Professional Documents
Culture Documents
Forensic Accounting
AY 2021/22, Semester 2
Week 7
2
Forensic Investigations - Reporting & Communications
3
Forensic Investigations - Reporting & Communications
“Mueller has displayed a crimped understanding of his civic obligations. He has accepted essentially no
responsibility for helping public understand his report, beyond the dense legalistic language in the document
itself. … He could have made this more coherent & understandable for us. He explicitly chose not to.”
- Ronald Brownstein, The Atlantic
4
Course Outline
Objectives
The objectives of this lecture is to enable our students to:
1. Understand the importance of stakeholders’ engagement and communications in
forensic investigations,
5
Course Outline
Learning Outcome
By the end of the lecture, you will be able to:
1. Recite the fundamental steps in the forensic investigation communication process
2. Apply the critical report writing skills to develop a clear and succinct forensic
investigation report
6
Forensic Investigation
Communication Process
7
Forensic
Investigations –
Stakeholder
communications
8
Forensic Investigations – Our Stakeholders (revisited)
Authorities
Creditors Employees
BoD
Management
Shareholders Victims
Insurers
9
Essential Traits of Investigation Communication
Reporting
Report
03
Recommend
Initiation & Planning
Remediate
Allegation Receipt and
Evaluation
Investigation plans
01 02 Execution
Evidence collection,
preservation, analysis and
conclusion
11
Stakeholders Engagement
1. Initiate investigation
Audit
Comm Mgt 2. Approval of investigation plan and SME engagements
Chair
3. Investigation status and preliminary findings
Investigatn
4. Engagement with authorities (e.g. regulators, police, etc)
lead
Investigation 5. Subject of interest (SOI) management
Risk Mgt
6. Witness and victim management and communication
Committee 7. Settlement proposals
Legal
Counsel
8. Civil litigation suits
*invitation basis only 11. Post-mortem -> lessons learnt -> remedial measures
12
Forensic Investigation –
Construct the
Time Machine
13
CONTROL ROADMAP – An illustrative example
Mar 2010: Written
instructions from Jan 2012: Independent Apr 2018: Automated
customers for outward signature verification Feb 2016: Hold mail post transaction alerts
remittances by Operations services terminated sent to customers
1 3 5 7
2 4 6
Internal transfers
1st
amendment to from customer Fraud uncovered
RM commenced 1sttransfers from customer contact accounts to shell after bankruptcy
employment 1 hold mail service Accounts B, C and D numbers
st
accounts petition against RM
Feb Jun Sep Mar May Oct Jun Dec Feb Mar Sep
2010 2010 2010 2012 2012 2012 2014 2015 2016 2016 2018
1st transfer from Forged customer 1st transfers from Set up accounts of 1st amendment to
Account A transfer instructions Accounts E and F shell companies mailing addresses
with nominee of customers
shareholders
15
CONTROL ROADMAP – An illustrative example
Mar 2010: Written
instructions from Jan 2012: Independent Apr 2018: Automated
customers for outward signature verification Feb 2016: Hold mail post transaction alerts
remittances by Operations services terminated sent to customers
1st amendment to Internal transfers Fraud uncovered
1 3 5
RM commenced customer contact from customer 7
after bankruptcy
1st transfers from
employment 1st hold mail service numbers accounts to shell petition against RM
Accounts B, C and D
accounts
8
Feb Jun Sep Mar May Oct Jun Dec Feb Mar Sep
2010 2010 2010 2012 2012 2012 2014 2015 2016 2016 2018
May 2019: 3-way call
back by Operations for
amounts > $100K
1st amendment to
1st transfer from Forged customer 1st transfers from Set up accounts of mailing addresses
2
Account A transfer instructions Accounts E4and F shell companies 6
of customers
with nominee
Aug 2010: Signature May 2014: Customershareholders Aug 2017: New
verification call back requirements customer data
requirement by RMs by RMs implemented management app
implemented
16
Forensic Investigation
Report
17
Background Results Impact
Executive
Findings Recommend
Summary
Report
Structure Scope Approach
Reporting
documents
18
Background
Illustrative Example:
On [insert date], XYZ bank received a call from a customer reporting to an assistant relationship manager that
there had been unauthorized transfers of funds out of her account for the period from April 2012 to August
2018.
Based upon this initial predication, a fraud examination was conducted, which included reviews of relevant
records, processes and interviews of appropriate personnel.
19
Executive Summary
20
“
The fraud examination commenced after XYZ bank received a
call on [insert date] from Customer A who reported to Assistant
Relationship Manager B that there had been unauthorized
transfers of funds out of her account for the period from April
2012 to August 2018.
