on at the top.
3. Antisocial loner personality -- the criminal may or may not have this personality to begin with, but criminologists say that something about the unshareable aspects of financial crime may cause the person to become a loner. Their constant griping (see #2) about top management and how screwed up the workplace is also tends to result in a perception that they are antisocial. Their relationships with co-workers can be characterized as cold and impersonal since all they are inquisitive about is how co-workers do their job so they can learn about any system controls that are in place throughout the organization.
4. Inappropriate lifestyle change -- few financial criminals can resist the urge to spend some of their ill-gained loot, and their lifestyle, assets, travel, or offshore bank accounts will just not add up to the salary they're making. They are driven by money and ego, and if given the chance, will jump at almost every opportunity to make more money, and to boast and brag about knowing such opportunities.
Red Flags of Organizational Behavior:
1. Unrealistic performance compensation packages -- the organization will rely almost exclusively, and to the detriment of employee retention, on executive pay systems linked to the organization's profit margins or share price.
2. Inadequate Board oversight -- there is no real involvement by the Board of Directors, Board appointments are honorariums for the most part, and conflicts of interest as well as nepotism (the second cousin to corruption) are overlooked.
3. Unprofitable offshore operations -- foreign operation facilities that should be closed down are kept barely functioning because this may be where top management fraudsters have used bribes to secure a "safe haven" in the event of need for swift exit.
4. Poor segregation of duties -- the organization does not have sufficient controls on who has budget authority, who can place requisitions, or who can take customer orders, and who settles or reconciles these things when the expenses, invoices, or receipts come in.
5. Poor computer security -- the organization doesn't seem to care about computer security, has slack password controls, hasn't invested in antivirus, firewalls, IDS, logfiles, data warehousing, data mining, or the budget and personnel assigned to IS. Simultaneously, the organization seems over-concerned with minor matters, like whether employees are downloading music, chatting, playing games, or viewing porn.
6. Low morale, high staff turnover, and whistleblowers -- Low morale and staff shortages go hand-in-hand, employees feel overworked and underpaid, frequent turnover seems to occur in key positions, and complaints take the form of whistleblowing.
The above are "red flags" associated with what anyone, not only a seasoned investigator, would be easily able to spot. When combined with the results of robust audits which contain some "explanations," "except for," or "deficiencies," and when also combined with confidential tip-offs (perhaps to a hotline), ex-employee whistleblowing (exit interviews), or current employee whistleblowing (qui tam lawsuits if the company is doing business with the government), I would say that not only has reasonable suspicion been reached, but the standard of probable cause is approached.
RED FLAGS + AUDIT RESULTS + WHISTLEBLOWING = Reasonable Suspicion
In proceeding to the stage characterized by probable cause (which is generally an accusatory stage), it's important to concentrate on the bigger fish. Avoid the temptation to go after small fish or soft targets just to come up with names, like going after lower-level employees who file a false number of hours on their overtime claims. In fact, avoid any fishing expedition, like putting up CCTV cameras throughout the workplace, or resorting to lie detectors on employees. Anything along these lines that will tip your hand or make you look like a stooge of the administration will backfire on you in terms of increased employee resistance. This is the point at which you need to consult with company lawyers. Reasonable suspicion gives you, the investigator, certain powers to invade privacy and impede liberty (within limits), but probable cause (best obtained by personal observation or eyewitnesses) will be needed before you can do any searches or seizures. Legal counsel needs to be consulted, at minimum, on the following important matters:
Have whistleblowing employees signed non-disclosure agreements (NDAs) which might render their tips or testimony worthless?
What are the reasonable expectations of privacy in the workplace, and have employees signed any waivers of privacy rights?
Is there a fraud policy in place, and have employees signed off on at least a breach of trust/employee discipline statement?
Who will deal with the fidelity insurance company and any procedures they require for evidence collection and claims?
If disciplinary action is taken against an employee who feels discriminated against, how can retaliation claims be avoided?
Does an appeals process, arbitration, or union representation exist for employees?
How can searches and seizures be done without triggering false imprisonment lawsuits?
Should the investigation proceed overtly or covertly, and with or without publicity?
Is the goal to get someone convicted in criminal court or for the offending employee(s) to leave quietly?
