
Prison Professors

Dec 23, 2020

Previous modules offered insights we believe leaders should consider when designing an effective compliance program and risk-management strategy for their organizations. The more leaders customize their compliance and best-practice programs, the better they safeguard against intrusive investigations that could threaten the business and its team members.

Regardless of what efforts team members make to protect a company, a breakdown is always possible, as is a rogue team member who could expose the organization to liability. For that reason, all companies should create a plan that would coordinate a team response in the event of an inquiry from regulators or law enforcement.


Lack of Planning Brings Vulnerabilities:

In the absence of a structured response plan, team members may not know what to do if they learn that authority figures have taken an interest in the company or in a team member. Sometimes, leaders act rashly. People have gone to prison for their response to a government investigation, rather than for the underlying reasons behind the inquiry.

Consider the case of the famous celebrity, Martha Stewart. Many people are familiar with her brand, which sells household products. In 2001, however, a personal scandal over a stock sale completely disrupted her life. Her response to a government inquiry led to criminal charges.

According to the U.S. Securities and Exchange Commission, in late December 2001, her stockbroker at Merrill Lynch, Peter Bacanovic, called her. Peter revealed that Sam Waksal, the CEO of ImClone Systems, had placed an order to sell all of his shares in his company as a result of an adverse decision by the Food and Drug Administration. In response, Martha sold approximately 4,000 shares that she owned, avoiding losses of more than $45,000.

When government investigators began making inquiries, Martha did not have a good plan. The responses she gave to the government investigators resulted in criminal charges. The fees and costs associated with the disruption likely exceeded several million dollars. Besides the legal costs, Martha’s response to the investigation led to a shareholder derivative suit against Martha Stewart and other directors at her company, and to five months in prison. With a felony conviction, Martha endured lifelong complications, including bans on travel to some countries.

Clearly, Martha Stewart did not have a principled plan that would guide her response to a government inquiry. Sadly, many people find themselves in the same predicament. Those who operate businesses without designing a response plan for government inquiries may leave themselves vulnerable to knee-jerk reactions that can exacerbate troubles.

A lack of a plan can lead to confusion during the first few hours, days and weeks of an inquiry. The unfolding drama can distract team members, as everyone may worry about personal liability. If people don’t know what to do, they may make futile attempts at self-preservation, such as destroying incriminating evidence, or lying to government investigators. Either response would expose the individual, and potentially others, to criminal charges.


Risk Management:

A good response plan will ensure that all team members have guidelines to follow. Whether government regulators inquire about business operations or potential fraud, everyone should know what steps to take. To protect both the business and the team members, corporate leaders should articulate the appropriate protocol any time an investigator makes an inquiry.

  • Does everyone in your organization know how to respond in the event that an investigator asks a question?

Leaders can easily get an answer to that question by creating a plan. Then, they should create a training exercise for all team members. The more transparency leaders bring to an investigation-response plan, the more they will strengthen arguments that the organization has made a genuine effort to act in compliance with all regulations and laws.

Point for business leaders to consider:

  • Regulators and judges are increasingly asking not just whether a company has an anti-fraud, anti-money laundering, or corporate ethics policy in place. They are also asking how well such programs work and whether their quality and results make sense. They are asking, in other words, how good are they? This trend raises the stakes for those charged with governance.

An example of an effective “anti-fraud policy” may prove helpful to business leaders who want to create an organization-specific plan. Our team at Compliance Mitigation offers the following as a template:


1. INTRODUCTION

  • Our company (the “Company”) has a commitment to high legal, ethical and moral standards. We expect all members of staff to share this commitment. The Board of Directors tries to ensure that a risk (and fraud) awareness culture exists in this organization. Fraud is an ever-present threat and hence must be a concern to all members of staff. Our Company views fraud as an extremely serious matter and is committed to the promotion of an Anti-Fraud Culture throughout the
  • We created this document to provide direction and help to those who find themselves having to deal with suspected cases of theft, fraud or corruption. This document gives a framework for a response, advice and information on various aspects and implications of an investigation. It is not intended to provide direction on prevention of
  • This Policy applies to any irregularity, or suspected irregularity, involving employees as well as consultants, vendors, contractors, customers and/or any other parties having a business relationship with the Company. Any investigative activity required will be conducted without regard to any person’s relationship to this organization, position or length of service. All managers and supervisors have a duty to familiarize themselves with the types of improprieties that might be expected to occur within their areas of responsibility and to be alert for any indications of



