7 Steps for Investigating Data Breaches

According to the NSW Information and Privacy Commission, a data breach occurs when there is a failure that has caused or has the potential to cause unauthorised access to your organisation’s data. The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Investigation is an integral part of a data breach response. The goal is to clarify the circumstances of the breach, assess the damage caused by it, and develop a further plan of action depending on the results of the investigation. Most often the breach is caused by hacking, but sometimes it involves a negligent employee. It’s important to understand the necessary procedures for privacy and security breaches in order to minimize potential risks and limit access to leaked information before it’s too late.

A well-executed incident response can help minimize breach impact, reduce fines, decrease negative press, and ultimately help your company get back on track. There are a number of important considerations to make when investigating privacy and security breaches.

This blog will cover:

  • Data Breach Detection
  • Potential Impacts of Data, Privacy and Security Breaches
  • 7 Steps for Investigating Data Breaches
  • Best Prevention and Response Plan 

Data Breach Detection

A company typically learns it has been breached in one of four ways:

  1. The breach is discovered through detection systems (via review of intrusion detection system logs, event logs, alerting systems, system anomalies, or antivirus scan malware alerts).
  2. The breach is discovered by your own employees.
  3. External parties discover the breach while investigating another matter.
  4. A customer complaint.

Potential Impacts of Data Breach

The impact of a data breach depends on the nature and extent of the breach and the type of information that has been compromised. 

Serious impacts of a data breach could include:

  • Risk to individuals’ safety
  • Financial loss to an individual or organisation
  • Damage to personal reputation or position
  • Loss of customer or public trust in an organisation or the services it provides
  • Commercial risk through disclosure of commercially sensitive information to third parties
  • Threat to an organisation’s systems, impacting the capacity to provide services
  • Impact on organisation reputation, finances, interests or operation.

Breaches of personal data can result in significant harm, including people having their identities stolen or the private home addresses of protected or vulnerable people being disclosed. In some circumstances, this can expose an individual to a significant risk of harm. 

Organisations should also consider the risks that could result from data breaches:

  • breaches that result in a loss of data integrity, i.e. where information is maliciously altered
  • breaches that result in a loss of availability, where important systems may no longer be usable
  • breaches where data is not disclosed but is rendered inaccessible, with potentially harmful consequences for individuals.

7 Steps for Investigating Data Breaches

Here is a general guide to the steps you need to take when responding to and investigating a cybersecurity incident. Steps may vary depending on each investigation, requirement, industry, etc.

1. Detect the privacy and/or security breach

Each investigation begins with incident detection. This step is aimed at establishing that a data breach has actually occurred. You can confirm this by inspecting the signs of a data breach.

According to the National Institute of Standards and Technology (NIST) of the United States Congress, there are two types of data breach signs: precursors and indicators.

A precursor is a sign that an incident may occur in the future. It can be:

  • Web server logs indicating a search for vulnerabilities in an organization’s network
  • Discovery of a vulnerability that affects the organization’s network
  • An announcement by a hacker group that they intend to attack the organization

In general, precursors are rare and mostly help organizations to stay vigilant.

An indicator is a direct sign that an incident may have occurred or is occurring right now. Common examples of data breach indicators include:

  • Buffer overflow attempts against a database server
  • Multiple failed login attempts from an unfamiliar remote system
  • Bounced emails with suspicious content
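The second indicator above, repeated failed logins from an unfamiliar remote system, is the kind of sign that can be checked mechanically. The following is an added example, not code from the original post: it parses constructed OpenSSH-style auth log lines and flags sources that are both outside an assumed set of known admin hosts and above an assumed failure threshold.

```python
"""Flag the 'multiple failed logins from an unfamiliar remote system' indicator.

Added example, not from the original post. The log lines are constructed in
the style of OpenSSH auth.log output; KNOWN_ADMIN_HOSTS and FAILED_THRESHOLD
are assumptions that would be tuned per environment.
"""
import re
from collections import defaultdict

# Constructed sample lines (not real log data).
SAMPLE_LOG = """\
Mar 12 09:01:02 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.77 port 51022 ssh2
Mar 12 09:01:05 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.77 port 51023 ssh2
Mar 12 09:01:09 web01 sshd[2103]: Failed password for root from 203.0.113.77 port 51030 ssh2
Mar 12 09:01:12 web01 sshd[2105]: Failed password for root from 203.0.113.77 port 51031 ssh2
Mar 12 09:01:15 web01 sshd[2107]: Failed password for root from 203.0.113.77 port 51032 ssh2
Mar 12 09:03:40 web01 sshd[2110]: Failed password for alice from 10.0.5.12 port 40011 ssh2
Mar 12 09:03:44 web01 sshd[2110]: Accepted password for alice from 10.0.5.12 port 40011 ssh2
Mar 12 09:05:00 web01 sshd[2120]: Accepted publickey for deploy from 10.0.5.40 port 40100 ssh2
"""

# Assumption: hosts the response team already recognises (jump hosts, admin subnet).
KNOWN_ADMIN_HOSTS = {"10.0.5.12", "10.0.5.40"}
# Assumption: how many failures from one unfamiliar source count as an indicator.
FAILED_THRESHOLD = 3

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(lines):
    """Return {source_ip: [usernames tried, in order]} for every failed-password line."""
    failures = defaultdict(list)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    return failures


def find_indicators(lines, known_hosts=KNOWN_ADMIN_HOSTS, threshold=FAILED_THRESHOLD):
    """Return sorted (ip, failure_count, distinct_users) tuples for sources that
    are unfamiliar AND at or above the failure threshold."""
    hits = []
    for ip, users in parse_failed_logins(lines).items():
        if ip in known_hosts:
            continue  # a mistyped password from a known admin host is not an indicator
        if len(users) >= threshold:
            hits.append((ip, len(users), sorted(set(users))))
    return sorted(hits)


if __name__ == "__main__":
    for ip, count, users in find_indicators(SAMPLE_LOG.splitlines()):
        print(f"indicator: {count} failed logins from unfamiliar host {ip}; users tried: {users}")
```

Alice's single failure from a known host is parsed but not reported, which is the distinction the indicator definition relies on.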

Here are some important questions to ask yourself:

  • Who is affected by the breach? The assessment may include reviewing whether individuals and organisations have been affected by the breach, the level of sensitivity of the data that is affected, how many individuals and organisations have been affected, and whether any of the individuals have personal circumstances which may put them at particular risk of harm.
  • What was the cause of the breach? The assessment may include reviewing whether the breach occurred as part of a targeted attack or through inadvertent oversight. Was it a one-off incident or does it expose a more systemic vulnerability? What steps have been taken to contain the breach? Has the data been recovered? Is the data encrypted or otherwise not readily accessible?
  • What is the foreseeable harm to the affected individuals/organisations? The assessment may include reviewing what possible use there is for the data. For example, could it be used for identity theft, threats to physical safety, financial loss, or damage to reputation? Who is in receipt of the data? What is the risk of further access, use or disclosure, including via media or online?

2. Take Urgent Incident Response Actions

There are a number of urgent steps you should take when a data breach is detected. The first thing you should do after detection is to record the date and time of detection as well as all information known about the incident at the moment.

Then, the person who discovered the breach must immediately report it to those responsible within the organization. Access to breached information should also be restricted to stop the further spread of leaked data.

Overall, you may stick to this general checklist:

First 24 Hours Response Checklist:

  • Document the time and date the data breach was discovered
  • Notify the response team
  • Isolate the location of data breach
  • Stop additional data loss
  • Gather all possible data about data breach
  • Interview the people who discovered the data breach
  • Document the investigation
  • Perform a risk assessment
  • Notify law enforcement and regulators

3. Gather Evidence

Collecting and checking all evidence related to the data breach is the next step per data breach response best practices. Make sure to gather data from all your cybersecurity tools, servers, and network devices and to collect information from your employees during interviews.

First and foremost, act quickly and gather as much information about the data breach as you can. The better your understanding of the situation, the better your chances of minimizing the consequences.

The list of data you should collect includes:

  • The date and time the data breach was detected
  • The date and time a response to the data breach began
  • Who discovered the breach, who reported it, and who else knows about it
  • What was viewed, changed, or stolen and how
  • A description of all events related to the incident 
  • Information about all contacts involved in the breach
  • Identification of the systems affected by the incident
  • Information on the extent and type of damage caused by the incident

When an organization becomes aware of a possible breach, it’s understandable to want to fix it immediately. However, without taking the proper steps and involving the right people, you could inadvertently destroy valuable forensic data used by investigators to determine how and when the breach occurred, and to make recommendations in order to properly secure the network against the current attack or similar future attacks. 

When you discover a breach, remember:

  • Don’t panic
  • Don’t let panic lead you to hasty actions
  • Don’t wipe and re-install your systems (yet)
  • Do follow your incident response plan

4. Analyze the Data Breach

Once you’ve gathered as much information about the incident as you can, you need to analyze it. This step is aimed at determining the circumstances of the incident, as well as the scope of the breach and who are the affected parties you need to notify. In addition, you may have to answer a series of questions that will further assist in the investigation:

  • Was any suspicious traffic detected?
  • Did the attacker have privileged access to data?
  • How long has the data been compromised?
  • Were people or special software involved in the data breach?
  • Was the data breach intentional and were outside attackers involved?

Having carefully analyzed information on the data breach, you can draw some conclusions about the source of the breach to effectively stop it. You can also compile a list of affected or potentially affected parties in preparation for step 5.

5. Notify related parties

Next, you should notify all affected organizations and individuals, as well as law enforcement if the breach was significant enough. Timely notification is a very important data breach investigation procedure as it will enable individuals to take measures to protect lost data, such as changing passwords, or at least to be careful in case scammers take advantage of the data breach. Additionally, in many jurisdictions there are mandated notification timeframes, which we will discuss below.

The list of those to be notified will vary depending on the type of compromised data and may include:

  • Employees 
  • Customers 
  • Investors 
  • Business partners
  • Regulators
  • And others

Pay particular attention to notice periods. They depend on the regulations and standards you need to comply with and the type of data affected (personal data, financial data, etc.). Failure to notify regulators in a timely manner could result in liability and extensive fines.

Australia

In Australia, entities with existing personal information security obligations under the Australian Privacy Act are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of all “eligible data breaches”.

United States

As yet, there has been no federal legislation enacted covering data breach investigation or notification processes, and the laws are a patchwork of state- or industry-specific laws. For example, organizations that need to comply with the Health Insurance Portability and Accountability Act (HIPAA) must notify each affected individual within 60 days after discovering a breach. Fines for a HIPAA violation may be up to $25,000. The minimum fine is $100. Most states have their own specific laws that deal with security breaches. For example, in California, a business must notify each resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.

United Kingdom

The GDPR requires data supervisors to notify the appropriate supervisory authorities no later than 72 hours after discovering a data breach. The GDPR sets a maximum fine of €20 million or 4 percent of annual worldwide turnover (whichever is greater) for a data breach.

Similar guidelines apply to organizations in Canada under the Breach of Security Safeguards Regulations.

Many other countries also have laws and regulations regarding the use and unauthorized disclosure of personal data. If your organization operates in more than one country, you should consider local data breach legislation and include its requirements into your incident response plan.

6. Take containment, eradication and recovery measures

The next step is to mitigate and remediate the effects of the breach. Let’s see how each of these measures can help you effectively mitigate the consequences of a data breach. 

Containment measures

The goal of these measures is not only to isolate compromised computers and servers but to prevent the destruction of evidence that can help investigate the incident.

Conduct a comprehensive data breach containment operation and preserve all evidence, being careful you don’t destroy it. For example, if a data breach is caused by malware, it may not create files on disk but may place itself entirely in RAM because it’s harder to detect this way. Therefore, it’s unacceptable to power off the computer, as all the information contained in RAM will be lost.

Also, monitor the attacker’s activities and determine whether any data is leaking during the investigation.

Here are possible measures you can take for containment:

  1. Disconnect from the Internet by pulling the network cable from the firewall/router to stop the bleeding of data. 
  2. Document the entire incident. Document how you learned of the suspected breach, the date and time you were notified, how you were notified, what you were told in the notification, all actions you take between now and the end of the incident, date and time you disconnected systems in the card data environment from the Internet, disabled remote access, changed credentials/passwords, and all other system hardening or remediation steps taken.
  3. Disable (do not delete) remote access capability and wireless access points. Change all account passwords and disable (not delete) non-critical accounts. Document old passwords for later analysis. 
  4. Change access control credentials (usernames and passwords) and implement highly complex passwords: 10+ characters that include upper and lower case, numbers, and special characters. (Avoid passwords that can be found in any dictionary, even if you are substituting special characters in place of letter characters.)
  5. If you process payments, segregate all hardware devices in the payment process from other business critical devices. Relocate these devices to a separate network subnet and keep them powered on to preserve volatile data. 
  6. Quarantine instead of deleting (removing) identified malware found by your antivirus scanner for later analysis and evidence. 
  7. Preserve firewall settings, firewall logs, system logs, and security logs (take screenshots if necessary).
  8. Restrict Internet traffic to only business critical servers and ports outside of any payment-processing environment(s). If you must reconnect to the Internet before an investigator arrives, remove your credit card processing environment(s) from any devices that must have Internet connectivity and process credit cards via dial-up, stand-alone terminals obtained from your merchant bank until you consult with your forensic investigator.
  9. If relevant, contact your merchant processing bank (if you haven’t already) and let them know what happened. 
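Items 2 and 7 of the containment list (document everything; preserve firewall, system and security logs) and the earlier warning about destroying forensic data are easier to honour when preserved files are hashed at collection time. The following is an added example, not code from the original post: it builds a simple hash manifest over constructed log files in a temporary directory, then shows that a later edit to one of them is detected. The manifest layout and the collector field are assumptions.

```python
"""Preserve log evidence with a SHA-256 manifest so later changes are detectable.

Added example, not from the original post. The log files and their contents
are constructed in a temporary directory; the manifest format is an assumption.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hash a file in chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record each file's size, hash and original mtime plus who collected it and when.
    The original mtime is kept because it helps order events during analysis."""
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append({
            "path": os.path.abspath(p),
            "size": st.st_size,
            "sha256": sha256_file(p),
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "files": entries,
    }


def verify_manifest(manifest):
    """Return the paths whose content no longer matches the manifest (empty means intact)."""
    changed = []
    for entry in manifest["files"]:
        if not os.path.exists(entry["path"]) or sha256_file(entry["path"]) != entry["sha256"]:
            changed.append(entry["path"])
    return changed


def demo():
    """Collect two constructed logs, verify, then edit one and verify again."""
    with tempfile.TemporaryDirectory() as d:
        auth = os.path.join(d, "auth.log")
        fw = os.path.join(d, "firewall.log")
        # Constructed sample content (not real log data).
        with open(auth, "w") as f:
            f.write("Mar 12 09:01:02 web01 sshd[2101]: Failed password for root from 203.0.113.77 port 51030 ssh2\n")
        with open(fw, "w") as f:
            f.write("Mar 12 09:01:02 fw01 DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP DPT=3389\n")

        manifest = build_manifest([auth, fw], collector="on-call analyst (constructed)")
        intact_before = verify_manifest(manifest) == []

        # Simulate a well-meaning "tidy up" that appends to a preserved log.
        with open(auth, "a") as f:
            f.write("Mar 12 09:30:00 web01 sshd[2200]: Accepted password for root from 203.0.113.77 port 51100 ssh2\n")
        changed_after = [os.path.basename(p) for p in verify_manifest(manifest)]

        return {
            "file_count": len(manifest["files"]),
            "intact_before": intact_before,
            "changed_after": changed_after,
            "manifest_json": json.dumps(manifest, indent=2),
        }


if __name__ == "__main__":
    result = demo()
    print(result["manifest_json"])
    print("intact before edit:", result["intact_before"])
    print("changed after edit:", result["changed_after"])
```

In practice the manifest itself is stored separately from the evidence (and signed or hashed in turn) so that it cannot be altered alongside the files it describes.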

Eradication measures

Next, it’s important to eliminate all causes that led to the data breach. For example, if the breach occurred as a result of an insider threat, security specialists should disable all accounts that leaked information. If the threat was external, such as malware, it may be necessary to clean up the affected system and patch exploited vulnerabilities.

Recovery measures

After a successful eradication step, it’s necessary for the organization to return to normal operations. This includes putting the affected systems back into a fully operational state, installing patches, changing passwords, etc.

Security specialists should carefully monitor the network, recovered computers, and servers to ensure that the threat has been fully removed.

7. Conduct a root cause analysis

Once you’ve taken basic actions to counter the data breach, it’s time to analyze the incident and its consequences and take steps to prevent similar issues in the future. Every data breach should be thoroughly audited afterwards. The specifics of each audit depend on the data breach itself and its causes.

In general, an audit may include:

  • Reviewing the organization’s cybersecurity systems
  • Analyzing causes of the data breach
  • Creating a plan to prevent similar incidents in the future
  • Reviewing policies and procedures to reflect lessons learned from the data breach
  • Improving cybersecurity awareness among employees

The 5 Whys and 5 Hows technique may help you achieve continuous improvement at any organization. The 5 Whys method is simply asking the question “Why” enough times until you get past all the symptoms of a problem and down to the root cause. The 5 Hows are then used to determine a root or permanent solution to the root cause(s) of the problem.

How to Perform 5 Why & 5 How

1. Form the Team

The 5 Why & 5 How exercise should be performed by a team, not an individual. The team should include diverse members. Each team member will bring their own unique viewpoint of the problem and ask important questions that may not otherwise have been asked.

2. Define the Problem

Develop a clear and concise problem statement. The team should keep their focus on the process and not on the personnel. The team should also determine the scope of the problem to be addressed. If the scope is too narrow, the problem-solving exercise could result in small improvements when larger, broader improvements are needed. Conversely, defining the problem with too broad a scope could extend the time required to resolve a problem and generate solutions that might not fit the corporate culture or align with corporate strategy, and never be carried out. When you take the time to clearly define the problem up front, it often saves time and makes solving the problem easier.

3. Ask Why

Next the team leader or facilitator should ask “Why” the problem or failure occurred. The responses should be backed by facts or data and not based on an emotional response. The responses should also focus on process or system errors.

The facilitator should then ask the team “if the identified causes were corrected, could the failure or problem still occur?” If the answer is yes, then move on to the second “Why” and then the third, fourth, fifth and so on until the answer is no.

Note: It is not always necessary to ask “Why” five times. The root cause could be identified during the third or fourth “Why”. It may also take more than five times to get through the symptoms of the problem and down to the root cause. In addition, by the 3rd, 4th, or 5th “Why”, you may likely discover a systemic or management practice as the cause.

4. Determine and Implement Corrective Actions

Upon determination of the root cause(s), a list of appropriate corrective actions should be developed to address each root cause. 5 How is a useful method of brainstorming resolutions to the root causes and developing action items to resolve the problem. The facilitator should ask the 5 Hows related to the issue at hand. How can this cause be prevented or detected? Keep asking “How” until you get to the root solution that resolves the root cause. The actions should have an owner and a due date. Regular meetings should be held to update the team on the status of the actions until all are completed. Upon completion of the recommended actions, the effectiveness of the actions should be determined. 

Basic 5 Why Example

There are various formats used to document the 5 Why exercise, some more detailed than others. The following is an example of the basic 5 why process.

Problem statement – the file ‘evilcode.php’ was injected into our web service, allowing an attacker to gain configuration information, though they were stopped without further attacks.

  1. Why? There was a remote code execution vulnerability in our web application
  2. Why? No-one updated the web framework.
  3. Why? Web applications and frameworks aren’t part of our patching process.
  4. Why? It’s too hard and takes too much time to apply updates to web applications.
  5. Why? We haven’t built processes, procedures, and pipelines to allow for easy updating of web applications.

Take care to ensure that the “Whys” follow a logical path. One way to check this is to read the causes in reverse order: read backwards, they should form a logical progression to the problem statement or failure mode. Referencing the example above, the progression would be like this:

  • There is no documented, easily understandable, efficient process for updating web applications
  • Therefore – employees need to figure it out for themselves each time, which is hard and time consuming
  • Therefore – web applications were not included in our regular patching process
  • Therefore – no-one updated the web framework
  • Therefore – there was a remote code execution vulnerability in our web application
  • Therefore – someone was able to inject malicious code into our web service and gain configuration information 

By thoroughly implementing these steps, you can get a better understanding of the data breach that occurred, discover its true causes, and determine the best pathway for mitigating its consequences.

Best Prevention and Response Plan

After the cause of the breach has been identified and eradicated, you need to ensure all systems have been hardened, patched, replaced, and tested before you consider re-introducing the previously compromised systems back into your production environment. During this process, ask yourself these questions:

  • Have you properly implemented all of the recommended changes?
  • Have all systems been patched, hardened, and tested?
  • What tools/reparations will ensure you’re secure from a similar attack?
  • How will you prevent this from happening again? (Who will respond to security notifications and be responsible to monitor security, Intrusion Detection System, and firewall logs?)

There are many elements of a good prevention plan. According to the Data Breach Guideline created by the Information and Privacy Commission, here are some suggestions:

People/Culture

  • Make sure you’re aware of your organisation’s privacy principles as well as the types of breaches that might affect your organisation.
  • Identify the individuals in your organisation responsible for privacy and data protection. These are the staff members who will provide support for understanding and implementing data breach prevention practices, as well as being the contact points in the event that you identify a suspected breach.
  • Establish honest and consistent privacy and data breach communication channels with employees.

Processes

  • Ensure that you are aware of proper processes and that they are followed.
  • If you identify where privacy and data protection improvements to processes can be made, communicate this with management.
  • Minimise the transporting and copying of data in common processes, especially if this is done using portable devices, email, or syncing files to local devices.

Policy

  • Be aware of privacy and data protection policies and abide by them. Provide feedback on policy that is difficult to implement so that it may be improved.
  • Relevant policies include those that cover computer and email use, BYOD, information access restrictions and conditions, and personal information collection and use.

Technology

  • Abide by the data protection policies and practices of your Agency with regard to the use of computers, emails and other electronic devices.
  • Ensure that security protections, such as passwords and two-factor authentication are compliant with your organisation’s rules.
  • Avoid transferring data through insecure methods, such as USB-sticks, paper copies, unencrypted attachments to emails.
  • Keep applications on your devices updated to the latest version, as vulnerabilities are frequently patched.
  • Be aware of the data you hold on your computer and your devices. Avoid replicating data across multiple devices, especially if they are portable and may be lost, stolen or misplaced.

How Polonious can Help

Data breaches carry significant risks and can incur significant losses, so the sooner you deal with them, the better. Proper investigation will help you identify the extent of an incident and take measures to mitigate it in order to minimize the risks.

It’s best to have a set of measures prepared to respond to data breaches, such as an incident response plan and a pre-assembled response team. Coordinated actions and a consistent approach can significantly speed up the process of recovering after a breach. Polonious Systems offers a rich set of features for data breach investigation and mitigation.

Additionally, Polonious maintains ISO27001 certification to ensure its own processes and software are kept to the highest international standards for security. This includes regular penetration testing, code reviews, disaster recovery and business continuity drills, as well as frequent internal audits and twice yearly external audits of our processes.

Tips for Legal and Ethical Workplace Monitoring

Employers are increasingly becoming concerned about lost productivity, malware infections, distribution of company information, as well as their liability for sexual and other forms of harassment when explicit documents are exchanged via e-mail or the web. As such, many companies implement employee monitoring.

According to ABC News, nearly 80 percent of major companies monitor the internet usage, phone and email of their employees. There are many benefits to this practice including:

  • Ensuring workplace safety
  • Increasing Productivity
  • Detecting Illegal/Unethical behaviors
  • Enhancing data security

Ensuring employees are not engaging in illegal/unethical activities is increasingly important as these acts may result in financial and/or reputational risk to the entire organization. No organization is immune from these risks. Our 4-part series can help you learn about the different types of employee fraud:

While protecting against risks, employers must ensure they are practicing legal and ethical workplace monitoring. In the current conditions dominated by the coronavirus pandemic, many businesses have opted to use automated means to monitor staff productivity. However, from an employee’s perspective, the use of monitoring software may be intrusive if not distressing. Furthermore, without regard to data protection laws, the practices may potentially be illegal.

This article will help you practice legal and ethical workplace monitoring by breaking down the topic into the following parts:

  • What is Workplace Monitoring
  • Benefits and Consequences of Inadequate Workplace Monitoring
  • Legal Requirements by Country and Jurisdiction
  • Recommended Limitations to implement for Employers
  • Best Practices for Legal and Ethical Workplace Monitoring

What is Workplace Monitoring

Workplace monitoring is used by employers for a variety of reasons including safeguarding their employees, for security reasons, or due to a legal or regulatory need to monitor. It is important to have a clearly defined purpose for any workplace monitoring, such as the discovery of health and safety breaches, as this can be communicated to staff to alleviate feelings of intrusion as well as ensuring any information or evidence is only used for the defined purpose. There is a range of ways that an employer can monitor the workplace, which include:

  • CCTV
  • Checking websites visited.
  • Automated software checking employee’s emails.
  • Opening mail or emails received by an employee.
  • Listening in on telephone conversations.
  • Searches of employees, their work area or their bags.

Benefits and Consequences of Workplace Monitoring

There are many benefits to workplace monitoring practices. However, employers face multiple consequences when workplace monitoring practices are inappropriate, i.e. excessive, intrusive, or otherwise poorly managed.

Benefits of Workplace Monitoring

Employers who practice workplace monitoring measures know how important it is to keep their employees’ personal information private. They have clear policies that set out what information the business can collect and keep, and when it can be passed on to others. 

If employers take a best practice approach to workplace privacy, they can enjoy a number of benefits. These may include:

  • complying with legal obligations
  • improved productivity
  • certainty and security for both you and your employees.

Legal Compliance

Through workplace monitoring, you can catch employees who are either breaking company policies or laws. This is critical as organizations may face legal and financial liability for these actions.

Improved Productivity

The way an employee uses their time has a significant impact on the productivity of the organization. By monitoring employees, you can understand work patterns and trends which can help detect ways to enhance productivity.

Moreover, when employees know that their performance and behavior are being monitored, this may encourage them to become more focused and less distracted in their work, and to go the extra mile towards efficiency.

Certainty and Security

Having a well-defined monitoring program will help employees to feel more comfortable with the systems put in place and to know the boundaries of that monitoring system. Further, if the system is targeted at safety and security, this can help employees to feel that any threats to their safety will be identified and dealt with early.

Consequences of Inappropriate Workplace Monitoring

Although employee monitoring can be an extremely useful tool when used appropriately, inappropriate workplace monitoring may lead to several consequences including:

  • Reduced employee trust  
  • Increased turnover
  • Lost supervisor time, since someone needs to review the data and surveillance material

This could be due to many reasons. For instance, employees may perceive surveillance as a sign that the management does not trust them to complete their jobs properly. Employees may also feel a decreased sense of job satisfaction due to perceived mistrust, which may lead to increased turnover.

Furthermore, workplace surveillance typically serves to stop or reduce employees from wasting time, but the process also takes time away from supervisors who must perform the monitoring. This means the person in charge of surveillance may have less time for other responsibilities. 

Breaches in Privacy and Personal Information

When monitoring employees, employers will likely stumble upon personal information, such as bank account information, health records, or profoundly private emails. The risk of a cyber-attack adds an additional layer of risk for companies to consider. If a monitoring system were to be hacked, revealing employees’ personal data, this could potentially constitute a personal data breach.

Therefore, employers should consider the reasons for collecting personal information and whether there is a collection method that avoids collecting unnecessary personal information, and implement secure measures to protect employees’ data.

Invasion of Privacy

Some common examples of invasions of privacy include:

  • If an employer conducts surveillance without notifying employees (except in cases of covert surveillance which may involve cases such as sexual harassment and workplace bullying)
  • When an employer conducts surveillance in places like toilets, parent rooms, and showers
  • Installing software onto an employee’s computer or phone without their permission to track their activity
  • Installing a keylogger onto an employee’s computer to track keystrokes without the employee’s knowledge and/or for unjustified reasons
  • Publicly disclosing private facts, in this case, facts that were obtained through workplace monitoring

In some jurisdictions, employers are allowed to install monitoring software on any company-provided device without informing the employee, while in other jurisdictions permission is required. Regardless, there are two important considerations regarding the above. Firstly, this only applies to company-provided devices. Installing any such software on an employee’s personal device without their consent is a serious invasion of privacy. Secondly, just because something is legal in your jurisdiction does not mean it will sit well with employees, or even be ethical, and it may result in a damaged employment relationship.

Legalities and Ethics

Data privacy is about the access, use and collection of data, and the data subject’s legal right to the data which often refers to the:

  • Freedom from unauthorized access to private data
  • Inappropriate use of data
  • Accuracy and completeness when collecting data about a person or persons (corporations included) by technology
  • Availability of data content, and the data subject’s legal right to access; ownership
  • The rights to inspect, update or correct these data

However, different individuals place different values on privacy. This means some actions may be permissible to one person while others may not agree. Therefore, it is important to set clear, up-front expectations and maintain transparency. Employers should communicate information such as:

  • what personal information they collect 
  • why they are doing so 
  • who they might pass that information on to 
  • how they can access their own personal information 
  • how to verify or correct their personal information if it is incorrect, out of date or incomplete, even when not required to by law.

This will decrease mistrust or any confusion regarding the workplace monitoring practices.

Mistrust

Inappropriate workplace monitoring may hurt employees’ morale. Employees may feel doubted or as if their employers do not trust them, and this may lead to increased turnover. Employers can address this by informing their team up front about their workplace monitoring practices. This way employees will understand it is a company-wide protocol and that they are not being singled out or targeted. Where possible, give employees a justification and an opportunity for input so that they feel the implementation was handled fairly.

Legal Requirements by Country

Organizations must ensure that if they do practice workplace monitoring, it is in accordance with applicable laws. Laws and regulations vary across nations and jurisdictions. Non-compliance can lead to serious legal, reputational and financial risk to organizations. We’ve outlined the legal requirements in a few key jurisdictions.

United States

The Electronic Communications Privacy Act (ECPA) permits an employer to monitor all activities on a computer that is company property. Activities may include:

  • Internet use
  • Software download
  • Documents or files stored on a company’s computer
  • Anything that is displayed on an employee’s computer screen
  • How long an employee’s computer has been idle
  • Keystrokes per hour
  • Emails (both incoming and outgoing)

Employers can legally monitor employees who are not on-premise, including those who are working from home on a company laptop. They may also monitor social media usage if it occurs on company time.

However, employers must abide by relevant state laws. For instance, in Connecticut, employers that use electronic monitoring are required to give employees prior notice. 

United Kingdom

Organizations in Europe are subject to the General Data Protection Regulation (GDPR), which requires that they process information about individuals, including their employees, in accordance with a number of standards, such as that processing is fair, lawful, and transparent. If an employer uses monitoring software to collect information such as how long an employee has sat in front of their screen, or how long they have spent on the internet, the employer must comply with the GDPR.

The GDPR emphasizes:

  • Informing employees about data collection methods
  • Getting consent for personal data collection
  • Security of collected data

According to the GDPR, computer monitoring is allowed provided:

  • Employees are given advance notice of the monitoring through a clear internal policy
  • It is done for a legitimate business purpose and doesn’t restrict an employee’s fundamental right to privacy

The GDPR also requires that where high risk processing activities are carried out, organisations must carry out a data protection impact assessment, or DPIA. The purpose of the DPIA is to ensure that the principles of data protection by design and by default are incorporated into any new initiatives. 

Australia

The Privacy Act (1988) does not specifically cover surveillance in the workplace. However, organizations are required to follow relevant state laws. NSW and the ACT have laws that apply specifically to workplace surveillance, and Victoria limits the use by employers of surveillance devices in certain parts of the workplace (e.g. washrooms). 

The laws in the ACT and NSW require employers to:  

  • Give the employees 14 days’ notice before commencing surveillance, unless they agree to waive the notice period (which can be done in the employment agreement).  
  • Notify the employee of the type of surveillance, as well as how the surveillance will occur, when it will start and for how long it will continue and whether it is continuous or not. The ACT legislation also requires employers to outline the purpose for which the employer may use and disclose surveillance records.  
  • Have a policy in place relating to surveillance.  
  • Post clearly visible signage about camera surveillance (if any). The cameras must be clearly visible too.  
  • Notify employees that they are under tracking surveillance (if any). 

In Victoria, the Surveillance Devices Act 1999 provides an offence for the use of an optical device or listening device to carry out surveillance of the conversations or activities of workers in workplace toilets, washrooms, change rooms or lactation rooms.

The ACT Act also prohibits surveillance of employees in places such as toilets, change rooms, nursing rooms, first-aid rooms and prayer rooms, and surveillance of employees outside the workplace.

In NSW, the Workplace Surveillance Act regulates the use of computer surveillance, camera surveillance, and audio surveillance technology, as well as geo-tracking technology. It outlines when it is appropriate or legal to use these devices and when it is illegal to do so. Overt surveillance is surveillance of which the employees have been notified. Under the Workplace Surveillance Act 2005, overt surveillance is unlawful unless a minimum of 14 days’ notice has been given in advance. The notice must contain details of:

  • The equipment undertaking the surveillance (video, audio, tracking);
  • When the surveillance will commence;
  • Whether the surveillance will be intermittent or continuous; and
  • Whether the surveillance will be for a specific time or ongoing.

Covert surveillance refers to surveillance that is undertaken without the knowledge of the employee(s). The Act strictly prohibits covert surveillance unless the employer obtains a ‘covert surveillance authority’ which has been issued by a Magistrate authorising the surveillance to determine whether the employee(s) are involved in unlawful activity at work.

When issuing a covert surveillance authority, the Magistrate will consider the following:

  • The seriousness of the unlawful activity;
  • Whether it will affect the right to privacy of other employees in the area; and
  • Whether reasonable grounds exist to justify the surveillance authority.

The Act restricts computer surveillance by employers including monitoring or recording of information accessed and sent. It also regulates the surveillance of internet access by employees and prohibits the blocking of emails.

Under the Act, surveillance of an employee’s computer use can only be carried out where:

  • There is an existing policy on computer surveillance in the workplace; and
  • Notice has been given to the employee in advance; and
  • The employee is aware of and understands the policy.

The Act also prohibits the blocking of emails sent to or by an employee except under certain conditions. Emails can be blocked if:

  • It is in accordance with the computer policy of the workplace;
  • The content of the email contained a virus;
  • The email was spam;
  • The email can be reasonably regarded as being menacing, harassing or offensive.

Aside from the above regulations, the Act specifically prohibits surveillance in certain areas. These include change rooms, toilets, showers or bathing facilities at a workplace. Employers should be careful to ensure that surveillance methods do not impinge on their employees’ rights to privacy.

It is recommended that employers in other states adopt the same level of transparency as employers in NSW and the ACT to align with employee sentiment and good practice. 

In addition, the Australian Law Reform Commission (ALRC) recommends that surveillance laws, including workplace surveillance laws, be made uniform.

Recommended Limitations for Employers

Even if your country or jurisdiction does not specifically address employee monitoring practices, the evolving data privacy landscape may lead to the adoption of such laws, and any new laws are likely to be heavily influenced by current legislation. Here are recommended limitations for employers based on the GDPR framework.

  • Stealth monitoring: As a part of informed consent and transparency, employers are not permitted to use monitoring technologies that attempt to obfuscate their presence. Monitoring technologies must be used transparently and employees should be informed of their use.
  • Blocking vs monitoring: In the case of managing internet access, employers should block access to undesirable websites rather than relying on continuous monitoring.
  • Use data as stated: As per the purpose limitation principle of GDPR, monitoring data should only be used for the exact purpose that it was intended for unless the data will be used for a substantially similar purpose or you get consent to reappropriate the data.
  • Automated decision making: While employee monitoring data can be used to identify unproductive or inappropriate browsing behavior, the decision to discipline an employee must not be made automatically by the software. Human intervention is required to analyze the data and make an informed decision.
  • Avoid targeted monitoring: The monitoring of targeted individuals without a legitimate need is strongly advised against. The best practice is to use aggregated data for general monitoring and only increase in specificity if undesirable behavior persists.
  • Personal communications: Employers should not knowingly intercept personal communications (emails, telephones, etc.), even if they are taking place on work devices. The existence of a policy against personal use may help prevent personal use of assets, however once a given communication is known to be personal the employer should cease monitoring.

Best Practice Guide for Legal and Ethical Workplace Monitoring

Employers have legal and ethical requirements to consider when monitoring employees. The following principles will serve to guide an implementation of an employee monitoring strategy that meets critical business goals without unnecessarily compromising the privacy of your employees.

Clearly state your workplace monitoring purposes

Clearly defined monitoring goals are more than simply a proactive measure for ensuring a successful adoption of monitoring; the explicit statement of monitoring objectives is often mandatory under workplace monitoring regulations. Without clearly defined goals, a business will have no means of establishing that its implementation of employee monitoring serves a legitimate interest while respecting the principle of proportionality.

Respect the principle of proportionality

One of the core principles of leading data privacy mandates is proportionality. In the context of employee monitoring, this means any monitoring activity must have a legitimate business interest which outweighs any potential harm to the privacy rights of employees.

GDPR in particular heavily emphasizes that the privacy rights of the data subject are paramount, strongly indicating that monitoring must be limited to the minimum extent required to achieve the objectives of your company. As part of implementing new workplace monitoring technologies, you will be expected to conduct a Privacy Impact Assessment that clearly documents the potential privacy impacts the proposed technology may have on employees.

Ensure transparency

While the degree of transparency will differ by jurisdiction, here are key transparency principles that will greatly inform monitoring strategies. 

  • Policy development: Detailed policies are effective for informing employees of the extent of the monitoring practices that will be implemented within the organization. These policies should clearly outline the measures taken, the goals of those measures, and the expectations the organization has of its employees. It is recommended that a representative sample of employees be involved in assessing the legitimacy of the proposed solutions.
  • Explicit consent: The inherent unbalanced power dynamic present in the employer/employee relationship means that employers should not rely on implicit consent as the legal basis for justifying their monitoring practices. Explicit written consent is the recommended measure for communicating and enforcing monitoring-related policies.
  • DSARs: CCPA and GDPR both have provisions that relate to the right for data subjects to request access to the data that is held by data controllers. Under these legislations, employers must be prepared to answer Data Subject Access Requests (DSARs) from employees in a timely manner. This may include information such as the purpose of data processing, how long the data will be kept, source of data, etc.

Here are a few ways to monitor employees fairly:

  • Make sure your policies explain in detail what aspects of your employees’ devices and the office are monitored.
  • Have your workers sign an agreement that states they are aware of your policies. 
  • Clearly state your expectations in terms of work ethic and behavior. For example, let employees know that sharing company information with outside sources is against protocol.
  • Follow the guidelines according to your state.
  • Make sure you’re monitoring employee activity for your company’s sake. Monitoring for selfish or personal reasons beyond that is an unethical form of tracking.
  • Monitor all of your employees to the same degree so no one on your team can claim they’re being treated unfairly.

Polonious is Here to Help

Many businesses can benefit from employee monitoring. This is especially true for businesses with remote employees, as it gives them a better handle on what team members who aren’t seen in the office every day are working on.

While workplace monitoring can prevent fraud, theft, and other employee misconduct, Polonious case management software can help you investigate such incidents when they do occur. Polonious’ enhanced, secure evidence management capabilities ensure that you can retain any evidence gathered from your monitoring activities for as long as required for the case, while keeping it safe from potential leaks.

There are many legal and ethical considerations to be made when monitoring employees.

Legal and ethical workplace monitoring practices can lead to improved productivity, trust and legal compliance.

Documenting a Workplace Investigation: 3 Things to Know

Proper documentation of workplace incidents and investigations is critical in order to avoid judicial scrutiny and protect the organization from wrongful allegations. Employers may be required to provide them to the EEOC in the U.S., or the Fair Work Commission in Australia in order to avoid legal liabilities. The same applies to companies in the U.K., as well as many companies around the world.

There may be a number of reasons employers feel hesitant to keep workplace investigation documents, especially if a past investigation raised a critical issue that the company should have given more attention. Such records may also reveal dysfunctional processes.

However, documentation of incidents, whether positive or negative, is required to protect the organization. In fact, failing to properly document records can put the company at risk of losing lawsuits, even if the investigation was procedurally fair and the decision justified. Your documentation is your evidence that you followed the right process and made a justified decision, and you will need that evidence if the decision or process is disputed.

HR teams and investigation teams should be aware that proper documentation and record keeping of incidents and investigations can make a significant difference in preventing risk and liabilities of the organization. 

This article will provide:

  • Key Documents to Record
  • Relevant Laws for Investigation Documentation
  • Benefits of proper documentation and record keeping

This will bring understanding and clarity around the idea of documenting workplace investigations.

Key Documents to Record

Although every investigation is different, here are key records that apply to most cases:

  • Factual written summaries of incidents noting date, time, location, and persons involved.
  • Memos and letters
  • Relevant work documents
  • Meeting or interview notes
  • Performance evaluations
  • Investigation Interviews
  • Witness Statements
  • Any other relevant paperwork to document your workplace problem – payslips, employment contracts/conditions, and any relevant workplace policies

When in doubt, keep a record. It is also important to record every incident, complaint and disciplinary action taken. 

Investigation Specific Documents to Keep

Different investigations require the handling of different types of documents, evidence, etc. Although every investigation is unique, here is a general guide of key documents to keep for different investigation types based on some earlier resources:

Stay tuned for further materials on specific investigation types.

Relevant Laws for Incident & Investigation Documenting

Australia

In Australia, the Fair Work Commission assists employees and employers in maintaining fair and productive workplaces. The Commission provides administrative review of workplace decisions such as unfair dismissal and bullying complaints.

According to the FWC, employees may come to the Commission if they believe they have been:

  • unfairly dismissed
  • discriminated against, victimised or unfairly treated under the provisions of the Fair Work Act, or
  • bullied at work and want an order to prevent that from happening.

Employers are required to provide evidence to defend their case in order to avoid any liabilities. For instance, if an employee believes that they have been unfairly dismissed, documents such as history of an employee’s bad conduct and/or warnings that an employee is at risk of dismissal if there is no improvement, can justify the reasons for dismissal.

United States

While the U.S. has fewer legislated protections for employees against employer actions such as termination, there are certain protections against ‘retaliatory termination’ – terminating an employee for making a complaint against the company. Additionally, the U.S. Department of Labor prohibits specific types of job discrimination in certain workplaces. Equal Employment Opportunity (EEO) law protects individuals from discrimination based on factors such as:

  • Age
  • Disability status
  • Ethnic/National origin

Thus, it is important to maintain documentation of any complaints to show that they were properly handled, and that any later termination was unrelated. Detailed documentation will also demonstrate procedural fairness (if you have the appropriate procedures in place) in any investigation or termination decision, to show that the termination was not due to discrimination.

United Kingdom

According to the U.K. Government, a workplace dismissal could be classified as unfair dismissal if the employer does not:

  • have a good reason for dismissing an employee
  • follow the company’s formal disciplinary or dismissal process (or the statutory minimum dismissal procedure in Northern Ireland)

In this case, employees have the right to take legal action by making a claim to the employment tribunal. Employees can make claims for reasons such as unfair dismissal, discrimination, and/or unfair deductions from the employee’s pay.

In this case, documents must be provided upon request to assist with tribunal procedures. Documents may include:

  • a contract of employment
  • pay slips
  • details of your pension scheme
  • notes from relevant meetings you attended at work

It is important to practice good documentation practices in order to avoid the risk of losing cases and to adequately protect the organization from wrongful allegations. 

Procedural fairness is one of the central aspects of natural justice. Companies can face multiple risks on the basis that procedural fairness has not been observed. Read: Better Workplace Investigations: 10 Steps to Ensure Procedural Fairness to ensure your investigation is legally sound. 12 Things to Include in an Investigation Report can help you understand the specific components of an incident report.

Benefits of Proper Documentation and Record Keeping

There are major benefits for practicing proper documentation and record keeping. This can be broken down into two categories:

  • Legal Defense
  • Workplace Improvement

Documentation as a Legal Defense Tool

Good documentation can mean the difference between a company winning and losing an employment-related lawsuit. For example, documentation of an employee’s pattern of poor performance and discipline can establish that an employee’s firing wasn’t based on discrimination against race, sex, age, religion, etc. Most jurisdictions have some form of administrative or judicial review available for employment decisions, where the matter under review is your decision and investigation process, as much as it is the employee’s conduct. Thus, evidence of this process is as important as the evidence you have gathered regarding the employee.

Proper documentation can be used as a defense tool against vicarious liability. Employers can defend vicarious liability by showing they took ‘reasonable steps’ to prevent their workers or agents from treating others unfairly or badly. ‘Reasonable steps’ may include having a procedurally fair investigative process when dealing with workplace complaints.

It is critical to practice good documentation, especially when handling complaints from employees after they have left the company. The longer it takes for an incident to be reported, the worse your recall of the events will be, which may lead to inconsistent or false claims. Whether intentional or not, this can put you and your organization at risk of legal scrutiny. 

Workplace Improvement

Good documentation of workplace incidents and investigations often brings awareness to underlying issues or problems in the workplace, for example, you may notice an increase in sexual harassment complaints associated with a team that goes beyond one individual. This provides valuable, real-life data which can guide future training, cultural change, and/or new strategies for the organization. Strategies may include:

  • Employee Training
  • Review of Organizational Policies
  • Health, Wellbeing Initiatives

Employee training may involve training programs about:

  • How to be an active bystander
  • How to confidently handle workplace disputes
  • The impacts of bullying/discrimination on individuals, teams and organizations

This can ultimately protect employees, employers and organizations from risk and promote better workplace conditions.

How Polonious helps manage Workplace Investigation Documents

Polonious Case Management Software provides a consistent process that is procedurally fair for all parties, while recording all actions and decisions to ensure all evidence of the process is documented and auditable alongside any evidence gathered regarding the incident or investigation. Everything recorded in Polonious is then available in detailed reporting for identifying trends and problem areas. 

Documents of workplace incidents and investigations often contain sensitive materials. Investigators and HR teams have a duty to preserve documents and/or electronically stored information (ESI) while also protecting security and anonymity.

Polonious’ ISO27001 certified security ensures your evidence and case files are stored securely, while our detailed security configuration ensures you can keep employees fully anonymous, or known only to specific individuals, depending on the level of anonymity requested.

Proper documentation of workplace incidents and investigations makes a significant difference in preventing risk and liabilities of the organization.

Workplace Fraud: 3 Common Data Theft Schemes

One of the biggest challenges of detecting, investigating and preventing workplace fraud, is the fact that there are so many types of fraud. Each type of workplace fraud requires different methods of discovery and subsequent investigation procedures.

Our Types of Workplace Fraud series is designed to help you recognize various types of Workplace Fraud, and the best practices to minimize the risk of fraud on behalf of yourself and your clients.

In part 4 of our series on the types of Workplace Fraud, we help you understand detection and prevention measures for:

    • Asset Misappropriation
    • Corruption
    • Financial Statement Fraud
    • Data, Intellectual Property and Identity Theft

Data theft has emerged as a major concern as cybercriminals are going after critical data for greater leverage over companies. Internal threats are particularly harmful because they often:

  • Understand the weaknesses in an organization’s cybersecurity
  • Know the location and nature of sensitive data they can abuse

Data theft occurs in the workplace when an employee steals a company’s data for any nefarious or malicious purpose and to the detriment of the company.

Common schemes include:

  • Theft of Customer or Contact Lists
  • Trade Secret Theft
  • Theft of Personally Identifiable Information (PII)

Trade Secret Theft

According to the Economic Espionage Act of 1996, a trade secret is any confidential plan, formula, pattern, program device, technique, code, or collection of information that, once released, could potentially benefit a business. It may be written down, memorized, stored electronically, or be in the form of a graphic.

This occurs when an employee sells the company’s data to outsiders for financial or personal gain. Data is typically sold to close competitors or highest bidders, who may want to either improve their product by adopting previously confidential designs or processes into their build, or prepare and adapt strategically to plans and decisions leaked early. The type of data stolen may include blueprints, data codes, recipes, or release plans for products.

Risks may involve:

  • Economic loss (time, effort, resources expended)
  • Losing competitive advantage

Theft of Customer or Contact Lists

This occurs when a departing employee copies or downloads lists of the company’s contacts to either sell or use. An ex-worker may use this information to solicit customers for another organization.

If it is just a basic list of customer contacts using, for example, work emails that are otherwise publicly available, the risk of reputational damage or legal action is moderate unless there were contractual obligations to keep your relationship private. The greatest risk is the loss of customers if the other company begins to use that data to churn them away from you.

However, customer lists may include personally identifiable information, in which case this reputational and legal damage is much greater.

Theft of customer or contact lists may result in:

  • Reputational damage
  • Legal action
  • Financial loss

Theft of Personally Identifiable Information (PII)

Personally identifiable information is any personal information that could be used, on its own or in combination with other pieces of PII, to identify a specific individual. For example, a first name alone would not identify an individual, but a driver’s licence number, or a first name in combination with a postal address, would identify an individual.

Theft of PII involves an employee stealing or sharing sensitive information such as credit card numbers, client lists or other valuable PII to sell to other parties. This may be done to target them for marketing, or for more sinister purposes such as phishing scams or identity theft.

Regardless of why the data was stolen, keeping PII secure is generally considered part of an organisation’s obligations to ensure the privacy of customers, and thus PII security is the subject of an increasing amount of regulation.

Failure to secure PII could lead to:

  • Reputational damage
  • Legal action from customers
  • Regulatory action

Relevant Laws

In addition to company policies, organizations should adhere to the relevant laws in their jurisdiction to avoid costly risks. For example, in the UK, the General Data Protection Regulation (GDPR) requires businesses to protect the personal data and privacy of EU citizens.

While companies may think the GDPR does not apply to them because they do not have a location in the EU, the GDPR applies to any multinational companies that have any employees in the EU. Therefore, businesses even in countries such as Australia or the US are required to comply if they have an establishment in the EU or if they offer goods and/or services in the EU.

The Privacy Act 1988 sets similar standards for data protection in Australia. It requires organizations to protect their customers’ personal information from risks such as:

  • theft
  • misuse
  • interference
  • loss
  • unauthorised access
  • modification
  • disclosure

The GDPR and the Australian Privacy Act 1988 share many common requirements, including to:

  • implement a privacy by design approach to compliance
  • be able to demonstrate compliance with privacy principles and obligations
  • adopt transparent information handling practices

However, there are also some notable differences, including certain rights of individuals (such as the ‘right to be forgotten’) which do not have an equivalent right under the Privacy Act.

All organizations in Australia with an annual turnover of more than $3 million must comply with the Privacy Act. Organizations with an annual turnover of $3 million or less may still be required to comply depending on their business type. For example:

  • private sector health service providers, including complementary therapists, gyms, weight loss clinics, child care centres and private education providers
  • businesses that sell or purchase personal information
  • contractors providing services under a contract with the Australian Government
  • credit providers/credit reporting bodies
  • residential tenancy database operators

Similarly, in the United States, the Federal Trade Commission requires companies to protect customer data under the Safeguards Rule. This protects against unauthorized access or use of information which could lead to substantial harm or inconvenience to the customer. 

Steps Forward

Fraud by its very nature involves deception, making it extremely difficult to detect. In many cases, fraudsters get away with their activities for years.

Employees at any level of the organization may be capable of fraud. An employee may commit fraud against his or her employer without committing any other type of illegal or unethical activity outside of their work life, which makes it difficult to spot someone likely to commit occupational fraud before hiring them; this is an important distinction for HR team members to understand. Additionally, data theft may be an act of opportunity with no warning signs. It is therefore important to have a comprehensive data security program in place.

Top strategies to prevent data theft may include:

  • Implementing Acceptable Use Policies and/or Data Classification and retention policy
  • Security permissions (adopt a ‘minimum permissions’ approach whereby employees have the bare minimum access they need to do their job)
  • Data Loss Prevention (DLP) Software
  • Email monitoring

As an employer, you should be prepared to deal with the theft of client lists or other important information. A clearly drafted confidentiality clause in your employment agreement will make it easier to enforce. If an employee takes confidential information, you may need to:

  • protect the information;
  • discipline the employee or terminate their employment; or
  • pursue legal action.

How Polonious can Help

Virtually no organization is immune to data theft. Whether data breaches are caused by insider threats, a former employee with ongoing access, or external malicious threat actors, every business needs to take proactive measures to protect sensitive information.

All organizations should take steps within their means to proactively address prevention and detection in order to lessen the associated risks. Take a look at 8 Tips for Preventing Internal Fraud for risk management tips.

The Polonious SIU Case Management System (PCMS) brings enhanced case tracking, automation, and reporting to any investigation process, including internal fraud, security breach, or privacy complaint investigation. Using our digital expertise, we enhance investigation procedures and help you navigate the legal and organizational complexities of any investigation.

Additionally, our own data security is ISO 27001 certified, meaning that both the way we handle our client data and the way our software handles your investigation data are certified to that strict international standard.

Data theft and cybersecurity are increasingly one of the top risks to many companies. Internal threats are particularly harmful because they often understand the weaknesses in an organization’s cybersecurity and know the location and nature of sensitive data they can abuse.


Data theft can result in reputational damage, financial loss and legal action for companies. In many cases, this can put their clients and their customer’s data at risk as well.


However, data theft can be as simple as emailing confidential documents to an external party, requiring no significant computer or ‘hacking’ skills.


Sexual Harassment Investigation Guide: Part 1


The National Survey conducted by the Australian Government Department of Social Services revealed that in the last five years, 39% of women and 26% of men have experienced sexual harassment at work. This confirms that sexual harassment is widespread and pervasive.

According to the U.S. Equal Employment Opportunity Commission (EEOC), sexual harassment includes unwelcome sexual advances, requests for sexual favors, and other verbal or physical harassment of a sexual nature. It can also include offensive remarks about a person’s gender. In Australia, the Sex Discrimination Act 1984 outlines the circumstances in which sexual harassment occurs.

Sexual harassment is considered illegal in many jurisdictions, and investigators must take sexual and any other form of employee harassment seriously.

Disturbingly, the reporting of workplace sexual harassment continues to be low. According to the Australian Human Rights Commission, only 17% of people who experienced sexual harassment in the workplace in the last five years made a formal complaint. This highlights the importance of employers taking steps to prevent workplace sexual harassment and to ensure that they respond appropriately when a report is made.

In a series of posts, we will help you understand how to better conduct sexual harassment investigations and protect individuals from risk.

This paper will provide:

  • Step-by-step investigation guide on Sexual Harassment cases
  • Key Documents relevant to sexual harassment investigations

Step-by-step guide for Sexual Harassment Investigations

The investigation can be broken down into the following steps

  • Planning
  • Interview
  • Making a decision
  • Writing a Report

Planning

Important questions to ask yourself may be:

  • Who will investigate?
  • What evidence needs to be collected?
  • Who will be interviewed?

To protect the credibility of the process, you may want to select an investigator who is not close to either party. Choosing an objective third party not only provides a stronger defense for the employer if a case ever goes to court, it can also make it easier for business leaders to make the right decision, even if it means terminating someone in a more senior position.

Organisations should also consider hiring an external investigator, depending on the nature of the allegations and those involved. Engaging an external investigator is advantageous to an organisation in:

  1. maintaining its integrity and reliability, particularly when outcomes are unforeseen; and
  2. obtaining an outside perspective, experience and impartiality, particularly if those responsible for investigating the matter(s) are close to those involved.

As with bullying or other general harassment investigations, it is important at this point to consider if the allegations are serious enough to warrant suspending the respondent in order to reduce the risk of further harm to the alleged victim and other workers, or to prevent interference in the investigation. It is important to have clear provisions for suspension in your discipline policy and process.

Interview

This section will help you understand the:

  • Interview process
  • Credibility assessment

Interview Process

This can be separated into two parts:

  • Planning
  • Execution 

Planning the Interview

  • When preparing interview questions, try to write open-ended questions
  • You may also ask “Were there witnesses? Did others know you were upset by this? Did you talk to family members or friends?”
  • It is best practice to ask 1. Background questions and 2. Specific questions related to the incident

Background Questions

Questions to ask the complainant:

  • What kind of work do you do for the company?
  • What is your job title?
  • How long have you worked for the company?
  • Who is your supervisor?

Questions to ask the alleged harasser:

  • How do you communicate with your employees or co-workers (memos, meetings, one-on-one, etc.)?
  • How would you describe the workplace environment in your department?
  • Is the atmosphere pretty relaxed and easy-going?
  • How do you assign projects to your employees?
  • Does your department work much overtime?
  • How well do you know the employees in your department?
  • Has anything happened lately to disrupt the department’s harmony?

Questions to ask witnesses/third-parties:

  • What is the general workplace atmosphere like in the employee’s group?
  • What style of communication is used by the employee? By his or her supervisor? By other employees?
  • What is the supervisor’s managerial style?
  • How is important information provided to employees?
  • Are there any problems within the department?
  • Have co-workers complained about inappropriate behavior in the department?
  • Have you personally noticed or been offended by inappropriate behavior?
  • Please describe any inappropriate or offensive behavior that you have experienced or witnessed.
  • Are there any calendar pictures or posters displayed which offend you or someone else?
  • Have offensive jokes or comments been made about people in the department?
  • (If the answer to the above question is yes then ask.) Who made these remarks and what was said?

 

Questions Specific to the Incident

 

Questions to ask the complainant:

  • Who, what, when, where, and how: Who committed the alleged harassment? What exactly occurred or was said? When did it occur and is it still ongoing? Where did it occur? How often did it occur? How did it affect you?
  • How did you react? What response did you make when the incident(s) occurred or afterwards?
  • How did the harassment affect you? Has your job been affected in any way?
  • Are there any other persons who have relevant information? Was anyone present when the alleged harassment occurred? Did you tell anyone about it? Did anyone see you immediately after episodes of alleged harassment?
  • Did the person who harassed you harass anyone else? Do you know whether anyone complained about harassment by that person?
  • Are there any notes, physical evidence, or other documentation regarding the incident(s)?
  • How would you like to see the situation resolved?
  • Do you know of any other relevant information?

Questions to ask the alleged harasser:

  • What is your response to the allegations?
  • What is your recollection of the situation(s) in which the alleged incident occurred?
  • If the alleged harasser claims that the allegations are lies, ask what the complainant’s motivation might be for lying.
  • Are there any persons who have relevant information?
  • Are there any notes, physical evidence, or other documentation regarding the incident(s)?
  • Do you know of any other relevant information?

Questions to ask witnesses/third-parties:

  • What did you see or hear? When did this occur? Describe the alleged harasser’s behavior toward the complainant and toward others in the workplace.
  • What did the complainant tell you? When did s/he tell you this?
  • Do you know of any other relevant information?
  • Are there other persons who have relevant information?

 

During the Interview

  • Don’t promise confidentiality to any interviewees, but explain that you will do your best to keep the details of the investigation confidential.
  • Take statements from interviewees when appropriate. Statements can be valuable evidence that supports or refutes the complainant’s story.
  • Ask those you’ve interviewed to keep the conversations confidential.

 

Credibility Assessment

If there are conflicting versions of relevant events, the employer will have to weigh each party’s credibility. Credibility assessments can be critical in determining whether the alleged harassment in fact occurred. According to the U.S. Equal Employment Opportunity Commission, factors to consider include:

Plausibility

Is the individual’s version of the facts believable? Are there inconsistent statements? 

Things to consider:

  • Has the story changed prior to or during the investigation?
  • Is the person being consistent when telling his or her story?
  • Does the accuser’s timing of the alleged events match witnesses’ stories?
  • Is this story still logically plausible when all evidence is taken into account?

Language

The nuances of language and the words chosen when answering questions convey a lot more than the literal content of a statement.

Most people have a psychological aversion to lying, and so may shape their answers to deny an allegation without explicitly lying. For example, ‘I would never do that’ is a very different answer from ‘I didn’t do that’.

Demeanor

Does the individual appear to be telling the truth? Things to consider include non-verbal cues such as voice tone, facial expressions, body language and other cues such as manner and attitude. However, you must be extremely careful when judging demeanor as it is an unreliable indicator of credibility. Interview situations can make people uncomfortable, and they may be nervous or hostile even when telling the truth. 

Motive

Does the individual have a reason to lie?

Things to consider:

  • Has he or she ever lied or fabricated stories to cover for other behaviour?
  • Has he or she ever lied or fabricated stories for personal gain?

Corroboration

Are there documents or other witnesses that support the individual’s version of events? 

Things to consider:

  • Can anyone else verify this story?
  • Is there any evidence to support the accusations?
  • Is there any way the evidence could be falsified or fabricated?

Past records

Do any of the individuals have a prior history of inappropriate conduct or false statements? 

Other important questions to ask yourself:

  • Are both accounts internally/externally consistent?
  • Did the accused have time to do what the victim alleged?
  • Does the victim have any possible motive for falsely implicating the accused?
  • Could the harassment have happened at the time and location specified?
  • Even if there were no witnesses, could the harassment have taken place at the time and location alleged?

Making a decision

There are two things to consider during this process:

  • Whether a company policy was violated or inappropriate conduct occurred
  • Recommended course of action

Whether a company policy was violated or inappropriate conduct occurred:

  • Consider all the evidence collected, including interviews, credibility assessments, documentation, etc.
  • Make sure you are assessing the situation fairly with the information you have.
  • Consult with others to avoid personal bias.
  • Re-interview witnesses to fill in any gaps in information or to probe further where you think there is more to learn.

Determining the course of action:

  • Make work or assignment setting adjustments, or change a reporting assignment if necessary.
  • If the allegations are supported, the employer should take immediate and appropriate corrective action, which could range from a written reprimand to termination of employment depending on the severity and frequency of the misconduct.
  • Even if no determination was made due to inconclusive evidence, the employer should still undertake preventive measures, such as training and monitoring.

Make sure high-position employees such as CEOs are given the same treatment as low-position employees for similar conduct. It’s important to maintain a consistent, procedurally fair process for all employees and all allegations.

Examples of Measures to Stop the Harassment and Ensure that it Does Not Recur:

  • Oral/written warning or reprimand;
  • transfer or reassignment;
  • demotion;
  • reduction of wages;
  • suspension;
  • discharge;
  • training or counseling of harasser to ensure that s/he understands why his or her conduct violated the employer’s anti-harassment policy; and
  • monitoring of harasser to ensure that harassment stops.

Examples of Measures to Correct the Effects of the Harassment:

  • restoration of leave taken because of the harassment;
  • expungement of negative evaluation(s) in employee’s personnel file that arose from the harassment;
  • reinstatement;
  • apology by the harasser;
  • monitoring treatment of employee to ensure that s/he is not subjected to retaliation by the harasser or others in the workplace because of the complaint; and
  • correction of any other harm caused by the harassment (e.g., compensation for losses).

Writing a Report

Create a written report documenting the investigation process, findings, recommendations and any disciplinary action imposed, as well as any corrective and preventive action. Take a look at our article: 12 Things to Include in an Investigation Report 

After you’ve submitted the written report to the decision-maker and determined the appropriate disciplinary action (if any), follow up with both parties. Tell the person who filed the complaint that appropriate action was taken, even if you can’t share the details for privacy reasons.

Check back with that employee regularly to ensure that no further harassment has occurred and that there has been no retaliation, which could trigger additional liability. 

Afford the respondent the same courtesy of follow-up and documentation. Adjust working situations fairly where necessary for the comfort and productivity of all.

Key Documents for Sexual Harassment Investigations

Documents are critical during any investigative process. This section will highlight:

  1. Key documents to collect
  2. Obtaining other facts and evidence
  3. Tips for Record Keeping

Key documents

Documents which may be particularly relevant for your sexual harassment investigation may include:

  • company code of conduct and related policy documents
  • employee files
  • copy of the allegation
  • past complaints
  • past performance evaluations
  • any supporting documents

Consider whether the person making the allegation might be seeking retribution for a poor evaluation. Also evaluate any past complaints against the person being accused. Contact former employees, particularly the individual who previously held the accuser’s job or anyone in the same department who left suddenly without explanation, to find out if they also had problems with the accused employee. 

Other facts and evidence

This may involve interviewing witnesses, and examining evidence such as emails, internet content including social media sites, or camera footage.

Record Keeping

To demonstrate compliance, it is important to maintain records that demonstrate the reasonable steps you have taken to prevent and respond to sexual harassment or suspected sexual harassment in the workplace.

The Polonious Case Management Software ensures your evidence and case files are secure and anonymous, depending on the level of anonymity requested. This is particularly important due to the sensitive nature of sexual harassment investigations.

How Polonious can Help

It is advisable for an employer to keep records of all complaints of harassment. Without such records, the employer could be unaware of a pattern of harassment by the same individual.

The Polonious Case Management Software can provide a consistent process that is procedurally fair for both the complainant and respondent, provides secure evidence management, fully auditable records, and detailed reporting for identifying trends and reporting areas. 

Our secure portal and email integration make investigations easy for investigators, as well as ensuring the employee has a chance to respond to allegations and stay informed throughout the investigative process.

Continue to follow us on our future blogs on Tips for Sexual Harassment Investigation. We will outline interview tips, and how to handle various complaint outcomes.

Alarming statistics show that sexual harassment in the workplace is widespread, pervasive and often underreported. Read our blog to see how to run a better sexual harassment investigation.

Interviews should ask both background questions and specific questions relating to the incident. It is important to practice good record keeping by protecting anonymity and security due to the sensitive nature of the topic.


Workplace Fraud: 22 Types of Financial Statement Fraud


Welcome back to part 3 of our 4-part series on types of Workplace Fraud. The series covers:

    • Asset Misappropriation
    • Corruption
    • Financial Statement Fraud
    • Data, Intellectual Property and Identity Theft

Financial Statement Fraud remains a neglected and unmitigated risk for many organizations, although it is one of the most costly types of fraud as well as the most common. It is important to identify areas of high risk, highlight the most likely schemes, and identify the red flags that warrant further investigation in order to protect yourself and your clients.

What is Financial Statement Fraud?

According to the University of California San Francisco, financial statement fraud is the deliberate over- or understatement of financial statement balances, in many cases to make a company appear to be in better financial condition than it really is, in order to deceive a financial statement user.

 

Meanwhile, the Australian Securities & Investments Commission defines financial statement fraud as deliberately misleading or omitting amounts or disclosures in financial statements in an attempt to deceive financial statement users, particularly investors or creditors. 

Misstatements in the financial statements can arise from either fraud or error. According to the International Auditing and Assurance Standards Board (IAASB), the distinguishing factor between fraud and error is whether the underlying action that results in the misstatement of the financial statements is intentional or unintentional. The International Standard on Auditing ISA 240 highlights the auditor’s responsibilities relating to fraud in an audit of financial statements.

Financial statement fraud takes the form of overstated assets or revenue or understated liabilities and expenses.

These schemes can be divided into two categories:

  • Net Worth/Net Income Overstatements
  • Net Worth/Net Income Understatements

Net Worth/Net Income Overstatements

Overstating assets and/or understating liabilities leads to increased net income on the income statement. This can be broken down into the following categories:

  • Fictitious Revenues
  • Manipulating Timing
  • Concealed Liabilities and Expenses
  • Improper Asset valuations
  • Improper Disclosures

Fictitious Revenues

This occurs when an employee records phony revenues for goods or services that were never delivered. This can occur through:

(a) inventing sales transactions; or

(b) classifying other incomes or gains as sales.

One example is Commission Fraud:

This occurs when an employee inflates sales numbers to receive higher commissions, falsifies sales that did not occur or colludes with customers to record and collect commissions on falsified sales. Stock may be sent on consignment, but booked as a sale. Issuing fictitious invoices for sales that never happened can create recordable sales in the current period.

Potential red flags associated with fictitious revenues include:

  • An unusually large amount of long overdue accounts receivable
  • Outstanding accounts receivable from customers that are difficult or impossible to identify and correct.
  • Significant volume of sales to entities whose substance and ownership is not known
  • An unusual surge in sales by a minority of units within the company.

Manipulating Timing

This occurs when an employee deliberately records revenues or expenses in improper periods.

This may involve:

  • Early revenue recognition
  • Postponing expenses

Early Revenue Recognition

This involves bringing revenues from a later period into the current period, increasing revenues for the current period. By recording revenue early, a dishonest business seller or an employee under pressure to meet financial benchmarks can significantly distort profits. 

Postponing Expenses

This involves delaying booking expenses to the next period, decreasing the expenses and raising profits for the current period. The employee may only record expenses after the invoice arrives from the supplier. To postpone the expenses, the receipt of the invoice is not recognized and may be held in an Inbox until the start of the new period. 

The most common liability that is underreported in an attempt to improve a company’s balance sheet is accounts payable. Techniques that may be utilized to omit accounts payable from the balance sheet include hiding invoices for goods and services received prior to year-end from the auditor and waiting until after the audit is completed.

The more common approaches to timing manipulation schemes are:

  • recording a sale when there are still items or services to be provided;
  • recording a sale before the sale contract has been finalized and before shipment to customers;
  • recording a sale when items are sent on consignment, on approval, or with a right of return;
  • recording a sale to associated parties;
  • recording a sale when an order is received; or
  • issuing invoices for non-existent sales and recording the transaction.

To detect signs of timing manipulation:

  • Look for discrepancies between the quantity of goods shipped and the quantity of goods billed.
  • Examine sales orders, shipping documents and sales invoices; compare prices on invoices with published prices; and note any extensions on sales invoices.
  • Compare the period’s shipping costs with those in earlier periods if you suspect merchandise was shipped prematurely. Significantly higher costs could indicate an early revenue recognition scheme.
  • Sample sales invoices for the end of the period and the beginning of the next period to confirm the associated revenues are recorded in the proper period. If false sales are suspected, reversed sales in subsequent periods and increased costs for off-site storage may provide evidence of fraud.
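The shipped-versus-billed reconciliation and the period cut-off test above can be automated over exported ledger data. The following Python script is an added example, not code from the original article or from Polonious; it constructs a few invoices, shipping records and credit notes for a period ending 2023-12-31 (all identifiers and quantities are made up) and flags quantity mismatches, sales booked before the goods shipped, and sales reversed in the following period.

```python
"""Cut-off and shipping reconciliation checks for revenue-timing red flags.

Constructed example data (not from the article): sales invoices, shipping
records and credit notes for a reporting period ending 2023-12-31.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    customer: str
    invoice_date: date
    qty_billed: int


@dataclass(frozen=True)
class Shipment:
    invoice_id: str
    ship_date: date
    qty_shipped: int


@dataclass(frozen=True)
class CreditNote:
    invoice_id: str
    issued: date


PERIOD_END = date(2023, 12, 31)

# Constructed sample ledger extracts (hypothetical customers and invoice numbers).
INVOICES = [
    Invoice("INV-1001", "Acme Ltd", date(2023, 12, 12), 100),
    Invoice("INV-1002", "Beta Pty", date(2023, 12, 29), 40),    # goods shipped next period
    Invoice("INV-1003", "Gamma Co", date(2023, 12, 30), 25),    # never shipped, reversed in Jan
    Invoice("INV-1004", "Delta Inc", date(2023, 12, 20), 60),   # billed 60, shipped 50
    Invoice("INV-1005", "Acme Ltd", date(2024, 1, 3), 30),      # next period, recorded correctly
]
SHIPMENTS = [
    Shipment("INV-1001", date(2023, 12, 14), 100),
    Shipment("INV-1002", date(2024, 1, 4), 40),
    Shipment("INV-1004", date(2023, 12, 21), 50),
    Shipment("INV-1005", date(2024, 1, 5), 30),
]
CREDIT_NOTES = [CreditNote("INV-1003", date(2024, 1, 15))]


def shipments_by_invoice(shipments):
    """Aggregate possibly partial shipments per invoice: (total qty, latest ship date)."""
    out = {}
    for s in shipments:
        qty, latest = out.get(s.invoice_id, (0, None))
        latest = s.ship_date if latest is None or s.ship_date > latest else latest
        out[s.invoice_id] = (qty + s.qty_shipped, latest)
    return out


def quantity_discrepancies(invoices, shipments):
    """Invoices where the quantity billed differs from the quantity actually shipped."""
    shipped = shipments_by_invoice(shipments)
    result = {}
    for inv in invoices:
        qty, _ = shipped.get(inv.invoice_id, (0, None))
        if qty != inv.qty_billed:
            result[inv.invoice_id] = (inv.qty_billed, qty)
    return result


def cutoff_exceptions(invoices, shipments, period_end):
    """Sales recorded in the period whose goods had not shipped by period end.

    Each exception is (invoice_id, latest_ship_date); the date is None when the
    goods were never shipped, i.e. a possible non-existent sale.
    """
    shipped = shipments_by_invoice(shipments)
    exceptions = []
    for inv in invoices:
        if inv.invoice_date > period_end:
            continue  # belongs to the next period; outside this cut-off test
        _, latest = shipped.get(inv.invoice_id, (0, None))
        if latest is None or latest > period_end:
            exceptions.append((inv.invoice_id, latest))
    return exceptions


def reversed_after_period(invoices, credit_notes, period_end):
    """Period sales that were reversed by a credit note in the following period."""
    in_period = {inv.invoice_id for inv in invoices if inv.invoice_date <= period_end}
    return sorted(cn.invoice_id for cn in credit_notes
                  if cn.invoice_id in in_period and cn.issued > period_end)


def run_checks(invoices=INVOICES, shipments=SHIPMENTS,
               credit_notes=CREDIT_NOTES, period_end=PERIOD_END):
    """Run all three checks and return the findings as one dict for the report."""
    return {
        "quantity_discrepancies": quantity_discrepancies(invoices, shipments),
        "cutoff_exceptions": cutoff_exceptions(invoices, shipments, period_end),
        "reversed_after_period": reversed_after_period(invoices, credit_notes, period_end),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings}")
```

Each flagged invoice is a lead for the document examination described in the list, not proof of fraud on its own.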

Concealed Liabilities and Expenses

Concealed liabilities can include warranties attached to sales, underreported Incurred-but-not-Reported (IBNR) health benefits, or simple omission of liabilities. Examples include:

Expense Reimbursement Fraud

This occurs when an employee makes purchases on a personal card and submits an expense report, overstates expenses, purposefully submits duplicate reports, or creates fictitious expenses for items never purchased. While the amounts may be small to start, they can quickly add up over time if the fraud is not uncovered.

Workers’ Compensation Fraud

Most companies offer health insurance or workers’ compensation to their employees. Sadly, there are employees who try to profit off insurance by filing false claims or lying about injuries and illnesses, resulting in higher premiums and more out-of-pocket expenses for small business owners. 

In this type of fraud, an employee exaggerates injuries or a disability, invents injuries that did not occur or attributes injuries that occurred outside of the work environment to work to receive compensation pay. Polonious is involved in a lot of these investigations on the insurance and investigation firm side, but it is important for the affected businesses to be aware of this type of fraud as well.

     

Procurement Fraud

This type of fraud includes schemes such as over-ordering products then returning some and pocketing the refund, purchase order fraud where the employee sets up a phantom vendor account into which are paid fraudulent invoices, or initiating the purchase of goods for personal use.

This may involve the following scenarios:

  • Employee/Supplier Collusion
  • Conflicts of Interest
  • Fake Companies
  • Inflated Bills / Underdelivery
  • False Statements in Obtaining Contracts

Employee/Supplier Collusion

This occurs when an employee arranges for a good or service with a vendor at either a higher cost than needed, or with a cheaper product. That vendor then “kicks back” money or gifts to the employee for the inflated deal terms.

Conflicts of Interest

This occurs when an employee responsible for vendor selection picks a company with some kind of relationship to them. Learn more about this scheme in part 2 of our 4-part series, Workplace Fraud: 7 Types of Corruption.

Fake Companies

If an employee creates a fake company and issues payments to it, those false costs build up. Oftentimes employees engaging in this fraud will make small payments so as not to raise alarms, and if a company doesn’t have a process to match invoices against purchase orders then it can be easy to commit.

Inflated Bills / Underdelivery

After the initial procurement phase, during the receipt of the contracted work, fraud can be committed either through the approval of inflated invoices or the acceptance of underdelivery. Underdelivery can be substandard work or failure to meet requirements. If an employee accepts subpar material, then that is a form of fraud — just as if they had approved of an inflated bill.

False Statements in Obtaining Contracts

This occurs when an employee makes or accepts false statements when obtaining contracts. Examples of this include misrepresenting a minority contractor or small business status, or a vendor making false statements of compliance. 


Net Worth/Net Income Understatements

Travel and expense budgets are a common target for financial statement fraud. This type of scheme is most commonly perpetrated by sales personnel who overstate or create fictitious expenses in areas such as client entertainment and business travel. 

These schemes typically fall into the following categories:

  • Manipulating Timing
  • Understated Liabilities
  • Improper Asset Valuations
  • Improper Disclosures
  • Expense Reimbursement Schemes

Manipulating Timing

This occurs when an employee minimizes current period earnings on the income statement by deflating revenue or by inflating current period expenses. An employee may do this for reasons such as:

  • dissuading potential acquirers;
  • getting all of the bad news “out of the way” so that the company will look stronger going forward;
  • dumping the grim numbers into a period when the poor performance can be attributed to the current macroeconomic environment;
  • postponing good financial information to a future period when it is more likely to be recognized.

Understated Liabilities

An employee may downplay liabilities, as they represent a company’s financial obligations. For example, borrowers may forget to accrue liabilities for salary or vacation time. Some might underreport payables by holding checks for weeks (or months). This ploy preserves the checking account balance while giving lenders the impression that supplier invoices are being paid.

Improper Asset Valuation

Improper asset valuation schemes involve the improper valuation of inventory, accounts receivable, fixed assets, intangibles, or other assets.

Improper Disclosures

This involves the improper disclosure of material information, such as contingent liabilities, significant events, management fraud, related-party transactions, or accounting changes. 

Expense Reimbursement Schemes

Expense Reimbursement Schemes fall into four general categories:

  • Mischaracterized expenses
  • Overstated Expenses
  • Fictitious Expenses
  • Multiple Reimbursements

Mischaracterized Expenses

This is one of the most common expense frauds and involves submitting a false claim to the employer, typically by presenting personal expenses as business-related expenses. An employee might, for example, charge your company for an expensive dinner with friends, claiming it as a “business dinner”, or expense hotel costs for a business trip they later turn into leisure.

Red flags for mischaracterized expenses include claims for:

  • Items that don’t seem to have a business connection
  • Meals and entertainment when employees aren’t working/travelling, or on weekends or holidays
  • Items or meals for children, or from establishments in the employee’s neighborhood

Overstated Expenses

This type of scheme occurs when an employee over-claims an item that is a legitimate business expense. In this case, an employee may change the amount on a receipt, or “lose” a receipt and submit a claim for a higher amount than was spent.

For example, an employee may have stayed at a lower-price hotel or used lower-cost transportation and then created receipts showing higher-priced methods of transportation or accommodation. 

Potential indicators of overstated expenses include:

  • Incomplete or inadequate expense reports
  • Supporting documents such as receipts that are suspicious and/or show signs of fabrication (e.g. inconsistent font, color, visible correcting fluid/tape, pixelation, scratched out information)

Fictitious Expenses

This occurs when an employee creates a receipt for a product or service they didn’t receive and submits it for reimbursement. They may submit taxi, hotel, or other travel-related receipts despite not having used those services.

An employee may ask a taxi driver for a blank receipt and then fill in the information later. An employee might also create a fake receipt from scratch using an online template, or collude with a merchant to create a receipt for a non-existent purchase.

Here are some signs to look out for:

  • Multiple expense reports submitted close together from the same company, from the same employee
  • Taxi, hotel, flight, or other travel-related receipts for dates and times the employee was known to NOT be on company business
  • Receipt amounts that are significantly higher than similar reports submitted by other employees
  • Expenses that were not pre-approved

Multiple Reimbursements

This scheme involves an employee submitting the same expenses on multiple reports. For example, an employee can receive a reimbursement by submitting a receipt used for business travel. Later, the same employee can submit an email confirmation of reservation or credit card statement as a second proof of payment and get reimbursed twice.

In order to detect this type of fraud:

  • Compare dates, amounts, and payees claimed on one report to those on other reports from the same employee.
  • Look for evidence of the original version of a lost receipt connected to another expense report.
  • Be careful not to accuse the employee before you are sure it was done on purpose, as this type of scheme could occur due to employee error.
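As an added illustration of the comparison described above (example code, not part of the original post or of Polonious’ product), the following Python check groups constructed expense claims by employee and flags any two claims filed on different reports that share a date, amount and payee, whatever document was attached to each (receipt, e-mail confirmation, card statement). It reports matches as candidates for review rather than findings, since the overlap may be an honest error.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Claim:
    """One line item on an expense report (constructed sample schema, not Polonious')."""
    employee: str
    report_id: str
    date: str      # ISO date as submitted
    amount: float
    payee: str
    proof: str     # e.g. "receipt", "email_confirmation", "card_statement"


def normalize_payee(name: str) -> str:
    # Fold case, whitespace and punctuation so "Hilton Sydney" and "HILTON SYDNEY." match.
    return "".join(ch for ch in name.lower() if ch.isalnum())


def find_duplicate_reimbursements(claims):
    """Return (earlier_claim, later_claim) pairs filed on different reports by the same
    employee with matching date, amount (to the cent) and payee. Candidates for review."""
    by_employee = defaultdict(list)
    for c in claims:
        by_employee[c.employee].append(c)
    matches = []
    for emp_claims in by_employee.values():
        for a, b in combinations(emp_claims, 2):
            if a.report_id == b.report_id:
                continue  # two lines on one report is a different question (may be a split)
            if (a.date == b.date and round(a.amount, 2) == round(b.amount, 2)
                    and normalize_payee(a.payee) == normalize_payee(b.payee)):
                matches.append((a, b))
    return matches


# Constructed sample data: a hotel receipt reimbursed on one report, then the booking
# e-mail for the same stay submitted as "proof" on a later report.
SAMPLE_CLAIMS = [
    Claim("j.doe", "R-101", "2024-03-04", 240.00, "Hilton Sydney", "receipt"),
    Claim("j.doe", "R-101", "2024-03-04", 38.50, "Cab Co", "receipt"),
    Claim("j.doe", "R-107", "2024-03-04", 240.00, "HILTON SYDNEY.", "email_confirmation"),
    Claim("a.ng", "R-102", "2024-03-04", 240.00, "Hilton Sydney", "receipt"),
]

if __name__ == "__main__":
    for a, b in find_duplicate_reimbursements(SAMPLE_CLAIMS):
        print(f"{a.employee}: {a.report_id} ({a.proof}) and {b.report_id} ({b.proof}) "
              f"both claim {a.amount:.2f} to {a.payee} on {a.date}")
```

The same-date/amount/payee claim filed by a different employee is deliberately not flagged, since the check is per employee as the list above describes.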

Further signs which may indicate Financial Statement Fraud include anomalies in:

  • Profitability
  • Cash Flows
  • Assets
  • Liabilities
  • Relations between financial statement items

Going Forward

Financial statement fraud can be an easy scheme to perpetrate, by simply doctoring a receipt or changing a date on an invoice. It can take some time for such schemes to become apparent, at which point there can be significant issues. If you suspect there may be financial statement fraud schemes within your organization, you need to collate and compare all your statements to check for any anomalies, and particularly any patterns to these anomalies.

With such a large amount of evidence to go through, it is important to have a system to securely manage your evidence and ensure that your process is rigorous. Polonious’ case management system allows you to securely store documentary evidence including invoices, scanned or PDF receipts, and so on, and preview them within your browser, while our workflows ensure all fraud investigations follow a rigorous process.

Financial Statement Fraud remains a neglected and unmitigated risk for many organizations as it is one of the most costly types of frauds despite being the most common.

Financial statement frauds are one of the easiest schemes an employee can perpetrate.

Financial Statement Fraud can involve the manipulation of timing, assets and liabilities.