ACC4712

Forensic Accounting
AY 2021/22, Semester 2
Week 7

Adjunct A/P Tay Puay Hui

Adjunct A/P Iain Potter
Forensic Investigations
Reporting
& Communications

2
Forensic Investigations - Reporting & Communications

“This report by its very length, defends

itself against the risk of being read”
- Winston Churchill

3
Forensic Investigations - Reporting & Communications

The Mueller report is that rare Washington tell-all

that surpasses its pre-publication hype.
Sure, it is a little longer than necessary. Too many
footnotes and distracting redactions. The writing is
often flat, and the first half of the book drags,
covering plenty of terrain that has been described
elsewhere. The story shifts abruptly between riveting
insider tales and dense legalisms. Its protagonist
doesn’t really come alive until halfway through, once
Volume I (on Russian interference) gives way to
Volume II (on obstruction of justice). The title — far
too prosaic, really — feels like a missed opportunity…

- The Washington Post, April 20, 2019

“Mueller has displayed a crimped understanding of his civic obligations. He has accepted essentially no
responsibility for helping public understand his report, beyond the dense legalistic language in the document
itself. … He could have made this more coherent & understandable for us. He explicitly chose not to.”
- Ronald Brownstein, The Atlantic
4
Course Outline

Objectives
The objectives of this lecture is to enable our students to:
1. Understand the importance of stakeholders’ engagement and communications in
forensic investigations,

2. Reconstruct the chronology of events vis-à-vis the control environment

3. Identify control gaps and provide recommendations for remedial measures

4. Prepare the forensic investigation report

5. Develop a monitoring framework for the implementation of the remedial measures

5
Course Outline

Learning Outcome
By the end of the lecture, you will be able to:
1. Recite the fundamental steps in the forensic investigation communication process

2. Apply the critical report writing skills to develop a clear and succinct forensic
investigation report

3. Develop an effective framework for monitoring the implementation of remediation

measures with the necessary quality assurance reviews

4. Achieve a concise overview of the insurance recovery process

6
 Forensic Investigation
Communication Process

7
Forensic
Investigations –
Stakeholder
communications

8
Forensic Investigations – Our Stakeholders (revisited)

Authorities

Creditors Employees

BoD
Management

Shareholders Victims

Insurers

9
Essential Traits of Investigation Communication

• Unbiased mental • Avoid • Reflect severity of the

attitude & phrasing redundancies observations
• Focus on findings, • Exclude irrelevant, • Facilitate collaborative
deficiencies in insignificant & solutions
processes & unnecessary • Facilitate positive
execution information changes

Accurate Objective Clear Concise Complete Constructive Timely

• Disclose all • Language clearly • Include all • Ongoing escalation

material facts understood essential • Informal
• Free from errors & • Free from information communication
distortions technical jargons • Target audience • Formal
• Precise wording • Consistent reach same communication
supported by terminology vs conclusion deadlines
evidence industry
10
 Engagement during the Investigation Process

Reporting
Report
03
Recommend
Initiation & Planning
Remediate
Allegation Receipt and
Evaluation

Investigation plans
01 02 Execution

Evidence collection,
preservation, analysis and
conclusion

11
Stakeholders Engagement
1. Initiate investigation
Audit
Comm Mgt 2. Approval of investigation plan and SME engagements
Chair
3. Investigation status and preliminary findings

Investigatn
4. Engagement with authorities (e.g. regulators, police, etc)
lead
Investigation 5. Subject of interest (SOI) management
Risk Mgt
6. Witness and victim management and communication
Committee 7. Settlement proposals
Legal
Counsel
8. Civil litigation suits

9. Insurance claims and recovery

Compliance
SME* 10. Investigation Report -> Draft -> Preliminary -> Final

*invitation basis only 11. Post-mortem -> lessons learnt -> remedial measures
12
Forensic Investigation –
Construct the
Time Machine

13
CONTROL ROADMAP – An illustrative example
Mar 2010: Written
instructions from Jan 2012: Independent Apr 2018: Automated
customers for outward signature verification Feb 2016: Hold mail post transaction alerts
remittances by Operations services terminated sent to customers

1 3 5 7

May 2019: 3-way call

back by Operations for
amounts > $100K

2 4 6

Aug 2010: Signature May 2014: Customer Aug 2017: New

verification call back requirements customer data
requirement by RMs by RMs implemented management app
implemented
14
FRAUD PERPETRATION TIMELINE – An illustrative example