NARROWING DOWN THE SUSPECT
Give some initial thought to whether you have a conspiracy on your hands, a small group acting independently, or a solo offender, but be prepared to use a variety of approaches to narrow down the list of usual suspects. The "usual suspects" will be those who occupy key positions identified in the risk assessment (if the organization has done one), or those who occupy positions that have historically been involved in fraud (from an industry fraud trend comparison that you do). If the company you are investigating has a history of past fraud, use your knowledge of that history (and employee personnel records, if accessible) to provide a clue to future frauds that you can set up observation of. Most crime committed in an organizational context is similar in concept, and only different in the manner of execution, and the past is a guide to the future. Various specialized analytical procedures that accountants do may help you zero in on key areas of the organization (e.g., if the crime involves receivables, payables, or payroll). In such places, clandestine recording of computer interfaces, keyboard strokes, and PC audit trails might be the way you begin collecting evidence. Depending upon the crime (e.g., theft, embezzlement), you might want to consider using fixed, moving, audio, or video surveillance, although a lot of companies swear by security checkpoints, random searches, and polygraphs. Be advised that the use of these measures may be restricted at the constitutional, statutory, or local level. However, the crimes you are dealing with are complex. Bribery and price fixing, for example, are two of the most difficult crimes to solve, and just about require using informants or surveillance. Somehow, try to keep your "pool" of suspects from leaving the jurisdiction, taking vacations, or going on sick leave.
The private residences of employees are definitely off limits, and the general rule for high-powered tools like wiretaps is that the more high-powered the tool, the more important it becomes that you are definitely seeking a criminal conviction. Likewise, by using informants (which is not all that bad a strategy), you run the risk of entrapment. Regardless of which methods you rely on (and again, you should be prepared to use a variety of methods), remember that it helps if all your strategies are documented in a fraud investigation manual that you, the forensic accounting firm, have developed. This manual should also document exactly how you handle chain of custody issues in evidence gathering. On a final note, once you have achieved probable cause on a zeroed-in suspect, it's best not to show your hand too quickly by calling in law enforcement to make an arrest, although top management may want you to make the arrest and get it over with as quickly as possible.
GATHERING THE EVIDENCE
The formal investigation is a follow-up to your preliminary investigation which essentially established that you acted upon a whistleblowing or complaint by exercising "due care." Due care should not be confused with "due diligence" which is another type of forensic accounting investigation that checks out the background, reputation, and integrity of a prospective business partner (see sample checklist). However, a due diligence investigation may be necessary if dealing with more than one company or subsidiaries of a parent company. Before you begin gathering evidence, care must be taken to conform to the standard procedures mentioned in your manual, or at least the best practices in this newly emerging field. It is currently best practice in the field to use standardized formats for any interviews or questionnaires with employees; i.e., each employee questioned should receive exactly the same questions (about work habits, etc., anything of relevance). If surveillance is done, it is important to keep records and logs. Make careful documentation a habit for just about anything that might tread on employee rights, confidentiality, and privacy. On the other hand, you may not have any time to do things as properly as you'd like, and the following paragraph explains why.
Top management may feel the organization has suffered enough from its losses, and businesses being what they are (always putting business before security), a claim might be made by the company against its fidelity (or crime) insurance carrier. If this happens, your investigation rapidly becomes a criminal investigation because the insurance carrier will require a report be filed with law enforcement. You will have to gather evidence that proves guilt beyond a reasonable doubt. A civil trial might come later (to recover additional losses), but the effect of involvement by insurance companies and the police drastically changes the nature of your investigation, not to mention that it opens the door to publicity. By contrast, let's assume you (and top management) have decided to pursue a civil (not criminal) remedy, or just to make some suspected employee go away. The standard of proof in civil cases is preponderance of the evidence, so in this case, you'll need to move quickly and seize everything (and I mean everything) that might be under the control of the perpetrator. This usually results in the seizing of boxes and boxes of records, files, papers, and computers, along with warrants or court orders freezing the assets of the suspected employee and their family. This, again, can draw publicity, and sometimes is used (along with the "perp walk") in criminal cases for shock and awe, but it is more typical of a civil investigation. These are just some of the problems you might face in going for "full prosecution" or getting the culprit to pay back what they owe and then resign. Note that when top management decides to let them resign, and even gives them a severance or golden parachute along with good references, this is not a good idea since civil liability may be incurred from the suspect's next employer. 
