Procurement Fraud: How Tech Insiders Cheat Their Employers

 
 
By Elizabeth Bennett  |  Posted 2006-06-07
 
 
 

Of all the forms of white-collar crime relevant to corporate chief information officers, so-called procurement, or contract, fraud is probably the least visible and most costly. That's largely because it's frequently a hidden byproduct of seemingly legitimate transactions, often involving millions of dollars, between a business and supposedly legitimate information-technology vendors. What's more, the organizations victimized by this kind of fraud often don't report it and choose to settle privately with the alleged culprits involved.

"The bitter truth is that most companies are too embarrassed to prosecute employee fraud," says Ronald Semaria, a former Internal Revenue Service agent and president of Semaria Fraud Consultants in Brooklyn, N.Y. "They figure the bad publicity isn't worth the damage the news might do to the company's image or its relationships with customers."

Typically, procurement fraud involves an employee working with an outside vendor to defraud his employer through bogus or inflated invoices, services and products that are not delivered, work that is never done or contract manipulation. Often, in exchange for letting the vendor shortchange his own company or organization, the employee gets kickbacks. Often, too, fraudsters establish shell or shadow vendors—dummy companies with puppet or fictional CEOs—and use these to bilk the home team.

A typical organization loses a staggering 6% of its annual revenue to occupational fraud, according to the Association of Certified Fraud Examiners (ACFE) in its most recent study on fraud, the 2004 Report to the Nation on Occupational Fraud and Abuse. Taken as a whole, corporate America is losing a stunning $660 billion due to fraud.

And most fraud—67.8%, by ACFE's calculations—is carried out by managers and executives, who typically abscond with far larger sums than the minions in their cubicles. In fact, the median loss involving non-managerial employees was $62,000, according to the ACFE survey, compared to $140,000 for managers and $900,000 for business owners and executives.

To date, there's been no breakdown of how pervasive occupational fraud—and, specifically, procurement fraud—is among information-technology officers. Of late, however, a dozen or so cases of possible rogue CIOs and lower-level technology managers ripping off their employers with shell vendors have come to light. At the low end, instances of procurement malfeasance involved hundreds of thousands of dollars. That's chump change, however, compared to some information-technology-related procurement cases; one in particular, involving the Canadian Department of National Defence, amounted to more than $100 million, according to charges filed by the Royal Canadian Mounted Police (RCMP) at the Ontario Provincial Court in Ottawa.

An information-technology manager with a larcenous bent is uniquely qualified to carry out clandestine procurement activities. Not only do some corporate I.T. budgets top $1 billion, but the head of information technology oftentimes has the most complete access to the company's inner workings and understands better than anyone else what alarms not to trip when absconding with funds from the corporate coffers.

"The I.T. chief controls the information architecture of the firm and can conceal a fraudulent transaction by circumventing controls and safeguards," says Joseph Anastasi, a managing director with LECG, which provides independent expert testimony and strategic advisory services to clients on legal, business and regulatory matters. Anastasi is also the author of The New Forensics: Investigating Corporate Fraud and the Theft of Intellectual Property.

Anastasi says that in highly sophisticated cases of fraud, information-technology officers create a parallel and completely hidden I.T. infrastructure that they use to tunnel into the company vault electronically. "In the old days, if criminal elements were trying to steal from a company, they'd hijack the truck leaving the warehouse or steal stuff from the loading docks," Anastasi says. "Now, they can do it electronically."

The good news? According to Anastasi, there are new tools available—including forensic software such as eTrust Network Forensics (a.k.a. SilentRunner) from CA and EnCase Forensic from Guidance Software—that use forensic analysis to check for fraud and exploitation, and allow users to visualize and uncover network traffic. These tools, plus controls and procedures—some of them an outgrowth of Sarbanes-Oxley initiatives such as a requirement for companies to establish hot lines for whistle-blowers—make it easier to spot and prevent procurement fraud.

Still, to understand what is often a shadowy, all-but-invisible form of criminal enterprise, much of it carried out external to the organization, you have to grasp how it works.

"This kind of fraud is not uncommon, but it's often difficult to spot," says Jim Tiller, chief security officer of INS, a Mountain View, Calif.-based information-technology consulting and software solutions provider. "A lot of times, organizations don't even know they have been victimized."

To that end, Baseline has analyzed four recent cases, all of which were allegedly carried out by information-technology employees under the noses of their superiors and colleagues, according to public court documents.

Case #1: Buca

The Target: Buca, Inc., is a fast-growing Minneapolis-based chain that operates family-style southern Italian restaurants under the names Buca di Beppo and Vinnie T's of Boston. Founded in 1993 and publicly traded, the company, which had revenue of $239 million in 2005, has 104 restaurants in 28 states and the District of Columbia.

The Subjects: John J. Motschenbacher, former Buca CIO; Greg Gadel, former Buca CFO.

In 2001, when High Wire Networks was seeking a customer to extol the merits of a voice-over-Internet Protocol (VOIP) system it was selling, the Minneapolis computer services company enlisted John J. Motschenbacher, who at the time was Buca's vice president of information technology and finance.

