Pipara & Co LLP

Evidence collection, chain of custody as per Indian Evidence Act for supporting documents used in Forensic Audits

1. Brief about Evidence Act, 1872:
Indian Evidence Act was passed in the year 1872 by Imperial Legislative Council, during the British Raj. This act contains set of rules and allied matters governing admissibility of proof/ evidence in the Indian Courts of Law. The adoption and enactment of the Indian Evidence Act, 1872 was a path-breaking judicial measure announced in India, which changed the whole system of concepts pertaining to admissibility of evidences in the Indian courts. Prior to that, the rules of evidences were based on the traditional legal systems of different social groups and communities of India and were different for different people depending on caste, community, faith and social position. This act introduced a standard set of law applicable to all Indians. The act extends to whole of India except the state, Jammu and Kashmir.
2. Important Definitions:
2.1 Evidence:
a) – Prohibition of employment of Managing Agents and restrictions on certain forms of employment, no banking company shall be managed by any person for more than 3 months if the person is a director of any other company. However Section 10B, clearly depicts that banking company to be managed by Whole Time Chairman.all statements which the Court permits or requires to be made before it by witnesses, in relation to matters of fact under inquiry; such statements are called oral evidence;
b) – all documents including electronic records produced for the inspection of the Court such documents are called documentary evidence.
The legal usage of the term evidence is so ambiguous. Evidence are categorized into 3 parts-
a) oral evidence (the testimony given in court by witnesses),
b) documentary evidence (documents produced for inspection by the court),
c) Real evidence
The first two are self-explanatory and the third captures things other than documents such as a knife allegedly used in committing a crime
2.2 Documents:
Any matter expressed or described upon any substance by means of letters, figures or marks, or by more than one of those means, intended to be used, or which may be used, for the purpose of recording that matter.
2.3 Relevant:
One fact is relevant to another when the one is connected with the other in any of the ways referred to in the provisions of this Act relating to the relevancy of facts.
3. Question of Law and Question of Fact:
Question of law is also known as point of law. This question can be answered by applying legal principles by interpretation of the law. Question of law does not depend upon the facts and circumstantial evidence. Answers to questions of law are generally expressed in terms of broad legal principles and can be applied to many situations rather than be dependent on particular circumstances or factual situations. An answer to a question of law as applied to the particular facts of a case is often referred to as a “conclusion of law.”
In India, in many cases apex court only considers the question of law and then directs the case to the lower court for question of fact, to be adjudged in accordance with the decision of apex court on question of law.
Question of fact is also known as point of fact. This question can be answered on the available facts and circumstantial evidences as well as from the inferences arising from those facts. Question of fact was evaluated on certain proof or disproof by reference to a certain standard of proof.
4. Few Rules of Evidence:
4.1) Evidence word is not too complicated. But when it comes to solemn court proceedings, the coin flips and debate starts that what is evidence and what can be considered as evidence to prove a fact. For evidence to have any value in the court of law, following rules should be noted:
  • Relevancy
  • Admissibility
  • Weight
4.2) Relevancy – As per Sir Stephen, ‘relevant’ means that any two facts to which it is applied are so related to each other that according to the common course of events, one either taken by itself or in connection with other facts proves or renders probable the past, present or future existence or non-existence of the other.
It can be construed that for an evidence to be admissible, the same has to be relevant. Now the second question arises, how you can distinguish between relevant evidence and irrelevant evidence. There are two types of test to check the relevancy:
a. Legal Relevancy: The fact will only be construed as evidence, if the fact is relevant under the rules laid down by laws and enactments. As per Indian Evidence Act, only evidences falling under Section 5 to 55 are considered as admissible facts while recording evidences. Any other fact, howsoever material, not falling under Section 5 to 55 of India Evidence Act will not be considered as evidence, and therefore not admissible in the court of law.
b. Logical Relevancy: Deriving relevance of evidence on the basis of logic is called logical relevancy. Forensic auditor can do various test like checking normal behavior check, laws of nature or general course of conduct to check logical relevancy of evidence.
4.3 Admissibility and Weight of evidence: After considering the fact to be relevant, court decides whether the evidence can be admissible in the legal proceeding or not. A highly relevant fact can be inadmissible in the court of law on various grounds like if the evidence prejudices the trial of the case, then it will be inadmissible evidence.
