The Mechanics of Fraud Investigation

More articles

CA Syed Mohammed Faraz
CA Syed Mohammed Faraz
Faraz is Associate Chartered Accountant. He worked with firms like Goldman Sachs, KPMG and EY in Risk Consulting, Audit and Fraud Investigation division before joining as Assistant Manager in Audit with KPMG, India

Nirav Modi and Mehul Choksi are household names now, but for all the wrong reasons. The issue of fraud in corporates, especially in the financial services sector has been a long standing one, much like a soda bottle ready to fizz out; the Modi-Choksi episode being the can opener. Amidst the overwhelming buzz around tax and corporate reforms, Chartered Accountants have been seemingly forced to busy themselves with catching up with the tax-audit trends while the whole fraud sector misses their attention.

Cases like Vijay Mallya are seen as an aberration rather than hinting at a more-than-meets-the-eye problem. Between 1 April 2013 and 31 December 2016, all commercial banks (including private ones) lost INR 66,066 crore to 17,504 frauds[1].

CAs can play a pivotal role in preventing such frauds by conducting regular forensic audits, identifying loopholes and implementing controls. Unfortunately though, most corporates do not invest enough in this measure and end up learning the lesson only after the perpetration of fraud. That leaves CAs to then perform investigative procedures to identify the root cause. This article lists down indicative procedures in a fraud investigation. It uses the aid of a simple simulation to explain the procedures.


Able and Associates, Chartered Accountants’ are approached by ‘Troubled Corporation’ to investigate the claims of a whistle blower within their firm, according to whom there is an ‘Employee Referral Scheme’ fraud happening in the corporation. As per the claim, ineligible employees are earning referral rewards by exploiting loopholes in the system.

Indicative procedures

Understanding the organisation and the process in question

The entire process concerning the fraud in question needs to be understood in detail. Also, details of what controls the organisation currently has in place to check against frauds and errors need to be analysed. Proper, independent documentation needs to be made by the investigator rather than merely using the policy manual. This is because what the actual practice could vary significantly from what is in the manual.

Sameer, a Senior Associate at Able is tasked with the primary investigation of the case. He begins with setting up meetings with the managers at HR handling different HR processes. He gets a 360-degree understanding of the recruitment process at Troubled Corporation. He prepares a flow chart to understand the flow of events leading to a prospect’s employment and the subsequent pay out of the employee referral bonus to the referring employee. He also peruses the HR manual to learn about the policies of the corporation and understands that certain employees – those at the senior manager level and above, and all employees working in the HR department are not to be paid referral bonus.

Identifying suspects

The whistle-blower had mentioned a particular senior manager who was allegedly making his subordinates refer candidates on his behalf. The referral bonus was then apparently split between the senior manager and subordinates. While he was a natural first suspect, many of his subordinates who openly shared close relations with the senior manager were also included in the list of suspects.

Gathering information:

Data is then gathered to confirm or reject the allegations and to find out if the problem is deep rooted. Various tools are utilised in gathering the data. They are detailed thus:

  1. CAAT
  2. Mapping the suspects’ systems

This is perhaps the most important data source. Forensic technology is utilised here. The support of the leadership in the IT department is taken and with their help, a bug is sent to the suspect’s computer which causes the computer to crash. Quite naturally, the suspect turns in his computer to the IT department, who inform him / her that it might take a few hours to fix the issue. This is the time when data on the suspect’s computer is mapped and stored on a separate hard drive of the IT department. The advancement of technology is such that all data saved on the suspect’s computer, including the data subsequently deleted, is retrieved. The ‘bug’ is then fixed and the computer returned to the suspect who is still unbeknownst to the fact that his computer data has been mapped.

The analyst then makes a list of keywords that would be used to extract relevant information from the data that has been mapped from the suspect’s computer. Keywords are chosen by keeping the context of the alleged fraud in mind.

Sameer finalises keywords that include among others, “referral”, “reference”, “bonus”, “bank statement”, and the other suspects’ names.

One question that might arise in your mind is the legal implication of obtaining data from an employee’s computer without his knowledge. The data could include personal information which the employee would want to be kept confidential, such as bank statements. The point to note here is that most companies specify a clause while handing over IT assets such as a company provided computer to the employees, that the said asset needs to be utilised for official purposes only and the company has a right to access all information that is stored on the asset. Most employees accept such a clause without as much as a reading or a thought as to its implications (like the company’s right to map the system and track the usage). Many such employees use the company laptop for personal purposes and even store personal, confidential data on it. In such cases, it makes the job of the investigators easier. Hence, the company here may be within its legal right to access their employees’ data on their official computers, with or without their knowledge.

