Article

Be prepared: A guide to internal and external fraud investigations

Practical steps to take to recognize, investigate and report fraud

Dec 05, 2023
#
Business risk consulting Financial investigations

While there is no absolute defense against fraud, companies that reward ethical behavior, through compensation plans or other rewards-based programs tend to have fewer cases of illicit activity. Similarly, business leaders who understand how to identify early signs of fraud, apply best practices in an internal investigation and take proactive steps to coordinate external reporting can reduce the financial impact of a fraud event and often have a better chance to improve their outcomes with regulatory or investigative agencies. On the other hand, when an organization’s leadership team is not prepared to conduct fraud investigations or does not understand its risk factors, the consequences are often detrimental and expensive.

Since the onset of the COVID 19 pandemic to the present, the U.S. Department of Justice (DOJ)  enforcement actions have increased in number with concentrations on FCPA violations, COVID 19 Paycheck Protection Program (“PPP”) loan fraud and Healthcare fraud, among other areas.DOJ enforcement actions have also focused investigations and prosecutions towards individual actors—not just corporations. And although leadership in place at both the DOJ and the Securities and Exchange Commission tends to change hands after several years, there is no expectation that government scrutiny and enforcement actions will diminish under any change in leadership. Accordingly, companies should remain vigilant and carefully monitor how prosecution and enforcement priorities evolve among these agencies, especially as it relates to the Foreign Corrupt Practices Act, the Bank Secrecy Act, and other laws and regulations aimed at punishing fraudulent actions by individuals and corporations.

Identifying threats and vulnerabilities: Assessing fraud risk

The steps to identify the potential fraudulent activity begin with a candid, clear-eyed view of the business and its operating landscape, including third-party external business relationships. When assessing fraud risk at the employee or department level, it is helpful to identify the areas of greatest opportunity for fraudulent activity. For instance, since sales representatives often receive the majority of their compensation by meeting or exceeding revenue targets, there is an inherent incentive for these individuals to engage in bribery, kickback or other corruption schemes. Accounting departments are another high-risk zone for most privately held and middle market businesses, given potential control deficiencies that may exist in billing, expense reimbursement, payroll, and financial statement processes. And warehouse and procurement employees working for businesses that carry a great deal of inventory—such as manufacturers, distributors, and retailers—represent a potential threat for asset misappropriation schemes and non-cash frauds. In the majority of cases, higher risk correlates with loose or nonexistent internal controls.

Given the range of potential industry and workforce threats, an;independent and objective risk assessment;performed by an external team can be a sound investment. When developed in collaboration with business leaders, an external team-led risk assessment can apply industry-specific data analytics and forensic investigative techniques to stress test fraud defenses and controls. The assessment can also identify company-specific fraud vulnerabilities based on business segment, geographic operations, government interactions, and supply chain in addition to other critical factors. When the investigative portion of the assessment is complete (after any course corrections mutually agreed upon midstream), company leaders typically develop a fraud risk matrix, which highlights operational and control strengths, identifies weaknesses and control gaps, shows how the company performs against industry peers, outlines corrective action recommendations, and offers specific steps to help the company conduct ongoing fraud risk monitoring.

Preparing for the worst: Developing a fraud response plan

Companies with a clear, documented fraud response strategy are more likely to initiate investigations versus companies that have no such road map. Without a plan, an organization’s reaction to allegations or identification of fraud can be unnecessarily chaotic, disjointed, ineffective, and stressful. Needless to say, a coherent fraud response plan can offer business leaders a road map to follow in what many times is a fast-moving and reactionary situation. A plan may also result in considerable savings for the organization in terms of professional fees to investigate the fraud and time spent by internal resources used to assist in an investigation.

While a written first-response strategy is highly advisable, it should contain key specifics that can be quickly read—and understood—when a fraud event occurs. For example, the strategy should identify a decision-making chain of command, as well as defined (and agreed-upon) action steps to be taken by senior executives and corporate directors. The fraud response strategy should clearly state what information beyond initial discovery will be communicated, to whom it will be communicated, and under what circumstances. Having this level of planning available prior to the occurrence of a fraud event will help ensure that the initial response is thoughtful, coordinated, timely, and effective. This can help the company avoid potentially negative financial, operational, legal, and reputational issues that can arise when resolving internal and external fraud.

