Industry and financial regulations driving the demand for forensic IT specialists

Five years ago, businesses were turning to forensic IT specialists to investigate whether their employees were viewing inappropriate websites at work.

Today the driving force is a growing army of industry and financial regulators who, in the wake of Enron and similar financial scandals, are placing pressure on companies to show that their financial dealings are above board.

In the UK, organisations such as the Financial Services Agency and the Serious Fraud Office, and in the US, the Department of Justice, banking regulators, and the Securities and Exchange Commission, are demanding that companies show they have clean hands.

In the past, responding to such requests would have meant a trawl through paper-based records. Today it means recovering e-mails and attachments from corporate hard drives, servers and backup tapes that may date back several years.

In some cases this can mean companies have to trawl through hundreds of thousands, or even millions, of e-mails, attachments and electronic documents for evidence, said Andrew Clark, the forensic accountant in charge of the PricewaterhouseCoopers Investigations practice in the UK.

"People are being pressed by regulators in relation to inappropriate revenue recognition," he said. "Companies need to be able to demonstrate what the facts are so they can know how to respond."

One typical case, which was being processed by PricewaterhouseCoopers' 20-strong team of investigators in London last week, involves only 12 employees of a firm. But it has required analysis of 3,000 e-mail folders and two million e-mails.

Analysing this volume of information does not come cheap, but it is less expensive than the lawyers' fees if cases go to litigation, said Clark.

"If that is going to save you from being closed by the regulator, then it is money well spent," he said.

PricewaterhouseCoopers has forensic tools, some developed in-house, that can speed up the complex process of retrieving electronic data from hard disc drives and company networks.

"One of the tools we have allows us to image a PC hard drive through the network," said Clark. "We can take the image without having to touch the computer."

The tool was used to good effect when PricewaterhouseCoopers was refused entry to a country where one of its client's subsidiaries was located. Investigators were able to recover the hard disc contents remotely from the firm's London headquarters.

PricewaterhouseCoopers works closely with IT departments to ensure that any data capture does not affect the smooth running of the business, often working at weekends or through the night.

Once the data is captured, forensic specialists use software to identify and remove duplicate copies of files, and to construct an index of every word in the recovered e-mails and attachments.

This can be done in a matter of hours depending on the volume of data. The difficult part is working out which key words to search to produce the information a business needs to satisfy the regulator. It can take four or five days to refine the search.
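The de-duplication, word-index and keyword-search steps described above, sketched in Python as an added example. It is not PricewaterhouseCoopers' tooling; the sample messages, the fields chosen for the fingerprint and all function names are assumptions.

```python
import hashlib
import re
from collections import defaultdict
from email import message_from_string

# Constructed sample mailbox: messages 0 and 1 are the same e-mail recovered
# from two sources, differing only in a transport header.
RAW_MAILS = [
    "Received: from mail-a\nFrom: a@example.com\nTo: b@example.com\n"
    "Subject: Q4 numbers\n\nPlease book the revenue before quarter end.\n",
    "Received: from backup-tape\nFrom: a@example.com\nTo: b@example.com\n"
    "Subject: Q4 numbers\n\nPlease book the revenue before quarter end.\n",
    "From: c@example.com\nTo: a@example.com\n"
    "Subject: Lunch\n\nCanteen at noon?\n",
]

def fingerprint(msg):
    """Hash only the fields that define content, ignoring transport headers."""
    parts = [msg.get("From", ""), msg.get("To", ""), msg.get("Subject", ""),
             msg.get_payload().strip()]
    return hashlib.sha256("\x00".join(parts).encode("utf-8")).hexdigest()

def deduplicate(raw_mails):
    """Return unique parsed messages, keeping the first copy of each."""
    seen, unique = set(), []
    for raw in raw_mails:
        msg = message_from_string(raw)
        digest = fingerprint(msg)
        if digest not in seen:
            seen.add(digest)
            unique.append(msg)
    return unique

def build_index(messages):
    """Map every lower-cased word to the positions of messages containing it."""
    index = defaultdict(set)
    for doc_id, msg in enumerate(messages):
        text = f"{msg.get('Subject', '')} {msg.get_payload()}"
        for word in re.findall(r"[a-z0-9']+", text.lower()):
            index[word].add(doc_id)
    return index

def search(index, *keywords):
    """Return ids of messages that contain every one of the keywords."""
    sets = [index.get(k.lower(), set()) for k in keywords]
    return sorted(set.intersection(*sets)) if sets else []

if __name__ == "__main__":
    print(search(build_index(deduplicate(RAW_MAILS)), "revenue", "quarter"))
```

Building the index is the mechanical part; refining the keyword list passed to `search` is the iterative work the article says takes days.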

All too often, companies fail to recognise just how many electronic documents and e-mails they have on their systems, said Darren Pauling, head of the UK document management team at PricewaterhouseCoopers. This can lead to firms leaving it very late in the day before they ask for help when faced with compliance demands.

Last week, PricewaterhouseCoopers was given only a week to analyse two million e-mails for an organisation facing a regulatory review. Investigators worked through the night on the company's premises, and were back at work the following morning to analyse the data.

"It is not a regular occurrence," said one of the analysts. "Clients are normally better organised and we can manage their expectations, but we have not yet missed a deadline."
