Discovered Fraud …… What Now?

Christo Snyman Director of Forensic Mazars

The COVID-19 pandemic may have restricted the activities of law-abiding citizens, but not so with fraudsters who have found the current environment much to their liking. As many as half of all companies have reported an increase in fraud.

The best way to limit fraud losses is, of course, to prevent them from ever happening in the first place, with a comprehensive fraud response plan. Making critical decisions in an environment of stress can have unwanted results. The plan should address factors which will aim to reduce reputation damage, minimise legal fees and remediation fees, while preventing further losses. However, fraud may nonetheless still occur and one needs to know how to respond once a case has been uncovered. The following is Mazars’ five-point strategy:

Mitigation of risk: The first step is to immediately limit the suspect’s access to company assets, including the company’s bank account, information networks, email and physical premises, by confiscating keys and changing passwords. Restrict the number of people that any information is shared with to only limited and trusted parties. I have seen cases where the suspect can delete multiple files even in the brief moment of ‘collecting their belongings’.

Secure the evidence: Collect the necessary electronic and physical evidence such as documentation and backups that are at risk of being destroyed. This includes confiscating any electronic devices such as mobile phones, flash drives, laptops and hard drives. Refrain from downloading or moving files from a laptop, as the evidence may become inadmissible as it’s considered to have been tampered with and can be challenged in court. Companies should consider employing a cyber forensic specialist to ensure the evidence is not compromised and forensic images are obtained for evidentiary purposes. Maintain an audit trail of the chain of evidence obtained. Some third-party information might require legal assistance to obtain.

Conducting the investigation: Make sure a responsible individual conducts the investigation while following company policy and applicable legislation. An external party should be appointed to investigate the matter in any case whether there is a potential conflict of interest.  The investigation should cover: documents and data analytics; bank statements; people tracking; interviews with employees; research on similar matters at the company or elsewhere; and consulting with advisers. The bank should be contacted to obtain an audit of all changes to beneficiaries that the suspect might have affected. Cyber specialists can be appointed to make copies of relevant computers.

Reporting obligations: The Prevention and Combating of Corrupt Activities Act requires that any incident involving more than R100,000 needs to be reported to the police. This should be done in the form of an affidavit, with all contact details and a clear and concise description of exactly how it occurred. Remember to always keep a certified copy and police case number. In the case of a public or listed company it needs to be reported to investors and the JSE. It also needs to be reported to the company’s insurers. The company investigator should liaise with the SAPS investigating officer. Whether bail is offered or not depends on a number of factors that relate more to the suspect than the actual crime – whether they are a flight risk and whether they have previous convictions, as well as the seriousness of the offence.

Employee management: In certain instances where the suspect is an employee,  the employee management process is guided by legislation and company policies. The following sources provide guidance on what to do: the Constitution; Labour Relations Act (LRA); Basic Conditions of Employment Act; and the Employment Equity Act. Suspension of the employee has to be done according to company policy, and the employee is entitled to be placed on precautionary suspension with pay while the investigation is happening. An employee has the right to challenge the suspension. The reason for the suspension is that the company works with and manages confidential information, and the employee must be prevented from influencing or compromising such information or the investigation, as well as to maintain a good working environment. At some stage after suspension the disciplinary process commences. The Constitution and LRA provide the foundation for managing the employment relationship, and company policy provisions must comply with legislation, while the BBBEE Codes of Good Practice merely provide guidance.

Best practice today in respect of company policies is to include policies spelling out fraud prevention, anti-bribery and anti-corruption, which impose an obligation on employees to report fraud, bribery and corruption. Best practice similarly calls for an IT policy defining access to the company as including access to computers laptops and mobile phones. There would be policies governing whistleblowing and activities which give rise to conflicts of interests. Training provides a system of identifying fraud and staff have to be trained to understand the relevant policies.

Mazars recommends that all employers have such policies in place.

  • Christo Snyman, Director: Mazars Forensic Services


Please enter your comment!
Please enter your name here