5.1 Fraud examination methodology & engagement planning

Key Takeaways

  • Predication — a reasonable basis to believe fraud has occurred, is occurring, or will occur — is required before an examination begins; a hunch, grudge, or curiosity is not predication.
  • The fraud theory approach is iterative: analyze available data, create a hypothesis (worst-case), test it with if-then evidence, then refine or discard it and repeat.
  • A fraud examination is non-recurring and specific and presumes possible litigation, unlike an audit, which is recurring, general, and opinion-focused.
  • Cases are built from the outside in and from circumstantial toward direct evidence, so the prime suspect is normally interviewed last.
  • The examiner stays objective and never decides guilt or innocence — that is the role of the trier of fact — and gathers both incriminating and exculpatory evidence.
Last updated: July 2026

Fraud Examination vs. Auditing

A fraud examination is a methodology for resolving allegations or suspicions of fraud from inception to disposition — gathering evidence, taking statements, writing reports, and testifying to findings. It must be distinguished from an audit. An audit is recurring, general in scope, and designed to express an opinion on whether financial statements are fairly presented; the auditor applies professional skepticism but does not presume wrongdoing. A fraud examination is non-recurring and specific: it is launched only when there is a reason to believe a fraud may have occurred, and its objectives are to determine whether fraud is occurring, how it is being committed, who is responsible, and the amount of the loss. Auditing is a process of verification; fraud examination is a process of proof. Because any fraud matter may end in litigation, the Certified Fraud Examiner treats every engagement as though it will be tested in court.

Predication: The Threshold You Cannot Skip

Predication is the totality of circumstances that would lead a reasonable, professionally trained, and prudent person to believe that a fraud has occurred, is occurring, or will occur. It is the foundation on which every fraud examination rests, and an examination should never be commenced without proper predication. Legitimate predication can come from tips and complaints (the single most common way fraud is detected), audit exceptions, analytical anomalies, unexplained inventory shortages, or observed red flags. What does not qualify as predication is a hunch, a personal grudge, gossip, or idle curiosity. Beginning an examination without predication risks claims of harassment, defamation, false imprisonment, or invasion of privacy, and it can undermine the credibility of any evidence later gathered. Predication is a moving threshold: if the evidence developed no longer supports continuing, the examiner should be prepared to halt the engagement.

The Fraud Theory Approach

Because an examiner rarely has all the facts at the outset, the ACFE teaches the fraud theory approach, a disciplined, hypothesis-driven method modeled on the scientific method. It has four iterative steps:

  1. Analyze available data — review the tips, documents, and records already in hand.
  2. Create a hypothesis — build a theory of what may have happened, based on a worst-case scenario. The hypothesis identifies a possible scheme, perpetrator, and method and addresses who, what, when, where, why, and how.
  3. Test the hypothesis — gather evidence to confirm or refute the theory using if-then reasoning (for example, if the warehouse clerk is diverting goods, then the shipping logs and perpetual inventory records should show a specific, traceable discrepancy).
  4. Refine and amend the hypothesis — as evidence accumulates, revise, expand, or discard the theory, then repeat the cycle.

This loop keeps the examination focused, controls cost, and enforces intellectual honesty: the examiner must be willing to abandon a theory the evidence does not support rather than bend the facts to fit a preconceived conclusion.

Building the Case: Outside In, Circumstantial to Direct

Fraud examinations are typically built from the outside in — the examiner starts with information and witnesses furthest from the suspect and works inward toward the target. Interviews follow the same sequence: neutral third-party witnesses first, then corroborative witnesses, then co-conspirators, and the prime suspect last, once the maximum amount of evidence has been assembled. Cases are also frequently built from circumstantial evidence toward direct evidence. Because fraud is a crime of concealment and a signed confession is rare at the start, the examiner accumulates indirect proof — altered documents, unusual transaction patterns, lifestyle changes, unexplained wealth — that collectively supports an inference of guilt, saving the confrontational, admission-seeking interview for the end.

Engagement Planning

Careful planning frames the examination and keeps scope and cost under control. Core planning elements include:

  • Defining objectives — precisely what the examination must prove or disprove, anchored to the predicating facts.
  • Assembling the team — accountants, investigators, legal counsel, and specialists (such as computer-forensics experts), chosen for independence and expertise.
  • Establishing scope — the periods, accounts, entities, and individuals to be examined.
  • Building a plan and budget — the evidence to collect, the sequence of steps, and resource limits.
  • Coordinating with legal counsel — to preserve attorney-client privilege and work-product doctrine protection and to ensure lawful collection.
  • Protecting confidentiality — limiting knowledge of the examination to a need-to-know basis to protect reputations and the integrity of the evidence.

The plan is not static; it is revised continuously as the fraud theory is tested and refined.

Objectivity and the Examiner's Mindset

The examiner must remain objective and unbiased from start to finish. A fraud examiner does not determine guilt or innocence — that is the exclusive province of the trier of fact (a judge or jury). The examiner's role is to gather all relevant evidence, both incriminating and exculpatory, and to present the facts fairly and completely. Conclusions must rest on evidence, never on assumption or personal feeling, and the examiner should avoid expressing opinions on the guilt or innocence of any party — such statements can destroy credibility and create legal exposure. Sustained professional skepticism, meticulous documentation, and the working assumption that the matter may be litigated keep the examination fair and its results defensible.

Test Your Knowledge

An internal auditor personally dislikes a colleague and, with no supporting facts, wants to open a fraud examination of that colleague. Under the fraud examination methodology, why should the examiner refuse to begin?

A
B
C
D
Test Your Knowledge

In the fraud theory approach, what is the correct order of the four steps?

A
B
C
D
Test Your Knowledge

Consistent with building a case from the outside in and remaining objective, which practice is correct?

A
B
C
D