Buca, a national chain of full-service, dinner-only restaurants also based in Minneapolis, had been receiving complaints from customers unable to make reservations when they called during the daytime, when the restaurants were closed. After High Wire installed an intelligently routed call center to handle calls re-routed from individual restaurants before 3 p.m., when the restaurants opened, operators in the company's central office were able to ascertain where the call was from and make a reservation or log take-out orders.

As a result, Buca was taking as many as 15 additional reservations in each of its then 62 locations each day and saw a big jump in its take-out orders as well, Motschenbacher told a reporter from Communications Convergence Magazine (now incorporated into Call Center Magazine).

What neither the reporter nor Motschenbacher's employer knew at the time was that the technology manager had a vested interest in High Wire's success, Buca has alleged. In fact, according to a civil complaint filed by Buca in July 2005 in the Fourth Judicial District Court, State of Minnesota, Motschenbacher and Buca's then-CFO, Greg Gadel, had helped form High Wire and were company shareholders and directors. Motschenbacher was, in fact, High Wire's CFO, receiving $3,125 a month in consulting fees, according to Buca's complaint. And to help High Wire navigate its critical startup phase, Motschenbacher and Gadel headquartered the company in the same building as Buca, and had Buca pay $98,000 to build out this office space, Buca claims in court documents.

And, through an intermediary company in which Buca charges they had an undisclosed financial interest, EDP Computer Systems, Motschenbacher and Gadel allegedly billed Buca for the salaries of approximately 10 High Wire employees who were doing little or no work for the restaurant company, Buca claims in court documents.

"They used a separate entrance but otherwise were based in Buca's building," says Rich Erstad, Buca's general counsel. And this was only part of what Buca alleges was a comprehensive scheme involving kickbacks and inflated and bogus invoices that continued for almost five years without being detected.

No criminal charges have been filed against Motschenbacher and Gadel. Buca's civil suit charges both men with breach of fiduciary duty and unjust enrichment.

Motschenbacher's attorney, Brooks F. Poley, and Gadel's lawyer, Todd A. Noteboom, did not respond to calls and

e-mails regarding this story. Motschenbacher has an unlisted telephone number and could not be reached. Gadel did not respond, though Baseline left messages for him at his office at Parasole Restaurant Holdings in Minneapolis.

To his superiors, Motschenbacher seemed an exemplary information-technology manager. He started his career with the company as the corporate controller in 1998 and was clearly on a fast track. In 1999, he was promoted to vice president of finance and purchasing.

By August 2003, Buca had almost tripled its number of restaurants, to 102 from 40 in 2000. That month, company CEO, chairman and president Joseph P. Micatrotto appointed Motschenbacher senior vice president of information technology, stressing his contribution to Buca's growth. "A distinguished leader, I'm proud to announce John's promotion …" Micatrotto said in a Buca press release at the time. "John's role is critical to our success in managing over 100 restaurants nationwide … Since arriving at Buca, Inc., he has developed a strong team that supplies the entire company with information needed to operate our business."

According to Buca's allegations, however, Motschenbacher and Gadel, who joined the company in 1997 as its CFO, were fleecing Buca from the get-go. In 1998, Buca contracted with EDP Computer Systems, a now-defunct St. Paul-based reseller, to supply the company with computer hardware and services. Both Motschenbacher and Gadel, Buca alleges, had a material interest in EDP, which was providing them several times a year with "under-the-table" cash payments that ranged from $5,000 to $25,000. Motschenbacher and Gadel would share these proceeds, Buca claims. The CIO also allegedly received gifts from EDP, including two four-wheel-drive all-terrain vehicles. After one of Motschenbacher's vehicles was damaged in an accident, he demanded and received a replacement vehicle from EDP, Buca alleges.

In return, Motschenbacher and Gadel approved Buca's very unfavorable contracts and transactions with EDP, allowing the vendor to charge far higher margins than it could have obtained from other customers, Buca claims. "Markup costs ranged up to several hundred percent," Buca's lawyers charged in their complaint.

Motschenbacher also allegedly failed to obtain competitive bids for the computer equipment and would accept whatever price EDP asked. Motschenbacher approved transactions with EDP, while Gadel had responsibility for approving all of the EDP invoices, according to Buca's court documents.

Meanwhile, the VOIP system EDP and Motschenbacher had developed for Buca was so effective that Gadel and Motschenbacher believed other companies, including those in the restaurant industry—potentially Buca's competitors—would want to adapt it, Buca charges. To peddle the system, they formed High Wire in conjunction with EDP as a corporation on Oct. 18, 2000, according to court documents. Although Buca knew nothing about the involvement of its CFO and CIO in the new company, Gadel and Motschenbacher held High Wire's first organizational meeting in the executive conference room at Buca's headquarters, Buca charges in court documents.

Once High Wire was ready to launch, Motschenbacher and Gadel moved it into the same building where Buca had its headquarters. Buca says that EDP billed Buca for the High Wire office space and employees, labeling the invoices, at Motschenbacher's direction, as "HW Services" or "Guest Services/Network Support." These invoices were often hand-delivered to Motschenbacher who, in turn, would hand-deliver the Buca payment to EDP, according to Buca's allegations.