Data analytics

Data Analytics (DA) is the latest buzz word in the corporate world. DA analysts being in red-hot demand is not a fad, but a recognition of their true utility in various fields, including audit. In forensic, it is specifically useful, as it unveils the needles from the haystacks they are in, thus aiding the investigator in narrowing down samples for analysis.

Sameer employs the services of Kiran, a DA analyst in his organisation, to identify gaps in the data he receives from the forensic technology team. This helps him connect the dots to arrive at meaningful conclusions on the case. Kiran scans the data and (using tools such as Microsoft VB) sorts, categorizes and presents the data under various parameters such as “top 10 referrers by amount”, “top 10 referrers by number of referrals”, etc.

  • Conducting enquiries

Enquiries are usually made from the policy makers and policy implementers. Most of this understanding is taken at Step 1 – Understanding the organisation and process. Further enquiries are conducted based on necessity, to better fit the data received in a framework, to help analyse it.

  • Corporate intelligence

Corporate intelligence (CI) from a forensic perspective is to gather information inside and outside the company that would be of relevance. Inside information could be about the suspects and their relationship with others in the company, their activities, etc. Outside information could be vetting the genuineness of vendors – whether or not they really exist, etc.

Roshan, the CI consultant at Able, is tasked with gathering such information. He uses his network within the firm to understand that the suspect has personal relationships with two of his peers and three of his subordinates. The suspect’s Facebook profile evidences the fact that he regularly goes out on personal, leisure trips with these colleagues / aides.

  • Analysing data

Arguably, this is the most important step. The quality of analysis will determine the outcome of the entire investigation. The analyst gathers data received from the forensic team, data analytics team and the corporate intelligence team, apart from his own enquiries with various parties.

Sameer analyses the emails of the suspect and his aides, whose computers were mapped. He finds several emails wherein the suspect senior manager has forwarded resumes of candidates known to him, to some of his subordinates. These subordinates have then sent the resumes by attaching them to a fresh email, to the HR (for referral), as if to hold out those candidates as their own referrals. The selected candidates have thus earned referral bonuses for their referring employees. The bank statements saved by the suspect on his computer also came handy to determine the fact that the subordinates have transferred the referral money, after keeping some money for themselves as commission (say 10%). This entire trail – from the senior manager sending resumes to receiving money in his bank account, could be traced for several of the senior manager’s aides. In fact, the analysis found newer suspects in the trail whose computers were subsequently mapped and data retrieved. It was also found that these new suspects were dealing with a different senior manager as well, and now a whole new set of people are brought into the suspicion net. Steps 1-4 are followed for these new suspects.

  • Conducting interviews

Post the analysis, evidence is gathered, and a list of suspects and others who can provide valuable information or clues, is finalised. Interviews are conducted with these individuals in a discreet manner. Every candidate interviewed is quarantined in a separate room and monitored to prevent contact with other suspects. This is important because the element of surprise is necessary to elicit an unprepared and honest response from the interviewees. The interviews must be conducted with a tact such that the interviewer must try best to get the interviewees to volunteer the information. That way the interviewees might say things which were not found during the analysis.

Sameer makes logistic arrangements to facilitate the conduct of interviews, by booking an interview room at the client place and another meeting room, large enough to accommodate all candidates who have finished their interviews. The interview is mostly conducted by a partner of Able, with assistance from a manager. The HR head of Troubled also joins the interview. Sameer provides supporting evidence during the interview, and takes minutes of the interview which will later be summarised and documented. The senior manager is first asked if he knows of any wrongdoing or unethical practices being carried out in the organisation. Quite naturally, he first denies knowing anything. It is then that the conversation is steered specifically towards employee referral scheme. At this point, the senior manager gets jittery, yet maintains that he is unaware of any such issue. The first evidence of the email-to-bank account-trail is presented to him. He is left with no choice but to accept the findings. He then gets defensive, trying to justify his act by stating that he wanted to get good employees into the firm and since the firm policy prevents him from referring candidates, he had to take this route. When it is asked how many such cases of referrals he has earned, he says this is the only such case. At this point, another evidence is presented to him. He then starts to volunteer information and lists out a few candidates, some of whom were already found so in the analysis and some whom were not. The newly identified cases are freshly investigated. Once it is determined that all of what could be retrieved from him in the interview has been retrieved, the HR head fires the senior manager with immediate effect. He is then escorted to the meeting room where all the other interviewees are gathered. His company-provided mobile phone and all IT devices are confiscated until all interviews are completed, to ensure he does not tip off his aides or other interview candidates. Interviews of other candidates are held on similar lines, depending on whether he / she is a suspect or a person having knowledge of the matter.