22
Scope
Ø One paragraph
Ø Possible scope
q Whether the alleged fraud had indeed taken place
q The extent of the alleged fraud (amount, parties involved, parties impacted)
q Whether there were any lapses in controls
Illustrative Example:
23
Approach
Personnel interviewed
Examination procedures
(documents, tests)
24
Fraud Examination Team
• XXX (Investigation Lead)
“
• XXX (Team Manager)
• XXX (Team Senior)
• XXX (Cyber Forensics Specialist)
Procedures performed:
Approach – • Obtained, reviewed and analysed the funds transfers
transactions in customer accounts managed by C during
An illustrative the relevant period,
example • Obtained, reviewed and analysed the funds transfers
transactions in other customer accounts which are
connected to the above transactions,
• Conducted searches on the recipients of the funds transfers
to determine the extent of association, if any, among the
involved parties,
25
“
Continued from previous page…
Ø Tasks performed
Ø Findings and results (based on chronology or topic)
Ø Details of transactions (dates, amounts, involved parties, intermediaries, etc)
Ø References to documents and exhibits as supporting evidence
Illustrative Example:
Our examination revealed that the following alleged unauthorised funds transfers took place in Customer A’s
account:
• On 5 May 2012, $100,000 was transferred out to an account Knight Rider at ABC bank in Singapore. Our
corporate searches showed that Knight Rider is owned by a person named XXX who shared the same
address as RM C. Based on the taped lines records…
• On 23 August 2013, $200,000 was transferred from Customer F’s account into Customer A’s account
before being transferred out to an account Pandora at National Bank of Cyria on the next day, 24 August
2013. The director of Pandora is a person named Asran who shared the same contact number as the
registered telephone number of Customer E. From our forensic examination, we have reason to believe
that the written transfer instructions purportedly signed by Customer A may be forged (Exhibit A).
27
Summary
Illustrative Example 1:
Based on our examination, we have identified the following funds transfer transactions to/from customer
accounts involving suspicious third parties:
S/N Customer A/c Customer Name Gross inflows Gross outflows Net inflows/ Suspicious parties
(USD) (USD) (outflows) (USD)
1 324685 Pute*** Sam 351,000 1,425,000 (1,074,000) Knight Rider AG (USD 700K)
New Century Ltd (USD 350K)
Goldmine BVI Ltd (USD 24K)
28
“
Based on our examination following the receipt of an
anonymous tip-off through our whistle blowing hotline that
the Sous Chef Arias of hotel XXX had solicited and accepted
bribes in the form of loans of $253,000, we have determined
that the allegation is corroborated by documentary evidence,
interviews of witnesses as described herein, and the signed
confession by Arias.
Summary –
Illustrative
example 2
29
Impact
Ø Describe how the fraud impacted the victim organization and any other victims (e.g. customers,
suppliers, service providers, etc)
Ø Tangible and intangible damages (e.g. regulatory scrutiny or restrictions, litigation claims, etc)
Ø Provide an estimated dollar amount of potential losses involved in the alleged fraud
30
“
Pursuant to our examination following the receipt of a
telephone call from Customer A that there had been
unauthorised funds transfers from her account with the bank,
we have identified suspicious transactions amounting to USD
14.1 mio in aggregate to/from at least 25 suspicious parties
involving 14 customer accounts during the relevant period
from 1 February 2010 to 31 March 2019. These customer
Impact – An accounts were managed by RM C, who had since left the bank
on 30 September 2018.
illustrative
example Of the customers impacted, 10 customers have commenced
litigation suits against the bank. The aggregate litigation
claims amounted to approximately USD 25 mio as of the date
of this report.
31
Reporting Documents
MEMORANDA EXHIBITS,
ENCLOSURES
32
Cover Page or Transmittal letter
Ø Typically accompanies the examination report to the authorities, regulators, external legal
counsel or insurers.
33
Memoranda
Ø Document all interviews and other pertinent information discovered during the examination
34
Exhibits
TABLES LINK-NETWORK
DIAGRAMS
35
Gaps and
Recommendations
36
Five Cs of Report Writing
Corrective
Criteria Condition Cause Consequence
action plans
37
Five Cs of Report Writing
Corrective
Criteria Condition Cause Consequence
action plans
1. Customer data setup and • RMs were granted • System access profiles were •Sensitive and important • IT will remove all front office
amendments should be system access to input not granted on a least customer data were write-access to customer
performed and amend customer privileged basis nor amended unilaterally by data. Monthly access profile
independently and data including contact reviewed regularly to ensure RM in the absence of reviews will be conducted
subject to four-eyes numbers and mailing their appropriateness. independent verification by respective department
principle. addresses. heads
• Customer master data • Rendered fraud prevention
• Inputs and amendments application was not and detection controls • Operations will conduct a
were not subject to enhanced with dual control such as call-backs, post full independent verification
independent functionality until April 2017 transaction alerts and of existing customer data
verification. despite repeated requests client advices and
from Operations. statements ineffective • New or amendments to
existing customer data must
• Customer master data were • $4.5 mio belonging to be independently
not verified prior to seven customer accounts corroborated against
migration to new system were misappropriated supporting documents.
during the period from
• Inadequate emphasis on June 2014 to September • Strategy Implementation
control culture and risk 2018. Committee
mitigation
38
39
Remediation Process and Follow up
4. Employee training: transparency for advancement (vs “washing dirty linen in public”)
o Red flags
o Gaps and weaknesses
o Control enhancements
40
Monitoring Framework
for Remediation
41
Fraud Examination
Concluding Meeting
42
Monitoring Framework for Remediation
44
Insurance Recovery
1. Scope of coverage and deductibles (per incident, annual cap, group entities, gross vs wilful
negligence)
2. Client-attorney privilege
8. Claims submission
45
Conclusion
46
If you can’t explain it simply,
you don’t understand it well
enough…
- Albert Einstein
47
Appendix 1:
Reading materials
48
Prescribed Reading Materials [F = Full reading]
49