High Wire was folded into EDP in October 2001, at which point Motschenbacher, still High Wire's acting CFO, wrote himself a $25,000 check from the High Wire account, Buca alleges. He continued to receive kickbacks from EDP, Buca alleges.

Separately, in 2004, an investigation by Buca's audit committee, the company said in an SEC 10-K filing, revealed that Buca CEO Micatrotto had purchased a villa in Italy, using almost $1 million of Buca's money, as a training facility for Buca employees. In violation of SEC regulations, Micatrotto had put the place in his and his wife's names, according to Buca.

The company asked Micatrotto to resign in May 2004, Buca's SEC filings indicate. Micatrotto subsequently agreed, among other things, to make certain cash payments to Buca, its 10-K filing indicates, and to waive all rights to receive any payments under Buca's Key Employee Share Option Plan, including both vested and unvested benefits. These agreements resulted in a total recoupment to Buca of approximately $900,000, says Buca in a 10-K filing with the SEC. Baseline could not reach Micatrotto for comment.

Soon after, a financial audit by Buca began uncovering some of the financial irregularities attributed to Motschenbacher and Gadel, Buca said in SEC filings.

Gadel resigned from the company in February 2005, joining Parasole Restaurant Holdings, which owns and operates Italian restaurants and which originally founded and spun off Buca. The following month Buca, its SEC filings indicate, terminated the employment of Motschenbacher. Buca later claimed in its civil suit that Motschenbacher refused to speak to company investigators and took steps to impede Buca's investigation. In one of his last acts as CIO, he damaged four Buca computers in his possession so no information could be retrieved from them, Buca asserts.

Resolution: Unlike many companies that are subject to procurement fraud, Buca refused to sweep the matter under the rug. "We have an entirely new management team in place, and we want to be good corporate citizens about this," general counsel Erstad says.

In the civil suit, Buca is asking for damages in excess of $50,000, all compensation Motschenbacher and Gadel received during the period they were allegedly defrauding the company, and all costs plus interest incurred by the Buca investigation plus attorneys' fees.

The case is scheduled to go to trial in August.

Buca Base Case

Headquarters: 1300 Nicollet Mall, Suite 5003, Minneapolis, MN 55403

Phone: (612) 225-3400

Business: Owns and operates Italian restaurants under the names Buca di Beppo and Vinnie T's of Boston.

Chief Executive Officer: Wallace B. Doolin

Financials: Publicly traded; annual revenue $239 million.

Incident: Buca's former CIO and CFO allegedly defrauded the company through ownership in outside vendors.

Case #2: Canadian Department of National Defence

The Target: The Department of National Defence (DND) is one of the few Canadian national institutions that come solely under the federal government; it is the only authority in matters of defense and protection of Canadian sovereignty. In 2004, DND's budget was $14 billion (Canadian), and it had 22,000 civilian employees and 85,000 military personnel, according to the DND Web site. It is headquartered in Ottawa.

The Subjects: Paul Champagne, former DND contracts manager; Ottawa businessmen Peter Mellon and Ignatius (Cholo) Manso.

For a mid-level government bureaucrat who worked as a contracting officer for the Canadian Department of National Defence (DND), Paul Champagne lived well. Champagne owned a two-acre estate on "Billionaire's Row" in Dunrobin, Ontario, a fashionable Ottawa suburb, complete with tennis courts, indoor swimming pool, a separate gym building and a four-car garage. And when he wanted to escape the frigid Canadian winter for a week or so, he had a house on a golf course in Florida as well as a seven-bedroom mansion with pool, gym and 200 feet of beachfront on Providenciales Island in the Turks and Caicos, according to published reports in the Ottawa Citizen and CBC News in Canada. When he was finally asked about his opulent lifestyle and the $20 million (Canadian) or so worth of real estate he'd amassed, Champagne told a reporter for Canadian television network CTV that he'd been lucky in the stock market.

Based on allegations contained in a civil suit filed against Champagne and two associates in the Ontario Superior Court of Justice in December 2005 by one of DND's principal vendors, Hewlett-Packard Canada, and criminal charges filed against him and his cohorts in late January by the Royal Canadian Mounted Police (RCMP), Baseline has been able to glimpse the inner workings of a scheme that the RCMP claims bilked Canadian taxpayers out of a sizable fortune. "It was a complex billing scheme that defrauded the Canadian government out of $105 million," RCMP spokeswoman Sgt. Monique Beauchamp says.

Neither the civil nor criminal case has gone to trial yet. In the former, Champagne and HP have reached an out-of-court settlement, while the other defendants in the HP civil case maintain their innocence, their lawyers told the Ottawa Citizen. In the criminal case, all of the defendants claim to be innocent, according to statements Champagne's lawyer, Michael Edelson, made to the Ottawa Citizen, and statements made to Baseline by lawyers of the other defendants in the case.

