The recent indictment against a former Netflix Vice President of IT Operations for fraud and kickbacks highlights the importance of fraud in IT procurement.
Procurement fraud in one of the top 10 classic frauds of all time. However, at many organization, IT Operations and IT procurement have largely been excluded from the usual procurement policies, procedures and controls for the ostensible reason that IT procurement is specialized and requires IT expertise. This has proved costly for many organizations and the Netflix case emphasizes the need for greater control over IT procurement.
Critical red flags from the Netflix case, among other things, include:
a) Basic lack of segregation of duties: Despite multiple and constant reminders from internal audit, external audit, compliance and risk teams, companies that fail to implement maker-checker controls do so at their own peril. In the Netflix case, the Vice President of IT was responsible for both contract negotiation and execution.
b) Lack of oversight and controls on IT purchases: It appears that in the Netflix case, the roles and functions performed by the Vice President of IT were largely unsupervised or lacked oversight especially from the Finance function.
c) Ineffective ethics or whistleblower hotline: The Netflix fraud was discovered by chance when the IT executive exited Netflix and moved to another IT company. Several IT vendors paid kickbacks to the IT Executive in exchange for being included as a vendor by Netflix for a period of four years. Further, several employees at Netflix were involved in testing of these products. In at least one reported instance, the DOJ release states that the IT product had ‘severe performance issues’. Surprisingly, none of the vendors or employees appear to have reported the issues through the ethics/whistleblower or similar hotline
Although the overwhelming indictment against the IT Executive represents a welcome sign against fraud, some questions remain unanswered. For example, a) Who else at Netflix was aware, participated or benefited from this scheme? What controls were bypassed? How did the scheme remain undetected for four years?