2. DEFINITIONS – WHAT IS FRAUD?

  • We define Fraud as “dishonestly obtaining an advantage, avoiding an obligation or causing a loss to another party.” The term “fraud” commonly includes activities such as theft, corruption, conspiracy, embezzlement, deception, bribery and extortion. It may involve:
    • manipulation, falsification or alteration of records or documents;
    • suppression or omission of the effects of transactions from records or documents;
    • recording of transactions without substance;
    • misappropriation (theft) or willful destruction or loss of assets including cash; and
    • deliberate misapplication of accounting or other regulations or
  • The criminal act is the attempt to deceive, and attempted fraud is therefore treated as seriously as accomplished
  • Computer fraud arises where information technology equipment has been used to manipulate programs or data dishonestly (for example, by altering, substituting or destroying records, or creating spurious records), or where the use of an IT system was a material factor in the perpetration of fraud. Theft or fraudulent use of computer time and resources is included in this definition.
  • Some illustrations of incidents which would be classified as fraud are contained in Appendix A to this




  • The purpose of the Fraud Response Plan (the “Plan”) is to ensure that effective and timely action is taken in the event of a fraud. The Plan aims to help minimize losses, reduce liability and increase the chances of a successful
  • The Plan defines authority levels, responsibilities for action, and reporting lines in the event of a suspected fraud or irregularity. It acts as a checklist of actions and a guide to follow in the event of fraud being suspected. The Plan is designed to enable the Company to:
    • prevent further loss;
    • establish and secure evidence necessary for criminal, civil and/or disciplinary action;
    • determine when to contact the police and establish lines of communication;
    • assign responsibility for investigating the incident;
    • minimize and recover losses;
    • review the reasons for the incident, the measures taken to prevent a recurrence, and determine any action needed to strengthen future responses to



  • The company will undertake fraud investigations where there is suspected fraud and take the appropriate legal and/or disciplinary action in all cases where that would be justified. Whether there is fraud (proven or suspected), the Company should make any necessary changes to systems and procedures to prevent similar frauds from occurring in the future. The Company should establish systems for recording and subsequently monitoring all discovered cases of fraud (proven or suspected).
  • Responsibility for exercising disciplinary actions rests with the Director of Human Resources [or the Director of Compliance, for a company large enough to have independent compliance personnel], although this should be done in consultation with other Executives where



  • The Executives (CEO and CFO) of the Company are responsible for establishing and maintaining a sound system of internal controls that support the achievement of Company policies, aims and objectives. The system of internal controls is designed to respond to and manage the whole range of risks that the Company faces. Managing fraud risk will be seen in the context of the management of this wider range of
  • Overall responsibility for managing the risk of fraud has been delegated to front line managers and an internal auditor (whose duties are defined below). Their responsibilities include:
    • developing a fraud risk profile and undertaking a regular review of the fraud risks associated with each of the key organizational objectives in order to keep the profile current;
    • designing an effective control environment to prevent fraud from happening;
    • establishing appropriate mechanisms for:
      • reporting fraud risk issues,
      • reporting significant incidents of fraud to the CFO and Human Resources [or the Compliance Department].
    • making sure that all staff are aware of the Company’s attitude to fraud and know what their responsibilities are in relation to combating fraud;
    • developing skill and experience competency frameworks;
    • ensuring that appropriate anti-fraud training and development opportunities are available to appropriate staff in order to meet the defined competency;
    • ensuring that vigorous and prompt investigations are carried out if fraud occurs or is suspected;
    • taking appropriate disciplinary action against supervisors where supervisory failures have contributed to the commission of fraud;
    • taking appropriate action to safeguard the recovery of assets;
    • ensuring that appropriate action is taken to minimize the risk of similar frauds occurring in the future.
  • Line Managers are responsible for:
    • ensuring that an adequate system of internal controls exists within their areas of responsibility and that controls operate effectively;
    • preventing and detecting fraud;
    • assessing the types of risk involved in the operations for which they are responsible;
    • regularly reviewing and testing the control systems for which they are responsible;
    • ensuring that controls are being complied with and their systems continue to operate effectively;
    • implementing new controls to reduce the risk of similar fraud occurring where frauds have taken
  • The Internal Auditor is responsible for:
    • delivering an opinion to the CFO and Audit Committee on the adequacy of arrangements for managing the risk of fraud and ensuring that the Company promotes an anti-fraud culture;
    • assisting in the deterrence and prevention of fraud by examining and evaluating the effectiveness of controls commensurate with the extent of the potential exposure/risk in the various segments of the Company’s operations;
    • assisting management in conducting fraud
  • Every member of staff bears responsibility for:
    • acting with propriety in the use of Company resources and the handling and use of Company funds whether they are involved with cash or payments systems, receipts or dealing with suppliers or
    • being alert to the possibility that unusual events or transactions could be indicators of fraud;
    • reporting details immediately through the appropriate channel, if they suspect that a fraud has been committed or see any suspicious acts or activities;
    • co-operating fully with whoever is conducting internal checks, reviews or fraud investigations.