But according to HP's charges, from 1994 to 2003, Champagne was the point man in dealing with Hewlett-Packard Canada, one of DND's major hardware, software and information-technology services and maintenance vendors. Actually, Champagne started managing procurement relations with Digital Equipment Corp. (DEC), which was acquired by Compaq in 1998, continued his relationship with Compaq and then took over dealings with HP after it purchased Compaq in 2002. Throughout this period, Champagne was allegedly conducting invoicing fraud through a number of outside companies. According to HP's court documents, they include:

• The Baxter Group, a now-defunct company that specialized in selling secure information equipment such as Tempest computer systems (computers equipped with extra shielding to keep data signals from escaping and being picked up by eavesdroppers). Its principal owner, Peter Mellon, has known Champagne since the two were in high school together, HP claims.

• Vellis Solutions, a now-defunct shell company that HP alleges was established only to process invoices.

• E-Lite Canada (a.k.a. The Carnegie-Mellon Financial Group), another third-party I.T. company, also defunct.

• Avemore International Inc. (formerly Quarterdeck Consulting Inc.), which originally specialized in sales of security software, hardware and consulting, and then, as Avemore, provided funding for technology startups. Like Mellon, the company's CEO, Ignatius (Cholo) Manso, a former DND logistics officer, also had known Champagne, the RCMP claims.

In its suit, HP charges that Champagne would allegedly tell HP that DND needed, say, new communications security equipment and instruct HP to purchase it from one of the third-party vendors with whom Champagne was associated. The vendors in turn would mark up the invoice for "administrative costs," then send it on to HP, saying the equipment had been delivered, HP claims. Then, HP, which claims it was not aware of the connections between Champagne and the vendor, would send the bill on to the DND. In turn, DND, on Champagne's say-so, reimbursed the third-party vendor, which would kick back funds to Champagne.

The best part of this ongoing alleged scam—from a fraudster's viewpoint, at least—was that for the most part the services and equipment that Champagne ordered, HP alleges, were never delivered. And should anyone such as the HP account rep question Champage too closely about his dealings, he would tell them "that the work was confidential and in the interest of national security," HP claims.

According to public records from the Canadian Public Works Department, in January 2000 supply officers from the department, which is similar to the Government Accountability Office in the U.S., expressed concerns to Champagne and two other members of the procurement team about "high expenditure rates on the Tempest and non-Tempest hardware maintenance contracts, and requested official explanations from DND for these rates." For nearly three years, Public Works continued to investigate these concerns, according to public documents, frequently discussing them with Champagne. In the meantime, Champagne and his associates are said to have continued to rake in funds.

Resolution: The fallout from the DND affair has been significant. In its April 2, 2004, edition, the Canadian publication Computer Dealer News reported that the deputy minister of Public Works had sent HP a letter demanding it repay $160 million for which DND was fraudulently invoiced. The following month, HP Canada agreed to reimburse the Canadian government for $146 million, according to an HP 10-K filing with the SEC. Payment was made even though, HP spokesman Mahboob Jaffer stresses, no HP employees derived any improper benefits from the scheme and much of the fraud had occurred prior to HP's 2002 purchase of Compaq. "HP determined that it was important for HP to honor its contractual obligations, rather than engage in protracted litigation with the Government of Canada," the company explained in its 10-K statement.

Subsequently, the DND announced in a brief statement that HP "remains a valued I.T. supplier to the Canadian government" and helped the vendor prepare a civil lawsuit against Paul Champagne, Peter Mellon, Chulo Manso and several other vendors, Jaffer says. HP filed civil suit to recover the money it paid to the Canadian government.

Champagne settled the civil suit filed in the Ontario Superior Court of Justice in December 2005, according to Jaffer, with Champagne turning over "stocks and real estate," Jaffer says.

Both Manso and Mellon, however, are "fully defending" themselves against the suit and have filed defenses, their lawyers said in interviews with Canadian papers at the time.

Meanwhile, after a 2 _-year investigation, the RCMP charged Champagne with fraud, obtaining more than $105 million from the DND under false pretenses and money laundering, among other things, according to a Jan. 30, 2006, RCMP news release. Mellon was charged with two counts of fraud, Manson with one count.

Champagne no longer is residing in Ottawa and his lawyer, Michael Edelson, has not returned Baseline's calls.

Manso's lawyer, Robert Meagher, says, "It's still very early in the process, but at this point we intend to enter a not-guilty plea." Mellon has also relocated. His attorney, Leonard Shore, says his client intends to plead not guilty.

Canadian Department of National Defence (DND) Base Case

Headquarters: Major-General George R. Pearkes Building,101 Colonel By Drive, Ottawa, Ontario, Canada K1A 0K2

Phone: (613) 995-2534

Business: The mission of the Department of National Defence and the Canadian Forces is to defend Canada.

Chief Executive Officer: Gordon O'Connor, Minister of National Defence

Financials: DND had a $14 billion (Canadian) budget in 2004.

Incident: Working with third-party "shadow" vendors, a DND procurement officer allegedly defrauded the department of more than $100 million.

Case #3: New York City Office of Chief Medical Examiner

The Target: New York City Office of Chief Medical Examiner (OCME) provides forensic services to support criminal investigations and DNA testing, and manages the city's mortuary. OCME's budget is $50 million; it has 510 employees.

