By: David Clements , Formal Principal Director Deloitte Forensics

Edited by: Meenakshi Razdan


Despite recent surveys pointing to increase in instances of fraud, the discovery of a suspected fraud within any organisation is not an everyday occurrence for most people and initial reactions may include shock and surprise. Action taken in the first few hours and days after discovery significantly impacts the course and outcome of full investigation.

Most organisations have controls in place to prevent and detect fraud being committed against them from outside the organisation. In the banking industry in particular, external fraud is an expected occurrence and banks employ sophisticated processes and technology to prevent and detect such occurrences. The bigger problem occurs when fraud has been committed from within. Apart from the cost involved, there is always some collateral damage caused including loss of reputation, brand damage and reduced employee morale. Seniority of the suspect is also a factor, the more senior the employee, the more serious the damage.

History shows that  in the absence of any structured response plan, the amount of time and effort it takes for management to respond, particularly in the initial weeks, is excessive and severely impacts the normal business activity of the organisation. When a potential fraud is first discovered, the following few hours or days can be very confusing and stressful if the organisation is not prepared.

In the absence of a Fraud Response Plan, experience has shown that managers handle the same problem in different ways

Sometimes with disastrous consequences such as destroying the evidence by inappropriate handling, inadvertently tipping off the suspect and enabling them to destroy incriminating evidence, failing to keep the matter confidential and taking inappropriate action due to insufficient information.

In a recent fraud incident that occurred in a UAE organisation, the suspect was in charge of procurement for the organisation and it came to light that he also operated a supply and contracting company which had been paid in excess of 3 million dirhams by this company, all ordered and authorised by the suspect. After discovery, he was made aware of the issue but was allowed to remain in his position for another month, during which time he destroyed a large number of incriminating documents.

In an incident which occurred in another Middle East country, it became widely known throughout the organisation that a fraud had been uncovered. Unfortunately, the matter which became public knowledge was only a small part of a much larger conspiracy between a number of employees and suppliers. By failing to keep the matter confidential, the company management enabled the conspirators to destroy incriminating records, electronic data and to dispose of stolen property which rendered any future investigation a limited exercise. The identities of the suspects were not confirmed, which means that the company may still employ people who are actively seeking ways to defraud it.

The purpose of a Fraud Response Plan is to ensure that incidents are handled in a systematic and efficient manner, not only to conclude a successful investigation, but also to show that the organisation acted in a prudent and lawful manner and that it does not tolerate fraud.

The Fraud Response Plan should outline how far an individual line manager should go in collecting initial information before invoking the Response Plan. The key is to provide the line manager with an effective framework to resolve concerns, rather than leave such resolution to individual initiative.

Initial Action

It is important to remember that when fraud is first suspected, the matter may well be more serious than it may initially appear. This is because fraudsters rarely restrict their activities to only one modus operandi or method. Therefore, every effort should be made to obtain as much information as possible before anyone is confronted or interviewed. This is particularly important in organisations or business units with a close working environment, where there may be a strong temptation to simply question an employee as soon as suspicion arises.

It is also important to be aware that large scale frauds are often international in nature. Therefore, any fraud contingency planning must include measures for investigation and  legal action across jurisdictions.

In addition, most frauds involve the use of a computer during planning or execution. This is particularly evident in today’s environment, when majority of white collar employees are allocated a computer by their employer. Business is conducted on computer and normally involves – widespread use of corporate email. The pervasive involvement of the computer into most facets of corporate life means that electronic evidence is often vital to investigating corporate fraud. Obtaining that electronic piece of evidence is a specialist skill which should be discussed with forensic specialists.

Initial actions are crucial to the eventual outcome of an investigation and if a proper strategy is put in place and adhered to, the extent of fraudulent activity can be assessed and resolved successfully. This usually means assimilating sufficient evidence to dismiss errant staff and commence civil and/or criminal proceedings against those involved in the fraud.

