Using Digital Forensics To Tackle Payroll Fraud

Despite employers’ best efforts, not every staff member will act in an honourable way. Sometimes they commit crimes, such as fraud and theft, and will usually try to conceal them. As such crimes are not always detected immediately, the repercussions can be huge, and ultimately hit the bottom line.

In relation to payroll, the most common types of fraud are perpetrated internally. They include creating ghost employees, which entails putting non-existent staff on the payroll; overpayment; double, or multiple, payments; and misdirected payments. The latter involves legitimate salary costs being remitted to a bank account controlled by the fraudster.

But between employee files, payroll details, timekeeping systems and other human resources data, there is a large volume of data that must be collected and analysed by digital forensics teams.

The digital forensic investigations process is based on a methodological approach that uses technology to bring sense, scale and order to this wealth of available data. It starts with an incident being reported. The case is then carefully managed through a number of different stages until its conclusion.

The analysis element of the process is automated and highlights those areas of information that require closer inspection, reducing large data sets to only those transactions that are most likely to be of interest to investigators. 
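To illustrate how automated analysis can reduce a payroll run to the rows worth an investigator's attention, here is an added example (not from the authors or any tool they describe) that applies one rule for each fraud type listed above. The record layout, the sample data and the 10% overpayment tolerance are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: HR roster maps employee id -> contracted monthly pay.
HR_ROSTER = {"E001": 3000, "E002": 3200, "E003": 2800, "E005": 3100}

# Constructed payroll run: (employee id, pay period, bank account, amount).
PAYMENTS = [
    ("E001", "2024-01", "ACC-111", 3000),
    ("E002", "2024-01", "ACC-222", 3200),
    ("E002", "2024-01", "ACC-222", 3200),  # paid twice in one period
    ("E003", "2024-01", "ACC-111", 2800),  # same account as E001
    ("E004", "2024-01", "ACC-444", 2900),  # no HR record
    ("E005", "2024-01", "ACC-555", 3100),
    ("E001", "2024-02", "ACC-111", 3900),  # above contracted pay
    ("E005", "2024-02", "ACC-555", 3100),
]

def flag_payments(payments, roster, tolerance=0.10):
    """Return {rule: sorted findings}; tolerance is an assumed threshold."""
    per_period = defaultdict(int)     # (employee, period) -> payment count
    account_users = defaultdict(set)  # bank account -> employees paid into it
    flags = {"ghost": set(), "overpayment": set()}
    for emp, period, account, amount in payments:
        per_period[(emp, period)] += 1
        account_users[account].add(emp)
        if emp not in roster:
            flags["ghost"].add(emp)  # on payroll, absent from HR
        elif amount > roster[emp] * (1 + tolerance):
            flags["overpayment"].add((emp, period))
    flags["duplicate"] = {k for k, n in per_period.items() if n > 1}
    flags["shared_account"] = {(acc, tuple(sorted(emps)))
                               for acc, emps in account_users.items() if len(emps) > 1}
    return {rule: sorted(found) for rule, found in flags.items()}

def reduce_to_review_set(payments, roster):
    """Keep only the payment rows touched by at least one flag."""
    flags = flag_payments(payments, roster)
    ghosts = set(flags["ghost"])
    periods = set(flags["overpayment"]) | set(flags["duplicate"])
    accounts = {acc for acc, _ in flags["shared_account"]}
    return [p for p in payments
            if p[0] in ghosts or (p[0], p[1]) in periods or p[2] in accounts]

if __name__ == "__main__":
    for rule, found in flag_payments(PAYMENTS, HR_ROSTER).items():
        print(rule, found)
    print(len(reduce_to_review_set(PAYMENTS, HR_ROSTER)), "of", len(PAYMENTS), "rows need review")
```

A flag here is a reason to look closer, not proof: a shared account may belong to a married couple, and a payment above contract may be a legitimate bonus.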

Whether the forensics are digital or physical, the goal is fundamentally the same – to prove exactly what happened during a given period, and to attribute such actions to a specific individual or group of people so that an effective and appropriate response can be made.

Both types of forensics rely on acquiring and analysing data in an efficient way. We live in a digital age, and every action leaves a digital footprint that can be tracked and understood. Even in exceptional circumstances, such as a computer being tampered with (we had one thrown into a lake), forensic evidence can be recovered to help trace what happened and when.

Investigations of any kind, whether they consist of disputes, corruption allegations or regulatory reporting issues, tend to involve both the analysis of financial data and a review of corporate emails. Written communications between different parties and any instructions given by them often play a significant part in helping to piece together the whole story. Even though most people are aware that email can be recovered and reviewed, many still use it when committing payroll fraud.

How investigations are carried out

Official statistics from the UK’s Financial Conduct Authority reveal that, in Great Britain at least, the vast majority of forensic investigations are initiated by whistleblowers reporting suspicious behaviour. This situation highlights the importance of having effective, well-communicated policies in place to assist individuals in raising their concerns and ensuring they are protected against retaliation. Examples here include open-door policies, 24-hour whistleblowing websites in multiple languages and a clear, written commitment to non-retaliation.

When undertaking a probe, it is important that investigations teams are aware of which systems and devices those suspected of wrongdoing may be using or have access to. Such systems often include corporate email accounts, network drives, computers, external storage, such as thumb drives, and mobile phones, as well as payroll and other financial applications.

Investigators may start with a ‘behind-the-scenes’ probe to explore what can be ‘lifted’ from the shared network. This is especially useful if the individual in question regularly works outside of the office or uses a laptop, which means there is no immediate access to their machine’s hard drive.

If they are tipped off about the investigation though, forensics professionals tend to focus on a ‘funnelled approach’, starting with easier, less observable data sources and moving on when there is enough evidence to warrant further evaluation.

Once it is believed there is enough evidence and a good understanding of what has been taking place, the interview process can begin. Typically, investigators start by speaking to people who are suspected of having minimal involvement and finish with those they believe to be most closely involved. Taking this approach enables them to build up a concrete knowledge base.

While each company handles investigation procedures differently, the main focus is to determine whether the immediately available evidence supports or refutes the allegation. If the evidence is there, it acts as a trigger point to help the organisation make an informed decision as to whether they would like to take things further. But evidence is imperative to demonstrate there is fire to go with the smoke.

Once an investigation has reached its conclusion, it is important to use the experience productively to fill any gaps in existing policies, processes and procedures. This exercise serves the dual purpose of mitigating the risk of a potential fraudster using established methods, and sending a strong message to all staff that fraud can, and will, be detected, and action taken.

So while it is vital for employers to trust their employees, this does not mean they should not be vigilant and check things out if a red flag has been raised. Companies have a duty of care to other staff and stakeholders, so it is imperative for both their reputation and their bottom line that any potential issues are resolved as quickly as possible.

 Phil Beckett  Daniel Barton

 Daniel Barton and Phil Beckett are joint managing directors of disputes and investigations at Alvarez & Marsal. Daniel has over 20 years of professional experience in forensic accounting investigations, specialising in fraud, bribery and corruption, and regulatory issues. Phil has worked with global clients across a wide range of sectors and has more than 19 years of experience in forensic technology, advising clients on forensic investigations of digital evidence and the interrogation of complex data sets.