Human nature being what it is, incidents of serious employee theft or fraud will occur at some point in any large organization. Like other crises and problems, internal theft and fraud are as unexpected as they are unwelcome. Oftentimes, investigation and follow-up actions are poorly handled, compounding the harm suffered by the company.

Although any theft or fraud presents its own unique pattern and concerns, proper planning can help ensure that such matters are addressed thoroughly, minimizing the disruption to the business and maximizing the chances of full recovery. To help ensure sound decision-making, management should establish a protocol or otherwise consider the following guidelines for addressing serious cases of employee theft.

1. Form a Task Group to Address the Situation

The task group should focus on the following business objectives:

- Determining what took place (who, what, where, when, how, and why?)
- Ensuring that the fraud has been stopped
- Ascertaining and pursuing sources of recovery, including insurance
- Recommending appropriate remedial measures to prevent reoccurrences

In a large organization, the task group should include individuals from the legal, security, risk management, internal audit, and human resources departments. Other potential members could include the business unit head, a corporate communication professional, or other appropriate people. The group should exclude any managers or others who might have a personal or professional stake in the outcome. For example, if fraud occurred in a purchasing department, it might be better to exclude the manager of that department from the decision-making process.

Focusing on the business objectives from the start will expedite necessary actions and will ensure that the affected business unit gets through the process with minimal disruption.

2. Obtain Appropriate Professional Assistance

The purpose of forming a task group with many different professional backgrounds is to ensure that all contingencies are discussed and that the company’s planned actions are considered properly. In weighing the issues, the task group must decide whether outside expertise is needed. Such experts could include specialized legal counsel, investigators, forensic technology specialists, and insurance claim specialists. The task group’s actions will be expedited if they have identified outside experts in advance.

The need to seek good advice cannot be overstated. If management acts too hastily, important evidence could be lost or destroyed, innocent people could be falsely accused, careers could be ruined, witnesses could be threatened, or the organization could be sued for libel, invasion of privacy, or wrongful discharge. Conversely, obtaining good advice and using experienced professionals maximizes the company’s chances of getting an accurate picture of the facts. The company then can make the best decisions, avoid unnecessary disruptions to the workplace, and increase the possibility of a full insurance recovery.

3. Review Fidelity Insurance Policy and Notify Carrier

The task group should review the company’s financial institution bond or commercial crime policy in light of the allegations received. Generally, the financial institution bond requires that the insured give notice of loss to the insurer not more than 30 days after discovery of loss and furnish proof of loss within six months after discovery. The recent commercial crime policy forms typically require that the insured give notice as soon as possible and provide proof of loss within 120 days after the insured discovers a loss.

What constitutes “discovery” is not always defined exactly, and the form of notice is dictated by the policy. Answers to coverage and notice questions and proof-of-loss requirements should be sought at the earliest opportunity. In this regard, the task group should ask the assistance of their insurance broker’s claim advisory professionals or counsel. Because late notice may be grounds for denial of an otherwise valid claim, early understanding of the notice requirements of your policy is crucial.

The risk manager or other appropriate official must notify the company’s insurance carrier of the potential loss in accordance with the Notice of Loss Reporting provisions of the insurance policy. Notice should be made to the carrier in consultation with the company’s insurance broker. If necessary, requirements of the policy for establishing proof of loss also should be clarified with the carrier at this time. Additional actions necessary to avoid prejudicing the carrier’s rights should be considered and discussed with the carrier.

4. Develop an Action Plan

Before taking any actions, the task group should develop a plan. What investigative steps should be taken? Who will perform what tasks? Who should be interviewed? In what order? What documents need to be reviewed? How will they be secured? Should e-mail and other digital evidence be seized? When will the target become aware of the investigation? What actions will be taken with respect to the target during the investigation? Does the audit committee need to be informed? Do regulators need to be informed? When? Have appropriate security precautions been taken? These and other questions should be considered prior to commencing the investigation.

The level of proof needed for full insurance recovery should be reviewed as part of the action plan. It is important to keep in mind that the carrier will require proof that wrongdoing occurred, a causal link to a corresponding loss, and quantification of the loss. Likely, the carrier also will request the personnel file of the employee and will be interested to know whether the company had prior knowledge of dishonesty on his part. Such prior knowledge could be grounds for denial of the claim.

A good plan of action always should include provisions for contingencies. It also should be noted that the plan may require modifications as events move forward.

