Engagement Triggers and Referral Pathways
Forensic audit engagements are initiated by specific triggers such as whistleblower reports, regulatory referrals, anomalies detected in routine audits, or management suspicion of fraud. The trigger source shapes the scope, independence requirements, and nature of the engagement that follows.
A forensic audit engagement does not begin spontaneously. It begins when someone or some event signals that fraud, financial misconduct, or a serious control failure may have occurred. These signals are called engagement triggers, and the institutional or personal source of the signal is the referral pathway. The four primary triggers are whistleblower reports, regulatory referrals from oversight bodies, anomalies discovered during routine statutory or internal audits, and management suspicion arising from observed irregularities. Each pathway brings different expectations about scope, timeline, and the independence of the forensic auditor. Understanding the trigger is the first analytical step in every engagement, because it determines who the client is, who the potential suspects are, and what evidence preservation measures are immediately required.
In practice, triggers rarely arrive with clean edges. A whistleblower report may be anonymised and contain unverified claims. A routine audit anomaly may be ambiguous enough to be explained by error as easily as by fraud. A regulatory inquiry may be broad or narrow depending on what the regulator already knows. The forensic auditor's first job is to assess the credibility and specificity of the trigger, establish predication, and define a scope that is neither so narrow that it misses the misconduct nor so broad that it becomes a general investigation without a hypothesis.
Referral pathways also determine reporting lines. When the referral comes from an audit committee acting independently of management, the forensic team reports to the audit committee. When the referral comes from a regulator, the findings may need to be shared with the regulator, creating tension with client confidentiality. When the referral comes from law enforcement, the engagement sits in a criminal evidentiary framework with standards that differ from civil or internal investigations. Knowing the pathway is knowing the governance structure of the entire engagement.
By the end of this topic you will be able to:
- Identify the four primary engagement triggers and explain what each one typically signals about the nature and severity of potential misconduct.
- Describe the referral pathways from internal audit, external audit, law enforcement, and audit committees, and explain how each shapes independence requirements.
- Define predication and explain why it must be established before a full forensic engagement is authorised.
- Explain the specific risks created when management rather than the audit committee controls the referral and scope of a forensic engagement.
- Describe how the trigger source affects evidence preservation duties, reporting obligations, and coordination with regulators or law enforcement.
- Engagement trigger: The event, report, or observation that initiates a forensic audit engagement. Common triggers include whistleblower reports, regulatory referrals, audit anomalies, and management suspicion. The trigger defines the initial hypothesis that the engagement is designed to test.
- Referral pathway: The institutional or personal channel through which the trigger reaches the forensic auditor. Pathways include the audit committee, internal audit, external auditor, a regulatory body, or law enforcement. The pathway determines reporting lines, independence requirements, and evidence-sharing obligations.
- Predication: The totality of circumstances that give a forensic auditor a reasonable basis to believe that fraud or misconduct may have occurred, sufficient to justify committing investigative resources. Predication is required before a full engagement is authorised; acting without it risks a legally unsupportable fishing expedition.
- Whistleblower: An individual, typically an employee or former employee, who reports suspected misconduct to an internal hotline, audit committee, regulator, or law enforcement body. Whistleblower protections vary by jurisdiction: the US Dodd-Frank Act, the EU Whistleblower Protection Directive, and India's Whistle Blowers Protection Act 2014 each define different scope and remedies.
- Audit committee referral: A mandate from the board's audit committee to conduct a forensic investigation. Because the audit committee is independent of management, this pathway insulates the forensic auditor from management pressure and allows findings to be reported to an independent body. It is the preferred pathway when senior management may be implicated.
- Regulatory referral: A direction from an external oversight body such as the US Securities and Exchange Commission, the UK Financial Conduct Authority, India's Serious Fraud Investigation Office, or the EU's OLAF to investigate specific allegations. Regulatory referrals typically carry legal force, defined timelines, and mandatory disclosure obligations.
Whistleblower Reports
Whistleblower reports account for the largest share of initial fraud detection globally. The ACFE's Report to the Nations has consistently found that tips are the single most common detection method, responsible for roughly 40 to 45 percent of detected occupational fraud cases across multiple survey cycles. Tips arrive through employee hotlines, direct reports to the audit committee or board, external reporting to regulators, or, less formally, as anonymous letters or emails.
