Internal audit vs. forensic investigation: two visions of an internal investigation

Forensic? This is an Anglo-Saxon term that comes directly from police jargon. First used in forensic medicine, the word was then used in the computer field with the advent of the computer for FBI purposes. More generally, it could be used to describe a method, a collection of data and its analysis, which could be used in legal proceedings.

This Forensic method is not new to Europe, and the private sector was quick to understand the benefits it could bring to the Litigation sector. In this way, investigators tracked down falsified results and secondary accounting. A few years later, in the face of cybercrime, forensic techniques have evolved to thwart attacks and help strengthen information systems. In this case, it was a question of analyzing log files and other technical files. In recent years, forensic investigations have been used in internal investigations in response to the growing complexity of social regulations. The human factor is therefore becoming increasingly important, since it is now a question of foiling fraud, uncovering corruption or even establishing harassment.

Forensic investigations have not yet reached their full potential on the European market. This is particularly due to the fact that most Group Audit Directors are more inclined to apply their standard methodology when an alert or suspicion of fraud or corruption comes to their attention. It’s an understandable mistake, given that Audit and Forensic are close cousins in the investigation family. Our Anglo-Saxon neighbors have long understood the main qualities and advantages of a forensic investigation in such a situation. It’s a safe bet that this trend will spread across Europe with the development of ethics alert systems within international groups.

So why use Forensic methodology rather than Internal Audit?

Of course, as an expert forensic investigator, I’m part of this debate, but let’s try to analyze the facts objectively… just as a forensic investigation would.

Let’s start with the Audit methodology. The latter is not suited to handling a report of fraud or corruption raised by the whistleblowing system. First of all, it is organized to follow the opposite direction of a survey, starting from the general risk (the company’s operations) and moving towards the specific (the subject of the survey) as the work program is implemented. More generally speaking, auditing takes place upstream of the offence, whereas forensic investigations act in reaction. Fraud, corruption and money laundering are not rooted in a general problem, but in one or more individuals within a company who exploit a weakness for personal gain. It’s not the flaw in a system that produces the offence. The loophole is simply the opportunity exploited by the individual to achieve his or her ends. It is from this individual that the forensic investigation begins, growing in ever-widening concentric circles until it has covered the entire offence.

By focusing on the flaw in the system, an auditor’s investigation does not take the best angle to understand the facts it reveals, as it necessarily lacks information. Fraud and corruption are offences whose modus operandi lies at the heart of the perpetrator’s personality. In a forensic investigation, on the other hand, investigators start with the individual. They gather information from his closest environment to deduce his psychology, which will tell us where and how to look for evidence. Whereas an audit can point to a lack of organization and responsibility, or a flaw in procedures, forensics can understand the suspect’s motivations and personal goals, and trace the chronology of his or her actions. In auditing, the internal workings are the central element of the investigation; in forensics, they are merely the backdrop around the actor. Thus, auditors audit a process or situation with a view to evaluation, whereas forensic investigators investigate a person in order to establish opposable facts.

The suspect’s personality, motivations and motives are all necessary information for a forensic investigation. To obtain them, the investigators will retrieve the subject’s almost personal data, i.e. that contained in his or her computer hardware. Coming directly from the suspect, this information will tell us about his actions, habits, background and relationships. A portrait will be drawn and the motive will emerge. We will therefore have a solid working hypothesis that will allow us to broaden our research depending on the anteriority of the facts, their scope, the involvement of possible accomplices, etc…

To achieve this intimate knowledge of the subject, the Forensic team needs to investigate in close contact with the subject. His computer, phone and e-mails will be analyzed. This is when the cat-and-mouse game begins. The suspect may be tempted to hide or erase evidence of his actions. To do this, we have powerful tools at our disposal that enable us to track down the original information. Hidden or formatted partitions, encrypted messages, deleted or hidden documents – these are just some of the tricks the Forensic Investigator has learned to spot and foil. His in-depth knowledge of the technical workings of computers and telephones means he’s always one step ahead. When you’re familiar with the loopholes exploited by forensics, you understand that it’s very difficult to conceal digital data, and that any use of it leaves a trace that can be traced back. Sometimes, the Forensic team has to analyze large volumes of data. How do you find the incriminating e-mail among millions? Here again, Ediscovery software helps us to find the needle in the haystack in the shortest possible time. Better still, in the age of artificial intelligence and maching learning, analysis stations behave like a real investigator, sorting out the interesting data from the uninteresting. Where the auditor works with statistical samples, the forensic investigator uses profiling and systematic analysis of all the data.

Corporate Intelligence research techniques then come into play. In addition to the quasi-personal information discovered on its hardware, the company will also be able to access information found outside the company: social networks and open databases. Illegal interest-taking, influence peddling and other illicit agreements will not stand a chance.

One might think that the differences between auditing and forensic science stop at the digital investigation stage. In my experience, there’s another major difference: the interviews.

Of course, an auditor knows how to conduct interviews. No audit can take place without an exchange between the auditor and the person being audited. However, it’s not a question of evaluating an employee’s performance or compliance with protocols; it’s a question of building trust and cooperation. I usually compare an Audit interview to hearing a witness. In the case of the subject of the investigation, the procedure is quite different, as it may incriminate a person for facts that could lead to dismissal for serious misconduct, or even criminal liability. The stakes are quite different for the person being heard. This interview with the suspect calls for the use of very specific techniques and strategies, since it must be borne in mind that the subject’s personal and professional situations may be affected. The latter will therefore instinctively seek to defend itself to protect them. Denial will be his first reflex, followed by lies and half-truths. By pointing out the inconsistencies in his lies, he will soon be cornered, bogged down in his declarations and unable to resist the facts that will be set against him. A forensic investigation interview, like a police hearing or a hearing with a judge or lawyer, provides a criminal demonstration of the facts established, demonstrating one by one the elements constituting the offence. It unfolds like a game of chess, with each player advancing his pawns as he tries to unfold his strategy. One seeks to save his king, while the other seeks only to establish the truth on the chessboard.

It would be impossible to be honest about the differences between auditing and forensic science without taking stock of what we have in common. As I said in my opening remarks, we’re cousins from the same family: Investigation. The notions of strict compliance, integrity, objectivity, evidence management and ethics are shared by Forensic auditors and investigators, and are essential to their investigations.