  • Consolidating evidences and making inferences

Post all interviews, summaries of conversations with individual candidates are drawn up and the candidate is asked to sign on such summary attesting to what he / she said in the interview. The newfound evidences and leads from the interview are subject to further analysis and certain earlier steps are repeated, if necessary.

Based on all evidences gathered, Sameer concludes that the senior manager and few others were involved in the referral reward scheme fraud. That apart, there was another senior manager involved in a similar scam, who was also fired along with his aides.

  • Reporting

Reporting is usually in the form of a presentation to the leadership of the company. Alternatively, a detailed document is prepared describing the background of the case, the investigation performed, the evidences and findings.

  • Root Cause Analysis (RCA) and Controls Audit

The company can also request the consulting firm to do an RCA and identify loopholes in the existing system, if any, and suggest corrective controls to prevent such frauds in the future.

Troubled had Able do the RCA, perform an audit of the internal controls and suggest preventive measures. Sameer returns to the HR manager and seeks exhaustive data on referrals for the entire firm across regions and across divisions. He passes on the data to Kiran, the DA manager, to do the same categorisation and presentation as was done on the previous data. Sameer then analyses and finds that the top two referring employees have more than 10 referrals each, while the third highest referring employee has only three referrals. This indicates an aberration in the case of the top two referring employees. Both of them were from a specific geographic location. CI inputs from Roshan indicated that both of them were in fact close friends – inside and outside office. They had a common friend too, who also incidentally was from the same office location as these two and was an HR executive handling recruitment function. This was a clear red flag, enough for Sameer to investigate those three as suspects and steps 2-7 were repeated. It was found that the HR used to route casual applicants as referrals from the two friends and then earn the referral bonus from them, given that HR personnel are barred from referring candidates per the policy.

Of the many control loopholes in the referral system identified, one glaring one was that for referral bonus approvals, all that the HR recruitment executive had to do was send an email with a list of referring employees and the referred candidates to the manager. The manager would approve it and it was passed on to finance for pay-out in the appropriate pay cycle. That way, any casual applicant or a walk-in candidate could be turned into a referral candidate by merely assigning a fake referring employee to the candidate and the said referring employee would earn the referral money. As a control measure, it was suggested that the candidates, upon application, be given a job application form which they would have to fill up necessarily, before being shortlisted for an interview. The form would have, apart from other fields, a question on whether he / she was being referred to the company by an employee and if so, the name and employee number of such employee. This simple measure would ensure that casual applicants and walk-in candidates who have no referring employees could not be assigned a one later, since the referral field in their application form would be blank. This form had to be verified by the HR manager before approving any referral amount. For added controls, in cases where a candidate mentions a referring employee in the form, he / she could be asked about the relationship with the referring employee and for how long they have known each other, and in what capacity and division the referring employee is working in the company. This is to ensure that the candidate is actually known to the referring employee. Another control could be automation of the referral approval process such that once the candidate is selected and his / her details uploaded on the system, the system would automatically determine the eligibility of the referral bonus pay-out when the time is due (say, after three months of joining depending on company policy) by going through a logarithm having questions such as – Is the referring employee on notice period? Is the candidate on notice period? etc. Depending in the response, either the approval auto-mailer would reach the HR manager or no email would be sent out and pay-out naturally not be made. This would eliminate manual errors in data entry and also fraudulent inputs.


It may be noted the above steps need not necessarily be performed subsequent to one another, rather, some steps could overlap, and repetition might become necessary as evident from the simulation. Also, the simulation used here is one amongst the simpler fraud cases a CA may be consulted for and the steps mentioned most certainly do not constitute an exhaustive list. Investigation of complex frauds such as Financial Statement fraud, money laundering through shell companies, etc. require far more planning, deliberation and strategizing, the explanation of which is beyond the scope of this article. Interested CAs may consider doing the Certificate Course on Forensic Accounting offered by National Stock Exchange or attaining the global gold standard in fraud examination – Certified Forensic Accounting Professional offered by the Indiaforensic Center of Studies.

With a billion-dollar industry beckoning, practising CAs would do good to hone their forensic skills to bring out their inner Sherlock Holmes and help rid the corporate world of frauds and white-collar criminals. The corporate world calls their messiahs and here’s hoping that Indian CAs answer the call!

[1] RBI data – TOI[

- Featured Certification-spot_img