7 Steps for Conducting a Fraud Investigation

By Tim L. Bryan, CPA, CFF; Caitlin L. Poirier, J.D., CFE; and Chelsea S. Wiese, CPA, CFE
| 11/19/2019

The healthcare industry ranks fourth among all industries for number of occupational fraud cases reported annually, with most cases occurring in the areas of corruption and billing schemes.[1] Past data has shown that in the United States, healthcare fraud costs approximately $68 billion each year – approximately 3% of the nation’s healthcare spending.[2]

Healthcare organizations today need to be prepared to react and respond quickly to a fraud allegation to avoid costly risks such as negative financial impacts and damage to organizational reputation. The following framework outlines seven steps an organization can follow to conduct a fraud investigation. Although the framework is not comprehensive, an organization can customize and expand upon the framework to fit its situation.

Step 1: Receive and react to an allegation

Healthcare fraud investigations typically begin with formal allegations, which might come from a wide variety of sources. It’s estimated that 40% of fraud detection comes from tips, with the majority of tips coming from employees.[3] External parties such as vendors or customers might also be sources of tips.

Potentially fraudulent activity might be uncovered during a routine internal or external audit. Allegations also might be reported directly to management or the compliance department. For example, departing employees might disclose fraud allegations during exit interviews. In addition, fraud allegations might come to the organization directly from law enforcement.

To account for the sensitive nature of fraud claims and mitigate any potential fears of retaliation, organizations should establish a method by which individuals can report allegations anonymously. Allegations that management or compliance teams receive directly from employees, whether written or verbal, should be documented and communicated to appropriate parties for further investigation.

Step 2: Establish an investigative team

Regardless of the source of the allegation, the organization must establish a team of individuals who have the appropriate expertise needed to conduct a successful investigation. The team most likely will comprise internal and external parties, depending on the nature of the allegations, the magnitude of the potential financial or business risk, and the organization’s size.

Team members should have clearly defined roles and responsibilities. In addition, at the onset of the investigation, the team should establish one primary point of contact. This individual will be responsible for managing the flow of communication and distributing information between internal and external stakeholders during the investigation. Therefore, the point person should have an appropriate level of authority to make decisions on behalf of the organization or in consultation with senior management. The appointed individual also should have time to devote to the investigation, which could consume his or her entire schedule.

Examples of typical external and internal parties who make up an investigation team include:

  • General counsel
  • Internal audit team members
  • Compliance officer
  • External counsel
  • External consultants such as forensic accountants, technology specialists, public relations professionals, and other subject-matter specialists
  • Members of law enforcement

Step 3: Conduct a preliminary assessment

Once the team has been established, it should conduct initial discussions to obtain background information about the fraud allegation. The purpose of these discussions should be to:
  • Understand the context of the issue
  • Reveal the identity of individuals with relevant information
  • Establish the availability of evidence
  • Define the organization’s end goal as a result of conducting the investigation

Some typical questions the team might ask at this point in the investigation include:

  • Does the organization plan to pursue civil or criminal litigation?
  • If an employee is involved, does the organization plan to terminate the employee on the basis of the findings?
  • Does the organization plan to file an insurance claim to recover any losses?

Answers to these and other questions will aid investigators in developing a preliminary scope of the investigation. The scope likely will change as the investigation moves along and as new information is uncovered. Questions will need to evolve over time, and the scope must be reassessed and updated accordingly.

Step 4: Preserve and collect evidence

Once an organization is aware of a fraud allegation, it is important to take steps to preserve any electronic and hard copy evidence that might exist. Examples of evidence include:
  • Network files
  • Documents stored on a subject or employee’s hard drive
  • Email
  • Email archives
  • Text messages or other communications stored on company-issued assets such as cellphones or tablets

Steps for preserving evidence may differ depending on whether the organization plans to terminate the subject, place the subject on administrative leave, or take no immediate action toward the subject until the investigation is completed.

  • If an employee is terminated at the start of an investigation, efforts should be made to collect all company-issued electronic devices in the individual’s possession. The devices should be locked under the custody of the investigative team’s primary point of contact. The terminated employee’s access to the organization’s network should be revoked immediately.
  • If an employee is placed on administrative leave with pay, the organization should back up the individual’s email and hard drive files.
  • If an employee is neither terminated nor placed on leave but, rather, is kept on staff and unaware of the investigation, efforts should be made to covertly access the employee’s electronic devices to the extent they are available on company premises. Conducting a search of the employee’s office or workplace also is recommended.

Step 5: Analyze financial, business, and electronic records

The investigative team should develop a comprehensive approach to analyzing financial, business, and electronic records that are applicable to the fraud investigation. The organization should use an analytic approach that combines rules-based analytics, algorithms based on machine learning, and data visualizations to identify fact patterns.

Investigative teams also should consider an effective approach to analyzing electronically stored information. This type of analysis might be conducted in-house or through a third-party e-discovery vendor using software that can extract and analyze data that is relevant to the investigation.

Step 6: Conduct interviews

Interviews of fact witnesses and the subject under investigation should be planned carefully. It is a good idea to conduct interviews after most of the financial, business, and electronic records have been analyzed, so the questions can be more focused. Considerations about conducting interviews include:
  • Should an in-house lawyer be present during employee interviews?
  • When should the interviews occur?
  • What is the appropriate order of the interviews?
  • When should interviews be scheduled concurrently?
  • Who should communicate the logistics of the interviews to interviewees?
  • When should the interviewees be notified?

Step 7: Report the findings

When the investigation has concluded, and while the investigative team is drafting the report, it’s important to consider the intended audience. In addition to internal stakeholders such as management and the board, external stakeholders such as insurance companies, law enforcement, and regulatory agencies might see the report.

For example, reports can be used to file claims to insurance companies to recover losses resulting from employee theft. Review any requirements of the organization’s insurance company at the onset of an investigation and during the reporting phase. Policy considerations to keep in mind include coverage periods and loss limits.

If the organization decides to pursue criminal action against a subject, it is common practice to use the investigative report to refer the case to law enforcement. Finally, depending on the severity or complexity of the crime, local, state, or federal agencies might take an interest in the case. In addition to the report, all original evidence should be preserved carefully.

Have a plan

Adopting a framework such as the one outlined here is vital to an organization’s ability to conduct a successful fraud investigation. In addition, the organization should consider carefully whether it has the needed expertise in-house to conduct a complex investigation or whether it should work with nonbiased third-party specialists.

The healthcare industry is experiencing unprecedented fraud. Being prepared should a fraud allegation occur will go a long way toward avoiding potential risk and even preventing fraud in the future.



[1] “Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse,” Association of Certified Fraud Examiners Inc., 2018, p. 24, https://www.acfe.com/report-to-the-nations/2018/default.aspx

[2] “The Problem of Health Care Fraud: Consumer Alert: The Impact of Health Care Fraud on You!” National Health Care Anti-Fraud Association, http://web.archive.org/web/20110209140325/http://www.nhcaa.org:80/eweb/DynamicPage.aspx?webcode=anti_fraud_resource_centr&wpscode=TheProblemOfHCFraud

[3] “Report to the Nations,” p. 4.
