Case management software

The key to optimal investigative teamwork, Part 1 of 2

By Robert Tie, CFE, CFP



Review of CMS systems that perform reactive, investigation-related functions

This is the first article in a two-part series that provides an overview of case management software, which helps fraud examiners manage their workloads and digital information. The series includes basic information on 15 products in this genre. Part 1 introduces three members of the ACFE faculty, who offer strategic and tactical tips on selecting and using a CMS. Separately, the first article presents brief descriptions of products that seven software vendors offer. Part 2 will include further commentary from these CFEs and separate descriptions of CMSs that eight additional vendors produce.

In the fraud examination profession, case management consists of two complementary but different types of activity:  

  • Reactive tasks pertain to the investigation of alleged or confirmed fraud.
  • Proactive activities relate to the identification of trends in fraud, its perpetrators and victims.

Numerous case management systems are available to help fraud examiners perform these functions better and more easily. Some specialize in reactive functions, while others focus on proactive tasks; several do both. However, because of space limitations, this series will discuss only case management systems that perform reactive, investigation-related functions. For the same reason, the series won’t provide pricing information for any of the systems it covers.

Disclaimer — This two-part series is a product of the author’s good-faith efforts to provide an unbiased overview of case management systems for fraud examiners. Neither the coverage nor any gaps in its scope and depth necessarily reflect the author’s views or those of the Association of Certified Fraud Examiners. (And the ACFE, its executives, Board of Regents and employees don’t necessarily endorse these products.) The software program descriptions in this series are based on material the vendors provided. Because neither the author nor the ACFE tested these products, neither he nor it provides any explicit or implied warranty of the accuracy and completeness of the product descriptions in either article in this series.

Think back over your career. You might have had the good fortune to serve on an exceptional investigative team during your fraud examinations. You and your colleagues’ skills and dedication surely were major factors in its successes. But management and collaboration likely were just as important. The best teams excel at deploying and coordinating their often scarce human and technological resources. That’s why case management software (CMS) can be the key to a team’s effectiveness.

Given the critical role of CMS, it’s wise to be on the lookout for ways to improve it whether your present software is digital, paper-driven or — most likely — a hybrid. Here’s an overview of what many CMS developers offer to help you and your team produce optimal investigative results. But first, three members of the ACFE faculty with extensive experience in this area offer their insights on the most important factors to consider when evaluating a CMS.



Jim Butterworth, CFE,
Chief Security Officer,
HBGary Inc.
Leah Lane, CFE,
Global Investigations Manager,
Texas Instruments
Ryan Hubbs,
Forensic Audit Manager,

“In today’s digitized global business environment, fraud examinations routinely span several countries and involve many fraud examiners and multiple languages,” says Jim Butterworth, CFE, chief security officer at HBGary Inc., a cyber-security consultancy in Sacramento, Calif., and a member of the ACFE faculty.

What’s the case mix?

“Take your pick,” says Leah Lane, CFE, global investigations manager at Texas Instruments in Dallas. “We’re ready to investigate intellectual property theft, accounting irregularities, embezzlements, kickbacks, Foreign Corrupt Practices Act [bribery] violations, insider trading, counterfeiting and countless other types of fraud. And we can do it in more dialects than ever before.”

Do you need a special tool to manage a complex, international fraud investigation?

“You need something with the power and connectivity to do globally the same things you can do in local investigations,” says Ryan Hubbs, CFE, CCSA, CIA, forensic audit manager at Halliburton in Houston, Texas, and a member of the ACFE faculty. “That is, track your case from the initial allegation; properly assign and manage case officers, sub-officers and supervisors; document interviews and research; gather evidence, perform analysis and upload it to the CMS; and summarize it all to help generate and document the final report. Investigating internationally presents a lot more hurdles; make sure your CMS can overcome them.”

Over the last few years, CMSs for fraud examiners have matured, building in necessary communication and analysis capabilities to collaborate quickly and effectively with colleagues across the office, the country or the world. Given all the power under the hoods of these systems, it’s easy to lose sight of their fundamental purposes and strengths.


“A CMS is a repository that brings together and organizes dissimilar information,” says Butterworth. “Examples include written reports from security guards, camera footage, recorded witness statements … any information that normally is in, or can be converted to, digital format. Fraud examiners can enter such disparate pieces of electronic data into a CMS, which then will arrange and present them in a way that facilitates an investigation.”

CMSs come in two flavors: those that perform several different functions and those that specialize in just one, such as visualizing. (One form of visualization includes dynamic diagrams of relationships among persons of interest or of their actions and movements during a certain time period.) Practically all the CMSs this series examines are multifunctional and can support most of the activities in complex processes. Perhaps, for example, upon completion of an investigation, a supervisor determines it’s appropriate to refer the case to law enforcement.

