Is Your CIO Committing Fraud?

March 19, 2008

by John Cummings

IT directors have enormous control over technology expenditures, but they often report to a CFO, COO, or CEO with little technical background. That's a setup that's ripe for fraud, according to John S. Kula, director in the forensic and dispute practice of Deloitte Financial Advisory Services LLP in Chicago. Kula talked with Business Finance about the risks and the red flags.

Business Finance: Are fraud cases involving IT directors a common problem?

John S. Kula: I've seen six or eight of them in the last several years at Deloitte that I've been involved in. And there may be other people at the firm who have also been involved in these, and I wouldn't necessarily know about it.

It appears to be a problem, based on my empirical evidence, that poses a greater danger to companies in the $1 billion to $8 billion or $10 billion range than companies that are larger, although I'm familiar with larger organizations that have had the problem.

BF: How does the fraud arise?

JSK: These companies are constantly upgrading and implementing new technology; they have to do that to be competitive and to be cost effective in their business. And there's huge pressure to minimize head count in the IT department. That causes them to have a greater reliance on IT consultants of various types, sizes, and flavors to help them get things done.

And that's where the risk is. Among IT directors there are those who go bad, and the bad ones sometimes find willing co-conspirators in IT consultants who will overcharge for work that's done and make up invoices for work that was never done.

For example, a consultant sold an operating system license renewal for two-hundred-and-some thousand dollars even though he wasn't an authorized representative. So you scratch your head and say, "Well, he's not a reseller for any kind of software, how does he get to charge for a one-year renewal of an operating system license?" The IT director knew it was fiction, but the person the IT director reported to, who was a CFO and a non-technical guy, didn't necessarily realize that.

In an investigation I just wrapped up, part of the description of the work in one of the bogus invoices -- which was full of nonsense "explanations" of the work that our client was billed outrageous amounts of money for -- was DASD rationalization (DASD stands for direct access storage device, or hard drive). Which is OK, except that in the context of this invoice it was like an inside joke between the IT consultant who created the invoice and the IT director who approved it. And I'm sure they both chuckled when they saw it, but it was symptomatic of the fraud that was involved.

BF: What are the warning signs that this kind of thing is going on?

JSK: When you start to go through IT invoices, there are a couple of characteristics that we've seen several times. One is you get very short descriptions: for example, DASD rationalization and then an amount, say $57,000. No number of hours, no number of consultants, no hourly rate.

And a lot of times you don't just see one of these from one IT consultant. I wouldn't say that if you see those it's necessarily fraud, but if you're concerned about fraud and you start to see them, and then do some research on the IT consultant, it's a quick way to get your antennae up really quickly.

A couple of cases have involved IT directors who have come into the company and replaced the IT consultants with their own. The company wasn't having any problems with the old consultants -- they were known, trusted, and well regarded -- yet they were replaced. In some cases people in the IT department recognized issues or anomalies but didn't really have anywhere to go to express their concerns until we came in and started the investigation.
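A first-pass screen for the invoice red flags Kula describes above (a terse description beside a lump sum, no hours, headcount or rate behind the amount, and repeated hits from the same consultant), written as an added Python example for this article; it is not from the interview or from Deloitte, and the vendor names, amounts and the thresholds are constructed assumptions to be tuned for a real ledger.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Invoice:
    vendor: str
    description: str
    amount: float
    hours: Optional[float] = None        # billed hours, if the invoice states them
    consultants: Optional[int] = None    # number of consultants, if stated
    hourly_rate: Optional[float] = None  # hourly rate, if stated

def invoice_flags(inv: Invoice, terse_words: int = 3, lump_sum_floor: float = 10_000) -> List[str]:
    """Return the red flags an invoice shows (an empty list means none)."""
    flags = []
    # Red flag 1: a description of only a few words followed by an amount.
    if len(inv.description.split()) <= terse_words:
        flags.append("terse description")
    # Red flag 2: a large amount with no hours, headcount or rate to support it.
    no_support = inv.hours is None and inv.consultants is None and inv.hourly_rate is None
    if no_support and inv.amount >= lump_sum_floor:
        flags.append("lump sum without hours, headcount or rate")
    # Sanity check: where hours and rate are given, they should reproduce the amount (1% tolerance).
    if inv.hours is not None and inv.hourly_rate is not None:
        if abs(inv.hours * inv.hourly_rate - inv.amount) > 0.01 * inv.amount:
            flags.append("amount does not match hours x rate")
    return flags

def vendors_to_review(invoices: List[Invoice], min_flagged: int = 2) -> List[str]:
    """Vendors with at least `min_flagged` flagged invoices: repeated hits matter more than a single one."""
    hits = {}
    for inv in invoices:
        if invoice_flags(inv):
            hits[inv.vendor] = hits.get(inv.vendor, 0) + 1
    return sorted(v for v, n in hits.items() if n >= min_flagged)

# Constructed sample invoices (vendor names and amounts are made up for this example).
SAMPLE_INVOICES = [
    Invoice("Acme IT Consulting", "DASD rationalization", 57_000),
    Invoice("Acme IT Consulting", "Server tuning", 42_500),
    Invoice("Northside Systems", "Configure and test new file server cluster",
            12_000, hours=80, consultants=2, hourly_rate=150),
]

if __name__ == "__main__":
    for inv in SAMPLE_INVOICES:
        print(f"{inv.vendor}: {inv.description!r} ${inv.amount:,.0f} -> {invoice_flags(inv)}")
    print("Vendors to review:", vendors_to_review(SAMPLE_INVOICES))
```

A hit is a reason to pull the proposal, purchase order and payment trail for that vendor, not a finding of fraud on its own.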

BF: So if a CFO suspects fraud, how should he or she proceed?

JSK: There are a lot of reasons why IT is tough to investigate. Who runs the server for your e-mail? It's the IT people. How much do you want to send me using your company e-mail, given that somebody in your IT department could have a system set up so that every e-mail you send and receive shoots a copy into their folder?

Issue number two is that, especially in midsize companies, it's typically the IT department that's set up for programming the corporate phones; they're all computer-based nowadays. You can turn somebody's desk phone into a microphone, if you know how to do it, and listen to what's going on in that person's office even if the phone's on the hook. One of the things we counsel our clients is that if they have concerns that touch on senior management in the IT department, we probably need to meet offsite to talk about it.

The components of an investigation include the ability to look at accounting records -- primarily proposals, purchase orders, invoices, and payments -- and the ability to understand how IT departments work. For example, if IT is going to implement a new server, how much should it cost? How is it configured? What should be the hardware, software, and consulting components to configure it? There has to be some level of understanding -- and I would suggest sometimes a pretty deep understanding -- of the IT world.

Another part of the investigation is when you take all of the data that you gathered in the other phases, and you sit down and talk to people in a certain order. Some of them may be current employees, some may be former employees, but you've got to know who to talk to, when to talk to them, what you should say -- and what you can't say, because you're going to blow your case if you say the wrong thing to the wrong person at the wrong time.

And then ultimately there comes a point when you want to sit down with the bad guy and, in an appropriate way, confront him with what you know and see what you're going to get out of him -- whether it's a confession or a meeting in his lawyer's office, whatever the case may be.