Internal transfers
1st
amendment to from customer Fraud uncovered
RM commenced 1sttransfers from customer contact accounts to shell after bankruptcy
employment 1 hold mail service Accounts B, C and D numbers
st
accounts petition against RM

Feb Jun Sep Mar May Oct Jun Dec Feb Mar Sep
2010 2010 2010 2012 2012 2012 2014 2015 2016 2016 2018

1st transfer from Forged customer 1st transfers from Set up accounts of 1st amendment to
Account A transfer instructions Accounts E and F shell companies mailing addresses
with nominee of customers
shareholders

15
CONTROL ROADMAP – An illustrative example
Mar 2010: Written
instructions from Jan 2012: Independent Apr 2018: Automated
customers for outward signature verification Feb 2016: Hold mail post transaction alerts
remittances by Operations services terminated sent to customers
1st amendment to Internal transfers Fraud uncovered
1 3 5
RM commenced customer contact from customer 7
after bankruptcy
1st transfers from
employment 1st hold mail service numbers accounts to shell petition against RM
Accounts B, C and D
accounts

8
Feb Jun Sep Mar May Oct Jun Dec Feb Mar Sep
2010 2010 2010 2012 2012 2012 2014 2015 2016 2016 2018
May 2019: 3-way call
back by Operations for
amounts > $100K
1st amendment to
1st transfer from Forged customer 1st transfers from Set up accounts of mailing addresses
2
Account A transfer instructions Accounts E4and F shell companies 6
of customers
with nominee
Aug 2010: Signature May 2014: Customershareholders Aug 2017: New
verification call back requirements customer data
requirement by RMs by RMs implemented management app
implemented
16
Forensic Investigation
Report

17
 Background Results Impact

Executive
Findings Recommend
Summary

Report
Structure Scope Approach
Reporting
documents

18
Background

Ø Generally two paragraphs

Ø Reasonably succinct on why forensic investigation was conducted
q Anonymous tip
q Audit findings
q Discovered during the ordinary course of business
q Third party feedback

Illustrative Example:

On [insert date], XYZ bank received a call from a customer reporting to an assistant relationship manager that
there had been unauthorized transfers of funds out of her account for the period from April 2012 to August
2018.

Based upon this initial predication, a fraud examination was conducted, which included reviews of relevant
records, processes and interviews of appropriate personnel.

19
Executive Summary

Ø Typically no more than 2 pages

Ø Overview of the actions performed during the forensic investigation

q Reviewing documents

q Interviewing SOI, witnesses, customers

q Conducting analyses and tests

q Outcome of the examination

20
 “
The fraud examination commenced after XYZ bank received a
call on [insert date] from Customer A who reported to Assistant
Relationship Manager B that there had been unauthorized
transfers of funds out of her account for the period from April
2012 to August 2018.

The Relationship Manager was C who had resigned on 30

Executive September 2018 following the discovery of a bankruptcy
petition filed against her on 14 September 2018. C joined the
Summary – bank on 1 Feb 2010.
An illustrative
The Fraud Examination Team conducted the following
example procedures:
• reviewed funds transfers records involving customer
accounts managed by C for the period from 1 February
2010 to 31 March 2019 (the “relevant period”),

Continued on next page…

21
 “
Continued from previous page…

• reviewed funds transfers records involving customer

accounts not managed by C but transferred funds to/from
the above accounts managed by C during the relevant
period,
• interviewed existing and past RMs, ARMs, Operations
Executive personnel and relevant customers who may have
information pertaining to this alleged fraud incident,
Summary – • Reviewed the operations processes of customer onboarding
An illustrative •
and payments transfers during the relevant period, and
Interviewed C who provided a signed confession of her
example fraud perpetration.

Based on our investigations, unauthorised funds transfers

amounting to $X mio were made out of X customer accounts
during the relevant period.

