Conducting Whistleblower Investigations – Part 2: Triage and Gathering of Evidence

Scott Moritz, Managing Director Protiviti Forensic
James Gibson, Director Protiviti Forensic

In conjunction with International Fraud Awareness Week, we will be running a series of blog posts by our Investigations & Fraud Risk Management practice leaders. For more on the topic, and to listen to our recorded webinars, visit



As discussed in yesterday’s post, a triage phase is a limited investigation designed to test the validity of an allegation of fraud or bribery.

Let’s look at a hypothetical example: A whistleblower complaint against the company’s chief technology officer (CTO) alleges that she has undisclosed conflicts of interest with several of the vendors providing services to the company, has been paid kickbacks by other vendors, has manipulated competitive bid processes in favor of companies that she either owns or has been bribed by, and has a number of offshore bank accounts into which she has deposited the money generated from the scheme. Part of the investigative planning process includes breaking down the investigation into component parts and developing a list of investigative steps designed to gather information on each part in an effort to prove or disprove what has been alleged.

Let’s take the allegations one at a time:

Undisclosed conflicts of interest in technology vendors

One possible way to triage this allegation is to perform a background investigation of the CTO to see if any of the vendor companies have been registered in her name or using her home address. Some embezzlers are so bold, they use the company’s own mailing address to register shell companies and simply intercept the mail that comes to the company from the Secretary of State’s Office. Legal research databases, such as Lexis-Nexis or Thomson-Reuters, can provide electronic access to U.S. public record repositories, including corporate registrations for the 50 states. Corporate registrations are available in many other countries, too.

Of course, it might be helpful to know the names of the companies to which the whistleblower is referring in case the companies are not registered in the CTO’s name or using her home address.  If the whistleblower used a hotline website or a toll-free number to communicate the complaint, these should enable you to communicate with the whistleblower confidentially, one-on-one, to ask follow-up questions. Asking the whistleblower targeted questions is a good way to assess the merits of his or her complaint. If it transpires from this conversation and your database search that there are indeed companies registered or connected to the CTO, this may provide you with a sufficient business case to advance from the triage phase to a more comprehensive investigation comprised of the following steps:

  1. Reviewing the vendor master file to see if any or all of the companies are on the list and, if yes, examining the aggregate spend for each
  2. Obtaining and reviewing the vendor file for supporting documentation for each transaction associated with the suspect vendors, including purchase orders, invoices, bills of lading and associated approvals
  3. Interviewing procurement, accounts payable or other personnel in a position to know the company’s vendors for any additional information in an effort to confirm that the work was performed and/or the products were delivered
  4. Quantifying the potential losses or financial benefit to the CTO associated with the undisclosed conflicts of interest

Payment of Vendor Kickbacks and Manipulation of Competitive Bid Processes

Investigations of vendor kickbacks and bid manipulations are among the more difficult and time-consuming types of fraud investigations.  Once it’s been determined, in the initial phase of the triage, that the alleged vendors are on the vendor list and any possible connections to the CTO have likewise been examined, the following steps should take place:

  1. Review any competitive bid selection process documents in which any of the suspect vendors may have been included.
  2. Determine if the lowest bidder was selected.
  3. Review emails of the CTO and other bid process participants for any relevant correspondence related to the bid process.
  4. Review invoice pricing and compare to those of other, similar providers in an effort to determine if the prices or overall invoices are above market pricing and may have been inflated in order to generate the alleged kickback.
  5. Quantify the overall disbursements for each vendor suspected of paying kickbacks, including any excessive charges that appear to be above market.

Offshore Bank Accounts

Perhaps even more difficult than proving kickbacks is proving the existence of an offshore bank account into which illicit money has been deposited.  Short of seeing direct transfers from company accounts into the offshore accounts, such accounts are often identified through other, indirect means after the triage phase has been completed.  Phase II activities that could lead to the identification of offshore bank accounts include:

  1. Reviewing corporate emails and computer hard drives for corporate or personal emails to private bankers, receipts confirming international travel, email confirmation of deposits or other transactions, online or electronic account statement, or personal financial records and phone records evidencing calls to offshore financial institutions or advisers
  2. Identifying any signs of international travel to locations not associated with professional activities, especially locations known for bank secrecy, such as the Cayman Islands, Cyprus, Latvia or Belize
  3. Performing background investigations and field investigations in any country in which you believe the CTO may have established accounts or to which she has traveled in the past two years.

As made evident above, a lot of the activities at this investigative stage involve email, computer hard drive and network drive file reviews, as well as, in some cases, office searches. Having an understanding of the various electronic systems that may contain evidence, including telephones, company-issued smartphones, instant messaging accounts, accounting, payroll and travel & entertainment expense systems (and the audit trails for each); access control and closed-circuit television systems is crucial in getting the evidence you need to prove or disprove an allegation. Part of the general investigation planning process should be an in-depth understanding of these systems, including how far back their records are archived, the names and contact information for the individual(s) managing each system (including cell phones), and some level of assurance that the systems are being archived correctly and can be restored for future analysis. The individuals with knowledge of and access to these system may need to be part of your investigative team when the time comes.

Let’s assume you’ve done the triage following the steps above and have enough evidence to confront the subject or subjects. We’ll discuss the interview process in our final post in this series, tomorrow.


1 comment

Subscribe to Topics

Subscribe to Industries