The situation
A multi-national company was employing South Asian migrant workers in Singapore, principally nationals of India, Bangladesh and Nepal. The client had used various recruitment agencies to source workers in the past and, for its Singapore operations, had a set procedure for recruitment including the use of approved recruitment agencies to source employees. In addition to using these approved agencies, employees were permitted to refer in new workers.
After implementing a whistle-blower channel, the client received allegations that a manager based in Singapore was recruiting migrant workers through an unauthorised recruitment agency in one of the South Asian countries and charging an “application fee”. It was also alleged that the workers’ families in the country concerned had been threatened with violence by the recruiting agency should they report to the authorities. This initial finding was supported by written statements and interviews between migrant workers and the client. The workers raised that they paid placement fees to work in the client’s project site in Singapore. Having this issue at hand, the client engaged Control Risks to investigate the Singapore manager and the unauthorised employment agency.
Control Risks' approach
Our investigation followed three different work streams:
- Intelligence gathering on the unauthorised employment agencies implicated
- Forensic collection and examination of the manager’s company-assigned devices
- An interview with the manager
The intelligence gathering exercise and forensic examination were done in parallel to collate evidence simultaneously in preparation for a potentially confrontational interview with the Singapore manager.
Our intelligence gathering exercise in a remote village in India identified the unauthorised recruiter involved and gathered information about his recruitment operations. Public records research showed that the recruiter did not have legal permits or licenses and thus, was recruiting workers illegally. Discreet human intelligence-gathering revealed that the agent was well known for recruiting workers overseas by charging an “application fee”.
Meanwhile, a forensic examination of the manager’s devices revealed email communications between him and the agent in India relating to the recruitment of migrant workers. The communication contained information such as biographical data, passport details and certificates of workers recruited by the manager. Our findings indicated that the manager communicated with the agent using his personal email account, downloaded the documents on his laptop and forwarded the workers’ details to the client’s human resources department using his work email account. Control Risks cross-referenced these findings with internet history records and timeline reconstruction of the manager’s user activity to pinpoint that the manager was the one using the device and not someone who is acting on his behalf.
The timestamps of the communications illustrated that the scheme was conducted during normal business hours.
We identified details of almost 6,000 potential migrant workers from the manager’s personal email account; more than 1,000 of those were employed by the client through the manager. Review of the manager’s other web based communications identified more unauthorised recruitment agencies being used by the manager that had not initially been identified by the client. The forensic evidence gathered helped the client prepare for the interviews with newly identified illegally recruited migrant workers and the manager; the interviews were subsequently conducted onsite by our consultant.
The outcome
We presented the findings to the client’s executive board. We suggested several options that the client could undertake to handle the issue with the findings on hand and with the least disruption to the business.
We also highlighted several gaps in their policies and business processes and proposed solutions or internal controls to mitigate this risk of a repeat scenario. One of the next steps we recommend was to conduct a risk management workshop to guide the client on best practices and the implementation of a robust Governance, Risk and Compliance (GRC) framework. This was with the aim of improving the overall business risk posture of the client not only in their Singapore office but in all their branches worldwide. The workshop was well attended by executives and key members of internal audit, compliance and the IT security department. After the engagement, the client was thus well-placed to make an informed decision and action plan that would least disrupt the business.