If admission of evidence misleads the jury of the case, or causes undue delay in the proceedings of the court, then such evidence can be disallowed.
5. Procedure to be performed while doing forensic audit:
5.1 Plan the investigation-
When the forensic auditor was appointed by any client (including statutory authority), the auditor needs to understand the scope and focus first, before starting the assignment. By planning the audit in advance, the forensic auditor can achieve below objectives:
  1. Identify what type of fraud or wrong doing, if any, is being carried out
  2. Discover how the fraud was concealed or planned
  3. Conclude the time period during which the fraud has occurred
  4. Recognize the individuals involved in the fraud
  5. Quantify the loss suffered or gain due to the fraud
  6. Gather relevant evidence and documents that are admissible in the court
  7. Suggest measures and methods to prevent such frauds in future
5.2 Collecting evidence-
Refer point 6 for detailed note on the collection of evidence.
5.3 Reporting
A report is required so that it can be presented to a client about the fraud identified. The report should include the findings of the investigation, a summary of the evidence, an explanation of how the fraud was perpetrated, and suggestions on how internal controls can be improved to prevent such frauds in the future. The report needs to be presented to a client so that they can proceed to file a legal case, if they so desire.
5.4 Court Proceedings
The forensic auditor might have to be present in person during court trial to explain the evidence collected and how the suspect was identified. Forensic auditor should simplify the complex accounting issues, structured transaction and explain in layman’s and simple language so that people who have no understanding of the accounting terms can still comprehend the fraud that was carried out.
6. Collection of evidence:
Before concluding the forensic audit report, the forensic auditor is required to understand and identify the possible type of fraud that has been carried out in the organization and how the fraud has been committed. The evidence collection should be reliable and adequate enough to prove the identity and charges against the fraudster in court of law. Forensic auditor should reveal the details of fraud scheme through the evidence collected during the course of assignment and document the evidence to prove the amount of financial loss suffered and the parties affected or indirectly affected by the fraud.
A logical flow of evidence will help the court in understanding the fraud and the evidence presented. Forensic auditors are required to take precautions to ensure that documents and other evidence collected are not damaged or altered by anyone, to prove the reliability of the evidence in the court room.
Techniques used by the forensic auditor for collecting the evidences:
6.1 Substantive technique-
Substantive procedures are intended to create evidence that an auditor assembles to support the assertion that there are no material misstatements in regard to the completeness, validity, and accuracy of the financial records of an entity. Thus, substantive procedures are performed by an auditor to detect whether there are any material misstatements in accounting transactions. Some common sources of collecting substantive audit evidence are:
a) Original source documents-
Forensic auditor, during the course of assignment should check the documentation available for entering into any particular transaction. Only on the basis of invoice and supporting documents, the transaction cannot be declared as genuine. Forensic audit is a special detailed investigation of the books of accounts of the entity. Forensic auditor should check the intention of the management for entering into any transaction or agreement. Loss occurred on the transaction cannot be termed as mala fide transaction, as the loss can be due to wrong business decision too. To prove the transaction not in the ordinary course of business, auditor should evaluate the transaction from different angles, like, necessity for the transaction at the time when the borrower was having cash crunch. For an instance, while reviewing the term loan facility, forensic auditor apart from the end utilization of the proceeds from disbursement, should also check sanction letter, facility agreement, board and shareholder approvals for availing the borrowing, person authorized to sign the loan documents as per MOA/ AOA/ ROP/ SOP, etc. Forensic auditor has identified that in many cases, borrowings availed with mala fide intention of diverting or siphoning the sum out of the books of account are not with proper authorization or lapses with many anomalies in the documentation.
b) Physical observations-
Forensic auditors other than relying on the available documents; should also sometimes verify the existence of assets through physical observations and inspections. For example, if the auditor has suspect over the huge inventory presented in the financial statement or stock statements, then the auditor should ask the management to allow them to do independent stock verification, auditor should also check the process of manufacturing to check abnormal burning loss.
