
Fraud Risk Management #4 – Investigation and Corrective Measures

In recognition of International Fraud Awareness Week, Matt Stelzman takes a deeper dive into the Internal Control-Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (commonly referred to as COSO).

Our third article discussed Principle 3: Fraud Control Activities and its relation to the Control Environment and its four underlying COSO principles. This article focuses on Fraud Risk Management Principle 4: Fraud Investigation and Corrective Action.

Principle 4: Fraud Investigation and Corrective Action

“The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.”

Fraud investigation and corrective actions correlate to COSO principles 13 through 15, or more broadly, the Internal Control Component Information and Communication. Below, we list some of the considerations regarding internal and external communication as it relates to fraud, and how organizations can employ best practices for investigation and resulting corrective actions.

How important are whistleblower reporting systems?

The establishment of a whistleblower reporting system that is supported by leadership is one way an organization can be alerted to unethical conduct or fraud. According to the Association of Certified Fraud Examiners (ACFE) Occupational Fraud: A Report to the Nations, a tip is the most common way an organization detects fraud. The organization should make the existence of the whistleblower system well known to its employees and stakeholders, and the system should not be limited to a telephone hotline. Multiple other avenues are available for a whistleblower system, including, but not limited to, email, websites and even smartphone apps. Key points of any whistleblower system are the provision of anonymity and a well-enforced anti-retaliation policy. It is imperative that management fosters an environment where employees feel comfortable voicing their concerns.

What protocols should be established for investigation?

Fraud investigation and response protocols should be established if the organization wishes to succeed in dealing internally with suspected violations or fraud, regardless of the level within the organization at which the fraud is suspected. The response system should include some of the following protocols:

  • Maintaining anonymity or confidentiality of involved individuals.
  • Evaluation of the allegations to determine if an investigation is warranted.
  • Notification of employees regarding document preservation and/or securing data.
  • Determining whether independent counsel should be engaged or a forensic accountant should be brought in for support.
  • Conducting the investigation while safeguarding evidence.
  • Reporting of the results of the investigation.
  • Assessing root causes and implementing mitigating controls and/or processes.

When developing and establishing investigative protocols and work plans, there are some other factors that should be considered:

  • Milestones should be set in the investigation to ensure scope is being adhered to and the focus of the investigation is maintained.

What goes into conducting fraud investigations?

Once investigative protocols are in place, conducting the investigation of potential fraud is the next step. An organization should engage individuals who are credentialed and who conduct the investigation with integrity and objectivity. Depending on their credentials, the individual(s) conducting the investigation should adhere to their certifying body’s Code of Ethics and Professional Standards (e.g., a Certified Fraud Examiner (CFE) would adhere to the ACFE and the CFE Code of Professional Standards). It is important to note that the investigation team may modify the work plan and the scope of the investigation as the investigation proceeds, based on facts as they are discovered.

Some general procedures an investigation team may follow are gathering evidence, performing analysis, gathering external records from public sources (e.g., customers, social media, stakeholders, etc.), examining computer forensics and interviewing witnesses. Following the investigation, the results should be communicated in a report to the appropriate parties in the organization who oversee the investigation. A fraud investigation report may contain the following common elements:

  • Summary or Executive Summary
  • Background on the matter being investigated
  • Procedures performed
  • Findings and/or recommendations based on evidence
  • Appendices or exhibits

It is important to note that the investigation report should not make a determination as to whether fraud has occurred, as this is ultimately a legal decision. What the report should contain, however, are relevant facts and evidence, as well as summaries and analyses that are helpful for the ultimate decision-makers.

What corrective actions can take place after the investigation?

After the investigation has been completed and reported, the organization should determine what corrective actions it needs to take in response. Some corrective actions may include, but are not limited to:

  • Referral to a law enforcement agency for prosecution. This may be required under certain regulations or if the organization files an insurance claim.

Ultimately, corrective action includes not only how to address the specific incident of fraud under investigation, but also how to proceed forward with policies and procedures that could prevent such a type of fraud from occurring again.

For more information about fraud investigations, reach out to your Windham Brannon advisor today, or contact Matt Stelzman.