6. FRAUD DETECTION

  • Line Managers should be alert to the possibility that unusual events or transactions could be symptoms of fraud or attempted fraud. Fraud may also be highlighted as a result of specific management checks or be brought to management's attention by a third party. Additionally, irregularities occasionally come to light in the course of audit
  • The factors which gave rise to the suspicion should be determined and examined to clarify whether a genuine mistake has been made or an irregularity has occurred. An irregularity may be defined as any incident or action which is not part of the normal operation of the system or the expected course of
  • Preliminary examination may involve discreet enquiries with staff or the review of documents. It is important for staff to be clear that any irregularity of this type, however apparently innocent, will be



  • When any member of staff suspects that a fraud has occurred, he/she should notify his/her Line Manager or Internal Auditor immediately. Speed is of the essence and this initial report can be verbal and must be followed up within 24 hours by a written report addressed to the Line Manager/Internal Auditor which should cover:
    • The amount/value if
    • The position regarding
    • The period over which the irregularity occurred, if
    • The date of discovery and how the suspected fraud was
    • Whether the person responsible has been
    • Whether any collusion with others is
    • Details of any actions taken to
    • Any other information or comments which might be


  • Before completing the report above, line management may want to undertake an initial inquiry to ascertain the facts. This enquiry should be carried out as speedily as possible after suspicion has been aroused: prompt action is essential. The purpose of the initial enquiry is to confirm or negate, as far as possible, the suspicions that have arisen so that, if necessary, disciplinary action including further and more detailed investigation may be initiated. The Internal Auditor is available to offer advice on any specific course of action which may be necessary.


  • As the gravity of each irregularity might be different, a reporting member of staff may wish to act in accordance with the "Policy on Reporting and Investigating Allegations of Suspected Improper Activities."




  • On verbal notification of a possible fraud the Line Manager/Internal Auditor must immediately contact the CFO. He/She will inform and consult with the CEO (General Director) in cases where the loss is potentially significant or where the incident may lead to adverse
  • The CFO will maintain a log of all reported suspicions, including those dismissed as minor or otherwise not investigated. The log will contain details of actions taken and conclusions reached and will be presented to the Audit Committee for inspection annually. Significant matters will be reported to the Board of Directors as soon as
  • Where a member of staff is to be interviewed or disciplined, the CFO and/or Internal Auditor will consult with, and take advice from, the Director of Human Resources [or Director of Compliance]. He will advise those involved in the investigation in matters of employment law, Company policy and other procedural matters (such as disciplinary or complaints procedures) as




  • If it appears that a criminal act has not taken place, an internal investigation will be undertaken to:
    • determine the facts;
    • consider what, if any, action should be taken against those involved;
    • consider what may be done to recover any loss incurred; and
    • identify any system weakness and look at how internal controls could be improved to prevent a recurrence.


After proper investigation, the Company will take legal and/or disciplinary action in all cases where leaders consider further action appropriate. There will be consistent handling of cases without regard to position or length of service of the perpetrator.

