LOS ANGELES — Even when employers have good cases against internal fraud, they often don’t refer them to law enforcement. Many companies handle instances of such fraud internally and very quietly make the employee “go away.”
But that can be a mistake, said fraud experts and prosecutors at Information Security Media Group’s Fraud Summit in Los Angeles last week.
So why do many organizations not report? The fear of bad publicity and that their share price will take a hit if investors and customers learn that the organization’s poor controls left it vulnerable to internal fraud, said Allan Bachman, education manager at the Association of Certified Fraud Examiners.
“A lot of times [the company] wants to sweep it under the rug and make the person disappear because they don’t want negative publicity,” Bachman said during a session called, “Fraud Investigations: How to Work Effectively with Law Enforcement, Government and Litigators.”
However, fraud cases that are referred to law enforcement are often prosecuted very successfully, he said. Moreover, criminal prosecutions coupled with civil lawsuits very often yield positive results for organizations.
“It sends an example” for other would-be fraudsters and embezzlers “that if the organization finds evidence of fraud it will prosecute without exception — it creates deterrence,” Bachman said. But “it starts at the tone at the top to prosecute.”
Tracy Wilkison, deputy chief in the U.S. Attorney’s Cyber and Intellectual Property Crimes section in Los Angeles, said that she understands why many organizations do not report internal fraud and other crimes, but not doing so can hurt them.
Prosecutors need to get the correct law enforcement agency involved as soon as possible, so evidence can be preserved. “When we and law enforcement are not involved soon enough, there is a possibility that evidence is lost,” Wilkison said. “[Companies] are not being careful enough about their computers, or do not send out ‘preservation requests‘ to various social media companies.”
A preservation request can greatly benefit a prosecution. Any information on Facebook or other social media outlets about a suspect needs to be preserved, particularly if a suspect brags about his or her crimes, she said. “Save everything and be patient, because it can take a while for us to investigate and for the case to proceed, but we try to get results,” Wilkison said.
Many organizations prefer to first solicit a private-sector company to investigate suspected internal fraud, said Katya Hirose, director, global risk and investigations practice at FTI Consulting in Baltimore.
Private investigators typically can be more flexible and act more quickly than law enforcement, particularly if incidents occur during off hours on the weekends, but many organizations may have budget constraints that can limit the investigation, Hirose said.
Indeed, oftentimes investigations are taken out of the hands of private investigators midway through and handed over to law enforcement.
FTI Consulting prefers to handle cases that it can maintain control from start to finish, with the presumption that the cases would ultimately go to trial — even if the firm ends up working hand in hand with law enforcement, Hirose said.
“Ultimately the goal is catching the bad guy, so sometimes it’s frustrating if we can’t see it through,” she said. “I need transparency up front with what an organization is experiencing, and if I only get admissions of part of what’s happening, we’re already starting off poorly.”
Sometimes private investigators don’t learn of all of an organization’s goals and politics until the decision is made later on whether or not to prosecute, Hirose said.
“I worked on one particular product tampering case, but then the company decided not to do anything about it,” she said. “I asked them why on earth not, and they told me that it would be bad PR if it were made public.”