Internal fraud: what to do if you suspect fraud in your business

The third article in our Fraud 101 series explores how you should respond if you think someone within your company has been stealing from the business and how to mitigate the situation.

John Holden and Brendan Weekes
Published: 10 Jul 2023 Updated: 10 Jul 2023

Our Fraud 101 series is your guide to help you detect, prevent, and respond to fraud within your organisation.

The series starts by looking at insider fraud: understanding what it is and the devastating impact it can have on a business.

The second article outlines eight key steps that business owners can take to help stop insider fraud happening in their company.

This third article considers how you can best respond to internal fraud to mitigate the harm already done and maximise the potential remediation. What should you do if you think someone within your company has been stealing from the business?

When to trigger an investigation

Something or someone has alerted you to a problem.

Perhaps a whistleblower or an auditor is worried about money going missing. Maybe a staff member is uneasy as one of their colleagues is behaving strangely. Or a client has gotten in touch as they think someone from your business has been leaking data about theirs.

Whatever has sparked suspicions, it’s time to spring into action.

Put your business first

Your priority must be damage mitigation. You must try to stop the business losing any more money, assets or data.

However, remember that an internal fraudster could also be targeting your customers or suppliers.

Many business owners think it best to do nothing overt while investigating what’s going on. But doing nothing could mean the fraudster carries on stealing from you. If they think they haven’t been found out, they could even get bolder – and losses could spiral out of control.

Many fraudsters start off taking small amounts of money to test the systems and controls, and then increase the amounts they take as they grow bolder.

Tread carefully

Whatever you do has to be done cautiously. So far you have a suspect: nothing has been proved. Even if you know fraud has happened, you don’t know who is responsible yet. It might be your suspect – or they might be an innocent party and the victim of an elaborate scheme.

This is where you need external support. Experienced investigators know how to navigate the pitfalls that can arise during an investigation. Working with your legal team and HR, they can plan how best to disrupt the fraud to prevent any more losses while not alerting those involved that you are taking specific action to stop them.

Make sure you keep a record of your suspicions, any evidence you have gathered and the reasons for any actions you need to take.

Plan what you want to happen after the investigation

An inquiry could have several possible results. Setting your priorities before you start helps you direct resources more effectively towards what you want to achieve.

The investigation results could be direct:

  • Removing a fraudster from their post to prevent more loss
  • Prosecuting the fraudster
  • Recovering losses through civil remedies

The findings could help you make changes:

  • Improving the business’ culture
  • Developing a positive and ethical tone from the top
  • Improving financial and other controls
  • Reviewing and refining systems

But there can be other objectives to consider:

  • Minimising disruption to the business
  • Ensuring your investigation is proportionate to the damage
  • Checking that everyone has been treated fairly and properly under employment law
  • Maximising opportunities for the business to repair itself and recover any losses

Perform an initial review

Once you’ve identified the problem, it’s time for a first review. Establish what you know so far, what has happened, and what you suspect. This includes working out who the main people involved could be, how much has already been lost – and how much is at risk.

The most important part of the investigation process is to prevent and disrupt any further losses. This needs to be embedded in all the activities carried out in order to protect the business.

You want to isolate your suspected fraudster(s) from being in a position where they can do harm, such as authorising new suppliers or payments.

This could mean removing their access to IT systems, which could stop any further damage or prevent them from destroying evidence of anything they may have done. But if you do this, you need to make sure there is a plan in place so the business can run as usual without them.

Plan, investigate, conclude – repeat

The next stage is to build a theory of what’s happened based on what you know so far. Once you have this, it’s time to test it. Your investigation team should:

  • Set objectives and plan how to test the theory in a way that prevents any further losses
  • Carry out the steps needed to test the theory
  • When the tests are finished, review the results
  • Take the results back to the planning stage. How does the theory stack up now?
  • Revise the theory based on the results and repeat the test stage as needed

Put people first

People are at the centre of any inquiry. Any investigation involves witnesses, suspects, the investigation team, expert support, and internal and external stakeholders.

Unfortunately, it isn’t always clear who falls into which category. Suspects may in fact be witnesses, team members could be suspects and those making the allegations might have dubious motives.

And personal relationships can often be overlooked in an investigation. The suspected fraudster might have acted in isolation – or they may have worked with others who take actions on their behalf.

This is why people management is a crucial element of any inquiry. The investigators have to be able to assess and manage all those people and their relationships, reworking the hypothesis based on the results of different interviews to arrive at the truth.

Why you should keep an activity log

Things move very fast during an investigation. Your investigation team needs to keep a log of everything that’s been said and done. All activity, decisions and meetings must be accurately recorded to give a full picture that can be relied on later. Memories fade, but ink lasts a lifetime.

What data should you collect, and how?

There are two types of data in any investigation. The first is dynamic data, which is likely to disappear, either through natural processes or because someone decides to delete it. The second is information that can be easily collected.

The second type can be collected relatively easily from central systems without raising any alarm bells.

The first presents more challenges. This can require covert work so as not to raise suspicions that might lead to the data disappearing.

It can be difficult to get data from the suspect’s area of work. There are the usual devices, such as laptops and mobile phones. But there are other less obvious sources of information. These could include onsite servers, USB drives, cameras, portable games, tablets, or cloud-based storage accessed through work or other accounts.

Non-digital evidence can help crack an investigation. Often suspects have notebooks, diaries, calendars or sticky notes with their passwords that can help you access vital evidence.

Access logs can provide useful evidence of when suspects were (or weren’t) in the building at crucial periods when the fraud was perpetrated.

Who do you report to?

The investigation will reach a point where all the evidence you need to prove or disprove the initial allegations is in place. How you conclude depends on what your original aims were.

If the original complaint was through HR, then an internal memo might do the job.

However, if you want to go to court to prosecute the perpetrator or to reclaim losses, then you must follow civil and criminal procedure rules. This means working with legal teams from the start to ensure all the correct procedures are followed in building up a case and gathering evidence.

If your business is regulated, there should be a process for bringing your allegations and evidence to the regulator.

How to get your message out

You need to control the timing of any information provided to the business or to the public. Take steps to minimise the risk of news emerging before you’re ready to announce it. At the same time, pre-empt what you would do if there were a leak – or if there is a public relations fallout when the news breaks.

Be prepared

Investigations are always incredibly stressful times for everyone involved. The more you can front-load your decision making, the better.

Our top tips are:

  • Your biggest priority is to prevent more harm and protect the business
  • Front-load decision making by having scenario plans in place before there is a problem. This can take much of the stress and emotion out of the situation
  • Be clear from the start what your expected outcomes are, who you need to report to, and what form those final reports would take
  • Be flexible. Your investigations might lead you down new lines of inquiry. Adapt your tests and interviews to take these findings into account
  • Document everything, no matter how small
  • Look after your people. Fraud investigations are stressful for everyone, especially those who have been let down by someone they liked and trusted
  • Control how your message of what happened goes public

Talk to Evelyn Partners

If you want to find out how we can help you investigate potential internal fraud, please get in touch with our experts.