c) Confirmation letters-
In the forensic auditor, independent confirmations are very conclusive proof to recheck the balances appearing in the financial statements. Auditors should send confirmation letters to third parties, such as customers, vendors, financial institutions, etc. asking them to verify amounts recorded in the company’s books. Forensic auditor should compulsorily ask the confirmation from those parties which are not into the same line of business or to whom a large amount of advances have been given by the borrower but no supplies have been received against the same.
d) Comparisons to external market data-
For assets actively traded on the open market i.e. quoted investments, auditors may confirm the amounts reflecting in the borrowers’ financial statements by researching pricing data available on public platform like BSE, NSE, etc. For example, if the company invests in marketable securities that it plans to sell within one year, an auditor could independently analyses the prevalent market price available on public platform to reconcile the figures appearing in the books. Likewise, a random sample of inventory could be compared with online pricing lists to confirm that inventory reported at the lower of cost or market value.
e) Recalculation and verification of bank book and pass book-
Forensic auditors, in recent times, have identified that transaction as per bank book and as per bank statements are not matching. This is one of the methods of misrepresentation of books of account. For an instance, transaction as per bank statement has showing that company has paid Rs. 20 Crores to Mr. A., but while recording the transaction in books of account, Mr. B account was debited, who is a regular supplier. Mr. A might be a related party of the borrower and to hide the fact that the sum was transferred to a related party, in the books of account the entry was recorded in the name of Mr. B. Forensic auditor should diligently check the bank book vis a vis pass book to identify these type of material misstatements. While verification, auditor should independently ask the bank statements with the financial institutions instead of asking from the company itself.
6.2 Analytical procedures-
Analytical techniques of gathering evidence consist of assessments of financial information through analysis of plausible relationships among both financial and non-financial data.
Analytical procedures comprehend such investigation as is necessary for identified variations or relationships that are inconsistent with other relevant evidence or that fluctuate from expected values by a substantial amount.
Examples of analytical procedures are as follows:
a) Compare the outstanding receivable metrics to the amount for prior years. The relationship between trade receivables and sales should remain constant over the time, unless there has been major change in the customer base of the organization, or the credit policy of the organization, or its collection practices. This is a form of ratio analysis.
b) Forensic auditor should review the current ratio and quick ratio over several reporting periods. This comparison of current assets to current liabilities should be about the same over time, unless there is a deviation in organization policies relating to accounts receivable, inventory, or accounts payable. This is also a form of ratio analysis.
c) Compare the ending balances in the compensation expense account and employee benefit expenses for several years. This amount should rise always with the rate of inflation. Unusual spikes in the expense may indicate that fraudulent payments are being made to fake employees through the payroll system. This is a form of trend analysis. The forensic auditor should review the payroll master with the family chart of the promoters. Many of times, it was observed that fake employees are created in the name of the relatives of the promoters or KMPs.
d) Examine a trend line of bad debt expenses. IND AS 109 beautifully covers this concept by recognizing expected credit loss that is calculated on the basis of ageing and past history of the receivables. This amount should vary in relation to sales. If the same is not in line with sales, management may not be correctly recognizing bad debts in a timely manner. This is a form of trend analysis.
e) Calculation of burning loss over the years. Forensic auditor has identified that in the manufacturing industry, borrower shows the abnormal loss in a particular period to siphon off the inventory out of the system. The manufacturing process should be reviewed in detail and working of normal and abnormal loss should be made to identify and ascertain maximum loss that can be incurred by the borrower as burning loss.
6.3 Computer assisted forensic audit tools:
a. USB Review – It is small utility software that lists all USB devices that are attached to the system till date. It also shows devices that are presently connected with the system. In simple words, through this application, during the forensic audit, you can identify how many pen drives, hard disks, et cetera were used to transmit the data out of the system.
Forensic auditor should always use V Vault pen drive which has an in- build special feature that no log can be recorded.
b. Dump It – It helps you to copy all the data stored in the Random-access memory of the pen drive or hard disk within few minutes. If the client or any agency authorizes you to access and decrypt the data from the external hard disk, you can use this software to extract the data from the RAM. This is an important tool while doing cyber forensics as the data extraction was the biggest challenge faced by the forensic auditor while performing the forensic audit assignment.
c. Event Log Explorer – This application is used in checking the internet logs. The fraudster might have searched the way to fraud or consequences of the fraud on the internet. By running this application, you can get all the details of surfing. For an instance, by this software, you can get to know the places or the prices of flight tickets for a particular place which were searched frequently by director. It might be possible that director may have parked some of the assets at that location (benami property).