The Subjects: Natarajan "Raju" Venkataram, former director of the medical examiner's management information systems department, and Rosa Abreu, former director of records.

In the aftermath of the 2001 World Trade Center attacks, more than 20,000 human remains were ferried to the chief medical examiner's office in New York City.

The Midtown Manhattan building, a fading 60's-era structure with a turquoise tile facade, was transformed into an armed camp after the towers collapsed; city police, state troopers, and FBI and Secret Service agents conducted investigations and ringed the building's perimeter, admitting only those involved with managing the disaster.

Despite the abundance of law enforcement personnel, crimes went undetected at the medical examiner's office while the incinerated and crushed bodies of 2,749 men, women and children pulled from the wreckage were tagged, analyzed and, in the best-case scenario, identified, according to a criminal complaint filed against Natarajan Venkataram and Rosa Abreu in December 2005 in the U.S. District Court, Southern District of New York.

The criminal complaint accuses them of running a scheme of shadow companies and fake contract bids to embezzle funds sent by the Federal Emergency Management Agency (FEMA) soon after the Sept. 11 attacks, when the medical examiner was overwhelmed by the huge and delicate task of identifying nearly 3,000 victims. The two defendants have been charged with theft from a program receiving federal funds, according to court documents. If convicted, the two face up to 10 years in prison, according to a December 2005 press release issued by the New York City Department of Investigation, a city agency that investigates cases of fraud, corruption and unethical conduct by New York City employees, contractors and others who receive city money.

Venkataram's and Abreu's lawyers, Gerald Shargel and Lee Ginsberg, respectively, say their clients are not guilty. Both defendants have pleaded not guilty in court.

From 2000 to 2005, according to the complaint, Venkataram, director of the medical examiner's management information systems department, and Abreu, director of records (and Venkataram's primary assistant), took at least $8 million of municipal and federal dollars via phony companies and improper relationships with vendors.

That Venkataram and Abreu might have bilked the city and federal governments when so many around them were suffering was particularly galling to Tom Brondolo, the former deputy of the medical examiner's office, and Venkataram and Abreu's manager. "When Raju and Rosa created this scheme to defraud the city, they violated more than the public trust," says Brondolo, who now runs Brondolo Associates, a New York-based disaster management consultancy. "They violated a truly sacred trust and commitment that everyone in the office made to do what was needed during 9/11." OCME declined to comment on the case.

Stephan Zander, deputy inspector general with the New York City Department of Investigation, said in the complaint that OCME, at the direction of Venkataram, awarded technology contracts to a number of companies—some that provided services to the department, some that did not. These companies then colluded with "shell" entities created and controlled by Venkataram and Abreu, the complaint alleges.

Three companies that had contracts with the medical examiner's office—Comprehensive Computer Resources (CCR), HS Group and Infotech—issued checks totaling more than $575,000 to a company called A&D Marketing, according to the complaint. Venkataram's home address, according to the complaint, is listed as the headquarters for A&D.

Venkataram, who worked at the medical examiner's office for 13 years before his December 2005 arrest, was responsible for procuring hardware and software and supervising outside consultants at the medical examiner's office, according to the complaint. He is alleged to have been a close associate of the head of CCR, an Internet consulting, Web development and training firm. The CCR employee was not named in the complaint and is said in the court document to be serving as a confidential informant in the case. The two met at a training course led by CCR prior to 2001, the complaint alleges. CCR was alleged to have been awarded contracts by OCME in the aftermath of the Sept. 11 attacks, including an $11.4 million project funded with federal emergency dollars. Approximately $5.5 million of the contract payment was allegedly transferred from CCR to bank accounts in India at Venkataram's direction by way of blank CCR checks signed by the unnamed CCR employee, the complaint states. The complaint also says that Venkataram transferred $400,000 from CCR to A&D and another $86,000 to another shell company.

The medical examiner's office is normally responsible for the forensic investigation of homicides, suicides and unusual deaths in New York City. After the World Trade Center attacks, the agency, which operates under the city's Department of Health and Mental Hygiene, was responsible for tracking, identifying and releasing the human remains recovered at ground zero. Immediately after 9/11, the agency had to quickly create a tracking system—with the help of technology vendors—to ensure that all remains were properly cataloged, analyzed, X-rayed and stored where they could be found, according to Brondolo. It also had to find a way to make available to investigators all of the data it had collected.

Shortly following Sept. 11, the medical examiner's office awarded CCR an initial $1.3 million contract on an emergency basis to provide hardware and software support for OCME's World Trade Center-related activities and the laboratory systems used to keep track of DNA samples of victims, Brondolo says.

In January, February and August 2002 and April 2003, CCR's contract was increased for unanticipated work requirements and ongoing maintenance, according to a contract and contract addendums that Baseline obtained through a Freedom of Information Act request. (The contract would eventually total $11.4 million.)

