The 5 Essential Steps of Internal Fraud Investigation

The 5 Essential Steps of Internal Fraud Investigation

August 14, 2024

At the Association of Credit Union Audit and Risk Professionals (ACUARP) Annual Conference in June, ViClarity hosted a breakout session on internal fraud and how to investigate it. This article summarizes the presentation shared by Carrie Helmle, Senior Director of Audit Services.

Internal fraud is an uncomfortable subject; no organization wants to assume their employees and staff would ever cross that line. But it does happen, and you should be prepared.

In a National Credit Union Administration postmortem review, 13 of 16 failed credit unions cited insider fraud as a contributing factor to their failure. To prevent harm to the credit union and members, you should get serious about implementing processes and procedures for detecting and dealing with internal fraud.

Insider fraud most often occurs because an individual is faced with some type of stressor and then is presented with the right opportunity. Areas like sales, accounting, and positions of power tend to see more insider fraud. Typically, the fraud is conducted through falsified financial statements, such as manipulated accounts or records, misappropriation of assets like fake invoices, or corruption.

Detecting Internal Fraud: Know the Types

There are three common methods of detecting internal fraud:

  1. Hotline tips
  2. Internal or external audits
  3. By accident

It’s important to be on the lookout for signs so you can catch internal fraud early. Watch for potential red flags among your employees, such as lifestyle improvements, significant personal debt, behavioral changes, refusal to take vacations, or violation of policies like splitting wires to avoid approval authority.

Whether you are management or staff, you can catch internal fraud by paying attention to company culture characteristics and ethics. For instance, does your organization not have bank bribery, fraud or whistleblower policies, or are policies controlled by one or two members of management? Are certain employees provided “perks” like expensive vehicles, trips or houses? How are these situations defined in policy?

Who is responsible for oversight of internal audits and determining who the external auditors should be? No CEO should have control over both areas. Requests to abruptly change your external auditors or legal counsel, trying to control which groups are audited, or dictate who the auditors can speak to could also be red flags.

While knowing what behaviors and actions to look for and how to identify internal fraud is important, it is also important for everyone at your organization to know how to handle it when they see it.

Investigating Internal Fraud: Be Deliberate & Thorough

When a credit union suspects internal fraud, these are the steps to take.

1. Assess the Situation

First, assess the situation:

  • Who is being accused and what’s the severity?
  • Have they had other accusations in the past?
  • Were there any red flags?
  • Did they break a law or policy?
  • What risks are involved, such as reputational risk to the credit union?
  • Will the investigation be conducted internally, externally, or both?

2. Plan the Investigation

After assessing the situation and answering those questions, begin to plan your investigation.

  • Who will be the lead investigator? (It may not always be best for your internal audit team to lead the investigation depending on the expertise needed.)
  • Set a timeline for your investigation, but don’t rush. You’ll want to be thorough.
  • Identify what you know and what information you still need.
  • Plan out interviews of the reporter (if there is one), managers, and direct colleagues of the accused individual.
  • Identify groups that may need to be involved like HR, senior management, accounting, security, IT, legal, etc.
  • Gather documents that need to be reviewed.
  • Identify those that may need to be notified of the fraud like the board, regulators, or members.

3. Review Records

Once you’ve created a plan, get into the records. There could be a variety of documents, photos, videos, invoices, receipts that need to be collected and sorted through. You’ll want access to personnel files, email and chat histories of the accused — ensure that policies are clear that you have access to their work email and chats at any time. Review logins to credit union systems, especially when working with remote employees. Retain copies of all documents.

4. Conduct Interviews

Now that you’ve reviewed all the files, you can start talking. This part of the process is important for gathering additional evidence. You’ll start to get a clearer picture of what occurred. To have the most successful interview possible keep these tips in mind:

  • Have more than one person present.
  • Be clear about the objective of the interview.
  • Clarify that when possible, responses will be kept confidential and that interviewees will be protected from retaliation.
  • Start with background questions.
  • Ask open-ended questions.
  • Ask questions you may already know the answer to.
  • Remain impartial and unemotional.
  • Revisit subjects or details for clarification.
  • Talk about concerns that the interviewee may have.
  • Keep the interviewee talking.

5. Analyze Evidence & Build the Report

Once you’ve completed the bulk of your investigation process, it’s time to start looking through evidence and building your report. Only use evidence that is relevant, specific and concrete — use direct quotes when possible and avoid inflammatory language. Don’t add any of your own opinions or judgements, just stick to the facts. Ultimately, this will help you determine if you have enough evidence to draw a strong conclusion.

After you’ve completed the investigation and reported on the fraud appropriately, you should address your credit union’s management team by sharing what lessons you can learn from this experience. Discuss whether new policies and internal controls or updates to existing ones could possibly prevent a similar issue from happening again in the future.

Preventing Internal Fraud: Make Changes Now to Protect the Credit Union in the Future

One of the most impactful steps you can take is to put controls in place to prevent internal fraud from happening in the first place. This also means educating your staff on fraud awareness, so they are prepared to identify and report on suspicious behavior if they suspect it.

By taking the right steps to prevent and handle internal fraud, your credit union reduces the risk to members, your reputation, and even potential credit union failure.

Back

Recent/Related Articles

Keeping Risk & Compliance Teams in Harmony

August 29, 2024

When working together, compliance and risk teams can help achieve their organization’s strategic and operational objectives, but lack of communication and cooperation can put them at odds.
Video: Risk Management Best Practices for Credit Unions - Highlights from the World Credit Union Conference

August 01, 2024

Global CEO, Ogie Sheehy connected with Mike Lawson of CU Broadcast to talk about highlights and takeaways from Ogie's breakout session at WCUC 2024 about top risks facing credit unions around the world.