Jurisdictions have enacted formal whistleblower protection frameworks to encourage reporting. In the United States, the Dodd-Frank Wall Street Reform and Consumer Protection Act (2010) created a financial reward programme administered by the SEC for whistleblowers whose tips lead to enforcement actions, and provides strong anti-retaliation protections. The EU Whistleblower Protection Directive (2019/1937), transposed into member state law by 2021, requires companies above a threshold size to establish internal reporting channels and prohibits retaliation. In India, the Whistle Blowers Protection Act 2014 covers public servants, though corporate sector coverage remains more limited. The UK's Public Interest Disclosure Act 1998 protects qualifying disclosures, with enforcement through employment tribunals.
The forensic auditor receiving a whistleblower-triggered referral faces two immediate tasks: assess the credibility and specificity of the tip, and take steps to preserve evidence before the subject learns of the investigation. An anonymous tip that names specific transactions, dates, and individuals has higher predication value than a vague claim that "something is wrong in accounts." The auditor should document the tip's content verbatim, note the channel through which it arrived, and flag any details that can be corroborated from existing records before a wider investigation begins.
Regulatory and Law Enforcement Referrals
When a regulator initiates an investigation, or directs a company to conduct one, the engagement operates in a legally constrained environment. In the United States, an SEC formal order of investigation authorises the staff to issue subpoenas and compels document production. In the United Kingdom, the FCA has investigatory powers under the Financial Services and Markets Act 2000, including the power to require the production of documents and to conduct compelled interviews. In India, the Serious Fraud Investigation Office (SFIO) under the Companies Act 2013 has powers to investigate corporate fraud, arrest suspected persons, and file prosecution complaints. At the EU level, the European Anti-Fraud Office (OLAF) investigates fraud against the EU budget.
A regulatory referral transforms the forensic auditor's role. The company is no longer the unconstrained client: its counsel must manage privilege, disclosure obligations, and the risk that forensic findings shared with the regulator may be used against the company or its officers in enforcement action. The forensic auditor must understand whether the regulator's inquiry is civil or criminal in nature, because this affects the standard of evidence and the protections available to individuals under investigation.
Law enforcement referrals arise when police, a serious fraud office, or a prosecution authority asks a forensic auditor to assist with a criminal investigation. In these engagements, the forensic auditor is typically appointed by law enforcement or the prosecution authority rather than by the company. Evidence gathered must meet criminal evidentiary standards, meaning chain of custody documentation, proper seizure procedures, and admissibility under the applicable evidence statute. In India, the applicable framework is the Bharatiya Sakshya Adhiniyam 2023. In England and Wales, it is the Police and Criminal Evidence Act 1984 (PACE) and associated codes of practice. In the United States, Federal Rules of Evidence govern admissibility.
| Feature | Regulatory referral | Law enforcement referral |
|---|---|---|
| Client | Company (with regulator as external authority) | Prosecution authority or police |
| Evidentiary standard | Civil or administrative | Criminal beyond reasonable doubt |
| Compulsion powers | Regulator can compel; company must cooperate | Search warrants; seizure powers |
| Privilege position | Legally complex; varies by jurisdiction | Limited; items in plain view may be seized |
| Auditor testimony | Written reports; regulator hearings | Criminal court testimony under oath |
Anomalies Found During Routine Audits
Routine statutory audits are not designed to detect fraud. External auditors plan their work around materiality thresholds and risk assessments aimed at giving an opinion on financial statement truth and fairness, not at finding concealed misconduct. Nevertheless, audit procedures do generate observations, and some of those observations are anomalies that carry fraud risk signals: journal entries posted at unusual times, round-sum transactions with no supporting documentation, related-party transactions not disclosed in the prior year, or reconciling items that recur without resolution.
When an external auditor encounters such an anomaly, professional standards require them to elevate it. Under ISA 240 (The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements), auditors must respond to identified or suspected fraud by considering its implications for the rest of the audit, communicating the matter to management and, where management is involved or the fraud is of sufficient scale, to those charged with governance (typically the audit committee). The auditor does not conduct a forensic investigation but may recommend that one be commissioned. The referral pathway then moves to the audit committee, which decides whether to engage an independent forensic team.
Internal auditors face a similar dynamic. Their mandate typically includes evaluating the effectiveness of internal controls, but their relationship with management creates potential independence constraints when the misconduct being investigated may involve management. When an internal audit procedure surfaces a fraud indicator, the internal audit function should escalate to the audit committee rather than continue the investigation independently, particularly if the indicator implicates people above the internal audit chief in the organisational hierarchy. The audit committee then decides whether to engage external forensic specialists.
Management Suspicion and the Independence Problem
Sometimes the trigger is management itself. A CFO who suspects the accounts payable manager of diverting payments, or a CEO who notices discrepancies in divisional reporting, may commission a forensic audit directly. This pathway is efficient when management is not itself implicated, but it creates a structural independence problem when the scope of the engagement is set by the same people who may be responsible for the misconduct.
