Procurement Fraud: How Tech Insiders Cheat Their Employers
By Elizabeth Bennett | Posted 2006-06-07
Using "shadow companies" with puppet CEOs and inflated or bogus invoices, a number of I.T. managers stand accused of ripping off their employers—in some instances, for tens of millions of dollars or more. The scam? It's called procurement
Of all the forms of white-collar crime relevant to corporate chief information officers, so-called procurement, or contract, fraud is probably the least visible and most costly. That's largely because it's frequently a hidden byproduct of seemingly legitimate transactions, often involving millions of dollars, between a business and supposedly legitimate information-technology vendors. What's more, the organizations victimized by this kind of fraud often don't report it and choose to settle privately with the alleged culprits involved.
"The bitter truth is that most companies are too embarrassed to prosecute employee fraud," says Ronald Semaria, a former Internal Revenue Service agent and president of Semaria Fraud Consultants in Brooklyn, N.Y. "They figure the bad publicity isn't worth the damage the news might do to the company's image or its relationships with customers."
Typically, procurement fraud involves an employee working with an outside vendor to defraud his employer through bogus or inflated invoices, services and products that are not delivered, work that is never done or contract manipulation. Often, in exchange for letting the vendor shortchange his own company or organization, the employee gets kickbacks. Often, too, fraudsters establish shell or shadow vendors—dummy companies with puppet or fictional CEOs—and use these to bilk the home team.
A typical organization loses a staggering 6% of its annual revenue to occupational fraud, according to the Association of Certified Fraud Examiners (ACFE) in its most recent study on fraud, the 2004 Report to the Nation on Occupational Fraud and Abuse. Taken as a whole, corporate America is losing a stunning $660 billion due to fraud.
And most fraud—67.8%, by ACFE's calculations—is carried out by managers and executives, who typically abscond with far larger sums than the minions in their cubicles. In fact, the median loss involving non-managerial employees was $62,000, according to the ACFE survey, compared to $140,000 for managers and $900,000 for business owners and executives.
To date, there's been no breakdown of how pervasive occupational fraud—and, specifically, procurement fraud—is among information-technology officers. Of late, however, a dozen or so cases of possible rogue CIOs and lower-level technology managers ripping off their employers with shell vendors have come to light. At the low end, instances of procurement malfeasance involved hundreds of thousands of dollars. That's chump change, however, compared to some information-technology-related procurement cases; one in particular, involving the Canadian Department of National Defence, amounted to more than $100 million, according to charges filed by the Royal Canadian Mounted Police (RCMP) at the Ontario Provincial Court in Ottawa.
An information-technology manager with a larcenous bent is uniquely qualified to carry out clandestine procurement activities. Not only do some corporate I.T. budgets top $1 billion, but the head of information technology oftentimes has the most complete access to the company's inner workings and understands better than anyone else what alarms not to trip when absconding with funds from the corporate coffers.
"The I.T. chief controls the information architecture of the firm and can conceal a fraudulent transaction by circumventing controls and safeguards," says Joseph Anastasi, a managing director with LECG, which provides independent expert testimony and strategic advisory services to clients on legal, business and regulatory matters. Anastasi is also the author of The New Forensics: Investigating Corporate Fraud and the Theft of Intellectual Property.
Anastasi says that in highly sophisticated cases of fraud, information-technology officers create a parallel and completely hidden I.T. infrastructure that they use to tunnel into the company vault electronically. "In the old days, if criminal elements were trying to steal from a company, they'd hijack the truck leaving the warehouse or steal stuff from the loading docks," Anastasi says. "Now, they can do it electronically."
The good news? According to Anastasi, there are new tools available—including forensic software such as eTrust Network Forensics (a.k.a. SilentRunner) from CA and EnCase Forensic from Guidance Software—that use forensic analysis to check for fraud and exploitation, and allow users to visualize and uncover network traffic. These tools, plus controls and procedures—some of them an outgrowth of Sarbanes-Oxley initiatives such as a requirement for companies to establish hot lines for whistle-blowers—make it easier to spot and prevent procurement fraud.
Still, to understand what is often a shadowy, all-but-invisible form of criminal enterprise, much of it carried out external to the organization, you have to grasp how it works.
"This kind of fraud is not uncommon, but it's often difficult to spot," says Jim Tiller, chief security officer of INS, a Mountain View, Calif.-based information-technology consulting and software solutions provider. "A lot of times, organizations don't even know they have been victimized."
To that end, Baseline has analyzed four recent cases, all of which were allegedly carried out by information-technology employees under the noses of their superiors and colleagues, according to public court documents.