Managing Corporate Risk when Employee Fraud is Suspected

This is the first article in a series on employee fraud. Additional articles are:

Part 2 - Mitigating the Company’s Risk After an Employee Fraud

Part 3 - Collecting on a Loss Following an Employee Fraud

Part 4 - Preventing and Detecting Employee Fraud


When a company first becomes aware of financial irregularities in its business, the first reaction is usually to get to the bottom of the concerns. When the issue is suspected fraud, the increased sensitivity needs a quicker response. In those cases, the company may expose itself to increased risk if the next steps are not undertaken with care and consideration as to the preservation of evidence, the protection of information, the involvement of employees and third parties, and the potential outcome of the review. 

This article provides some tips, and traps to avoid, for a company faced with suspected employee wrongdoing to minimize those risks. 

Depending on how the concern was detected, the first step is to understand the allegations or the nature of the financial issue. In some cases, this may simply be accounting records that do not make sense for the business, such as a deteriorating financial position or cashflow shortage, unexplained losses, or concerns from customers or vendors with respect to their accounts. In other cases, employees or third parties may raise their suspicions with respect to the actions of an employee that warrant further investigation.  Regardless, it is important to fully understand the information that is raising the alarm and assess what further information is needed to complete the picture. In carrying out this review, keep in mind the following key areas.

Develop an Investigation Plan – Before taking any further steps, an investigation plan should be prepared to guide management in carrying out an internal investigation. The plan should include who will be on the investigation team, what information is required, how that will be obtained to preserve the integrity of the data, and when others will be apprised of the situation.  Specifically:

  • The “who” is extremely important. At the early stages, the investigation team should be limited to only those key individuals who need to be involved and should exclude any individuals who could be involved in the suspected wrongdoing. This also protects the company from a complaint from the suspected employee if it is found the allegations do not have merit.

  • The information required to address the specific allegation should be identified. This typically includes accounting and bank records, as well as other business records, specific to the allegation. For instance, if the concern relates to unauthorized purchases on a corporate credit card, the information required would include those credit card statements, expense reports, supporting receipts, bank statements, and the accounting entries for those transactions. Often relevant information is contained in electronic communications such as emails or text messages. Protocols should be put in place to recover such information and ensure the integrity of data is maintained, as discussed in further detail below.  

  •  Timing may be important as the investigation will need to start promptly but may need to be adapted if information cannot be gathered without raising suspicions with other employees. If that is the case, gathering information may need to be done outside business hours.  

  • The company should inventory the suspected employee’s physical and electronic access to the company’s premises and systems, as well as other information. If the company could be exposed to imminent risk, it may be necessary to lock the employee’s access to key information technology systems (including remote access) and the physical premises before the investigation is complete. Regardless, if action is taken against the employee it will be critical to obtain all corporate devices and other records from the employee and remove all access at that time.

  • Dealing with a suspected employee is one of the most difficult decisions to make. Caution should be exercised in taking any steps with a suspected employee until at least a preliminary investigation is completed and should not be done without first obtaining legal advice. The company should consider the risk in keeping the employee in their role, the access to sensitive information and risk of further malfeasance or loss, and the impact on the suspect and other employees as a result of any decision.

  • If the initial review supports the suspicions of wrongdoing, the investigation may need to be expanded to other areas. For example, if unauthorized credit card transactions are identified, consider other areas that the employee has access to such as payroll, bank authorization, etc. Also consider whether the initial review shows signs of involvement of other employees or third parties that may need to be investigated further.

  • Once the internal investigation is complete, consider when other parties need to be advised. This may include more senior members of management or the board of directors, a lawyer for employment and corporate advice, the company’s insurance company, and potentially an independent investigator or forensic accountant.  This will be discussed in greater detail in our next article – Mitigating the Company’s Risk After an Employee Fraud.      

Preserve Evidence – In carrying out the internal investigation, it is critical all information and data is handled as if it may become evidence at a later date. While some of the information may reside within the company’s own systems (such as the accounting software), there may be other physical documents or records stored electronically. For many companies, most of the business records and communications will be stored electronically and may even be held by the employee on personal devices. In gathering information, we recommend the following best practices:

  • Data stored on devices – If the employee uses a corporate device (computer, mobile phone), do not undertake any review without first having a forensic image of the drive prepared by a qualified IT person. By just reviewing the contents of the employee’s device, data may be altered, so it is best to maintain a clean copy and for the review to be done on a working copy. A forensic image can also restore data that was previously deleted but remains on the device in the background. Consider whether servers or other devices may also need to be reviewed and therefore preserved.

  • Physical documents – If physical records are being gathered, make a note of where they were stored. For instance, make a note of whether the records were in the regular filing system, in the suspected employee’s office, or with another employee. If documents are clipped together or have notes, be careful to identify whether there is any relevance before reviewing. Do not make any notations or markings on the documents – if required, maintain the original version and make copies that can then be marked by the investigation team during the review.

  • Employee’s workspace – If the employee has an office or workspace, perform a search to identify any additional information that may be relevant to the allegations. It is best to take a photo or draw a map of the workspace and identify on that map where any relevant documentation was identified (i.e., if copies of altered cheques were stored in a cabinet, that should be identified on the map).

  • Personal devices – If the employee uses a personal device or is working from a location outside of the corporate premises, which is much more common in the current environment, consider whether that information can be accessed. Legal advice may be required as to the company’s ability to access personal devices in particular.

Review Insurance Policies – Some companies have fidelity or crime policies that may provide coverage for a fraud loss. The insurance policies should be reviewed for details of the company’s coverage and specific requirements under the policy, including when the insurer must be notified. 

Obtain Legal Advice – Before taking any action with an employee, the company should seek legal advice in order to manage the risk of any potential claims from the suspected employee.  The company will also need to consider its legal remedies for potential recovery of any fraud losses from the employee.  

Important considerations to be addressed with insurers and lawyers are the subject of our next article in the series – Mitigating the Company’s Risk After an Employee Fraud.          

Written by:

Breanne Campbell
b.campbell@svrlawyers.com
403.231.8215

Breanne is a partner at SVR Lawyers and advises clients on a broad range of fraud claims including theft of corporate opportunity, employee embezzlement, and insurance fraud.

Bailey Rivard, CPA, CA·IFA, CBV, CFE, CFF
bailey.rivard@mnp.ca
403.536.2185

Bailey is a partner in MNP’s Valuations, Forensics and Litigation Support Services group. She provides independent investigation and litigation support services to clients and counsel when fraud or other wrongdoing is suspected.

Disclaimer: This article is provided solely for information purposes. The information presented does not constitute legal or professional advice and should not be relied upon for such purposes or used as a substitute for legal advice.