http://seattlepi.nwsource.com/business/323910_boeingrice17.html

By ANDREA JAMES
P-I REPORTER
July 16, 2007

Information technology controls are meant to do a lot more than stop hackers and kill computer viruses -- especially because corporate fraud comes from within. And internal fraud can happen to any size firm -- even to a Fortune 50, tech-savvy company such as The Boeing Co.

Two recent cases illustrate the point.

In 2006, two former Boeing employees were sentenced to a year in prison for stealing nearly $300,000 from the aerospace giant. Former supply chain management director Robert Rice and his subordinate, Lisa Hernandez, made a series of purchases -- including a $52,000 BMW, artwork, jewelry and vacations -- that they charged to the company starting in 2004. And Boeing paid for the items.

How? Rice had authority to approve expenses on employee charge cards that are used to buy things outside of the normal supply chain, according to the U.S. Attorney's Office in St. Louis. (Rice and Hernandez worked in that city.) Rice created a shell company in Nevada called Leantraining and set himself up as a faux vendor. Hernandez would submit charges to Rice, who approved the expenses as "training materials." The two also altered receipts and records to cover up the scheme, according to court documents.

Boeing discovered the fraud after someone made an internal complaint, the company said.

"Following discovery of Mr. Rice's activities, Boeing tightened processes and controls around applications and usage of company purchasing cards, increased the frequency of audits, and implemented several additional fixes as recommended by the Defense Contract Audit Agency," Boeing said in a statement to the Seattle P-I.

In a case that surfaced last week, King County prosecutors charged a former Boeing employee with 16 counts of unlawfully accessing a computer to steal company information, which prosecutors said later appeared in newspaper articles.

According to charging documents, Gerald Eastman, 45, a former quality-assurance inspector in Tukwila, took more than 320,000 pages of confidential Boeing documents. A company vice president estimated that had even a small portion of the documents fallen into the wrong hands, the financial damage to Boeing could have ranged from $5 billion to $15 billion, court documents said.

In its case summary, prosecutors said that the files were not encrypted or password-protected and that Eastman "had to exploit a weakness in Boeing's computer system" to retrieve the files. A Boeing spokesman said security has been tightened since the incident. Eastman is set to be arraigned Tuesday.

Boeing is a large enough company -- it had $61.5 billion in annual revenue last year -- that a theft of $300,000 doesn't make a large dent. (The theft represents 0.0005 percent of revenue.) Even so, companies seek to prevent fraud by monitoring their computer systems, and the Sarbanes-Oxley Act of 2002 made it mandatory for all public companies to do so.

That requirement has been challenging and expensive for companies, and many executives said auditing costs exceeded the perceived risk. Now that public accounting firms have to sign off on a company's computer systems as well as its financial statements, such firms could charge for more hours of auditing at rates of hundreds of dollars per hour. Many firms complained that it didn't make sense, for example, to spend $500,000 on controls that would prevent $300,000 in theft.

Also, it's unclear whether tighter technology controls alone could have prevented Rice and Hernandez's theft, because experts say it's easier to defraud a company if two people are in on the scheme. But experts say the information technology component of the law is critical because it seeks to protect the data that back up financial statements.

Material misstatements because of computer control failures are rare, but not impossible, according to the Institute of Internal Auditors, an industry group.

"Risks come from everywhere, but IT is part of the risk profile because information technology is inherent in almost every process," institute President Dave Richards said in a 2007 webcast addressing controls. "It is the workhorse of transaction processing."

Auditors have the job of examining the protective mechanisms within a company's computer systems. Those mechanisms, called IT controls, include things such as making sure databases are backed up, that passwords are secure, and that employees do not have unnecessary access to sensitive data.

"All data is maintained in systems. If the systems aren't controlled, then how can you rely on the accuracy of the data?" said Adam Shnider, director of technology risk management for the Seattle office of Jefferson Wells, an audit firm. "How can you rely on the data, period?"

© 1998-2007 Seattle Post-Intelligencer
This archive was generated by hypermail 2.1.3 : Mon Jul 16 2007 - 22:53:55 PDT