Planning and Conducting the Fraud Examination

We open the Investigation section, which is the craft at the heart of being a CFE. A fraud examination is a structured, methodical inquiry into a specific allegation or indication of fraud, conducted to resolve it — to prove or disprove that fraud occurred and, if so, determine who, how, and how much. Notice the goal is resolution, not conviction; you follow the evidence wherever it leads, including toward exoneration.

That word matters: an examination that clears an innocent person is a success, not a failure. And an examination should begin only with predication: a reasonable basis, grounded in articulable facts and circumstances, to believe fraud may have occurred. You don't launch a full examination on a hunch, an office rumor, or a personal grudge — that's both unprofessional and legally dangerous, because acting without predication can expose you and your employer to claims like defamation or wrongful termination.

Here's the exam framing to hold onto: an allegation, an anonymous tip, an audit anomaly, or a control breakdown can supply predication; a manager's gut feeling that 'something's off' about an employee they dislike cannot. When the exam asks what an examination requires before it begins, the answer is predication, every time.

The ACFE teaches a four-step method called the fraud theory approach, and it's a near-certain exam topic, so commit it to memory in order. Step one: analyze the available data — gather and examine what you already have, the documents, records, and known facts. Step two: create a hypothesis — a reasoned theory of what might have happened, who could have done it, and how, usually framed around a worst-case scenario you can then test down.

Step three: test the hypothesis — gather more evidence to confirm or refute it, asking the key question, what would I expect to find if this theory were true? Then go look for those things. Step four: refine and amend the hypothesis as the evidence comes in.

It's the scientific method applied to fraud. You start with a working theory and let evidence reshape it, rather than forcing the facts to fit a conclusion you've already reached. Reason it through with a quick example: data shows a vendor whose address matches an employee's.

Your hypothesis: a fictitious-vendor scheme. What would you expect to find if true? Invoices with no purchase order, round-number amounts, payments just under the approval limit.

You test for exactly those. If they're absent, you amend the theory — maybe it's a coincidence or a legitimate side arrangement. The exam loves the order, so memorize it: analyze, hypothesize, test, refine.

A guiding principle of sequencing: work from the general to the specific, and from the periphery inward. Begin with documents, data, and neutral third-party records, where you can build evidence quietly without tipping off the subject. Develop the circumstantial picture — the money trail, the anomalies, the timeline — before you ever sit down with the person you suspect.

By the time you reach the subject, you want to know more than they think you do, because that informational advantage is what makes an interview productive. This sequencing does three things at once: it protects the investigation from being compromised by a subject who could destroy records or coordinate stories, it protects the innocent from premature accusation, and it puts you in the strongest possible position if and when you confront the target. A common exam trap reverses this order — it describes an examiner who confronts the suspect early, before the circumstantial case is built, and asks what went wrong.

The answer is the broken sequence. Build outward-in, suspect last, every time. We'll return to this principle in depth when we cover interviews.

Good examinations are planned, not improvised. Up front, define the objective — what specific allegation are you resolving — and the scope, so the work stays focused and proportionate to the matter rather than ballooning into a fishing expedition. Identify the resources and skills you'll need: a serious examination may require an accountant to read the books, a data analyst to run the population, an I-T forensic specialist to image devices and recover deleted files, and legal guidance throughout.

Decide early whether to run the matter under counsel so the work product can be protected by attorney-client privilege — that's a decision you can't easily make after the fact. And build in confidentiality from the very start: limit who knows about the inquiry on a strict need-to-know basis, secure the evidence physically and digitally, and avoid any action that would alert the subject and let them destroy records, move money, or align their story with co-conspirators. A leaked investigation is often a failed one.

The exam rewards candidates who treat planning, scoping, and confidentiality as deliberate first steps, not afterthoughts.

Two professional guardrails. First, objectivity: the fraud theory approach works only if you genuinely test your hypothesis rather than hunt for confirmation. Stay alert to confirmation bias, and treat a theory that survives honest testing as far stronger than one you simply assumed.

Second, fairness: an examination can ruin a reputation, so you presume nothing and let the evidence decide. For the exam, two anchors will earn you points repeatedly — an examination requires predication before it begins, and the fraud theory approach proceeds analyze, hypothesize, test, refine, in that order. Next, we get concrete about collecting and protecting evidence.