Human nature being what it is, incidents of serious employee theft or fraud will occur at some point in any large organization. Like other crises and problems, internal theft or fraud is as unexpected as it is unwelcome. Investigation and follow-up actions are oftentimes poorly handled, compounding the harm suffered by the company.

Although any theft or fraud presents its own unique fact pattern and concerns, proper planning can help ensure that the matter is properly addressed, minimizing the disruption to the business and maximizing the chances of a full recovery. To help ensure sound decision-making, management should establish a protocol¹ or otherwise consider the following guidelines for addressing serious cases of employee theft or fraud:

1. Form a Task Group to Address the Situation. A task group should be convened with the specific responsibility of addressing the contingency. The task group should focus on the following business objectives:
   
   • Determining what took place (who, what , where, when, how, and why)
   • Ensuring that the fraud has been stopped
   • Ascertaining and pursuing sources of recovery, including insurance
   • Recommending appropriate remedial measures to prevent a reoccurrence
   
   In a large organization, the task group ideally should include individuals from the legal, security, risk management, internal audit, and human resources departments. Other potential members could include the business unit head, a corporate communications professional, or other appropriate persons. The group should designate a leader in advance to facilitate the formation and activities of the group. The group should exclude any managers or other persons who might have a personal or professional stake in the outcome. For example, if a fraud occurred in a purchasing department, it might be better to exclude the manager of that department from the decision making process.
   
   Focusing on the business objectives from the start will expedite necessary actions and will ensure that the affected business unit gets through the process with minimal disruption.
   
   
2. Obtain Appropriate Professional Assistance. The purpose of forming a task group with many different professional backgrounds is first and foremost to ensure that all contingencies are discussed and the company's planned actions are properly considered. In weighing the issues, the task group must initially decide if outside expertise is needed. Such experts could include specialized legal counsel, investigators, forensic technology specialists, and insurance claims specialists. The task group's actions will be expedited if they have identified outside experts in advance of the contingency.
   
   The need to seek good advice cannot be overstated. If management acts too hastily, important evidence could be lost or destroyed, innocent people could be falsely accused, careers could be ruined, witnesses could be threatened, or the organization could be sued for libel, invasion of privacy, or wrongful discharge. Conversely, obtaining good advice and using experienced professionals maximizes the company's chances of getting an accurate portrayal of the facts. The company can then make the best decisions, avoid unnecessary disruptions to the workplace, and increase the possibility of a full insurance recovery.
   
   
3. Review Your Fidelity Insurance Policy and Timely Notify Your Carrier. The task group should review the company's Financial Institution Bond or Commercial Crime Policy in light of the allegations received. Generally, the Financial Institution Bond requires the insured to give notice of loss to the insurer not more than 30 days after discovery of loss and to furnish proof of loss within six months after discovery. The recent commercial crime policy forms typically require the insured to give notice as soon as possible and provide proof of loss within 120 days after the insured discovers a loss.
   
   What constitutes "discovery" is not always clear cut and the form of notice is dictated by the policy. Answers to coverage and notice questions and proof-of-loss requirements should be sought at the earliest opportunity. In this regard, the task group should seek the assistance of their insurance broker's claims advisory professionals and/or counsel. Because late notice may be ground for denial of an otherwise valid claim, early understanding of the notice requirements of your policy is crucial.
   
   The risk manager or other appropriate official must timely notify the company's insurance carrier of the potential loss in accordance with the Notice of Loss Reporting provisions of the insurance policy. Notice should be made to the carrier in consultation with the company's insurance broker. If necessary, requirements of the policy for establishing proof of loss should also be clarified with the carrier at this time. Additional actions needed to be taken to avoid prejudicing the carriers rights should also be considered and discussed with the carrier.
   
   
4. Develop an Action Plan. Before taking any actions, the task group should take time to develop a plan. What investigative steps should be taken? Who will perform what tasks? Who should be interviewed? In what order? What documents need to be reviewed? How will they be secured? Do e-mails and other digital evidence need to be seized? When will the target become aware of the investigation? What actions will be taken with respect to the target during the investigation? Does the audit committee need to be informed? Do regulators need to be informed? When? Have appropriate security precautions been taken? These and other questions should be considered prior to commencing the investigation.
   
   The level of proof needed for full insurance recovery should be reviewed as part of the action plan. It is important to keep in mind that the carrier will require proof that wrongdoing occurred, a causal link to a corresponding loss, and quantification of the loss. The carrier will also likely request the personnel file of the employee and will be interested to know whether the company had prior knowledge of dishonesty of the employee. Such prior knowledge could be ground for denial of the claim.
   
   A good plan of action should always include provisions for contingencies. It should also be noted that the plan would likely need to be modified as events move forward.
   
