Case management software

The key to optimal investigative teamwork, part 2 of 2

By Robert Tie, CFE, CFP



Review of CMS systems that perform reactive, investigation-related functions   

This is the second article in a two-part series that provides an overview of case management software, which helps fraud examiners manage their workloads and digital information. The series includes basic information on 15 products in this genre. Part 1 introduced three members of the ACFE faculty, who offered strategic and tactical tips on selecting and using a CMS. Separately, the first article presented brief descriptions of products that seven software vendors offer. Part 2 presents further commentary by these CFEs and separate descriptions of CMSs that eight additional vendors produce.

In the fraud examination profession, case management consists of two complementary but different types of activity:
Reactive tasks pertain to the investigation of alleged or confirmed fraud.
Proactive activities relate to the identification of trends in fraud, its perpetrators and victims.

Numerous case management systems are available to help fraud examiners perform these functions better and more easily. Some specialize in reactive functions, while others focus on proactive tasks; several do both. However, because of space limitations, this series discusses only case management systems that perform reactive, investigation-related functions. For the same reason, the series doesn’t provide pricing information for any of the systems it covers.

Disclaimer — This two-part series is a product of the author’s good-faith efforts to provide an unbiased overview of case management systems for fraud examiners. Neither the coverage nor any gaps in its scope and depth necessarily reflect the author’s views or those of the Association of Certified Fraud Examiners. (Also, the ACFE, its executives, Board of Regents and employees don’t necessarily endorse these products.) The software program descriptions in this series are based on material the vendors provided. Because neither the author nor the ACFE tested these products, neither he nor it provides any explicit or implied warranty of the accuracy and completeness of the product descriptions in either article in this series.

In part 1, three CMS-savvy CFEs explained what functionality to seek — and deficiencies to notice and avoid — when selecting a CMS for your team. Those practitioners, in this concluding article, present additional criteria for choosing the CMS that best meets your team’s needs. They also clarify how to configure your CMS for maximum efficiency, safeguard its sensitive information and satisfy important legal and regulatory requirements.


“Inside your CMS is the organization’s most confidential information,” says Ryan Hubbs, CFE, forensic audit manager at Halliburton in Houston, Texas, and a member of the ACFE faculty.

So it goes without saying that a CMS must be secure. But how do you know whether yours is?

Jim Butterworth, CFE
Chief Security Officer,
HBGary Inc.
Ryan Hubbs, 

Forensic Audit Manager,

Leah Lane, CFE
Global Investigations 
Texas Instruments
“Some investigators mistakenly assume their CMS and its data are safe simply because they reside on the company network,” Hubbs says. “But that’s a risky assumption to make. If overall system security isn’t up to snuff, an intruder or disgruntled employee could break into your CMS and steal, change or delete important information. The employees and managers entrusted with conducting sensitive investigations have to take primary responsibility for safeguarding the CMS instead of assuming IT will take care of that.”

Investigators needn’t become systems security experts, Hubbs says. But they should familiarize themselves with CMS characteristics, functionality and installation options well enough to make informed choices when choosing a CMS and deciding how they want the vendor and/or IT to set up and configure it.

“You’ll live with the consequences of those choices, so don’t rush through them,” says Jim Butterworth, CFE, chief security officer at HBGary, Inc., a cyber-security consultancy in Sacramento, Calif., and a member of the ACFE faculty.

It’s likely that choosing sometimes won’t be easy. You might, for example, come across an application that has all the features you want but runs only in stand-alone mode on individual computers. Such a CMS might seem to meet your requirements — until you want to collaborate with a colleague.

“Say you’re investigating a series of inventory thefts and have infrared camera footage you want a video analyst to eyeball,” Butterworth says. “If that evidence is stored in a stand-alone CMS, you’ll have to install that app and load the video on the specialist’s PC before he can perform the analysis you need. Imagine doing that with every additional colleague you might want to bring into this or any other case.”

You’ll be better off, Butterworth says, if you can find a CMS that has the analytical, reporting and other features you want and makes it easy to share them securely with other investigators and analysts.

“With a Web-centric CMS, nothing is installed on your PC,” he notes. “Instead, you log onto a Web portal that supports multiple simultaneous CMS log-ins to accommodate the entire investigative team and anyone its members collaborate with. You also could install a CMS on your intranet or corporate network. But if you have a global workforce, putting it on your Web server would increase its potential availability to colleagues, no matter where they are. Either way, a CMS in a central location — on the Web or on a company network — is easier to maintain, to secure and to share.”

For example, if you had a Web-based CMS instead of a stand-alone, you could simply have your CMS administrator create a secure, temporary account for the video analyst. You’d then email the analyst a Web link to the CMS along with log-in credentials that — for a given period — enable him or her to view the video and provide interpretive commentary but not do anything else. 

“It’s safe, precise and easy to manage,” Butterworth says. “Getting those issues under control lets you focus more on your primary objective — nailing that inventory thief.”