Keep top management and the Board informed via weekly progress reports, but do not let them "soft-pedal" the matter or "sweep it under the rug" because if they succeed in that, they have "condoned" the crime. The most common defense in a white collar crime, like in any employee misconduct case, is the claim that upper management condoned the misdeed, or didn't draw clear lines between right and wrong.
Expect the perpetrator to have influence, power, wealth, and the best legal support money can buy. Reassure the perpetrator's lawyer(s) that you are carrying out a rigorous, systematic investigation that is not a "witch hunt" and will look fairly for evidence of an exculpatory nature, and that you will freely disclose or "discover" whatever you find with them. The most successful defense strategy in a white-collar crime case is for the defense to argue that vital information was never disclosed to them in a timely manner via the discovery process. Be especially careful to gather solid evidence of a character, opinion, hearsay, or motive nature. You need motive evidence to investigate most financial crimes, but what you don't need is a defamation lawsuit, and you can very likely expect one from a resourceful and powerful criminal like the one you're trying to catch. Therefore, confidentiality, secrecy, or covert operation is important. Organizations being what they are (with grapevines and scuttlebutt), as soon as word gets around that "they are investigating so-and-so for a crime," you've got a defamation lawsuit in the making which is a personal injury lawyer's favorite kind of case. Organizations which claim to have a so-called "zero tolerance policy" toward fraud, and engage in full-scale prosecutions with publicity, open themselves up to the problem of defamation. A lot depends on whether the employee disciplinary machinery is in working order because if there is mention in an employee manual of the appropriate actions taken in a breach of trust between employer and employee, then the employee can be gotten rid of, regardless of what happens with the criminal or civil case against them. Handling something as an internal disciplinary matter usually avoids the risk of defamation because no mention is made of "crime" or criminal aspects of the case. Sometimes, a case heads directly to arbitration.
Evidence to be collected includes motive, modus operandi, testimony, results of interviews or questionnaires, results of analytical procedures, audit trails, background checks (financial reports on the suspect), real evidence, and informant or surveillance data. For any real evidence (like fingerprints, handwriting, or computer printout) and evidence generally, make sure you work with copies of it and not the originals. The best evidence must be carefully bagged, tagged, and documented in a chain of custody that ensures no contamination or tampering was involved. The Best Evidence Rule (Rule 1002) requires that anything of a documentary or "content" nature must have the originality of it authenticated by a witness competent enough to vouch for the factual basis of it upon recognition of the original even though that original may have changed hands. In fact, all evidence must pass at least three "hurdles" before it will be admitted: relevancy, competency, and materiality (sometimes called sufficiency), and then there are dozens of objections based on each hurdle. Basically, evidence is relevant if it helps to prove or disprove a factual basis in the case. Real, direct evidence usually falls in this category, as does eyewitness testimony, but circumstantial evidence (like hearsay about motive, or financial reports that show income from unknown sources) is likely to be objected to on grounds of irrelevancy. Competency is likely to come up if and when co-workers are put on the stand, since bias, jealousy, and being involved in office politics generally disqualify someone as a competent witness. Materiality, or sufficiency, objections are likely to be encountered if the investigation was sloppy, the chain of custody was broken, or the way evidence is presented tends to confuse the jury or seems to waste the judge's time.