Forensic audits are not only the remedial audit, it can be preventive too. By knowing the intention of fraudster at early stage, you can raise the issue with the higher management or appropriate authority, as the case may be.
d. Stenography – During the course of forensic audit or at the time of finalization, at many times forensic auditor needs to share the draft report online to other partners/ managers for the purpose of review. Auditor decrypts the file by using the password. Now the question arises, password shared on WhatsApp or over the call is safe? Stenography allows you to hide your password behind any image. The recipient can only access to the password if he use the same software in his device.
Also while auditing, if auditor find any irrelevant images shared on mail between the persons of the enterprise, auditor should use Stenography tool to check the secret message hiding behind the image.
Note: The use of IT enabled tools for data access and retrieval should be used only after the proper authorization from the client in written or order from court or any statutory authority.
6.4 Interviewing the suspects:
Interviewing the borrower is the most debatable and subjective topic in the forensic audits. As per the experts, forensic auditors are not allowed to interview and interrogate the officials of the company. We have to understand the same from the legal aspect.
The basic difference between interview and interrogation is that an interview is typically a less formal and accusatory conversation whose main point is to elicit information whereas an interrogation is formal and is mainly designed to get a suspect to confess.
Since, interrogation is designed to get a suspect to confess. Interrogation can be done only under the Indian Penal Code Act and, nowhere, in the master circular issued by RBI or any authority, allow you to interview or interrogate the officials of borrower during the course of forensic audit.
The forensic auditor should interview only if the client give mandate for the same in the engagement letter.
However, forensic auditor can use informal communication technique to know or gain some information about the perpetrators of fraud like:
  1. The forensic auditor during the interaction with the client should observe the facial expression, way of talking, body postures, gestures, etc.
  2. Establish a conversation tone for making witness comfortable with you, by asking general information about the witness.
  3. Do not interrupt the witness between the conversations, listen carefully to the answers and then ask follow up questions on the answers.
  4. Leave open the possibility to contact with clarification on the follow up questions.
6.5 Gathering the evidences by identifying red flags:
a) Employee red flag- Ascertain the lifestyle of employee, attrition rate, employees reluctant to transfer/ leave from a particular position.
b) Professional red flag- Identify if there are any changes in the auditor, consultants, lawyer, banker or KMP in the organization.
c) Structural red flag- Identify the change in delegation or authority matrix. O frequent changes in the Sop or ROP of the company.
d) Accounting red flag- Entries made on unusual timing like Diwali, Sunday or any public holiday, frequency of the entries in a particular Vendor or customer account, etc.
7. Use of Voice Recorders, Camera and Video Shooting:
It is a preferable that any audio or video recording of events be informed to the subject to ensure that these do not infringe privacy laws before engaging in such activities where these are private conversation. Recording of telephone conversation should be with permission from subject and must be informed to him.
The responsibility on the investigator in camera investigation is extremely difficult and requires extra caution in terms of addressing the subject. Any careless recording could lead to negation of evidence and care should be taken not to infringe on the privacy of the individuals. As regards video/ voice recording is concerned, it cannot be construed as substantial evidence and the same can be refused in the court. At the best, it can only be corroborative evidence.
Forensic auditor should not do recording of telephone conversation or video, as it will not be admissible in court and the client can sue the forensic auditor for infringing the privacy.
8. Chain of custody in Indian Evidence Act for supporting documents used in forensic audit:

Also forensic auditor should examine the fact that any enhancement of the existing credit facilities was sanctioned by the financial institutions on the basis of fraudulent stock statement, and then the auditor may classify the account as fraud.

Inventory – It is another major line item eligible for availing drawing power. Forensic auditor should diligently check the value of inventory shown in the annual financial statements and drawing power submitted to the bank. Variation in the value of inventory on account of obsolescence and degradation of quality cannot be more than +/- 5%. Further, it was noted that quantity of stock disclosed in the DP statement is in many cases are more than the available capacity of storage in the warehouse or factory.