“A good CMS that has been properly supplied with relevant data should be able to help create the physical ‘binder’ of information you typically present when referring a case for prosecution,” Lane says. “The binder should contain all the evidence you need to meet with detectives and file a complaint.”

If you haven’t finished an investigation or plan to keep it in-house, the CMS is still your best tool for sharing information with colleagues and planning the right approach to a case.

“Query the CMS when you begin an investigation,” Lane says. “It might contain history that sheds light on some aspect of your current case.”

The CMS also is invaluable to managers for coordinating a fraud examination team’s activities and workload and for keeping senior executives apprised of what they need to know. Of course, varied audiences have varied information needs, so reporting flexibility is a must-have.

“ ‘Canned’ reports might not cut it when the board of directors or the audit committee wants the latest word on a high-profile case,” Hubbs says. “So the CMS should make it easy to create reports for special circumstances and audiences. The worst thing is to have plenty of good data that you can’t get out of a rigid CMS in the format you need for a special audience or situation.”


Say your fraud examination team is considering buying its first CMS or replacing an outmoded one. Once you and your colleagues have completed a needs assessment and developed clear, reasonable expectations of how the CMS can improve performance and results, stop! Your next conversation should be with your organization’s IT staff, not with a vendor.

“Share your needs and goals with IT, and give them a chance to ask questions both you and they need answered,” says Hubbs. “While having a CMS on your company’s network could help your unit, it also might interfere with other systems. That complex issue requires expert analysis, so bring IT into the loop at the get-go.”

JulyAug-vendor-product-smallADEQUATE HORSEPOWER?

“Can the CMS you’re considering hold and manage all your digital investigative data?” asks Hubbs. “Your conversations with IT and with the vendor will give you some insight on that score. But your business needs might suddenly change. As investigations get bigger and you do more of them, you need to be confident the CMS can handle that. So plan for the future; it might arrive ahead of schedule.”

Some challenges don’t require predictions; you’ve probably already encountered them. Several are sure signs of an inferior or outmoded CMS.

“A vendor’s brochure might say its CMS enables you to upload all the data you want,” Hubbs notes. “But if you’re investigating a hundred employees and have tens of thousands of their email messages to put in the CMS, you’d better be sure it accepts batch uploads. And ask if you can do other things on the CMS while it’s processing a batch. You don’t want to be locked out until the upload is done. The same thing goes for users as well as processes. Make sure the CMS can support as many concurrent users as you need.”


“Your CMS should have an interface so intuitive that you won’t need much training,” Lane says.

“A good CMS stays out of your way,” Butterworth adds. “It lets you look at evidence and other data as you naturally would, instead of having to adjust your thinking to whatever a poorly designed CMS might present to you. You should be able to easily customize screens and reports, instead of having to ask the vendor for virtually every modification.”

Other key capabilities include linking to human resources and other internal and external systems as needed and feasible (a complex topic discussed at length in Part 2 in this series), accepting data in a variety of formats (for example, video and audio files) and in every major language spoken wherever your organization does business.

“Investigators in global organizations need a CMS that enables them to create and modify, not just view, documents in foreign languages,” Lane says. “Say you’re an investigator in headquarters in the U.S., and you see an anonymous email that was sent to the ethics hotline address. The problem is that it’s written in some form of Chinese, which you can’t read. You should be able to upload that message into the CMS and share it with your counterpart in Shanghai, who can review and translate it for you. [Part 2 will discuss CMS security in detail.] The CMS should permit your colleague to attach a translation in English and perhaps provide comments in the original version’s language, if others who speak it will conduct the on-site follow-up.”


“The more things a CMS can do for you, the more data you put into it,” Butterworth says. “So, unless you’re prepared, administering all that information could become quite a headache.”

Routine but important tasks that someone must perform regularly include creating back-up copies of your data, archiving it for long-term storage and cleaning up unnecessary records that slow down the system.

“Easy-to-use tools for performing these functions should be included in the CMS, so that a trained and authorized ‘power user’ can perform them,” Butterworth says.


Part 2 of this series will discuss overall system security, data security, managing user rights, complying with records management regulations, system configuration, the finer points of data imports, support and training, service level agreements, performing due diligence on vendors and meeting with vendors.

Robert Tie, CFE, CFP, is a contributing editor at Fraud Magazine and a New York business writer. 



Actionable Intelligence Technologies, Inc.

