Information Technology Considerations
Typically in any fraud, the discovery of the fraud itself is the beginning of an emotional rollercoaster ride for the employer. Often the perpetrator is a trusted friend or long time employee and the deception may have been occurring over years and involve substantial amounts of money. In such an emotion charged situation, collecting and preserving electronic data (books and records) is not front of mind. At this point, if at all possible—do not alert the fraudster! As long as the perpetrator isn’t aware that you know, the data is relatively safe. Once they know, they will attempt to delete notes, emails, transaction records, and destroy papers etc. We all remember the famous Enron shredding!
Identifying and preserving electronic data is critical in any fraud investigation. We have all watched a movie or television show where someone like Abby from NCIS, the Forensic specialist, can seemingly recover data in any circumstance. The reality is often not so glamorous and when facing a fraud, the real questions are: Where do you look? What do you collect? How do you collect it and retain the data’s integrity?
Generally, the data required includes accounting data, emails and user documents (Word, Excel, and PDFs etc). A primary focus of any fraud investigation is to determine the quantum of the loss. To do that this requires forensic accountants to access the business’s accounting systems, more often than not, while ‘normal’ business continues.
According to David Caldwell of Forensic IT (a digital forensics, electronic discovery and IT consulting practice) “…the system can often be imaged (forensically copied) and virtualised off site away from the business so that the investigation can take place out of sight. While some accounting systems are simple (MYOB, Quicken etc) some are far more complex. More often we find that online or Cloud accounting systems are being used (think Xero and MYOB Essentials). With these a different approach is needed as the servers or systems the data is stored on, cannot be physically accessed.”
Forensic collection of email is also crucial to ensure that deleted email is captured. Various email configurations can exist including in-house servers, outsourced IT and Cloud services such as Office365. Caldwell also recommends user’s computers are inspected as often email backups and archives are located on the local computer.
It is critical that electronic evidence is professionally collected. Copying the data yourself may not produce desirable results! Proper collection of data protects the entity against fabrication allegations and preserves the chain of evidence that is imperative when pursuing criminal charges. Whether criminal, civil or only for insurance, you must protect yourself by complying with relevant laws and rules. If you don’t, your fraudster may walk off free, leaving you with a substantial hole in your bank account.