22
Scope

Ø One paragraph

Ø Possible scope
q Whether the alleged fraud had indeed taken place
q The extent of the alleged fraud (amount, parties involved, parties impacted)
q Whether there were any lapses in controls

Illustrative Example:

The objectives of the fraud examination are as follows:

• Determine whether the alleged unauthorised transfer of funds from customer accounts had taken place,
• Assess the amount of alleged unauthorised transfer of funds and the customer accounts impacted,
• Analyse the root causes of the alleged incident (typically requested by regulators)

23
Approach

Personnel interviewed

Examination procedures
(documents, tests)

Fraud examination team

24
 Fraud Examination Team
• XXX (Investigation Lead)
“
• XXX (Team Manager)
• XXX (Team Senior)
• XXX (Cyber Forensics Specialist)
Procedures performed:
Approach – • Obtained, reviewed and analysed the funds transfers
transactions in customer accounts managed by C during
An illustrative the relevant period,
example • Obtained, reviewed and analysed the funds transfers
transactions in other customer accounts which are
connected to the above transactions,
• Conducted searches on the recipients of the funds transfers
to determine the extent of association, if any, among the
involved parties,

Continued on next page…

25
 “
Continued from previous page…

Procedures performed (cont’d)

• Obtained, reviewed and analysed the static data of relevant
customers,
• Reviewed the policies and procedures on customer
onboarding and funds transfers and determine the extent
to which they have been adhered to during the relevant
Approach – period, and
• Determined the responsible persons and/or supervisors
An illustrative involved in the relevant transactions
example
Individuals interviewed (cont’d)
The following individuals were interviewed in person by the
Fraud Examination Team in the presence of the external legal
counsel:
C (RM)
B (ARM)
XXX (Head of Private Banking)
A (Customer)
26
Findings

Ø Tasks performed
Ø Findings and results (based on chronology or topic)
Ø Details of transactions (dates, amounts, involved parties, intermediaries, etc)
Ø References to documents and exhibits as supporting evidence

Illustrative Example:

Our examination revealed that the following alleged unauthorised funds transfers took place in Customer A’s
account:
• On 5 May 2012, $100,000 was transferred out to an account Knight Rider at ABC bank in Singapore. Our
corporate searches showed that Knight Rider is owned by a person named XXX who shared the same
address as RM C. Based on the taped lines records…
• On 23 August 2013, $200,000 was transferred from Customer F’s account into Customer A’s account
before being transferred out to an account Pandora at National Bank of Cyria on the next day, 24 August
2013. The director of Pandora is a person named Asran who shared the same contact number as the
registered telephone number of Customer E. From our forensic examination, we have reason to believe
that the written transfer instructions purportedly signed by Customer A may be forged (Exhibit A).
27
Summary

Ø Summarize the results of the fraud examination (narrative or tabular format)

Illustrative Example 1:

Based on our examination, we have identified the following funds transfer transactions to/from customer
accounts involving suspicious third parties:
S/N Customer A/c Customer Name Gross inflows Gross outflows Net inflows/ Suspicious parties
(USD) (USD) (outflows) (USD)

1 324685 Pute*** Sam 351,000 1,425,000 (1,074,000) Knight Rider AG (USD 700K)
New Century Ltd (USD 350K)
Goldmine BVI Ltd (USD 24K)

2 328432 Tr**tsid* 450,000 - 450,000 Pandora BVI Ltd (USD 400K)

F&F Pte Ltd (USD 50K)
3 401235 L. Me**i - 570,000 (570,000) Knight Rider AG (USD 450K)
Tradeup BVI Ltd (USD 100K)
Lucky Joy Ltd (USD 20K)

Total 801,000 1,995,000 (1,194,000)

28
 “
Based on our examination following the receipt of an
anonymous tip-off through our whistle blowing hotline that
the Sous Chef Arias of hotel XXX had solicited and accepted
bribes in the form of loans of $253,000, we have determined
that the allegation is corroborated by documentary evidence,
interviews of witnesses as described herein, and the signed
confession by Arias.
Summary –
Illustrative
example 2

29
Impact

Ø Describe how the fraud impacted the victim organization and any other victims (e.g. customers,
suppliers, service providers, etc)

Ø Tangible and intangible damages (e.g. regulatory scrutiny or restrictions, litigation claims, etc)

Ø Provide an estimated dollar amount of potential losses involved in the alleged fraud

Ø May be combined with ”Summary” section

30
 “
Pursuant to our examination following the receipt of a
telephone call from Customer A that there had been
unauthorised funds transfers from her account with the bank,
we have identified suspicious transactions amounting to USD
14.1 mio in aggregate to/from at least 25 suspicious parties
involving 14 customer accounts during the relevant period
from 1 February 2010 to 31 March 2019. These customer
Impact – An accounts were managed by RM C, who had since left the bank
on 30 September 2018.
illustrative
example Of the customers impacted, 10 customers have commenced
litigation suits against the bank. The aggregate litigation
claims amounted to approximately USD 25 mio as of the date
of this report.