5. Conduct a Thorough Investigation

Proper planning combined with good execution will minimize the chances of the investigation’s going badly. The task group should appoint experienced professionals to conduct the investigation. The investigative team, which can comprise internal or external professionals or a combination of both, should have a designated leader to ensure clear lines of authority for making decisions. The investigation should focus first on securing evidence. It then should seek to obtain as much information as quickly as possible so that the organization can begin to take appropriate action. Investigative steps may need to be synchronized with security and personnel actions.

The task group should be apprised regularly of the progress of the investigation. At the appropriate point, preliminary results should be brought to the task group for management action. A more thorough review of how the situation was allowed to happen then is possible.

6. Consider Notifying Authorities

For the most part, reporting theft or fraud to the authorities is a matter of company discretion. Generally, the law does not require companies to report such activity. Fidelity insurance policies do not require reporting employee theft or fraud to law enforcement as a condition for recovery. If, however, the company is a regulated entity, such as a defense contractor, bank, or brokerage firm, it may be required by law or regulation to notify the appropriate regulatory authority. The task group should discuss the nature and timing of this notification with competent counsel.

Although not required, a company may desire to notify federal, state, or local prosecuting authorities of a theft or fraud in certain circumstances. Law enforcement could help to recover lost funds or to investigate the matter more fully. Prosecutors can issue subpoenas and obtain bank and other records that ordinarily would not be available to companies or private individuals. Prosecutors can seek court approval for wiretaps, search warrants, and other investigative techniques that might be more effective than the resources the private sector can bring to bear.

Many companies report theft and fraud to the authorities because they want to prosecute the wrongdoers and send a message to employees that such actions will not be tolerated. In these circumstances, the company should substantially complete its own investigation prior to notifying the authorities. Given the scarcity of prosecutorial resources, it often is difficult to get the authorities interested in a case that requires considerable investigation. Furthermore, the prosecutor’s investigation could delay any actions the company may wish to take, including the gathering of information needed for insurance recovery. Once the authorities become involved, the process often is prolonged and the investigation is effectively out of the company’s control.

The decision to involve law enforcement should be made only after careful deliberation and consultation with counsel. The task group should not assume that the authorities would conduct a full investigation of the matter. By virtue of their job descriptions, prosecutors will be focused on different goals than the company. Their goal is to be able to present enough evidence to gain a conviction. They may not want to spend the additional time to investigate the full extent of the loss and, as a result, may fail to uncover the information that the company needs to procure a full insurance recovery.

7. Work With Authorities

If the company decides to turn an active case over to the authorities prior to completion of its investigation, it should try to establish a dialogue and alert the prosecutor to the information that it needs to make a full insurance recovery. The company also should request that any plea agreement include a full statement under oath by the defendant admitting to the crime in its entirety and to the total amount stolen. This could prove to be very useful for the company in presenting its claim to the insurance carrier.

The company should make copies of all documents provided to the authorities and, in most cases, should continue with its own internal investigation. In doing so, an organization should consult continually with competent counsel and the authorities to ensure proper coordination and cooperation.

8. Public Companies May Need to Notify Auditors

Under the recent Sarbanes-Oxley legislation, public companies are required to disclose serious incidents of theft or fraud to their audit committees and outside auditors. The CEOs and CFOs of public companies are required to certify in their 10-Q and 10-K reports to the Securities and Exchange Commission that they have disclosed to their auditors and audit committees “any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls.” The statutory language appears to include almost any theft or fraud by all but the most junior employees.

9. Review Internal Controls, Policies, and Procedures to Prevent Reoccurrence

Following the initial investigation, the task group should review how the theft or fraud occurred. The task group should select appropriate professionals, including internal auditors, to conduct this broader review. Under Sarbanes-Oxley, if significant deficiencies or material weaknesses in internal controls are discovered, the CEO and CFO must report these deficiencies and the corrective action taken.

10. Take Appropriate Corrective Action

Once the investigation is completed, the task group should report to management with its recommendations. Such recommendations could include employee disciplinary actions including possible termination, referral to the authorities for prosecution, initiation of new internal control procedures, or litigation. In all cases, the corrective action should send a strong message that the organization will not tolerate acts of theft or fraud.

Insurance carriers often will question a company’s response to internal theft or fraud. Carriers are likely to inquire about the corrective actions taken. Moreover, if a company has sustained a significant fidelity loss, the insurance carrier almost certainly will revisit the issue at the time the policy is up for renewal.

No two incidents of theft and fraud are alike, so they all must be addressed differently. These guidelines do not provide all the answers to dealing with such problems. However, by following this framework, your organization will make better decisions and put itself in a stronger position.

Bill Henderson and Ray Rodriguez are with the Risk Consulting Practice at Marsh, Inc.