By Walt Manning, CFE, EnCE
Organizations are increasingly storing data and applications on virtual servers around the world via "cloud computing" providers. The implications for fraud examinations could be enormous.
John had just begun his new position as an internal investigator with ABC Company in Los Angeles. In one of his first cases, he received information indicating the possibility that a company employee in the purchasing department was receiving kickbacks in return for awarding contracts to specific vendors. John scheduled a meeting with Marsha, who was ABC's director of information technology (IT). He explained that he needed copies of all digital documents related to the employee he was investigating and also access to the employee's email account.
Marsha said that the company had outsourced all the documentation and project management data to a "cloud computing" provider, and she was not even sure where the provider's servers and data storage were located. Also, she said that ABC had outsourced its email service to a different cloud provider. She offered to contact the providers and give the relevant information to John. Several days later, Marsha explained to John that the first provider had created a "virtual server" on one of its physical network servers located in Mexico to host the purchasing applications, but it had subcontracted with yet another cloud computing provider in Shanghai, China, to store all the purchasing data. She explained that a virtual server is really software that emulates - or "pretends" - to be a physical computer and described the virtual machine as a "computer within a computer." On top of that, ABC stored its emails on another cloud provider's server in Lahore, Pakistan.
John explained that the company needed to preserve the related data for his investigation; Marsha said that this issue had never come up before, and they might need to contact the company's general counsel to determine how to proceed.
During a meeting the following week with the company's general counsel, he said that the contracts with each of the cloud-computing providers would need to be reviewed to determine the contractual obligations of the providers and the access ABC might have to their data. The general counsel also said his team would need to review the laws of each cloud provider location to make sure they addressed any privacy issues prior to preserving the data for the investigation.