http://seattlepi.nwsource.com/business/323910_boeingrice17.html
By ANDREA JAMES
P-I REPORTER
July 16, 2007
Information technology controls are meant to do a lot more than stop
hackers and kill computer viruses -- especially because corporate fraud
comes from within. And internal fraud can happen to any size firm --
even to a Fortune 50, tech-savvy company such as The Boeing Co.
Two recent cases illustrate the point.
In 2006, two former Boeing employees were sentenced to a year in prison
for stealing nearly $300,000 from the aerospace giant.
Former supply chain management director Robert Rice and his subordinate,
Lisa Hernandez, made a series of purchases -- including a $52,000 BMW,
artwork, jewelry and vacations -- that they charged to the company
starting in 2004. And Boeing paid for the items.
How?
Rice had authority to approve expenses on employee charge cards that are
used to buy things outside of the normal supply chain, according to the
U.S. Attorney's Office in St. Louis. (Rice and Hernandez worked in that
city.)
Rice created a shell company in Nevada called Leantraining and set
himself up as a faux vendor. Hernandez would submit charges to Rice, who
approved the expenses as "training materials."
The two also altered receipts and records to cover up the scheme,
according to court documents.
Boeing discovered the fraud after someone made an internal complaint,
the company said.
"Following discovery of Mr. Rice's activities, Boeing tightened
processes and controls around applications and usage of company
purchasing cards, increased the frequency of audits, and implemented
several additional fixes as recommended by the Defense Contract Audit
Agency," Boeing said in a statement to the Seattle P-I.
In a case that surfaced last week, King County prosecutors charged a
former Boeing employee with 16 counts of unlawfully accessing a computer
to steal company information, which prosecutors said later appeared in
newspaper articles.
According to charging documents, Gerald Eastman, 45, a former
quality-assurance inspector in Tukwila, took more than 320,000 pages of
confidential Boeing documents. A company vice president estimated that
had even a small portion of the documents fallen into the wrong hands,
the financial damage to Boeing could have ranged from $5 billion to $15
billion, court documents said.
In its case summary, prosecutors said that the files were not encrypted
or password-protected and that Eastman "had to exploit a weakness in
Boeing's computer system" to retrieve the files. A Boeing spokesman said
security has been tightened since the incident. Eastman is set to be
arraigned Tuesday.
Boeing is a large enough company -- it had $61.5 billion in annual
revenue last year -- that a theft of $300,000 doesn't make a large dent.
(The theft represents 0.0005 percent of revenue.) Even so, companies
seek to prevent fraud by monitoring their computer systems, and the
Sarbanes-Oxley Act of 2002 made it mandatory for all public companies to
do so.
That requirement has been challenging and expensive for companies, and
many executives said auditing costs exceeded the perceived risk.
Now that public accounting firms have to sign off on a company's
computer systems as well as its financial statements, such firms could
charge for more hours of auditing at rates of hundreds of dollars per
hour.
Many firms complained that it didn't make sense, for example, to spend
$500,000 on controls that would prevent $300,000 in theft. Also, it's
unclear whether tighter technology controls alone could have prevented
Rice and Hernandez's theft, because experts say it's easier to defraud a
company if two people are in on the scheme.
But experts say the information technology component of the law is
critical because it seeks to protect the data that back up financial
statements.
Material misstatements because of computer control failures are rare,
but not impossible, according to the Institute of Internal Auditors, an
industry group.
"Risks come from everywhere, but IT is part of the risk profile because
information technology is inherent in almost every process," institute
President Dave Richards said in a 2007 webcast addressing controls. "It
is the workhorse of transaction processing."
Auditors have the job of examining the protective mechanisms within a
company's computer systems. Those mechanisms, called IT controls,
include things such as making sure databases are backed up, that
passwords are secure, and that employees do not have unnecessary access
to sensitive data.
"All data is maintained in systems. If the systems aren't controlled,
then how can you rely on the accuracy of the data?" said Adam Shnider,
director of technology risk management for the Seattle office of
Jefferson Wells, an audit firm. "How can you rely on the data, period?"
© 1998-2007 Seattle Post-Intelligencer
Received on Tue Jul 17 00:42:32 2007