Financial Investigative System (FIS)

FIS is an analysis system designed specifically for investigators of financial crimes. It can run on a single PC or on your organization’s local area network or Web server. Its strength is applying advanced analytical techniques to large bodies of potential evidence, such as that contained in bank records and other subpoenaed documents you can scan into FIS. Together with other members of your investigative team, you can quickly evaluate the collective evidence, test the validity of your case theory and assess its potential for success in court. This helps identify probably futile efforts in advance and promotes more efficient use of the investigative team’s precious time.




D3 Security Management Systems

D3 Investigation/Case Management

You can install D3 on your organization’s server with D3’s guidance, or D3 can host the system for you on its server. When your unit receives an incident report, D3 automatically assigns investigative tasks, deadlines and reminders to team members according to the incident’s type, time of day, priority and other criteria you specify. D3 stores all associated items for that incident in a virtual folder, fostering collaborative case
management among facilities and departments, thereby increasing efficiency and data integrity, as well as linking incidents and their related tasks. D3 also tracks the time your team spends on investigative tasks, recording all activity for each case. And D3’s link analysis tool depicts relationships among people, incidents, organizations and objects of interest.




Devesys Technologies

TrakEnterprise; TrakWeb

Devesys offers two versions of its case management system. TrakEnterprise is installed on user workstations or on your organization’s server for sharing by any number of users on the network. The Internet-based TrakWeb can support hundreds of concurrent users. Both versions typically reside on your organization’s server with installation help from Devesys, which also offers to host the software on its servers. Both versions help investigators manage their cases and move them to timely resolution. Features include task assignment, monitoring and reminders, dashboard lists that alert you to critical cases, user access controls you can tailor to a staff member’s needs and responsibilities, and chronological documentation of each case’s history.




Fiserv, Inc.

AML Manager

You can install AML Manager on your organization’s server with help from Fiserv, which alternatively can host the system for you. It helps financial institutions comply with anti-money laundering and counter-terrorist financing regulations. Alerts to potential violations can be automatically assigned to investigators, who can prioritize their workload based on criteria such as priority, alert type and monetary value. Configurable workflows with specific stages help you complete cases and maintain a full audit trail of changes made. AML Manager supports multiple authorization levels corresponding to the size and organizational structure of individual departments and enables investigators to link cases to the subjects involved in them so future investigations can immediately gain access to that history.




FMS, Inc.

Sentinel Visualizer

Sentinel Visualizer’s executable (i.e. “exe” program) file runs on your organization’s individual workstation(s). The system’s database(s) reside on your network server, not the Internet. You’d install it like most “off-the-shelf” commercial software. The system makes it easy for your entire team to organize, store and report on numerous types of data and detect relationships among individuals, groups and events mentioned in the data. If the information you’ve collected includes metadata specifying the geographic location of entities, you can view them three-dimensionally on Google Earth with the help of inexpensive anaglyph (i.e., “3D,” stereoscopic) glasses. And if your data includes dates, you can use Google Earth’s timeline feature to chronologically trace a suspect’s travels from location to location.




IBM Corp.

Fraud Intelligence Analysis with Analyst’s Notebook; Intelligent Investigation Manager

i2 Fraud Intelligence Analysis with Analyst’s Notebook and Intelligent Investigation Manager most often run on your organization’s network. IBM will install either or both of these programs on your system or, if you prefer, will host them. Analyst’s Notebook is a key component in the Fraud Intelligence Analysis module. It helps investigators turn vast, disparate data sets into actionable intelligence. It plots people, relationships, events and objects relevant to the investigation on timelines, activity heat maps and geographic maps or relationship charts. Investigators using Intelligent Investigation Manager can gain insight into relationships among perpetrators or fraud rings and produce easy-to-interpret visualizations of complex cross-channel fraud. Intelligent Investigation Manager also includes investigative tools, content analytics and advanced case management capabilities.






Most organizations that use i-Sight access it on i-Sight’s servers. For those who want it on their server, i-Sight performs the installation. The system consists of three integrated modules that help you manage your team’s investigations. The first module captures information on cases as they arrive. The second contains tools to manage and track the status of investigations, including automatic acknowledgements, notifications, escalations, reminders, task managers and follow-ups. The third module provides user-defined reporting capability. Its aggregate reporting tool gives team leaders overall insight into how well investigations are progressing. And because i-Sight is optimized for mobile devices, traveling investigators with Web access can log in anytime, anywhere, to update their files for supervisors and wrap up cases faster.




Read more insight and discuss this article in the ACFE's LinkedIn group 

The Association of Certified Fraud Examiners assumes sole copyright of any article published on or ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be emailed to