The investigations contact person is usually the integrity manager, internal auditor, risk manager, head legal or anyone in the organization that is independent of the processes in which the fraud took place.
Continued from Part 2.
Fraud cases have high reputational risk. For this, I always encourage the CEO to bring all fraud cases to the attention of the board. You want the board to be part of the decision early one so that there are no surprises. Many times, the CEO is the investigations report owner working closely with the audit committee chair.
The Group CEO assigned the Internal Auditor as the key contact person to help coordinate the investigations, who became my Suspect 1. This suspect gave me a list of staff in IT and operations including Head IT, suspect 2 – a senior and long-serving staff with access to all IT systems, and custodian of the ‘sa’ or super administrator password to the bank’s core banking system. The ‘sa’ password works like a master key. With it, one can access the entire system and do anything they need. In financial institutions, there controls over the use of the ‘sa’ password. Some banks’ security policies provide for two or more people to maintain the password with each person knowing part of the password such that two people are required to use it. In other banks, one needs dual authentication to get to the main server – one person opens the door with biometric access, and the other has the password.
Then five database managers, who entered in the book as suspects three to seven. The Uganda subsidiary team including James and four other people became my suspects eight to 11. The two executives EDs suspects 12 and 13. Personal assistant to the Group CEO, suspect 14. And seven IT staff in network and support suspect 15 to 21. Finally, the bank operations and large accounts management team of ten staff suspect 22 to 31.
The objective of the investigation was to identify the fraudster out of these and any other suspects supported by evidence. Not an easy task.
I wrote the engagement letter and sent it for signing, describing the scope, issues, and objectives of the investigation oblivious of the fraud examination disclaimers: fraud even if it exists, may not be uncovered as rest of our investigations, and we shall use all such evidence-gathering procedures which include but not limited to forensic imaging and analysis of suspect digital devices, statement taking and interviews of witnesses and suspects, overt and covert operations to obtaining evidence relevant to the case. Since the objective of an investigation is to establish evidence, you approach the assignment with an open mind as objective as possible. Everyone is a potential suspect until you obtain evidence that shows otherwise.
Never start an investigation without a signed engagement letter. With this secured, I went into assembling the team.
Don’t miss Chapter 3.
Copyright Mustapha B Mugisa, 2020. All rights reserved.