   
5. Conduct a Thorough Investigation. Proper planning combined with good execution will minimize the chances of the investigation going badly. The task group should appoint experienced professionals to conduct the investigation. The investigative team, which can comprise internal or external professionals or a combination of both, should have a designated leader to ensure clear lines of authority for decision-making. The investigation should first focus on securing evidence. It should then seek to obtain as much information as quickly as possible so the organization can begin to take appropriate action. Investigative steps may need to be synchronized with security and personnel actions.
   
   The task group should be regularly apprised of the progress of the investigation as it proceeds. At the appropriate point, preliminary results should be brought to the task group for management action. A more thorough review of how the situation was allowed to happen and which controls were impacted can then proceed.
   
   
6. Consider Notifying Authorities. Reporting theft or fraud to the authorities is, for the most part, a matter of company discretion. Generally, the law does not require companies to report such activity. Fidelity insurance policies do not require reporting employee theft or fraud to law enforcement as a condition for recovery. If the company is a regulated entity such as a defense contractor, bank, or brokerage firm, however, it may be required by law or regulation to notify the appropriate regulatory authority. The task group should discuss the nature and timing of this notification with competent counsel.
   
   Although not required, a company may desire to notify federal, state, or local prosecuting authorities of a theft or fraud in certain circumstances. Law enforcement could help to recover lost funds or to more fully investigate the matter. Prosecutors can issue subpoenas and obtain bank and other records that would not ordinarily be available to companies or private individuals. Prosecutors can seek court approval for wiretaps, search warrants, and other investigative techniques that might be more effective than the resources the private sector can bring to bear.
   
   Many companies report theft and fraud to the authorities not because they need the government's assistance, but because they want to prosecute the wrongdoers and send a message to employees that such actions will not be tolerated. In these circumstances, the company should substantially complete its own investigation prior to notifying the authorities. Given the scarcity of prosecutorial resources, it is often difficult to get the authorities interested in a case that requires substantial investigation. Further, the company may not want the prosecutor's investigation to delay any actions it may wish to take, including the information gathering needed for insurance recovery. Once the authorities become involved, the process is often prolonged and the investigation is effectively out of the company's control.
   
   The decision to involve law enforcement should be made only after careful deliberation and consultation with knowledgeable counsel. The task group should not assume that the authorities would conduct a full investigation of the matter. By virtue of their job description, prosecutors will be focused on different goals than the company. Their goal is to be able to present enough evidence to gain a conviction. They may not want to spend the additional time to investigate the full extent of the loss and, as a result, may fail to uncover the information that the company needs to gain a full insurance recovery.
   
   
7. Work With the Authorities. If the company decides to turn an active case over to the authorities prior to completion of its investigation, it should try to establish a dialogue and alert the prosecutor to the information it needs to make a full insurance recovery. The company should also request that any plea agreement include a full statement under oath by the defendant admitting to the crime in its entirety and the total amount stolen. This could prove to be very useful for the company in presenting its claim to the insurance carrier. The company should also request that the plea deal include a full debriefing of the facts from the defendant, including the disposition of the stolen funds or assets and an order of restitution to make the organization whole.
   
   The company should make copies of all documents provided to the authorities and, in most cases, should continue with their own internal investigation. In doing so, an organization should continually consult with competent counsel and the authorities to ensure proper coordination and cooperation.
   
   
8. Public Companies May Need to Notify Their Audit Committees and Auditors. Under the recent Sarbanes-Oxley legislation, public companies are required to disclose serious incidents of theft or fraud to their audit committee and outside auditors. The CEOs and CFOs of public companies are required to certify in their 10Q and 10K reports to the Securities Exchange Commission that they have disclosed to their auditors and the audit committee "any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls." The statutory language appears to include almost any theft or fraud by all but the most junior employees.
   
   
9. Review Internal Controls, Policies, and Procedures to Prevent a Reoccurrence. Following the initial investigation, the task group should review more thoroughly how the theft or fraud occurred and the control weaknesses that took place. The task group should select appropriate professionals, including internal auditors, to conduct this broader review. Corrective action can then follow. Under Sarbanes-Oxley, if significant deficiencies or material weaknesses in internal controls are discovered, the CEO and CFO must report these deficiencies and the corrective action taken.
   
   
10. Take Appropriate Corrective Action. Once the investigation is completed, the task group should report to management with its recommendations. Such recommendations could include employee disciplinary actions including possible termination, referral to the authorities for prosecution, initiation of new internal control procedures, litigation, etc. In all cases, the corrective action should send a strong message that the organization will not tolerate acts of theft or fraud.
    
    After an investigation is complete, insurance carriers often will question a company's response to internal theft or fraud. Carriers are likely to inquire about the corrective actions taken when adjusting a loss. Moreover, if a company has sustained a significant fidelity loss, the insurance carrier will almost certainly revisit the issue at the time the policy is up for renewal.