Recently, a CIO in Tacoma, Washington, was convicted of embezzling more than $500,000 from the company that employed him. How did he do it? He acquired computer equipment for the company and then resold it over the internet, retaining the proceeds for himself. He and a friend also set up a sham company to generate bogus invoices for computer supplies and services, which the company paid.
Such schemes by information technology employees are not uncommon. Why is such a scheme so easy for a CIO? Two reasons usually explain the ease with which they perpetrate it. First, they are in a position of trust. Second, the company relies on both their expertise and their honesty: their skills are so specialized that many other employees do not really understand what they do and are forced to take their word for it when they say that the company needs goods or services in the technology realm.
While most technology people in an organization are probably talented, hard-working employees who deserve the trust they receive, what can the company do to protect itself from the unscrupulous ones? At the very least, a company must establish basic internal controls to provide some assurance that a technology scheme can be deterred, or detected and stopped. Is anyone outside of the IT department involved when a person provides consulting services? Does someone other than the IT department take delivery of purchased goods, and is the existence of purchased equipment verified by a periodic physical inventory? Does the company limit approved vendors to reputable service and equipment providers?
When a company places so much reliance on its technology staff, basic controls are a must. If you’re interested in learning more about implementing basic controls or ensuring your organization is protected, fill in the form below and a member of our cybersecurity team will be in touch.