“It’d better be good,” says Leah Lane, CFE, global investigations manager at Texas Instruments in Dallas, Texas.

She’s talking about any reason why you might grant CMS access to someone not on your investigation team. “Information on potential, pending or closed cases is highly confidential,” Lane explains. “Of course, numerous investigations make it necessary to seek assistance from other parts of the organization. So make sure you pick a CMS that lets you modify user rights in a variety of ways. Then you’ll be able to maintain security while granting non-investigators only as much access as they need to provide what you want.”

The administrator of a flexible CMS can limit access according to, for example, a user’s identity, physical location, job description or business unit, Lane says. Or the administrator instead can control access to a particular system function, data storage location or investigation. Less robust systems might fall short in this respect, perhaps forcing an administrator to grant more or less access than good security or the task at hand might require. To illustrate, Lane describes a hypothetical but typical situation when full administrative flexibility is essential.

In her example, Lane is the administrator of a versatile CMS that enables her to assign an “access level” to everyone permitted to use the system. The CMS also permits Lane to assign an access level to each case.

The access levels range from 1 (the narrowest) to 5 (the broadest) and include the ability to see what other users at or below — but not above — your level see or do in the CMS. Thus, a 1 can see only what other 1’s see and do, while a 5 can see everything. Senior investigators are 5, mid-level investigators are 4 and auditors, analysts and other professionals are 3. All other personnel with potential CMS access, such as security guards, are 2 and 1.

“Assume further that I’m a senior investigator based in the U.S. and that I get an anonymous tip that a certain employee is falsifying his travel and expense reports,” Lane says. “So I open a fraud investigation on this individual, who frequently travels from the U.S. to Korea on company business. When I import his expense reports into the CMS and examine them, I’m not surprised to see that most of the documentation consists of receipts written in Korean, which I can’t read. I therefore consult a colleague, an internal auditor in Seoul, who’s fluent in that language and can translate the receipts so I can determine whether they support the subject’s claimed expenses. At this point, I have to decide exactly how I’ll grant the internal auditor access to that information in the CMS.”

Lane has two options. She can control viewing of the receipts by changing the access level needed to view the case they relate to or by changing the internal auditor’s access level. Because the tip alleged a significant fraud, Lane had made the case a 5, to which only her senior investigators have access. Therefore, Lane must choose between lowering the receipts from 5 to 3 or raising the auditor from 3 to 5.

“The choice is easy, if you think about it,” Lane says. “Lowering the access level on the case is more precise and targeted than changing the auditor’s access level. It would be dangerous and unnecessary to raise the auditor to a 5. That would give him access to all our cases, undermine security and give the auditor more access than he needs to do what I asked of him. The safe and prudent choice would be to temporarily lower the case to 3. That would enable the auditor to see and translate them for me. And when he was done, I’d change the case back to 5, ending his access to them. Standard security levels would then resume, permitting only me and my senior investigators to see this and all our other cases. Make sure the CMS you select has this kind of flexibility; you’ll need it.”

“A good CMS will enable you to establish and maintain a balance among too many access restrictions and too few,” Hubbs says. “As part of your needs assessment for the CMS, you’ll have to determine how many people and which departments will use the system, now and in the foreseeable future. They won’t all have the same roles and needs, so you’ll want to fine-tune their access rights.” 

Hubbs therefore recommends choosing a CMS that lets you assign several levels of viewing, editing and reporting capability. Investigations routinely involve multiple participants, including subject matter experts from non-investigative units, who often work on only narrow aspects of a case. You might want to give such individuals the ability to upload information about particular cases into the CMS, he says, but not to see or modify cases that don’t pertain to them.

“Anticipate and prepare for surprises,” Hubbs says. “Suppose, for instance, that one of your senior investigators is the friend of a former employee the company terminated for cause.”

In Hubbs’ example, the investigator, to give his friend the advantage in a wrongful discharge suit, accesses CMS records containing key evidence of the former employee’s wrongdoing and either deletes it or divulges the details to his friend, who uses that information to refine and strengthen his suit against the company. 

“You can’t completely eliminate the risk of such acts,” Hubbs says. “But you can detect and deter them by permitting only an administrator or specially designated user to change or delete CMS data and by ensuring that a CMS activity log records every action by every user, even if it’s nothing more than viewing information. Be sure to choose a CMS with these capabilities and make full use of them.”

Hubbs also believes it’s wise to link the CMS to the organization’s HR system. If an investigator transfers to a non-investigative unit or leaves the company, his or her access should be automatically reduced or eliminated as appropriate when the HR system notifies the CMS of the investigator’s new employment status.

“Last, but certainly not least, schedule regularly recurring audits of the CMS administrator position,” Hubbs advises. “Find out who conducts the audit and pay close attention to its findings. They can provide a valuable alternative perspective on how well your CMS is managed and performs.”  

For full access to story, members may sign in here.

Not a member? Click here to Join Now. Or Click here to sign up for a FREE TRIAL.