  • Where an investigation involves a member of staff and it is determined that no criminal act has taken place, the CFO will liaise with the Director of Human Resources [or Director of Compliance] and appropriate Line Manager to determine which of the following has occurred and therefore whether, under the circumstances, disciplinary action is appropriate:
    • gross misconduct (i.e. acting dishonestly but without criminal intent);
    • negligence or error of judgment was seen to be exercised; or
    • nothing untoward occurred and therefore there is no case to
  • Where, after having sought legal advice, the CFO judges it cost effective to do so, the Company will normally pursue civil action in order to recover any losses. The CFO will refer the case to the Company’s legal advisers for
  • Where initial investigations point to the likelihood of a criminal act having taken place, the Executives (CEO or CFO) will contact the police (or appropriate Federal agency, as the case may be) and the Company’s legal advisers at once. The advice of the police will be followed in taking forward the
  • The investigations described above will also consider whether there has been any failure of supervision. Where this has occurred, appropriate disciplinary action will be taken against those responsible for this


10. RECOVERY OF LOSSES

The recovery of losses should be a major objective of any fraud investigation. To this end, the quantification of losses is important. Repayment of losses should be sought in all cases. Where necessary, the Company will seek external advisors and legal advice on the most effective actions to secure recovery of losses.



11. MANAGERS’ DUTY OF CARE

  • Managers conducting initial enquiries must be conscious that internal disciplinary action and/or criminal prosecution may result. If such action is later taken, then under proper procedure the member of staff concerned has a right to representation and may have the right to remain silent. Utmost care is therefore required from the outset in conducting enquiries and
  • In addition, in order to protect the Company from further loss and damage from destruction of evidence, it may be necessary to suspend the member of staff concerned immediately after the allegation has been made or following the submission of the Manager’s initial verbal report. Specific advice should be sought from Human Resources [Compliance] before




If the initial examination confirms the suspicion that a fraud has been perpetrated, then to prevent the loss of evidence which may subsequently prove essential for disciplinary action or prosecution, the person heading up the investigation (“Head of Investigation”) should:

  • take steps to ensure that all original evidence is secured as soon as possible;
  • be able to account for the security of the evidence at all times after it has initially been secured, including keeping a record of its movement and signatures of all persons to whom the evidence has been transferred. For this purpose, all items of evidence should be individually numbered and descriptively labeled;
  • not alter or amend the evidence in any way;
  • keep a note of when investigators came into possession of the evidence. This will be useful later if proceedings take place;
  • remember that all memoranda relating to the investigation must be disclosed to the defense in the event of formal proceedings against an employee, so it is important to carefully consider what information needs to be recorded. Particular care must be taken with phrases such as “discrepancy” and “irregularity” when what is really meant is fraud or theft;


  • ensure that electronic evidence is appropriately handled by certified




13.1     Executives of the Company will nominate in writing the Head of Investigation on a case by case basis depending on the gravity of issues and potential losses involved. The Internal Auditor will oversee and control the subsequent investigation, therefore for this purpose the Head of Investigation will report to the Internal Auditor.

  • The Terms of Reference should be agreed between those involved in the investigation. The Head of Investigation should arrange for an action plan to be put in place with, as far as is possible, a set timeframe and regular reviews. He should call on the assistance of various sources of help at all stages (technical assistance, personnel, external audit, attorneys, etc.) but ultimate responsibility and accountability in progressing the case should remain with the Head of Investigation.
  • The Head of Investigation should have the necessary authority (i.e. the appropriate rank and experience) to enable him/her to properly discharge these duties. Depending on the volume of work to be performed and the issues involved, this person might be released from his/her main duties in the Company on a temporary
  • The Head of Investigation should also be independent from the matter in question. It is the responsibility of the Head of Investigation to keep the Internal Auditor abreast of developments and report all material developments promptly to facilitate onward reporting to the Executive Team and Audit




Following completion of the case, the Internal Auditor should prepare a summary report on the outcome and lessons learned and circulate it to all other interested parties, who must take the appropriate action to improve controls and reduce the scope for future recurrence of the fraud. Where a fraud has occurred, Management must make any necessary changes to systems and procedures to minimize prospects for similar acts of fraud.