Initial responsibility designation

Fraud investigation is a confidential and sensitive matter for the vast majority of organisations. It is vital that all allegations of fraud are treated seriously and that responsibility for handling fraud incidents is assigned to a senior trusted individual or group of individuals. In many organisations, this responsibility is handed to a corporate security advisor, internal audit manager or risk management director. In other organisations the responsibility is shared between members of senior management or an audit committee and the organisation’s human resources personnel and corporate lawyers are involved from the start. Fraud incident management r is an important role and those chosen to administer the role must have appropriate legal and management authority to  investigate and co-ordinate the organisation’s overall response to fraud incidents.

As part of their overall fraud control plan, organisations should assign responsibility for fraud incident management to appropriate person(s) as a precursor to adopting an incident management plan. Involvement of corporate lawyers and human resource personnel at appropriate levels is essential.

Fraud Response Team

Some Fraud Response Plans only deal with situations where an employee discovers a fraud and hands it over to an investigation department to follow up. However, some frauds have impact far beyond the remit of the investigation department to deal with (such as when the organisation’s liquidity is threatened). The Plan also should cater for such eventualities.

Most large organisations have formed crisis management committees to respond to major incidents (such as a fire or explosion), so it is not unusual to have a similar approach in a Fraud Response Plan. Typically, this means forming a Fraud Incident Management Team comprising essential members and co-opted members.

In some types of fraud the victim may only have a few hours to take action to freeze funds which have been illicitly transferred. It is essential that contact numbers for essential service providers are established beforehand, including internal support departments, such as legal, corporate security, insurance external lawyers, police and telecommunications agencies, forensic accountants and investigators.

Receipt and initial assessment of suspicion, allegation or ‘tip off’

Fraud investigations are often initiated after an allegation or a tip-off (often anonymous) is received. This will usually be sourced from inside the organisation, although external tip-offs are not uncommon. Many fraud incidents are initially discovered by accident, perhaps as a result of an audit, job change or resignation. Very few frauds are discovered as part of a deliberate attempt to uncover fraud, as very few organisations implement a proactive fraud detection program.

The checklist below highlights initial actions to be taken /avoided upon discovery of fraud or tip-off.

At the conclusion of this stage, a decision must be made as to whether the allegation or suspicion warrants investigation or is implausible or vexatious. However, this decision must be made carefully. If an allegation cannot be quickly dismissed as false, further action should be taken.

A typical Fraud Response Plan contains:

  • purpose of the plan,
  • policy statement,
  • definition of fraud,
  • roles and responsibilities including fraud response team,
  • objectives including civil and criminal response,
  • reporting of suspicion and collection and preservation of evidence.


Initial action checklist upon discovering a potential fraud:

  1. Alert the fraud incident manager that an allegation or suspicion exists
  2. Document date, time and details of initial report/discovery
  3. Take notes of all observations and actions – if something is worth taking a mental note, it is worth a written note
  4. Maintain confidentiality (only inform those people who need to know about the suspected act). Unwarranted disclosure can seriously damage potential successful investigations. Do not confront the suspect.
  5. Write out in full the suspected act or wrongdoing including:

What is alleged to have occurred

  • Who is alleged to have committed the act
  • Is the activity continuing
  • Where did it occur
  • What is the value of the loss or potential loss
  • Who knows of the activity


  1. Identify all documentary and other evidence connected to the activity
  • Invoices
  • Contracts
  • Purchase orders
  • Cheques
  • Computers
  • Credit card statements
  1. Obtain evidence and place in a secure area. (only where it is possible without alerting any suspects)
  2. Protect evidence from damage or contamination
  3. List each item individually taking note of acquisition (incl. time, date and location) and where the item was securely stored
  4. Identify all potential witnesses
  5. Unless electronic evidence is in the process of being destroyed do not go into the suspect/target computer systems
  6. If possible, secure and/or remove suspect’s access to relevant computers/systems. Do not allow IT department to examine computer
  7. Consider other potential suspects and extent of fraud