Preventing Fraud from Trusted Sources
By Larry Dignan | Posted 2006-01-06
A New York technology manager is charged with embezzling more than $11 million from FEMA. Think it can't happen to you? Here are three ways to make sure it doesn't.
Natarjan Venkataram funneled $11.4 million in funds from FEMA (Federal Emergency Management Agency), money earmarked to help New York City build computer systems to identify the remains of victims of the Sept. 11, 2001 terrorist attacks, to companies closely associated with him, according to a criminal complaint in U.S. District Court for the Southern District of New York.
Venkataram, 41, was the director of management information systems at New York's OCME (Office of Chief Medical Examiner), which provides forensic services to support criminal investigations and DNA testing, and manages the city's mortuary.
Venkataram, who served as OCME's director of MIS from 1992 to 2005, was responsible for the day-to-day operations of computer systems and the procurement of hardware, software and consultants.
Since 2001, the office has bulked up its information systems to identify 9/11 victims. According to the complaint, OCME received $46 million in 2002 and 2003 from FEMA partially to purchase hardware, software and services. Venkataram and an associate, Rosa Abreu, are charged with "theft from a program receiving federal funds."
According to the U.S. Attorney's office for the Southern District, Venkataram "used his position to steer OCME contracts and payments to entities that performed little or no work for OCME. These entities, in turn, funneled the funds fraudulently obtained from OCME into shell companies set up and controlled by Venkataram and Abreu."
Attorneys for Venkataram and Abreu did not return phone calls. The U.S. Attorney's office wouldn't comment beyond the complaint. At press time, Venkataram and Abreu had not entered a plea. Venkataram and Abreu face up to 10 years in prison if convicted.
Statistics tallying the ranks of wayward technology managers aren't available, but the case raises key questions. Could you prevent an embezzlement scheme? Are your controls effective enough? How about your processes and procurement procedures?
"We've seen fraud in IT before, but not to this magnitude," said Mark Moore, director of consulting firm Protiviti's technology risk practice. "But [fraud] is commonplace, and many have skimmed from the IT department."
Moore said that the risk of fraud increases when technology managers are given too much control over how they spend money without oversight from auditors.
So, how do you prevent a similar incident? Here are a few scenarios.
SCENARIO 1: According to the court complaint, Venkataram's responsibilities "included the procurement and support of OCME's computer hardware and software applications. He was also responsible for procuring and supervising outside consultants."
Your Defense: Do not allow one individual to award contracts without approval from the business side, preferably a group responsible for financial auditing, says Ken Yormark, a managing director at Protiviti with experience investigating financial fraud.
How To Do It: Yormark says managers need to do a risk assessment for processes such as procurement, receivables and purchasing to find gaps where a miscreant could take advantage. Comb through purchasing and procurement steps to find gaps such as one person selecting vendors and approving payments. Once found, fill them with new processes, such as an audit, that will check this power.
SCENARIO 2: Several of the companies Venkataram did business with were "shell companies" owned by relatives and associates of Venkataram and Abreu, said the U.S. Attorney.
Your Defense: Your information systems should be the first line of defense in ferreting out misdeeds, according to Yormark. For instance, one of the companies mentioned in the suit was listed under Venkataram's home address.
How To Do It: While there are specific applications to investigate fraud, Yormark says business intelligence software can turn up anomalies. The trick is paying attention to the reports. Many applications can highlight patterns, say, 20 different toilet paper vendors with common addresses, and disclose inefficiencies that may be fraud.
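The anomaly report described above, sketched as an added example (not code from the article or from Protiviti): it flags vendors that share a normalized address with each other or with an employee's home address, and also payments where one person both selected the vendor and approved payment, the gap named under Scenario 1. All records, field names and the abbreviation table are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the complaint).
EMPLOYEES = [
    {"id": "E1", "name": "A. Manager", "address": "12 Elm Street, Apt. 4, Springfield"},
    {"id": "E2", "name": "B. Analyst", "address": "77 Oak Avenue, Springfield"},
]
VENDORS = [
    {"id": "V1", "name": "Alpha Consulting", "address": "12 Elm St Apt 4, Springfield"},
    {"id": "V2", "name": "Beta Systems", "address": "500 Market Road, Suite 9, Shelbyville"},
    {"id": "V3", "name": "Gamma Data", "address": "500 MARKET RD STE 9 SHELBYVILLE"},
    {"id": "V4", "name": "Delta Hardware", "address": "9 Industrial Way, Capital City"},
]
PAYMENTS = [  # who selected the vendor and who approved the payment
    {"vendor": "V1", "selected_by": "E1", "approved_by": "E1", "amount": 250000},
    {"vendor": "V4", "selected_by": "E1", "approved_by": "E2", "amount": 40000},
]
# Assumed abbreviation table; a real vendor master needs a fuller one.
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste", "apartment": "apt"}

def normalize(address):
    """Lowercase, drop punctuation, collapse common street-word variants."""
    words = re.sub(r"[^a-z0-9 ]", " ", address.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def shared_vendor_addresses(vendors):
    """Groups of two or more vendor ids registered at the same normalized address."""
    groups = defaultdict(list)
    for v in vendors:
        groups[normalize(v["address"])].append(v["id"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)

def vendors_at_employee_address(vendors, employees):
    """(vendor id, employee id) pairs where a vendor address equals a home address."""
    homes = {normalize(e["address"]): e["id"] for e in employees}
    return [(v["id"], homes[normalize(v["address"])])
            for v in vendors if normalize(v["address"]) in homes]

def same_person_selects_and_approves(payments):
    """Payments where one person both chose the vendor and approved payment."""
    return [p for p in payments if p["selected_by"] == p["approved_by"]]

if __name__ == "__main__":
    print("Vendors sharing an address:", shared_vendor_addresses(VENDORS))
    print("Vendor at employee address:", vendors_at_employee_address(VENDORS, EMPLOYEES))
    print("No separation of duties:", same_person_selects_and_approves(PAYMENTS))
```

Exact matching on a normalized string misses misspellings and P.O. boxes, so a flagged pair is a lead for an auditor to review, and an empty report is not proof that no relationship exists.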
SCENARIO 3: A vendor works with the offending party to skim technology funds, often delivering subpar performance. According to the complaint, New York's technology and telecommunications department evaluated the work the vendors were contracted for and found that one vendor didn't do any work and another's work could have been "performed for a fraction" of the money that it was paid.
Your Defense: Monitor vendor performance, audit the work being done and identify potential relationships between parties.
How To Do It: Set a process that regularly evaluates vendors and the work they produce. Yormark recommends comparing vendors, their products and their position in the marketplace. Also keep contact with suppliers that lost out on bids; they will be the first to complain if they see something fishy.
"You have to look at the information in detail and be willing to dig deeper," Yormark says. "In most cases, fraud will be more difficult to find."
With reporting by Elizabeth Bennett.