At the outset of an investigation, we are almost always presented with a huge amount of data. Not just unstructured data such as emails and documents, but also database information such as accounting and banking records, communication recordings and social media interactions. As the amount of data produced by a business continues to grow, it is typically stored in a variety of locations and formats, including the cloud.
But when it comes to a fraud or corruption case, this makes it more difficult to quickly identify the issues. It can also be costly, both in monetary and reputational terms. When a fraud is uncovered, swiftly finding its source and addressing any vulnerability in the company’s processes and systems is essential to stem losses. When it comes to shutting down a fraud, time really is money. The data explosion has had considerable implications for the roles of lawyers, digital forensics analysts and forensic accountants.
Huge data volumes often make it difficult, time-consuming and expensive to identify the evidence required to commence legal or disciplinary proceedings. Data analytical tools enable experts to identify and focus on the transactions, correspondence or other evidence that shows what occurred. Forensic accountants can also identify any weaknesses or vulnerabilities in internal systems and controls that allowed the fraud or other misconduct to take place.
Legal advice is also vital to ensure the investigation is handled correctly and evidential integrity is preserved. With data protection and privacy rules varying from country to country, it can sometimes be a criminal offence to move data beyond a country’s borders or recover information from employees’ devices without a court order. The new legal framework, the EU General Data Protection Regulation (GDPR), is due to come into effect on 25 May 2018.
However, Brexit may mean that all businesses will need to review and reconsider their legal standing. Once Britain leaves the EU, it will still be necessary for international businesses to consider and prepare for both GDPR and the UK Data Protection Act in order to do business digitally. And so any compliance or regulatory investigation process involving data also has to be baked into these review processes.
It does pay to be prepared and ensure that any future investigations can be conducted efficiently, limiting professional costs as well as reputational and regulatory implications.
Know where your information is held, and by whom, and ensure good data mapping and accounting practices. This includes knowing how and where new data is generated and how historical data is handled. For example, using Excel spreadsheets to document employee expenses is a frequent vulnerability when it comes to corruption prosecution.
Have clear policies on how employees store data and what they can and can’t do with their devices. It is not only important that these policies are in place, but that employees are aware of them and have consciously agreed to them. For multinational businesses, these policies need to comply with the data protection, privacy and employment laws of each of the jurisdictions in which they operate and in many cases need to cover the use of personal devices for business.
By treating information governance and data hygiene as a potential crisis management issue, the reputational and financial damage of fraud and corruption can be considerably reduced.
A happy side effect of keeping on top of your data is that good information governance will significantly reduce your exposure to fraud.
Ching Liu is director of forensics at Control Risks