31
Reporting Documents

INDEXES COVER PAGE TRANSMITTAL

LETTER

MEMORANDA EXHIBITS,
ENCLOSURES

32
Cover Page or Transmittal letter

Ø Typically accompanies the examination report to the authorities, regulators, external legal
counsel or insurers.

Ø The cover page should reiterate important information in the report

Ø Summarizes the salient points of the examination.

Ø If the report is submitted to the authorities, the cover letter should:

ü highlight the key weaknesses or root causes which may have contributed to the incident
[Note: Due care and consideration required!!!]

ü Summarize management’s intended remediation measures (including committed

timelines) to address these gaps and weaknesses

33
Memoranda
Ø Document all interviews and other pertinent information discovered during the examination

q Heading q Indicate that one provided his/her identity

q File number/control number q Witness’s affirmation of having been

informed of the nature of the inquiry
q Name of person reporting
q Date of inquiry
q Subject of memorandum
q How the interview was conducted (i.e. in-
q Date person, telephone, video conference, etc)

q Details of facts q Whether the interview was recorded

q Declaration that interview was voluntary q Facts of the interview

34
Exhibits

CHARTS & ORGANIZATIONAL FLOW CHARTS

GRAPHS CHART

TABLES LINK-NETWORK
DIAGRAMS

35
 Gaps and
Recommendations

36
Five Cs of Report Writing

Corrective
Criteria Condition Cause Consequence
action plans

Standards, measures, Address the cause and

expectations, policies & prevent its recurrence
procedures used in Correct the condition
making the evaluation and eliminate adverse
effects [sufficient details
Factual evidence or Risk & exposure (past, of action plans]
description of existing present & future).
controls (i.e. test Consider different types
outcome). Deviation of risks and likelihood.
from Criteria Quantify (if possible)

Root causes of the

condition (i.e. not
merely the symptons)

37
Five Cs of Report Writing

Corrective
Criteria Condition Cause Consequence
action plans
1. Customer data setup and • RMs were granted • System access profiles were •Sensitive and important • IT will remove all front office
amendments should be system access to input not granted on a least customer data were write-access to customer
performed and amend customer privileged basis nor amended unilaterally by data. Monthly access profile
independently and data including contact reviewed regularly to ensure RM in the absence of reviews will be conducted
subject to four-eyes numbers and mailing their appropriateness. independent verification by respective department
principle. addresses. heads
• Customer master data • Rendered fraud prevention
• Inputs and amendments application was not and detection controls • Operations will conduct a
were not subject to enhanced with dual control such as call-backs, post full independent verification
independent functionality until April 2017 transaction alerts and of existing customer data
verification. despite repeated requests client advices and
from Operations. statements ineffective • New or amendments to
existing customer data must
• Customer master data were • $4.5 mio belonging to be independently
not verified prior to seven customer accounts corroborated against
migration to new system were misappropriated supporting documents.
during the period from
• Inadequate emphasis on June 2014 to September • Strategy Implementation
control culture and risk 2018. Committee
mitigation
38
39
Remediation Process and Follow up

1. Post-mortem and root cause analysis

2. Disciplinary measures <- disciplinary framework + disciplinary committee

3. Lessons learnt: corrective actions and remediation

4. Employee training: transparency for advancement (vs “washing dirty linen in public”)
o Red flags
o Gaps and weaknesses
o Control enhancements

5. Civil litigation claims and recovery

40
Monitoring Framework
for Remediation

41
Fraud Examination
Concluding Meeting

1. Separate report on gaps and

improvement opportunities
2. Clarify facts and confirm outcome
of root cause analysis
3. Agree on management responses
including corrective measures and
proposed action plans
4. Agree on responsible owners for
measures, action plans and
committed timelines
5. Procure (and evaluate)
management feedback
6. Agree to disagree?

42
Monitoring Framework for Remediation
44
Insurance Recovery

1. Scope of coverage and deductibles (per incident, annual cap, group entities, gross vs wilful
negligence)

2. Client-attorney privilege

3. Initial incident notification

4. Governance and control environment, processes and policies and procedures

5. Factual report (draft -> preliminary -> final)

6. Pre-notification of any litigation and settlements

7. Formal justification and documentation of approval decisions for settlement proposals

8. Claims submission

45
Conclusion

46
If you can’t explain it simply,
you don’t understand it well
enough…
- Albert Einstein

47
Appendix 1:
Reading materials

48
Prescribed Reading Materials [F = Full reading]

1. Sample Fraud Examination Report*

*please refer to LumiNUS folder

49