No matter the industry, size, or scope, every business has to be wary of the f-word: fraud. We know virtually any department from marketing to HR is vulnerable, and the extra scrutiny typically targets finance and accounting — think embezzlement, payroll fraud, or fictitious revenue. But with the exponential growth of IT budgets‚ this unassuming area has become ripe for liabilities.
A top interim CIO from InterimExecs RED Team who has led complex IT turnarounds for Fortune 500 companies shares the warning signs of IT fraud and how to mitigate the risks.
Watch out for penny shaving
The practice of stealing small, unnoticeable amounts of money over a long period of time has been around for decades. In 1998, for example, four men in L.A. were charged with allegedly installing computer chips in gas pumps that overstated the amount of gas pumped to earn them extra revenue. A parking meter mechanic took a more hands-on approach, pilfering quarters little by little over eight years and eventually collected $210,000 in stolen quarters before he was arrested in 2013. There’s also the popular anecdote about someone who programmed fractions of pennies to be siphoned into a different account that over time, amounted to millions of dollars. No one had noticed because it had been coded into the framework.
Penny shaving, or “salami slicing” as it’s also called, isn’t necessarily new — it was even a plot point in the film Office Space — but as the use of A.I. and machine-learning tools grows, so does the potential to embed fraud in more coded, indecipherable ways.
One way to tackle this is to reverse-engineer and have the A.I. search for that tiny calculation. Robert Jordan, CEO of InterimExecs, cites Google’s AlphaGo, a computer program that builds a human-like neural network and even uses intuition in decision-making. In other words, you can use technology to fight technology. As fast as someone creates that doorway to fraud, you can have a strategy to detect it.
Review your vendors — then review them again
Vendor management is often one of the largest gaps in an organization’s infrastructure, and it usually stems from how the vendors are selected.
“I see a lot of no RFPs,” the CIO says. “I’m always shocked to see that they can just pick whoever they want to work with.” She offers the fictional example of a CIO who forms a Cisco resale company, hires staff, and then awards that newly created company a vendor contract. The Cisco reseller is earning revenue not just from the gear, but the labor for those employees who have been hired as well. Through it all, the company isn’t aware that an obvious conflict of interest is at play.
To sidestep those kinds of liabilities and potential for fraud, she recommends establishing a vendor management program rooted in quarterly reviews.
“Even if you’ve worked with a vendor in the past, a solid CIO is going to want to see what the latest technologies are and understand what’s changed with current vendors of choice.”
Establish checks and balances
Chalk it up to a lack of resources, communication, or team mentality, but many companies operate in silos. That isn’t just problematic for achieving overall company goals. Without partnerships across departments or proper guardrails in place, it also opens the door for fraud.
Our CIO recalls an instance when a vendor bribed her with five figures. “My response to that was, ‘If you want to apply that discount to the company, I’m more than happy to apply it to the contract.’” Another vendor offered her a trip to the Super Bowl. “I was so disgusted because we were actually in the middle of an RFP. That made it even worse. So I just completely kicked them out.”
Appointing a finance controller to work with a CIO builds an extra layer of scrutiny, whether it’s formal audits or a simple cross-check to ensure accountability and transparency. For example, if you go to a football game with a vendor, that would require approval if it’s over a certain dollar amount. This level of audits and ethics may be more prevalent in public-facing Fortune 500 companies who have the capacity to hire extra oversight, but private equity and smaller companies can use finance partners or CFOs to bridge those gaps, too.
“I loved having a controller,” the CIO says. “There’s serious transparency between what I’m doing. He or she is part of my budget planning, they can even be part of the selection process. That gave me comfort.”
InterimExecs RED Team is an elite group of CEOs, CFOs, CIOs, and CISOs who help organizations through turnaround, growth (merger, acquisitions, ERP/CRM implementation, process improvement), or absence of leadership. Learn more about InterimExecs RED Team at www.interimexecs.com/red-team or call +1 (847) 849-2800.
More Resources:
Why Every Company Needs a Technology Roadmap
How Companies Can Stay Ahead of Rising Cyber Security Threats