The landscape of compliance investigations: fraud investigations today
What do we mean by forensic fraud investigations?
When we talk about fraud investigations, we often refer to forensic investigations. In the private sector, forensic investigations focus on the independent and in-depth analysis of financial, administrative, and digital data. The aim is to identify potential fraud, misconduct, or irregularities within organizations. This type of investigation combines accounting and financial expertise with investigative skills. In this way, investigators can reconstruct facts, recognize patterns, and gain insight into causes and consequences. The outcomes are not only used to prove or rule out fraud, but also to support organizations in decision-making, internal control, and potential civil proceedings.
A new reality and growing risks for organizations
Fraud remains a real and growing risk for organizations in the private sector. Digitalization, hybrid working, and international corporate structures create opportunities for efficiency, but at the same time increase vulnerability to financial and other forms of fraud. Where fraud was once often limited to simple embezzlement or false expense claims, we now see more complex constructions. These increasingly involve a combination of digital traces, internal processes, and human factors (online).
Studies show that online fraud and scams have increased significantly since 2014, particularly in the areas of purchase fraud, misuse of online payment methods, and identity fraud. At the same time, trend reports indicate that more than three-quarters of companies in the Benelux have faced fraud attempts in the past two years. The financial impact of these incidents continues to grow.
Fraud remains one of the most persistent risks within organizations. Remarkably, the way fraud is detected has hardly changed over the years. Various international studies, including the annual ACFE Report to the Nations, show that approximately 40% of fraud cases are still uncovered through tips and whistleblower reports. Employees, customers, and suppliers therefore play a crucial role in identifying misconduct, often earlier than internal controls or audits.
Although the way fraud is detected has barely changed, the execution of forensic investigations has evolved significantly. The work has become almost entirely digital. eDiscovery (the legal review of digital data) and AI play a central role in this process. At the same time, requirements relating to privacy and evidentiary standards have become stricter than ever. Below, we first outline these trends. We then provide a detailed description of what a forensic investigation looks like in today’s practice, from engagement letter to reporting.
New trends in forensic investigations
Fraud can increasingly no longer be captured in simple accounting errors or isolated transactions. Due to digital traces, complex organizational structures, and rapidly growing volumes of data, forensic investigations in the private sector are also changing. Investigators must work faster, smarter, and with greater technological expertise to identify hidden patterns and subtle signals. These developments are driving significant changes in how organizations detect, investigate, and attempt to prevent fraud.
Three clear trends stand out:
- Online and hybrid forms of fraud are increasing. Examples include phishing and fake payment requests, misuse of online trading platforms, concealing fraud through corporate structures, and improper declarations within healthcare and subsidy schemes. These forms of fraud increase complexity and require an integrated approach. Investigators therefore combine financial investigation with digital analysis and open-source intelligence (OSINT) to make relationships, money flows, and involved parties visible.
- eDiscovery is developing into a key discipline for reducing and analyzing enormous volumes of electronic data. AI and language models help investigators quickly identify relevant documents, conversations, and patterns.
- Forensic readiness is gaining a more prominent place on the agenda. Studies and practical cases show that organizations without proper logging, appropriate retention periods, clear access rights, and solid agreements with external IT service providers struggle to reconstruct a complete and reliable picture after an incident.
Against this background, it is relevant to examine step by step how a forensic fraud investigation unfolds in practice. At the same time, we provide insight into how we approach such investigations.
From engagement to investigation plan
An investigation usually starts with a signal. This may be an internal finding from controls, a report via a whistleblower channel, a remarkable transaction, or a request from an external party, such as a regulator or subsidy provider. The first (or second) contact with the forensic investigator takes place during an intake meeting. In this meeting, the facts, context, and legal framework are clarified. This includes what exactly has been identified, which period and systems may be affected, and whether there is a risk of criminal implications or regulatory enforcement.
Based on this intake, the parties prepare an engagement letter and an investigation plan. These documents define the objective, scope, roles, planning, and deliverables. They also address conditions related to data processing and privacy. This includes the categories of personal data likely to be processed, the applicable legal basis under the GDPR, any restrictions on access to mailboxes and private devices, and whether a DPIA is required. In practice, this aspect often proves to be a weak point. Organizations want investigations to be carried out, but do not always have a clear process in place to act quickly and lawfully when an incident occurs, especially when IT is partly outsourced.
Financial forensic investigation
Financial forensic investigation often forms the backbone of the factual analysis. Investigators analyze, among other things, general ledger entries, project administration, payment flows, procurement and sales files, expense claims, and contracts. The aim is to identify unusual patterns. In cases involving misuse of subsidy schemes or healthcare budgets, investigators may, for example, compare declared hours with services actually delivered. Illogical money flows through intermediary entities also receive attention.
Using data analytics, investigators identify anomalies such as unusual journal entries, round amounts just below authorization limits, fictitious or duplicate suppliers, abnormal margins, and circular transactions between related parties. Visualizations of money flows and network analyses of relationships between legal entities and natural persons help make complex constructions understandable. This is particularly relevant when companies are used as a front for money laundering or VAT carousel fraud.
It is essential that investigators properly document the analytical methods they use and ensure that these methods are reproducible. Only then can findings withstand scrutiny by auditors, regulators, or courts. When deploying new AI techniques, it is therefore crucial to understand the underlying models to meet reproducibility requirements.