Deloitte, one of the world’s largest business consultants, offers the following guidance for businesses that want to begin a fraud-response plan:

  • Create an allegation system:
    • In what ways does the company systematically receive complaints?
    • What process exists to assess the validity of complaints?
    • How does the company train team members on what they should do if they suspect fraud?
    • How does the company train team members on what they should not do if they suspect fraud?
  • Allegation Triage:
    • How does the company determine when to escalate a complaint to a formal investigation?
    • How does the company document the criteria to determine which complaints get investigated?
    • What protocols guide the investigator’s assignment?
  • Case Investigation:
    • What work plan exists to guide investigations?
    • How do investigators handle evidence?
    • What level of competency do investigators have?
    • How does the company review case status?
    • Who has access to case files?
  • Communication and Reporting:
    • How do investigators communicate with stakeholders?
    • How does the company reveal investigations to team members?


Action List

The following checklist of actions may guide a person that suspects fraud within the company.

  1. Do not act on emotion. It’s time to gather all the facts.
  2. Alert appropriate management within your organization. This, of course, heavily depends on who’s suspected of committing the fraud. Fraud discovered at the lower echelons of the company can probably be handled by the direct manager in association with the compliance supervisor. Things get a bit more complicated the higher you move up the corporate ladder. Accountability, though, goes straight to the President, CEO and Board of Directors. So, make sure compliance is amply prepared and authorized to do what’s necessary even upon discovery of high-level fraud within the company.
  3. Document date, time and details of initial report/discovery. This is important for both the reporting of the suspected fraud and ongoing investigation.
  4. Take notes (and/or pictures and video) of all observations and actions. Important information can quickly be forgotten or confused over time. Creating copious notes and/or documenting photographic evidence helps ensure you have all the information the company needs to maintain the integrity of the investigation.  
  5. Maintain confidentiality (only inform those people who need to know about the suspected act). Loose lips sink ships – and investigations. Prematurely alerting the suspect(s) leads to destruction of evidence and cover-ups.
  6. Do not confront the suspect. You could be putting yourself in danger, in addition to undermining the investigation.
  7. Write out in full the suspected act or wrongdoing in as much detail as possible, including:
    • The alleged occurrence,
    • Who was involved in the occurrence,
    • Whether the activity is ongoing,
    • Location of occurrence,
    • The value of the loss or potential loss, and
    • A list of who else may know of the activity.


Collection of evidence is critical for proving the crime. Corporate investigations can take months and legal ones even longer.


  1. Identify all documentary and other evidence connected to the activity, such as:
    • Invoices,
    • Contracts and agreements,
    • Purchase orders,
    • Checks,
    • Computers,
    • Laptops,
    • Tablets,
    • Cell phones,
    • Cloud access accounts,
    • Credit card statements, and
    • Relevant social media accounts.
  2. Immediately gather the evidence (only if doing so will not alert the suspects) and place it in a secure area. Bear in mind the need to maintain a legitimate chain of evidence in case it becomes necessary to bring in outside authorities.
  3. Protect the evidence from damage or contamination. This includes all confiscated electronic devices. You may need the evidence for civil or criminal proof, or even for a countersuit against a litigious fired employee, should that become necessary.
  4. Identify all potential witnesses. This includes people inside and outside your organization. Certain people may even shift from witness to suspect and vice versa during the course of your investigation.
  5. If possible, secure and/or remove the suspect’s access to relevant computers and security systems. This decision is delicate and may need to be made at the highest levels of authority within the organization. There’s a fine balance between mitigating damages and continuing to collect evidence. You may want to consult outside legal and accounting firms and request an Opinion Letter regarding your decisions, depending on the situation.
  6. Ensure regular back-up of all files and secretly place additional security on all accounts the suspect(s) may have access to.
  7. Contact the company’s outside counsel and accountants for advice and recommendations. This should occur early on in the process but, typically, at the highest levels of management.
  8. Contact the company’s insurance carrier. You may or may not be covered for the type of fraud under investigation. Should you be covered, the insurer may have its own processes for conducting investigations and you may unwittingly forfeit certain rights or claims by not alerting them early enough. The insurer, moreover, may try to deny the claim and you might be forced to retain additional counsel to sue your insurer for coverage.
  9. You may need to retain a forensic accountant. Some frauds can be quite elaborate and complex, involve multiple jurisdictions and/or require advanced training in computer programming. A full investigation may require particular expertise.
  10. Continue to monitor suspicious personnel and activities to ascertain the full breadth and extent of the fraud.