While the vast majority of senior executives are ethical, we constantly hear of corrupt chief executive officers, chief financial officers and politicians "raping" their stakeholders and spending lavishly for personal perks or using their positions to garner kickbacks that fatten their wallets.
Yet there is another group of people who can take advantage of their positions to fund condominiums on the beach, fancy sports cars and trips to Europe. That's the geeky information technology managers who have access to all of a company's systems.
We know from the somewhat famous "fraud triangle" that three things typically must occur before a person decides to engage in embezzlement of funds: perceived need or "pressure," rationalization, and opportunity.
IT personnel, by the very nature of their job, already have the "opportunity" leg of the triangle. So all that needs to happen is that they have a "need" - e.g., going through a divorce, medical bills, addiction, etc. They subsequently come up with a "rationalization," e.g., they didn't get a promotion, their boss is abusive, nobody will really be hurt, etc.
Imagine the following scenario: Joe has been in IT for over 10 years, is the chief information officer's right-hand man, and is the "go-to" guy for any ERP-related questions. He was on the team that did the ERP implementation in 2002, and sits in on the monthly controller's meeting, so he knows that the policy was just recently changed that requires any vendor payments over $10,000 to be reviewed by the assistant controller. He has just gone through a divorce and incurred over $20,000 in lawyer's fees, and his mother has just been placed in an assisted-living home at a cost of $4,000 per month. So he has the "need."
He has worked 70-hour weeks for the past five years and has not received any significant pay raises or promotions since he helped lead the ERP implementation. So he feels the company "owes" him (the rationalization).
And guess what? He already has the opportunity. All he has to do is set up a new user ID in the purchasing system, log in under that ID and cut a purchase order for $9,500 worth of goods to a fake company he has formed (we will call it Acme Inc.). He can then log in under another new user ID in the receiving system that he has added and receive the goods the next day under that user ID. He can use fake names for these new user IDs, or he can even use another employee's ID and password, which he may know, because he helped set them up in the system.
Now all he has to do is create a new user in the accounts payable system and add Acme Inc. as a vendor and then type up and mail an invoice for $9,500. The AP department clerks who receive the bill will dutifully pay it. He can repeat this as often as he dares. Much of this can even be done at the database level, bypassing the need to log in to the systems. He can even set up a new cost center to charge the expense to, because it won't have a real manager reviewing it. He can then initiate entries in the system at the database level that underlies the general ledger and split the expense up into small chunks and spread it over dozens of real departments.
Or if he is really smart, he can charge it to "inventory" and it will never even show up as an expense to raise anyone's eyebrows. (Maybe a year or so later a physical inventory will be done and the "asset" will never be found, and will just be written off, with no trace back to him.)
"Yes," you say, "but our policy dictates that no one person can access certain mutually exclusive functions in our systems."
But who enforces that policy? The IT guy?
He probably would not be caught by an internal or external audit because the names on the new user IDs are people who don't exist at all, or are former employees, or perhaps temporary workers no longer at the company. One thing is for sure - nothing in the system will point back to the IT person.
And if there was anything that would point to the IT person, it's when the auditors come to do an audit. Then guess whom they will go to and ask for a "dump" of transaction history to analyze? You got it - this same IT person!
GEEK PROTECTION
So what can you do to protect your company?
There are sophisticated auditing techniques that can at least discover the fraud, though they generally cannot point to who was perpetrating it, and can only identify the fraud after it has occurred. And you could do simple things like do background checks on your IT staff. You can take note if your IT manager suddenly arrives at work driving a new Corvette.
But to truly mitigate this risk, there is really only one thing that you can do, and that is to utilize a new breed of technology known as continuous controls monitoring software, or CCM software.
First, it takes a snapshot of your entire history of transactions and every new transaction, and if any of them are "modified" or deleted, tells you almost instantly. Second, it performs dozens of sophisticated testing algorithms for every system in your company that indicate likely fraud, including custom tests as desired. Since it does not rely on a "sample" to detect fraud, but literally tests every single transaction, the timeliness and effectiveness are infinitely better than relying on an end-of-the-year audit. Many of the tests catch problem transactions before they can complete, or at the worst, notify key personnel of a problem within 24 hours.
As an example, one of the tests looks for user IDs that do not correspond to employees in the human resources system. Also, as soon as any transactions were deleted or altered in the system, the CCM software would send a message to the controller and other personnel to investigate (and it would indicate what exact data was involved). Other algorithms would look at the timing of the vendor set-up and the receipt of items, and the fact that a new user ID was involved, or a user ID with unusual activity levels.
The results of all of these algorithms in combination would immediately alert designated personnel that there was a potential problem. Just having the CCM software in place is likely to deter any attempt at fraud. This software is typically hosted offsite by a third-party provider, so the IT manager cannot get to it.
An interesting side effect of this new breed of software is that not only does it stop fraud, but it also catches honest mistakes. For example, it stops dead any duplicate payments to vendors, often improving a company's working capital by millions of dollars within the first few months of implementation. Because it is self-documenting, it also allows external auditors to reduce their testing procedures.
It is only a matter of time before we hear a spate of stories on the news about IT personnel in major corporations getting away with the embezzlement of millions of dollars. Smart companies will not wait until that day comes.
Wylie Roberts, CPA, is a fraud prevention analyst for Oversight Systems, where he helds develop and implement custom fraud detection algorithms for clients.