Addressing the situation: Responding to fraudulent activity

If evidence of internal or external fraud is discovered despite a company’s best efforts to prevent such actions, there are a number of items that management should consider to minimize the impact to business operations. And while a fraud response plan—along with input from senior executives—should address a variety of potential concerns and questions, the following are three steps senior management can take to investigate fraudulent activity:

1. Stop the bleeding.

When any suspicion or evidence of fraud is reported, ensure that a response plan is in place. This plan should enable leaders in any specific company location to quickly assess the root cause of the fraud, stop the illicit activity to prevent further damage, and determine what legal or regulatory exposure the company may have. The response plan should also cover how fraud-related information is escalated to the board of directors, senior corporate officials, and employees (if necessary), and when outside professionals should be contacted and retained to assist with the investigation. If business leaders do not take quick action when fraud is identified, the company may be at risk for potential fines, legal issues, and reputational damage.

2. Collect and organize information.

The fraud investigation team’s work begins with clarifying (as much as possible) the fraud’s point of origin, along with identifying potential internal and external actors involved in the illicit activity. This includes documenting the initial fraud response strategy, developing a chronology of the facts and allegations, identifying the circumvented controls that allowed the fraud to occur, detailing any specific items unique and pertinent to the matter, determining if all relevant records have been gathered, and establishing an internal and (if necessary) external interview list for fact-finding purposes. Additional considerations in this phase of the work may also include identifying forensic technology tools to facilitate and organize emails, files, communications, and other evidentiary data. These careful steps will help senior leaders understand core issues and chart the next steps, which may include retaining third-party investigators to handle complex fraud situations. When relevant information is gathered and documented early in a fraud discovery process, it strengthens the credibility of future decisions the company may need to make regarding legal issues or regulatory self-reporting decision points.

3. Protect management from baseless allegations.

When a fraud incident gains visibility, a frequent knee-jerk response from external parties is that senior management is to blame for the situation. Consequently, it is critically important for any investigative team to concentrate on credible data and evidence, stay focused on the direction set by legal counsel or third-party resources, and make no statements about any potential involvement by management or staff until the fact-finding process is complete. That said if the investigation reveals that senior management knew about the fraudulent activity—or took no credible actions to stop illicit behavior once uncovered and reported—then the investigative team should rely on legal counsel, the board of directors, and human resources to chart a strategy for handling that situation.

Recognizing fraud complexity: Considering the use of outside professionals

No two fraud events are the same. Some schemes are relatively straightforward acts that can be clearly verified through documentation, surveillance, or witnesses, and can be quashed with swift action by senior management. In such cases, the investigation can be handled by internal compliance, human resources, legal staff, or other employees knowledgeable in fraud risks and characteristics, and experienced in conducting internal investigations. However, other cases involving a more complex web of illicit activity may well signal the tipping point for engaging qualified external resources, such as outside counsel and forensic accountants, who can provide a more focused, disciplined investigative approach.

The use of outside professionals can deliver several distinct advantages. For example, service providers well-versed in conducting investigations can offer unique perspectives, drawing on many years of experience responding to similar types of improper corporate activities. Similarly, qualified third-party firms typically have forensic accountants with experience and skillsets using data analytics and artificial intelligence tools, e-discovery platforms, and other forms of forensic technologies, in investigative work. Such experience and skillsets may not be readily available within a company’s internal team members. And since outside consultants are not employed by the company, they can provide a high degree of investigative objectivity, because they are free from job-related bias and office politics.

Communicating the issues: Reporting fraud to regulators and external parties

The decision of whether to self-report a fraud event or a potential violation to a government agency requires thoughtful consideration, as it involves the conveyance of highly sensitive company information. The release of such information can potentially generate negative fallout, such as reputational damage, criminal or civil enforcement actions, and/or monetary penalties. Thus, any such process must be guided by experienced internal and external resources that have deep experience dealing with the legal, regulatory, or public relations issues that might arise.  Recent DOJ white-paper guidance addresses their perspectives and expectations regarding self-reporting by corporations.

As a general rule, a wise self-reporting policy should include sticking to defensible data or evidence; avoiding vague terms or references; communicating in clear, declarative sentences; and using fact-based visual elements (such as charts, graphs, or tables) to help clarify key points.

Putting all the pieces together

From an internal viewpoint, tone at the top and a corporate culture of fraud prevention and detection matters. For senior leaders, that means establishing clear, concise boundaries on what is—and what is not—acceptable ethical behavior. In addition to strong internal controls and a no-nonsense stance on holding offenders (at all levels) accountable for their actions, companies can also strengthen their compliance climate through the use of regular anti-fraud training programs and whistleblower hotlines. Companies that have proactively considered how they will handle the initial discovery, investigation, and self-reporting of a fraud event or a potential violation to a government agency are in a far better position to navigate the complexities and potential issues that typically accompany illicit activity.

Related insights

RSM risk, fraud and cybersecurity services

We help executives thrive by offering solutions focused on your goals based on a deep understanding of your industry