There was a time when EDS Australia contractor Reecson Denford was living the dream. After taking advantage of his position to steal $2.9 million from EDS client Bank of Queensland (BoQ), Denford spent $450,000 on French champagne, bought himself a $100,000 BMW and his wife $320,000 worth of jewellery.
Things aren't so great now for the 24-year-old — he's been sentenced to nine years in jail, with Australia's ICT industry reeling at the audacity of his actions. But what's next for EDS (now HP Enterprise Services) and Bank of Queensland itself?
In the aftermath the bank has looked to its agreement with HP Enterprise Services to protect itself.
The EDS employee had discovered a loophole with which he could
make unchecked credit voucher transactions under $10,000 to a body
corporate looked after by his wife, money which was then forwarded
on to his personal account. He made hundreds of transactions between
November 2006 and August 2008.
Denford spent the money to impress his "much older" wife, buying luxury items such as $450,000
worth of French champagne, a $100,000 BMW and $320,000 worth of
jewellery. He even made a trip to the world's only seven-star
hotel in Dubai. The nature of his purchases meant that from the
$2.935 million Denford stole, the bank has only been able to recover
$536,374, leaving it $2.4 million out of pocket.
The question of who footed the bill was something that would
have caused a lot of poring over contracts and discussing service
level agreements, according to Ovum analyst Jens Butler. "Will
EDS/HP have to wear this or will it be covered by BoQ?" he
mused.
A comment by the bank seemed to indicate that it would be
looking to be compensated via the terms of its contract. "It would be inappropriate for BoQ to comment on the particulars
of any employee of one of our outsourcing partners except to say we
consider such breaches seriously and rely on the contractual
guarantees to protect BoQ," a spokesperson for the bank told
ZDNet.com.au.
"They've certainly got something in place," Butler said of the
statement. He said the bank could possibly impose penalties on the
outsourcer or receive credits for future work.
"[It's] $2.5 million out of pocket. [It'll] be looking for
service credits at the very least," Intelligent Business Research
Services (IBRS) advisor James Turner agreed.
EDS owner HP did not shed any light on the matter. As far as the
company is concerned, the matter is over, and not for
discussion. The company said: "HP is satisfied that this unfortunate matter has drawn to a
conclusion. Being a legal matter led by the Department of Public
Prosecutions, HP has no further statements to add at this
time."
Yet according to analysts, such occurrences will be more
frequent as disgruntled employees in the wake of the financial
crisis see opportunities and take them, so HP may not be able to
just put the issue in its rear-view mirror.
"The bottom line is that a lot of people were laid off. That's
definitely driven a high level of fraud. I suspect we'll see more,"
KPMG Forensic partner Gary Gill said.
Redundancies and low morale exacerbate what is called the fraud
triangle, which consists of need, justification and opportunity.
Employees might need money because of the crisis and feel
justified as their colleagues are laid off, so they take the
opportunities they see, according to IBRS' Turner.
So although automatic controls watching transactions and
employee identities will help keep track of fraud, Turner also
believed that communication was an important aspect for preventing
and detecting criminal activity.
Turner thought it strange that Denford's colleagues didn't
notice the fraud earlier considering how much money he had spent.
"One of the best alarms is the line manager if they're doing their
job," he said. "It's hard to imagine being able to flush $3 million
through your lifestyle without someone noticing."
The 2008 fraud survey by KPMG of 420 Australian organisations
showed that the average number of days fraud went undetected was
211 for a manager, 233 for a non-management employee, 240 for a
director, 423 for employees who acted together, 558 for external
offenders and 720 for a senior executive.
The year and nine months that Denford carried out his fraud
puts him in the upper range of those numbers. The amount of the
fraud also puts Bank of Queensland on par with only seven
organisations in the fraud survey of 420 that had experienced fraud
worth over $3 million.
Poor internal controls were the most important factor
contributing to major fraud, according to the survey. Certainly,
Denford seemed to have found a loophole in the controls, Turner
surmised, which made him wonder whether EDS had made its auditing
buffer too thin. "There are some areas where you actually need
spare capacity. Were they running too close to the line?" he
asked.
Yet IDC analyst Matt Oostveen said it was a given that
outsourcers would spend less on watching their people because of
the pricing. That's why the financial institutions usually
monitored the outsourcers closely themselves, sometimes with
militant precision. One example of a measure they could take is to
get contractors to take leave in at least two-week blocks so that
the company can send fraud detection teams in for in-depth
checking.
He didn't think that there was anything in the case which
pointed to something wrong with EDS or that there should be a
shake-up. Fraud was just a constant in businesses. "Some people take
staples from the cupboard, some people make personal phone calls,"
he said. "You get bad eggs everywhere."
This realist attitude that "fraud occurs anywhere" meant that,
although Bank of Queensland may be able to use the incident as a
bargaining chip, EDS was unlikely to suffer unduly from the
behaviour of its one bad egg, according to the analysts. The
outsourcer's long-term contract, which runs out in 2014, will also
give it time to repair relations. "The timing is not bad," Ovum's Butler said. "It's got another
3.5 years to rebuild the relationship, to go beyond the call of
duty to clean up the mess."
There was the possibility that the highly publicised fraud case
could put more pressure on outsourcers to keep their auditing up to
scratch, Turner said. Yet whatever actions were taken, some fraud
would always slip through the net. Fraud, like terrorism, was an
"asymmetric war", according to the advisor, which saw lots of money
spent to catch the few who acted up. "It's bloody hard," he
said.