Digital forensic investigation and eDiscovery
Digital traces play a role in almost every investigation. Examples include email traffic, chat messages, access logs, document versions, CRM or ERP data, cloud storage, and sometimes mobile phones. Digital forensic investigation focuses on securing, analyzing, and interpreting this data, with strict attention to chain of custody, data integrity, and privacy.
For large datasets, investigators use eDiscovery to search through vast amounts of user-generated data, particularly email traffic. This process reduces data volumes and brings the most relevant subset to the surface. eDiscovery is the process of systematically identifying, preserving, searching, and analyzing electronically stored information for use in investigations, disputes, or legal proceedings. Platforms such as Relativity and Reveal support deduplication, metadata filtering, keyword searches, concept and topic clustering, and increasingly AI-driven prioritization of documents and conversations.
In practice, a lack of proper forensic or litigation readiness often becomes apparent at this stage. When mailboxes are fully managed by an external IT service provider without clear agreements on incident access, when logging is disabled to save storage costs, or when retention periods are set too short, crucial evidence may simply be lost. At the same time, investigators must handle privacy with care. They collect only data that may be relevant, limit access to a small authorized team, apply encryption and logging, and remove or anonymize irrelevant personal data where possible.
Interviews and conversations
In addition to analyzing financial data and digital evidence, interviews remain an essential part of forensic investigations. Conversations with involved employees, managers, key process owners, and, where relevant, external parties help explain the story behind the data. In investigations into, for example, subsidy misuse or complex expense fraud, interviews may reveal that certain practices “had always been done this way,” that there was implicit pressure to meet targets, or that individuals relied on instructions from others without independently verifying them.
Beforehand, investigators determine the order in which individuals are interviewed, what information they receive about the reason and scope of the investigation, and how their rights and obligations are explained. Notes or recordings are carefully documented and stored, with clear agreements on confidentiality and use. Statements are continuously tested against the “hard” data from financial, digital, and open-source investigations. Inconsistencies between narratives and factual evidence often provide valuable leads, but they also require careful interpretation. Experience plays a major role here.
Open-source intelligence (OSINT)
Open-source intelligence is often a standard component of forensic investigations into fraud. Investigators consult trade registers, sanctions lists, case law, news archives, sector publications, and publicly available online information to identify relationships, corporate structures, and reputational indicators.
OSINT activities are always carefully documented. Investigators record which sources were consulted, which filters were used, and what limitations apply to the reliability of the information found. Tools can support this process, for example by recording visited websites and indexing collected information.
Privacy considerations also apply here. Not all personal information found online is relevant or may be processed indiscriminately in an investigation.
Analysis of all collected information
An investigation is an iterative process. Based on new information from earlier investigative steps, analysts reassess the data and determine whether it can be further enriched. It is common to take a step back during an investigation before moving forward again. For example, open-source research may reveal new individuals or entities that play a role as problematic suppliers. This can trigger further analysis of specific transactions in the financial records. These names may also serve as additional search terms in the eDiscovery process.
Reporting: bringing all lines together
At the end of the investigation, investigators present all relevant facts in a report. The report starts with a clear description of the engagement, scope, methodology, and any limitations. Investigators then present the factual findings per investigation stream in a structured way, covering financial investigation, digital investigation, interviews, and open-source research. This is followed by an analysis that connects the different lines of inquiry.
For example, financial data may show unusual money flows, while digital logs indicate that certain changes were made from specific accounts or locations. eDiscovery may reveal relevant communications between involved parties, and OSINT may confirm that certain entities or individuals have previously been linked to similar schemes. Together, this forms a coherent picture supported by data and clear source references.
A modern investigation report always includes an explicit explanation of how personal data and confidential information were handled. Investigators describe which data was collected, on what legal basis, and which limitations applied. They also explain how security measures were implemented and which forms of data minimization were applied. This is not only important for regulators and courts, but also for maintaining trust among employees and other stakeholders.
Not always forensic ready
A key theme from our recent practical experience is that many organizations are willing to cooperate substantively with investigations, but are not always technically, contractually, or practically prepared for a forensic approach.
This can lead not only to unnecessary delays and higher costs, but sometimes also to irreparable gaps in the reconstruction of events. Against this background, one lesson is already clear—even before discussing improvement programs: a solid forensic investigation starts long before the first signal, with how data, IT, contracts, and privacy are organized today.
Invitation to consult
We can imagine that after reading this article, you may have questions or wish to exchange thoughts on certain topics. You may also be dealing with a concrete case that you would like to discuss. We invite you to contact us without obligation to get acquainted with us and/or discuss your case. Our contact details can be found on our website.
Looking ahead: from fraud to broader integrity investigations
In the next article in this series, the focus shifts from strictly forensic fraud investigations to broader integrity investigations. The attention will not only be on financial damage or clear fraud indicators, but on a wider spectrum of integrity issues. These include conflicts of interest, abuse of position, secondary activities, and inappropriate behavior.
In this third part, we show what fact-finding investigations into integrity reports look like. We also discuss the central research questions and explain how organizations can find the right balance between due care, confidentiality, and transparency.
Get in touch
Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com
Boy Custers | +31649935735 | boy.custers@compliancechamps.com
Read more articles here.