Those requirements included integrating 20 disparate systems that contained information ranging from DNA samples and analyses, to victims' personal profiles, to photographs of personal effects, according to a copy of the original CCR contract from January 2002. CCR created a Web-based portal so that workers at the medical examiner's office, the New York Police Department and other investigative groups could gain access to the disparate systems from a single Web page, according to a contract addendum filed with the Comptroller's office in May 2003.

In addition, CCR was asked to implement a laboratory information management system to help identify the remains and a document management system for DNA case files, the addendums state. Brondolo says he recalls that CCR completed the information systems it was contracted to build.

FEMA, a division of the U.S. Department of Homeland Security, reimbursed the entire $11.4 million contract to OCME, according to the criminal complaint. But New York City's Department of Information Technology and Telecommunications alleges in the complaint that the work CCR did "could have been performed for a fraction of the $11.4 million and would have been performed substantially better by other companies operating in the marketplace." Baseline attempted to contact CCR, but the company's Web site had been taken down and a call to the number listed for CCR in the phone directory found the number to be disconnected.

Because of the unusually strained circumstances in the months and years after Sept. 11, Venkataram and Abreu were able to bypass some procurement controls by awarding contracts under emergency conditions. That meant the usual procedures and approvals were not required, according to Marla Simpson, director of the Mayor's Office of Contracts, which oversees the city's procurement policy and process.

"Many city agencies required the purchase of goods and services on an emergency basis after Sept. 11," says Steve Stein Cushman, chief of the contracts and real estate division at the city's Law Department, also called the Corporation Counsel, which ensures that the terms of contracts valued at more than $100,000 are legal and appropriate. For roughly three months following the disaster, Cushman says city agencies were given "blanket approval" for the emergency procurement of goods, services and construction necessary to respond to the emergency. "That meant they could select a vendor and procure such goods, services or construction without individual approval for each purchase from the Law Department or the City Comptroller's office. In addition, the Mayor's Office of Contract Services does not approve emergency contracts," Cushman explains.

But Venkataram allegedly managed to circumvent procedures even when it wasn't an emergency, according to the complaint. In order to create the appearance of competitive bidding in awarding some contracts, Venkataram allegedly asked the head of CCR to use other companies the informant controlled to bid on work at the medical examiner's office. For example, the agency paid $166,000 to HS Group and Infotech, which bid on and won contracts with the medical examiner. Baseline could not track down contact information for either company, both of which are alleged to have been operated by the informant and performed no services, according to the complaint. However, at Venkataram's direction, the companies issued checks to A&D Marketing and Trade A2Z, another alleged shell company operated by Venkataram and Abreu. The complaint states that Rosa Abreu admitted to Zander in an August 2005 interview that A&D, Trade A2Z and a third company, Infodata, were shell companies.

Venkataram and Abreu were eventually apprehended by New York City police after an unnamed employee in the medical examiner's office alerted the Department of Investigation's Zander to possible procurement irregularities involving the two, according to the complaint.

Resolution: In December 2005, Venkataram and Abreu were arrested on fraud charges and have pleaded not guilty. Venkataram is incarcerated at the Metropolitan Detention Center in Brooklyn. Abreu was released on $500,000 bail in December; her lawyer declined to say where she is living. A trial date has not yet been scheduled.

New York City Office of Chief Medical Examiner Base Case

Headquarters: 520 First Ave., New York, NY 10016

Phone: (212) 447-2030

Business: Investigates deaths of those who die as a result of violence, suicide or under suspicious circumstances.

Chief Executive Officer: Charles S. Hirsch, M.D.

Financials: Annual budget of $50 million.

Incident: The medical examiner's former management information systems director and director of records allegedly absconded with federal dollars through phony companies.

Case #4: The Electric Reliability Council of Texas (ERCOT)

The Target: The Electric Reliability Council of Texas (ERCOT) is the organization entrusted to keep electric power flowing to approximately 20 million Texas customers—representing 85% of the state's electric load and about 75% of Texas' land area.

The Subjects: Kenneth Shoquist, ERCOT's former chief information officer; Stephen Wallace, former program development director; Chris Uranga, ERCOT's ex-director of I.T. operations and corporate security; Chris Douglas, former senior manager, data warehouse; Carlos Luquis, former physical security manager; and John Benito Cavazos, a non-employee contractor.

For an organization such as the Electric Reliability Council of Texas (ERCOT) that puts a premium on security, the November 2002 hiring of Kenneth Shoquist as chief information officer seemed like a well-considered move. As it turned out, however, the company could have made a better choice, given the outcome of his tenure.

Founded in 1970, ERCOT, based in Taylor, Texas, is an independent, third-party, not-for-profit organization responsible for overseeing the reliable and safe transmission of electricity over Texas' main electricity power grid. ERCOT's staff grew from 50 employees in January 2000 to more than 400 employees in September 2004.

As such in a post- Sept. 11 world, its job is to safeguard the state's electric grid from everything from hurricanes to cyberthreats and terrorists. To this end, the company frequently conducts security reviews and drills with a number of outside organizations, including the U.S. Department of Homeland Security and the Public Utility Commission of Texas.