Many times, fraudster siphoned off the stock by showing increase in the burning loss in the manufacturing process and sold the balance stock in cash (out of the books). Forensic auditor should compare the chart of normal and abnormal loss for the last 5 years to know the average loss.
8. What is intent? Definition of intent as per Criminal Law? How you prove intent?
8.1) The chain of custody in forensic audit can also be referred to as the forensic link, paper trail, or the chronological documentation of evidences gathered during the course of assignment. It indicates the collection, sequence of control, transfer, and analysis. Chain of custody also documents:
  1. Who handled the evidence i.e. the particular document used for forming an opinion was given by whom?
  2. The date and time when such document or evidence was collected.
  3. The purpose for the collection of such document in the case.
8.2) It is important to maintain the chain of custody to preserve the integrity of the evidence or documents and prevent it from contamination, which can alter the state of the evidence. If the evidences/ documents are not preserved, the evidence presented in court might be challenged and ruled inadmissible in the court of law.
8.3) It is possible to have the evidence presented in court dismissed if there was a missing link in the chain of custody. Forensic auditor, therefore, should consider every document received during the course of audit while forming an opinion, and, so far as possible, forensic auditor should mention that on the basis of these many documents made available to him, he has formed this opinion. It is therefore important to ensure that a wholesome/ complete and meaningful chain of custody is presented along with the evidence at the law court.
9. Procedure to establish the chain of custody:
In order to ensure the integrity and authenticity of chain of custody as much as possible, a sequence of steps must be followed. It is important to note that, the more information a forensic expert obtains concerning the evidence at hand, the more authentic/ reliable/ conclusive is the created chain of custody. Due to this, it is important to obtain detailed information and documents about the evidence.
Forensic auditor should ensure the following procedure to be followed according to the chain of custody for forensic audit report to be admissible in the court of law:
9.1 Save the original materials/ files provide by the management:
Forensic auditor should always work on copies of the documents as opposed to the original. This ensures that you are able to compare your work products to the original that you preserved unmodified.
9.2 Take photos of physical evidence/ documents:
Photos of physical documents are important to establish the chain of custody and make it more authentic. Forensic auditor should ask the management during the course of audit to produce the original copies of the documents for verification like signed financial statements, etc. and should with the due permission of management, take photocopies of the same to produce in the court of law, if required.
9.3 Take screenshots of digital evidence content:
In cases where the evidence is intangible like LinkedIn profile of some promoter, or some posts available on public platform, etc., forensic auditor should take screenshots, so that same can be used as chain of custody in the court of law. One should also note the timing, date, etc. of the screenshot in the reports.
9.4 Document date, time, and any other information of receipt:
Forensic auditor should record the timestamps of whoever had the evidence, allows investigators to build a steadfast timeline of where the evidence was prior to being obtained. In the occasion when there is a hole in the timeline, further investigation should be done regarding the custody of document.
9.5 Perform a hash test analysis to further authenticate the working clone:
Performing a hash test ensures that the data obtained by forensic auditor from the management was copied at bit-by-bit procedure and not corrupt and reflects the accurate nature of the original evidence. If the forensic auditor does not perform a hash function, then the forensic analysis may be flawed or questioned and may result in problems, thus rendering the copy non-authentic or non-reliable.
Forensic auditor should cover in his report as a disclaimer that all the data given by the management is believed to be correct and non-altered and should be admissible in the court of law only after checking the authenticity of information provided by the management.
10. Overall conclusion:
Forensic auditor should document each and every file received during the course of audit by the management or any external agency, whether considered or not, while forming an opinion. The recording of chain of custody of documents should include:
  1. Date of Receipt of information/ data
  2. Person from whom the data is received, if the same is received over mail, the person whose mail ID was used and all persons marked in CC.
  3. Particulars/ details of the data received, whether the files are original extracted from the software or processed.
  4. Whether the data was certified by some agency or authorized person of the entity.
  5. Path to access the data/ information in the system.
Hence, it can be construed that maintaining Chain of custody is an important aspect in the forensic audit.
-Prepared by CA. Chintan Jain
Please select any one region