While the vast majority of senior executives are ethical, we constantly hear of corrupt chief executive officers, chief financial officers and politicians "raping" their stakeholders and spending lavishly for personal perks or using their positions to garner kickbacks that fatten their wallets.

Yet there is another group of people who can take advantage of their positions to fund condominiums on the beach, fancy sports cars and trips to Europe. That's the geeky information technology managers who have access to all of a company's systems.

We know from the somewhat famous "fraud triangle" that three things typically must occur before a person decides to engage in embezzlement of funds: perceived need or "pressure," rationalization, and opportunity.

IT personnel, by the very nature of their job, already have the "opportunity" leg of the triangle. So all that needs to happen is that they have a "need" - e.g., going through a divorce, medical bills, addiction, etc. They subsequently come up with a "rationalization," e.g., they didn't get a promotion, their boss is abusive, nobody will really be hurt, etc.

Imagine the following scenario: Joe has been in IT for over 10 years, is the chief information officer's right-hand man, and is the "go-to" guy for any ERP-related questions. He was on the team that did the ERP implementation in 2002, and sits in on the monthly controller's meeting, so he knows that the policy was just recently changed that requires any vendor payments over $10,000 to be reviewed by the assistant controller. He has just gone through a divorce and incurred over $20,000 in lawyer's fees, and his mother has just been placed in an assisted-living home at a cost of $4,000 per month. So he has the "need."

He has worked 70-hour weeks for the past five years and has not received any significant pay raises or promotions since he helped lead the ERP implementation. So he feels the company "owes" him (the rationalization).

And guess what? He already has the opportunity. All he has to do is set up a new user ID in the purchasing system, log in under that ID and cut a purchase order for $9,500 worth of goods to a fake company he has formed (we will call it Acme Inc.). He can then log in under another new user ID in the receiving system that he has added and receive the goods the next day under that user ID. He can use fake names for these new user IDs, or he can even use another employee's ID and password, which he may know, because he helped set them up in the system.

Now all he has to do is create a new user in the accounts payable system and add Acme Inc. as a vendor and then type up and mail an invoice for $9,500. The AP department clerks who receive the bill will dutifully pay it. He can repeat this as often as he dares. Much of this can even be done at the database level, bypassing the need to log in to the systems. He can even set up a new cost center to charge the expense to, because it won't have a real manager reviewing it. He can then initiate entries in the system at the database level that underlies the general ledger and split the expense up into small chunks and spread it over dozens of real departments.

• 1
• |
• 2
• |
• 3
• |
• next