Simon Yarwood and Ching Liu, from Control Risks looks at how financial organisations can reduce the risks created by the explosion of data in the fight against fraud and corruption.
Fraud is changing and so too are the means required to fight it. As businesses venture into new markets and get involved with suppliers, partners and customers in unfamiliar environments, the risks of doing business are increasing. Meanwhile corruption and bribery also pose an increasing reputational and financial risk for the financial sector as the law gets tougher and public scrutiny grows.
The almost total reliance on technology to trade is also creating vulnerabilities for many financial organisations. The exponential growth and amount of data that is generated and stored by companies’ means that the data must be organised appropriately in the event of a fraud investigation, enabling rapid retrieval and analysis. Failure to do this will expose organisations and significantly complicate the fight against fraud and corruption.
In the event of an investigation, we are almost always presented with vast quantities of data – not just unstructured data such as emails and documents, but also database information such as accounting and banking records, communication recordings and social media interactions. These are stored in a wide variety of locations and formats, increasingly including the ‘Cloud’.
This creates a problem for investigators because it makes it much more difficult to identify the issue quickly and anything that slows down the investigation process can be costly – both in monetary and reputational terms. When a fraud is uncovered, quickly finding its source and addressing any vulnerability in the company’s processes and systems is essential to stem the flow of losses. When it comes to shutting down a fraud, time really is money.
Bringing order to chaos
The growth of big data has had a number of profound implications for the roles of the professionals (such as lawyers, digital forensics, and forensic accountants) that are tasked to investigate major frauds. The first task is to locate the data, work out who the custodians of it are and what format it is in. Once the data mapping has been performed and the relevant sources identified, it will need to be secured in an evidential and defensible manner. It can then be analysed to quickly and efficiently focus on the key issues and to filter out any irrelevant information.
One consequence of this is that the role of the forensic accountant has grown in importance as has the need for forensic computing expertise. The vast quantities of data that organisations now generate can make it much more difficult, time-consuming and expensive to identify the evidence required to commence legal or disciplinary proceedings. The specialist tools available to forensic accountants and forensic computing consultants enable them to identify and focus quickly on the transactions, correspondence or other evidence, that shows exactly what occurred. Whilst doing this, the forensic accountant can also identify any weaknesses or vulnerabilities in internal systems and controls that allowed the fraud or other misconduct to take place.
The role of other professional groups in fraud investigations is also rapidly changing, in particular that of the lawyers involved. Legal professionals are now the golden thread that runs through the whole investigation from start to finish, as so much business data is now spread across a range of legal jurisdictions and data protection and privacy rules vary widely from country to country. In some it can be a criminal offence to move data beyond its borders; in others it can be illegal to recover information from employees’ devices without a court order, even if both the machine and the data it contains are the property of the company.
Consequently, legal advice is required at the outset of an investigation to ensure that it can be recovered lawfully and handled correctly to ensure its evidential integrity. Evidence gained by lawyers is usually subject to legal professional privilege, which can be important in some situations, and lawyers also have extremely useful experience of information management and handling gained from the ‘e-discovery’ process that has become an essential part of major litigation.
Preparing for the worst
All of this comes at a price, and the more professional time that needs to be allocated to a fraud investigation, the greater the cost can be. There are, however, a number of things that companies can do to ensure that any future fraud investigations can be conducted efficiently.
The first is for companies to develop a good understanding of where their information is held – and by whom – and to have a clear idea of how and where new data is generated, as well as how data is handled historically. In our experience, financial institutions generally have a good grasp of this, but the speed at which the information infrastructure financial businesses develops means that the data map needs to be redrawn regularly if it is to remain relevant.
Secondly, it is essential to have clear policies on how employees store data and what they can and cannot do with their devices. If data is to be collected efficiently in the event of an investigation, It is not only important that these policies are in place, but that employees are aware of them and have consciously agreed to them.
For multi-national businesses these policies need to comply with the data protection, privacy and employment laws of each of the jurisdictions in which they operate and in many cases will also need to consider the use of personal devices for business purposes. In latter regard, technical solutions are also available to segregate personal from business data to enable company information to be recovered without intruding on private information.
Finally, it should be recognised that data preparedness needs to be considered to be a critical part of a business’s crisis management and business resilience plans. By treating information governance as a potential ‘crisis management’ issue in this way, the reputational and financial damage of fraud and corruption can be considerably reduced. Moreover, a happy side effect of keeping on top of your data is that good information governance will significantly reduce your exposure to fraud.
Simon Yarwood is Associate Director for Forensic accounting within the Corporate Investigations division. He provides specialist financial and accounting assistance to clients conducting internal or external investigations, or involved in complex legal disputes. Simon.Yarwood@controlrisks.com
Ching Liu is Practice Leader for Digital Forensics at Control Risks. He is a forensic specialist in many different operating systems, ranging from personal devices to business networks and mainframe architecture. Since joining Control Risks he has been involved in numerous civil and criminal cases involving computer fraud and misuse.Ching.Liu@controlrisks.com