1. Theft investigation methods help to investigate fraud because they allow the investigator to determine specific facts about the fraud such as how the fraud was perpetrated and how the fraud was concealed. Three main methods are used to investigate theft in suspected frauds. They include surveillance and covert operations, invigilation, and physical evidence. Surveillance and covert operations are used in three ways: stationary or fixed point, moving or tailing, and electronic surveillance. Invigilation is used to determine if fraud is occurring, while physical evidence is used to analyze objects such as inventory, assets, and broken locks.
2. Determining the existence of predication is the most important factor to consider when deciding whether to investigate a case of fraud. Predication is defined as circumstances that would lead a reasonable, prudent professional to believe that a fraud has occurred, is occurring, or will occur. Other important factors include:
a. Expected strength of evidence.
b. Exposure or amount that could have been taken.
c. The signal that investigation or noninvestigation will send to others in the organization.
d. Risks of investigating and not investigating.
e. Public exposure or loss of reputation from investigating and not investigating.
f. Nature of the possible fraud.
3. A vulnerability chart can be useful when coordinating theories about a suspected fraud. A vulnerability chart coordinates the various elements of the possible fraud, including assets that were taken or are missing, individuals who have opportunities to commit fraud, promising methods to use in the theft investigation, concealment possibilities, conversion possibilities, symptoms observed, pressures on possible perpetrators, potential rationalizations for the fraud, and key internal controls that had to be compromised for the theft to occur.
4. A surveillance log is a detailed record used in an observation. A surveillance log includes the date and time of observation, the name of the observer, the names of corroborating witnesses, the position from which the observation was made, its distance from the scene, and the time the observation began and ended, along with a detailed time log of all the movements and activities of the suspect.
5. Invigilation is a condition where management imposes strict temporary controls on an activity so that during the observation period, fraud is virtually impossible. Management keeps detailed records before, during, and after the invigilation period. By comparing the activity during the three periods, management can obtain evidence about whether fraud is occurring.
6. Physical evidence, such as paints, stains, fingerprints, and tire marks, can help determine who stole certain assets. For example, by tracing the fingerprints on the safe to a certain employee, we can determine who accessed the safe and if they had authorization to do so.
7. The steps may vary from case to case, depending upon the media being seized. However, the general pattern is:
a. Step 1: After ensuring that you have the legal right to seize, secure the device and perform initial tasks
b. Step 2: Clone the device and calculate a CRC checksum
c. Step 3: Search the device manually
d. Step 4: Search the device using automated procedures
8. If perpetrators suspect they are being investigated for fraud, they could do two things that would affect the outcome of the investigation: destroy or conceal important evidence and completely stop their fraudulent acts so that they cannot be caught in the act.
9. It is important to consult legal counsel to ensure that the suspect’s legal rights will not be violated in the course of the investigation, and that the evidence being obtained will be able to be used in a court of law. It is important to consult with human resources to ensure that company privacy policies are being followed throughout the investigation, and that the investigation will not cause problems with other employees.
10. The Fourth Amendment to the Constitution protects the right of a person against unreasonable searches, and limits the extent to which investigations can be conducted.
11. The fraud triangle plus inquiry approach to investigation includes four things:
a. Theft investigative methods
b. Concealment investigative methods
c. Conversion investigative methods
d. Inquiry investigative methods
a. The CDs are free to download and use.
b. The included tools generally include very advanced tools.
c. The CDs can boot directly into the computer, bypassing Windows passwords.
d. Since the tools mount drives in read-only mode, no tracks are left in log files or file timestamps.
a. The tools are based on Linux and can be more difficult to use than more user-friendly, non-open source solutions.
b. The tools do not have the precedence in court that EnCase and FTK have.
c. The CDs are a combination of many different, stand-alone utilities. EnCase and FTK are all-in-one solutions that do much of the work for you. They are not nearly as user-friendly as non-open source, proprietary solutions.
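Step 2 of answer 7 (clone the device and calculate a checksum) can be checked as follows. This is an added example, not part of the original answer key: it computes the CRC the answer names and, as an assumption beyond the page, a SHA-256 digest alongside it, over constructed image files that stand in for a seized device and its clones.

```python
import hashlib
import os
import tempfile
import zlib

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large images never load fully into memory


def checksums(path):
    """Return (crc32_hex, sha256_hex) for the file or image at `path`."""
    crc = 0
    sha = hashlib.sha256()
    with open(path, "rb") as fh:  # read-only open: the evidence is never written to
        while chunk := fh.read(CHUNK):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return f"{crc:08x}", sha.hexdigest()


def verify_clone(source, clone):
    """Compare a clone against its source and report which checksums agree."""
    src_crc, src_sha = checksums(source)
    dst_crc, dst_sha = checksums(clone)
    return {"crc32_match": src_crc == dst_crc,
            "sha256_match": src_sha == dst_sha,
            "source_sha256": src_sha}


def demo():
    """Constructed sample data standing in for a seized device and two clones."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "device.img")         # hypothetical file names
    good = os.path.join(workdir, "clone_good.img")
    bad = os.path.join(workdir, "clone_altered.img")
    data = bytes(range(256)) * 4096  # 1 MiB of constructed content
    altered = bytearray(data)
    altered[500_000] ^= 0x01  # one flipped bit, as after a bad copy or later alteration
    for path, content in ((source, data), (good, data), (bad, bytes(altered))):
        with open(path, "wb") as fh:
            fh.write(content)
    return verify_clone(source, good), verify_clone(source, bad)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Recording the source digest at seizure time and re-running the comparison before analysis shows whether the working copy still matches the original.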