Shoquist, who reported directly to ERCOT's then-CEO, Tom Noel, seemingly put a premium on security from the outset. Shoquist was a veteran technology executive; he had served as the CIO of Dell Financial Services, Dell's financial arm, and worked at major companies including MasterCard International and Texas Instruments, according to the news release ERCOT issued when it hired him on Nov. 19, 2003. Shoquist soon began beefing up ERCOT's internal security capabilities with new hires, experienced men with whom he had worked before. Two months after signing on with ERCOT, Shoquist hired Stephen Wallace—a longtime friend, according to the Texas Attorney General's office—as program development director to oversee ERCOT's multi-million-dollar annual program budget. He also brought in Chris Uranga as director of corporate security and information-technology operations, the Texas AG's office said. According to the AG's office, Shoquist also hired Chris Douglas to serve as senior manager for data warehouse and security while putting Carlos Luquis, a former FBI agent, in charge of ERCOT's physical security.

As The Dallas Morning News was the first to report, these men all had links to Shoquist and to one another. Uranga, Douglas and Wallace, for instance, had worked at both Dell and EDS under Shoquist. Uranga and Luquis had also served together as Navy cryptologists in Japan, held top-secret government security clearances and had performed work for the National Security Agency (NSA).

With his hiring out of the way, Shoquist brought in a computer services company, DSS Group, to provide I.T. services and consulting, according to the Attorney General's office. A month later, in March 2003, ERCOT signed with another consultancy called ECT Global Solutions to evaluate ERCOT's security, the AG's office states. Soon after, the company also signed security-related contracts with Tri Force Security and Cyberensics, the AG's office states. "Security, ever since 9/11, has been center stage [at ERCOT]," Shoquist told a reporter from Public Utilities Fortnightly in an October 2003 interview. He and Uranga also made regular presentations to the ERCOT board, updating them on progress in securing the state electric gird and ERCOT's computer systems.

For ERCOT, which then had a $133 million budget, the cost for these efforts was substantial—far more so than the ERCOT board or its CEO were aware. The San Antonio-based DSS Group, for example, sent ERCOT 13 invoices totaling nearly a million dollars, according to the Texas Attorney General's office, for work that for the most part was never performed. The only person who actually worked on the ERCOT account on behalf of DSS was a nephew of Wallace, says the Attorney General's office.

DSS proved to be a shell company, the Attorney General's office discovered, headed by a San Antonio stage actor and private contractor named John Benito Cavazos and allegedly run by Stephen Wallace. Cavazos would submit invoices for work that had never been done to Shoquist, who approved them in exchange for part of the fee. In the space of a little less than a year, Shoquist's take amounted to $220,000 while Wallace allegedly cleared $800,000, according to the AG's office.

Meanwhile, Uranga, Douglas and Luquis were allegedly raking in illicit funds as well through contracts with ECT, Cyberensics and Tri Force Security, which, like DSS, were allegedly shadow companies headed by what the Attorney General's office would later call "puppet presidents." Each of the companies billed ERCOT for hundreds of thousands of dollars for services for work that was never done and equipment that was never delivered, the Attorney General's office charges. In one instance, Uranga charged his employer for the services of a consultant who had died long before. In less than a year, Uranga and Douglas each allegedly misappropriated more than $300,000, while Luquis's alleged take topped $100,000.

Shoquist and Wallace allegedly signed and approved the contracts with DSS; Luquis and Douglas allegedly signed and approved contracts and payments with Cyberensics; and Uranga signed and approved invoices from ECT and Tri Force, says the AG's office.

Emboldened by their success, some of the men, who were paid between $80,000 and $120,000 at ERCOT, allegedly began living large, buying expensive cars, luxury homes on golf courses and even yachts. "Fellow employees sometimes wondered how they were able to afford expensive houses and expensive cars," Texas Attorney General Greg Abbott said in a Jan. 28, 2005, news conference.

Still, Shoquist and the others might never have been apprehended had it not been for several whistle-blowers within ERCOT.

Beginning in late 2004, these employees e-mailed members of the Texas Public Utilities Commission (PUC) and Randy Chapman, executive director of the Texas Legal Services Center, with numerous allegations concerning Shoquist and the others, Chapman says. The first reaction was shock, says one of the recipients, Paul Hudson, chairman of the Texas PUC: "The second was concern about the systems' vulnerability based on the materials that we had received." There was ample reason for concern. Most of the so-called security work that had supposedly gone into protecting ERCOT over the previous year was as shadowy as the companies that provided it.

Resolution: When the whistle-blowers initially surfaced with their anonymous e-mails, ERCOT's reaction was to attack the messengers and ignore the message. In November 2004, it sued two Internet service providers, Yahoo and Time Warner, in the Travis County District Courthouse to force them to reveal the identities of the employees who had leaked information about the fraud. The suits were filed based on ERCOT's claim that the e-mails were defamatory and "solicited ERCOT employees to turn over confidential information to outside entities."

"The lawsuits had a chilling effect at a time when we required absolute openness and accuracy," says Texas PUC chairman Hudson. Within a few days, the Public Utilities Commission and various state politicians convinced ERCOT to drop the lawsuits. At the same time, the PUC held an emergency open meeting to review ERCOT's audit procedures and controls. "It was a sad state of affairs," says Chapman, who met with the ERCOT board. "There were no checks and balances in place. At the time, ERCOT wouldn't even allow a state auditor to come in because they claimed that an outsider would be too intrusive."