Management-referred engagements carry a risk of scope limitation. A CEO who suspects a subordinate may define the engagement narrowly enough to avoid scrutiny of their own decisions. A board that wants to contain reputational damage may press the forensic team to complete the work quickly and quietly. The forensic auditor must document the agreed scope in an engagement letter, note any pressure to limit scope, and flag to the audit committee any restriction that prevents them from following the evidence where it leads.
The preferred governance structure is to route all forensic audit mandates through the audit committee, even when the initial trigger comes from management. This gives the forensic team an independent principal above management to report to, and it insulates findings from claims of management interference. Most corporate governance codes, including the UK Corporate Governance Code, the US SEC guidance on internal investigations, and India's SEBI Listing Obligations and Disclosure Requirements Regulations 2015, expect the audit committee to oversee significant investigations.
How the Trigger Shapes Scope and Independence
The trigger does not just initiate the engagement; it shapes every subsequent decision about what the engagement covers and how it is structured. A narrow regulatory referral that names a specific transaction period and a specific allegation produces a tight scope with defined deliverables. A vague whistleblower tip may require a preliminary inquiry phase before the formal scope is agreed. A management suspicion that turns out to implicate multiple business units may require scope expansion mid-engagement.
Independence requirements also vary. When the forensic auditor's firm has also served as the external statutory auditor, some or all of the forensic work may require an entirely separate team or a different firm, to avoid conflicts between the forensic role and the audit opinion role. Most jurisdictions prohibit an auditor from conducting a forensic investigation of a matter that will affect the financial statements they are opining on, without specific safeguards. The IESBA Code of Ethics for Professional Accountants and PCAOB independence rules in the United States both address this.
Evidence preservation duties are immediate upon engagement, regardless of trigger source. Once a forensic engagement is authorised, the organisation's duty to preserve potentially relevant documents and data is triggered. In civil litigation contexts, this is called a legal hold. In criminal investigations, failure to preserve evidence may constitute obstruction. The forensic auditor should, at the outset, advise the client's legal counsel to issue a legal hold notice covering all relevant custodians, systems, and time periods.
Coordinating Multiple Referral Channels
In practice, multiple triggers often converge on the same engagement. A whistleblower report to an external regulator may arrive simultaneously with an internal audit anomaly and a management concern. Each channel may have produced partial information, and the forensic auditor must assess which channel carries the most reliable predication, coordinate across all of them, and manage the risk that one channel's investigation contaminates another's evidence.
When both an internal forensic investigation and a regulator inquiry are running simultaneously, the company's legal counsel typically manages the interface between them. The forensic auditor's findings may or may not be voluntarily shared with the regulator, depending on whether voluntary cooperation is part of the company's legal strategy. Compelled production under a regulatory order overrides the company's choice. The forensic auditor should not, without direction from legal counsel, share findings beyond the agreed reporting chain.
The engagement letter should identify every party with a legitimate interest in the engagement's findings, distinguish between those who will receive the full report and those who will receive only a summary, and address what happens to the report if litigation is commenced. These governance decisions are made at the outset, informed by the trigger source and referral pathway, and they cannot easily be changed once the engagement is underway. Getting the engagement structure right at the start is more important than any subsequent investigative technique.
According to ACFE survey data, which engagement trigger accounts for the largest share of initial fraud detection in occupational fraud cases?
Key Takeaways
- The four primary engagement triggers are whistleblower reports, regulatory or law enforcement referrals, anomalies found during routine audits, and management suspicion; whistleblower tips are the most common detection method in occupational fraud globally.
- Predication must be established before a full forensic engagement is authorised; it is the credible, specific basis for believing that fraud or misconduct may have occurred, and without it the investigation and its findings are legally vulnerable.
- The referral pathway determines reporting lines: audit committee referrals provide independence from management, regulatory referrals carry legal obligations and compulsion powers, and law enforcement referrals place the engagement in a criminal evidentiary framework.
- Management-referred engagements carry a structural independence risk when management may itself be implicated; the forensic auditor should document scope limitations and, where possible, ensure the audit committee is the ultimate principal.
- Evidence preservation duties arise immediately upon engagement, regardless of trigger source; legal holds must be issued promptly, and the subject of the investigation must not be tipped off before evidence is secured.
What are the most common triggers for a forensic audit engagement?
How does the referral source affect the scope of a forensic audit?
What is predication and why does it matter before a forensic engagement begins?
How does an audit committee referral differ from a management referral?
What happens when law enforcement refers a case to a forensic auditor?