Fraud can occur in any company. What action should you take if you spot suspicious activity?

Written By

Jakub Kur

Head of Forensic Technology
Poland

No business is fraud-proof or safe from the misconduct of employees or contractors. This type of misconduct is not exceptional, and a cautious approach, specific expertise and business sensitivity are the keys to a successful investigation. Our Warsaw-based Forensic Services team outline how to spot issues at the outset and what actions you should take. This article was originally published on 30th December 2021 by Rzeczpospolita, a Polish nationwide daily economic and legal newspaper.

According to the 2020 Report to the Nations by the Association of Certified Fraud Examiners (ACFE), each year organisations lose on average 5% of company revenue to fraud. Nearly half of frauds were detected by tip-off.

Why start an investigation

Fictitious invoices, fly-by-night or fictitious suppliers, employee theft, misappropriation of assets from a company or mobbing are the first things that often come to mind when thinking of misconduct. However, misconduct may also take other, less often-encountered forms with equally serious business, financial and reputational consequences. These may include corporate espionage, current or departing employees stealing confidential data, setting up mirror companies, or business sabotage. Regardless of the source or type of misconduct, every company should have a basic understanding of how to carry out an effective internal investigation.

Sample situations that could trigger an investigation:

  • directors or officers are informed by an external whistleblower that sales employees in one of their offices influence their client's store clerks so that they recommend only their own products and provide the store clerks with unevidenced cash or gifts of considerable value;
  • directors or officers are informed that the head of procurement gives preference to one of the company’s IT subcontractors, relying entirely on such preferred subcontractor when deciding on the company’s business operations.

In both cases the initial scope of forensic work is easy to predict; however, the course of the investigation itself will largely depend on the information collected.

The quality of such information is likely to significantly improve when the EU Whistleblower Directive, aimed at protecting individuals who report possible breaches, is eventually implemented into Polish law (though the date for this is currently uncertain with Poland along with 23 other countries missing the 17 December 2021 deadline set by the EU).

Selected individual employees and the sales and purchase processes require a special focus in the above cases. It is also worth considering whether the Management Board members were aware of these issues, who played a key role, and whether the misconduct was an isolated case or a common practice in the company. Many such cases are direct results of a lack of supervision in a given area; some may have been accepted by the management, downplayed in the past or incorrectly explained.

Tip of the iceberg effect

In most cases, the scale and type of the actual misconduct and breaches are far greater than initially assumed. Unethical behaviour often involves more employees than originally thought. When analysing the evidence, it often turns out that many other areas are also affected, which makes investigations volatile as the work progresses and new evidence or concerns emerge.

Example 1 - An investigation to identify possible business corruption.

Having analysed e-mail correspondence, we noticed that the company obtained confidential information about competitors' bids and influenced the terms of reference (ToR) in tender proceedings. This was of key importance to public tenders conducted by the company, where entirely different risk levels were at stake. The task was to identify the individuals involved in, or aware of, these activities.

Example 2 – An investigation carried out in an SPV which is a member of a corporate group operating in the construction sector.

Nearly half of the company's employees handed in their termination notices. As a result, the company's continued business operations were at risk. The management of the capital group conducted an investigation which revealed a number of irregularities and activities taken to the detriment of the whole group. The local Management Board set up a mirror company which took over construction contracts thanks to acquiring key employees. At the same time, all of the SPV’s key assets were transferred out.

Internal investigation

Before starting an internal investigation, it is important to assess the situation so as not to make mistakes that would cause major work limitations in the subsequent phases of the process, or which might possibly disrupt the company’s operations.

Three steps that should be taken before commencing work:

Step 1

Specify:

  • the persons involved in the potential misconduct and their short-term and long-term impact on the company's business operations;
  • the period when the potential misconduct occurred;
  • the IT environment, including employees’ computers and telephones, the financial systems and other infrastructure that may contain data relevant to the investigation;
  • whether the investigation findings will be presented for internal use or communicated to an external entity - a law firm, an opposing party to the dispute, or a regulator.

Step 2

Set up a forensic team that is familiar with the potential misconduct, while also being independent from the employees involved in the case.

Step 3

Analyse internal policies and regulations as well as legal acts applicable to the possibilities and limitations of the investigations.

In recent years, technology has changed the nature of investigations. Responsiveness currently plays an increasingly important role. The current pace of business means that decision-makers can no longer wait weeks or months for the results of an investigation. For this reason, it is vital to have the right resources, plans and procedures in place. Most companies have no forensic or legal teams that specialise in similar matters. If the volume of misconduct turns out to be significant to the company, it is important to immediately contact external advisors who have appropriate expertise and technical background.

Internal investigations are also initiated by external parties, for example in the event of misconduct or irregularities at a regulatory or national level. These types of matters carry with them much greater business, legal and reputational implications, and require an appropriate approach and much greater attention from managers.

Identifying information sources

Identifying the key data sources that require analysis is the lifeblood of an investigation. The COVID-19 pandemic has undoubtedly not only accelerated digitisation but also made companies view it as essential, with electronic sources replacing paper.

In addition to eDiscovery/IT specialists and individuals, the process of identifying data and establishing a plan for securing it involves individuals from relevant company departments such as the Management Board, HR, the legal department, security and IT. Initial meetings are held to identify data protection risks or investigation confidentiality risks.

For example, an IT employee is suspected of unethical conduct. In this situation a colleague who maintains close relations with the IT employee should not be involved in the process of securing the employee’s mailbox. Knowledge of the investigation may result in an attempt to delete important data, and influence perception of the employee and the atmosphere in the team. It is important to remember that accusations and suspicions may turn out to be unfounded.

Depending on the nature of the investigation, forensic technology analysis can be conducted on different types of corporate assets. However, the standard elements are:

  • employee devices (computers, telephones);
  • data from email servers and corporate communication systems;
  • platforms for storing and sharing documents;
  • financial system data;
  • data from company-specific tools (e.g. warehouse management systems (WMS) for companies in the manufacturing sector).

Forensic technology

When establishing a plan for securing electronic data, it is critical to ensure the company’s business continuity. Unless deemed absolutely necessary, securing entire disk spaces for all employees involved is being used less and less frequently in these investigations. As an example, imagine a situation where 20 key employees in a sales department are unable to perform their duties for hours because their company computers and phones have been taken away.

Modern digital forensic tools allow selected data formats to be filtered as early as the evidence-securing phase, thereby significantly shortening the time of the whole process and minimising disruption to company operations. In addition, the data is filtered using time filters (e.g. when looking for email correspondence from a given year), file type filters or filters for data from specific applications. Migrating emails and co-sharing documents in the cloud allows the team to remotely secure the data without having to take equipment away from persons suspected of having committed a fraud.

Usually, the secured evidence contains a large amount of data that is irrelevant to the case. In addition to applied time filters, methods which considerably improve the process of searching for information include Optical Character Recognition (OCR), exclusion of duplicate documents, visual analysis of the course of e-mail communication, and keyword reports.

eDiscovery technology tools allow forensic teams to be instantly provided with key documents for review and report on the progress of the investigation in near real-time, which translates into the Management Board members’ ability to take key decisions in these types of crisis situations.

Investigations involving the analysis of electronic data can vary, and one cannot rely only on tried-and-tested methods.

Example 1

An employee attempted to transfer out confidential company data.

The unprecedented size of the PowerPoint file caught the attention of the forensic team. According to system log analysis, the file had been copied to an external USB drive. Embedded in the file was a video containing screenshots of the client's strictly confidential intellectual property. In this case, a standard keyword search approach would not yield results.
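The check that a keyword search misses in this example can be done on the file container itself. The sketch below is an added illustration, not a tool used by the forensic team: it applies exact-duplicate exclusion by hash and then flags Office Open XML files (a .pptx is a zip archive) that carry embedded audio or video. The function names, the extension list and the sample files are assumptions constructed for the illustration.

```python
import hashlib
import io
import zipfile

# Extensions treated as embedded audio/video (assumption; extend as needed).
MEDIA_EXT = (".mp4", ".mov", ".avi", ".wmv", ".m4v", ".mp3", ".wav")

def triage_ooxml(name, data, seen_hashes):
    """Return a finding dict for one collected file, or None for a duplicate."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in seen_hashes:          # exact-duplicate exclusion
        return None
    seen_hashes.add(digest)
    finding = {"name": name, "sha256": digest, "size": len(data),
               "media": [], "media_bytes": 0, "flag": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return finding                 # not an OOXML container
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # OOXML keeps embedded parts under ppt/media, word/media, xl/media
            parts = info.filename.lower().split("/")
            is_media_dir = len(parts) >= 3 and parts[1] == "media"
            if is_media_dir and parts[-1].endswith(MEDIA_EXT):
                finding["media"].append(info.filename)
                finding["media_bytes"] += info.file_size
    finding["flag"] = bool(finding["media"])
    return finding

def build_sample_deck(with_video):
    """Constructed sample: a zip laid out like a .pptx (not a valid deck)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<sld>Quarterly update</sld>")
        if with_video:
            zf.writestr("ppt/media/media1.mp4", b"\x00" * 200_000)
    return buf.getvalue()

def run_triage(files):
    """Triage (name, bytes) pairs in order, dropping exact duplicates."""
    seen = set()
    results = [triage_ooxml(n, d, seen) for n, d in files]
    return [r for r in results if r is not None]

if __name__ == "__main__":
    plain, heavy = build_sample_deck(False), build_sample_deck(True)
    files = [("a.pptx", plain), ("copy_of_a.pptx", plain), ("b.pptx", heavy)]
    for r in run_triage(files):
        print(r["name"], r["size"], r["flag"], r["media"])
```

Flagged files still need manual review of the embedded media, since the content of a video is not visible to text indexing.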

Example 2

An alternative business communication channel was detected of which the Management Board was unaware.

As a result of the investigation, the forensic team determined that much of the relevant communication was conducted through an encrypted application on employees' phones. In many cases the phones were employees’ private phones, so there was no authority to secure and analyse them, resulting in significant information gaps in the early stages of the investigation.

Many companies fear that investigations will have a negative impact on the way the company is perceived, which may translate into loss of employees’ confidence. Internal company regulations regarding the form of investigations and selection of the forensic team are of key importance here. If many employees are being questioned as a result of an investigation, this may quickly become the topic of discussions or hearsay within the company. On the other hand, if a smaller, selected number of employees are involved and the activities are carried out within the confines of attorney-client privilege, the level of disruption to the company is minimal.

We hope that the upcoming legislative changes and resulting requirements will streamline internal processes, allowing faster and more efficient internal investigations.