As the result of the emergency meeting, a number of reforms were put in effect, including strengthening contracting procedures and putting strong internal controls in place, according to ERCOT chief executive officer Thomas F. Schrader's statements in a company press release. Schrader recently resigned from the company. Law enforcement was notified during the same time frame and began an investigation. On Jan. 29, 2005, a grand jury in Williamson County issued 23 indictments against the former ERCOT managers and one outside contractor, Cavazos.

On Aug. 17, 2005, Chris Uranga pleaded guilty to misapplication of funds and admitted he owes ERCOT $500,000 for illegal profits he obtained. He awaits sentencing and could receive up to 15 years in prison, the Texas Attorney General's office says.

On Dec. 20, 2005, John Benito Cavazos of San Antonio pleaded guilty to misapplication of fiduciary property enhanced to organized criminal activity, a third-degree felony. He returned $8,700 to ERCOT, which is the amount he was illegally paid as a security contractor. He will receive four years of probation or deferred adjudication, according to the Texas Attorney General's office, and will also testify at Luquis's trial.

On April 12, 2006, Chris Douglas pleaded guilty to two charges, one for engaging in organized criminal activity for misapplication of fiduciary property, and one for theft. They are first-degree felonies, and he has also agreed to repay ERCOT more than $500,000 in illegal profits he obtained. Prosecutors have agreed to recommend no more than nine years in prison upon sentencing.

Former chief information officer Kenneth Shoquist pleaded guilty on March 24, 2006, to engaging in organized criminal activity for commercial bribery, and said he received $120,000 in bribes from Wallace. He will be repaying the money prior to his Aug. 1 sentencing. He accepted a plea deal for a nine-year sentence and could be eligible for parole in 2 1/2 years if the judge abides by the plea.

Meanwhile, Wallace and Luquis have opted to go to trial and are contesting their cases. Wallace has a pre-trial hearing scheduled this month. His lawyer, Daniel Castro, did not return Baseline's phone calls. His trial date has not yet been set. Luquis is scheduled to go to trial July 24. His lawyer, Patricia Cummings, has asked to have the indictments against her client dismissed, according to a published newspaper report. She did not return Baseline's phone calls.

Shoquist and the others could not be located, and their lawyers failed to return phone calls in regard to this story.

Of CIO Shoquist, Attorney General Abbott said, "This defendant was the gatekeeper who made the scope of this white-collar crime possible by hiring and enabling the other criminals in the first place. It is safe to say that none of the fraud that occurred at ERCOT would have been possible except for the insider dealing he encouraged."

Cyber-Sleuths

As procurement fraud becomes increasingly sophisticated, it becomes all the more difficult to ferret out, says LECG's Anastasi. As a result, companies that believe they are being victimized but are not sure—or don't know whom might be responsible—sometimes turn to cyber-sleuths, private detectives for the digital age who rely on computer forensics to catch the bad guys.

Recently, Anastasi, who served as the global leader of Deloitte's forensics investigation practice before joining LECG, was called in by a client on such a case. "They suspected their I.T. chief was running some kind of a procurement scam, but they couldn't figure out how he was doing it," he says.

The first thing Anastasi and his investigative team did was deploy SilentRunner as a network forensics tool. "SilentRunner produces this three-dimensional map of your entire system," Anastasi says. "You can see every node on your network."

Using this map of the client's I.T. infrastructure, Anastasi was able to track all of the digital traffic going in and out of the client's system. As it developed, considerable traffic—and client funds—were being transmitted out to several Web sites. These proved to be shell Internet companies that were supposedly providing services to the client, but in actuality were the fictitious creations of someone with the client company. "We knew someone within the company was communicating with these sites by wireless, so we had an investigator go through the client headquarters to see where the transmitter was hidden," he says.

He didn't have to look far. "The transmitter was hidden under the CIO's desk," Anastasi says. "We had him dead to rights."

Unfortunately, however, that is the exception, not the rule. Shane Shook, a colleague of Anastasi's and managing director in LECG's electronic discovery practice, says that at most 40% of procurement fraudsters are nabbed. As Shook explains, "They're getting more sophisticated in the ways they access the systems and cover their tracks."

Electric Reliability Council of Texas (ERCOT) Base Case

Headquarters: 2705 W. Lake Drive, Taylor, TX 76574

Phone: (512) 248-6800

Business: Responsible for overseeing the reliable and safe transmission of electricity over Texas' main electricity power grid.

Chief Executive Officer: None. Thomas F. Schrader had been CEO, but resigned on May 16. The company is seeking to replace him.

Financials: ERCOT is an independent, third-party, not-for-profit organization. Its $126.9 million annual budget is funded by mandatory fees paid by electricity customers or their power providers.

Incident: The company's CIO and four other senior I.T. and security managers, plus one outside contractor, allegedly defrauded ERCOT through shell vendors.