For the latter, most prosecutions of white-collar crime rely on demonstrative evidence which makes use of replicas, plaster casts, charts, and diagrams for simplifying the offense and presenting a pictorial view. Another standard, called the Daubert Test, must be applied to any scientific evidence, and this includes forensic accounting evidence. For example, any analytical procedures that were carried out by fraud auditing (showing, say, a particular pattern of cash flow) would have to be explained not only in terms simple enough for a non-accountant to understand, but the expert would have to be published in the field, and there would have to be a body of peer-reviewed literature that not only reflects general acceptance but articulable (Type I and Type II) error rates. This may be somewhat overwhelming, and forensic accountants as expert witnesses are discussed in a subsequent lecture. For now, let's just repeat a list of the evidence to be collected along with where you might find that kind of evidence or who is competent to present it:
motive evidence -- hearsay, interview, or background check
modus operandi -- risk assessment, industry patterns, data mining, organizational history
testimony -- witnesses of a character, opinion, or hearsay nature
results of questionnaires -- statistics, stylistics (style of writing), lie detection
results of analytical procedures -- statistics, fraud auditors, forensic accountants
audit trails -- auditors, fraud auditors, forensic accountants
background checks -- investigators, law enforcement, criminologists
real evidence -- fingerprints, handwriting, documents, forgeries
informants and surveillance -- operatives, logs, recordings
demonstrative evidence -- replicas, charts, diagrams
scientific evidence -- qualified experts on error rates in field
FALLOUT FROM AN INVESTIGATION
The good name of the organization ought to be protected, except when you're investigating corporate crime and everyone in the organization knows they are producing bad products, polluting, or creating irreparable social harm. A forensic accounting investigation can either be resisted like nothing else on earth, or the employees can willfully cooperate. It behooves the investigator to keep up company morale and reputation, as these things tend to produce cooperation and minimize the fallout. You should be aware of the many "dirty tricks" that might go on. If the perpetrator remains unidentified and is still active in the organization, they may intimidate or blackmail other employees into non-cooperation. This may happen, anyway, if the perpetrator happens to be one of their bosses who is seen as someone who can do no wrong. It is a good idea to fast-track an investigation the higher up your primary suspect is. It may be necessary to offer non-cooperative employees some kind of immunity or offer of protection. Private sector employees generally have fewer rights than public sector employees because in the public sector, they cannot be dismissed for failure to cooperate with an investigation. Polygraphs may be outlawed in some states, but the ban is generally relaxed whenever economic loss is involved. Access to personnel files may require approval from the head of personnel under certain statutory or organizational requirements. A climate of fear and paranoia may develop within the organization if investigators are perceived negatively, and rumors will spread like wildfire, some of which risk becoming grounds for defamation lawsuits. People may come forward with all kinds of gossip and innuendo on other employees for "payback" purposes. Some employees will quit for no reason at all, and you'll need to decide if the expense is justified to track them down, just as you would for any ex-employee of interest.
It is a good idea to "tone down" the language of your investigation in some way, and preferably do things as covertly as possible. Never use the words fraud, crime, conspiracy, lie, or deception. Instead, use words like irregularity, inconsistency, or breach of procedure. Interview and/or confront your prime suspect(s) last, but do not ask questions of anyone that would force them to incriminate themselves, and learn to read body language and handwriting. Your goal should be to hint at enough overwhelming evidence against them (and their co-conspirators) so that when confronted by it, they break down and confess. Make sure you accurately record the confession, but it may be wishful thinking to expect a confession. Most perpetrators, when confronted, will simply refuse to cooperate and lie. Another large group will break down emotionally and ask to be immediately excused from the interview, and then go under intensive medical care of some sort.
Allen, G. (1999). The Fraud Identification Handbook. NY: Progressive Press.
Bologna, J. & Lindquist, R. (1995). Fraud Auditing and Forensic Accounting. NY: Wiley & Sons.
Brightman, H. (2004). Understanding and Investigating White Collar Crime. Thousand Oaks, CA: Sage.
Davia, H. (2000). Fraud 101: Techniques and Strategies for Detection. NY: Wiley & Sons.
Klotter, J. & Ingram, J. (2004). Criminal Evidence. Cincinnati: Anderson.
Manning, G. (2005). Financial Investigation and Forensic Accounting, 2e. Boca Raton, FL: CRC Press.
Pickett, K. & Pickett, J. (2002). Financial Crime Investigation and Control. NY: Wiley & Sons.
Silverstone, H. & Sheetz, M. (2003). Forensic Accounting and Fraud Investigation for Non-Experts. NY: Wiley & Sons.
Williams, H. (1997). Investigating White Collar Crime: Embezzlement and Financial Fraud. Springfield, IL: Charles C. Thomas.
Last updated: Sept. 30, 2006
Not an official webpage of APSU, copyright restrictions apply, see Megalinks in Criminal Justice
O'Connor, T. (Date of Last Update at bottom of page). In Part of web cited (Windows name for file at top of browser), MegaLinks in Criminal Justice. Retrieved from http://www.apsu.edu/oconnort/rest of URL accessed on today's date.