by Scott Moritz
Managing Director – Leader, Protiviti’s Fraud Risk Management Practice
In recognition of the 25th anniversary of the Association of Certified Fraud Examiners (ACFE) and International Fraud Awareness Week, Protiviti, whose practitioners include more than 100 members of the ACFE, will be releasing a series of tips on fraud awareness to help raise awareness of the various ways that fraud can affect an organization and the proactive steps organizations can take to better position themselves in the ongoing fight against fraud.
If you were to survey company executives whose responsibilities include the oversight of internal investigations, few, if any, would respond positively when asked if they have written protocols and processes for the performance of investigations. Many investigations necessitate quick response for several reasons; among them, there usually are concerns that vital evidence will be lost if the subjects learn of the investigation, as well as worries that the company will suffer monetary losses until the investigation has reached a point where the company is in a position to stop the illegal activity.
Without an investigative plan, precious time will be lost in deciding who will lead the investigation; determining whether outside counsel, forensic accountants, investigators or computer forensic experts will be needed; contracting with those outside professionals; and marshaling the internal resources and gathering the information needed to perform the investigation.
While it may be difficult to anticipate every type of investigation that your company may need to undertake, there are certain skillsets and protocols that usually are required. Understanding what those skillsets and protocols are and taking an inventory of which exist internally and which must come from the outside are important first steps in the development of your investigative plan.
Most often, the general counsel (GC) – or his or her designate – will oversee the investigation. If the issue at hand represents a potential breach of one or more of the company’s compliance policies, the GC may wish to designate the chief compliance officer to lead the investigation. This will enable the company to perform the investigation under attorney-client privilege.
Part of the planning process often entails establishing the point at which the company may wish to involve outside counsel. In some parts of the world, attorney-client privilege can only be established through external counsel.
Understanding the legal nuances that govern the performance of investigations in the various countries in which you maintain offices and are active is a critical part of the planning process. Investigations are triggered for any number of reasons: whistleblowers, internal audit findings, contact with law enforcement or regulatory agencies, and legal disputes.
Regardless of the reasons why an investigation commences, there are certain things that come up virtually every time that can be investigated in a more timely manner with advanced planning. Such planning should include identifying internal stakeholders who have access to information, documents, personnel and the premises, and ensuring there are procedures in place to contact these individuals after hours.
While you are inventorying internal stakeholders from a point-of-contact standpoint, you can also assess to what extent some can play a role in the internal investigation. Frequently, internal stakeholders who can play a role in an internal investigation include internal audit, corporate security, legal, information technology and human resources. Gaining an understanding of these potential cross-functional partners will help focus you on resources that you don’t have and thus may need to supplement with external resources.
Many companies that have a recurring need for investigative support develop a list of various service providers, such as outside counsel, investigators, and computer forensics, electronic discovery and forensic accounting professionals, who are preapproved and with whom they already have master services agreements (MSA) in place that provide the legal framework that governs the relationship. That way, the only negotiation that takes place at the onset of an investigation is about scope, timing and budget, and even the budget can be addressed preemptively if the MSA includes an agreed-upon rate card and “menu” of activities. Having these contractual agreements in place will significantly increase the speed with which you will be able to deploy an investigative team.
Once you identify all of the stakeholders and outside parties and contracts are in place, the roles and responsibilities can then be formalized within an investigative plan. As the organization learns from the investigations it encounters over time, the plan can be expanded to include different investigative steps that are nuanced to certain categories of investigation, such as the different activities associated with the investigation of product counterfeiting allegations as opposed to investigating allegations related to the payment of vendor kickbacks.
There are several benefits to planning investigations in advance. The first is speed. Companies that think through these issues in advance are able to act much more quickly than flying by the seat of their pants. The second is effectiveness. Brainstorming around the “what ifs” without being under extreme time pressure reduces the likelihood that you will omit an important step – such omissions happen far more often when investigations take place under time pressure and without any prior planning.
Lastly, having an investigative plan better positions the organization to demonstrate to company leadership as well as outside law enforcement and regulatory agencies that the people charged with performing investigations in your organization understand the various types of scenarios that could trigger the need for an investigation, and have anticipated them and responded very effectively and in a timely and efficient manner.
Your thoughts? How has your organization prepared effectively for fraud-related investigations?