Investigation Into Oracle Project Allegations

HillsboroughCountyAviationAuthority
InternalAuditDepartment
Project#2015005
InvestigationofAllegationsRelatedtotheOracleProject(CIP#632515:HCAA
EnterpriseResourcePlanning&AnalyticsProgram)
EXECUTIVESUMMARY
PURPOSEOFINVESTIGATION
Thepurposeofthisinvestigationwastoassesstheallegationsresultingfromananonymousemailand
subsequent allegations from current and former employees related to the procurement and
implementationofCapitalImprovementProject(CIP)#632515:HCAAEnterpriseResourcePlanning&
AnalyticsProgramaswellaspotentialinformationsystemssecurityrisks.Fourallegationsaredescribed
withinthisreport.TheDepartmentofEthics,Diversity,andAdministrationassistedwithAllegation#2.
BaysideSolutions,Inc.(BSI)washiredtoassistwithAllegation#4.
BACKGROUND
OracleEnterpriseResourcePlanning(ERP)softwaresystemwasimplementedin1998toautomatethe
Authority's general ledger, accounts receivable, accounts payable, project accounting, purchasing and
inventory functions. Oracle software maintenance and support services have been purchased each
successiveyeartoensurethattheERPsystemremainscompliantwithcriticalbusinessandcybersecurity
requirements.TwomajorupgradeshavebeenperformedsincetheERPsystemwasimplemented.As
partofongoingbusinessautomationinitiatives,managementdetermineditwasnecessarytoexpandthe
ERPsystemtosupportadditionalbusinessfunctionsincludingHumanResources,EmployeeTimeKeeping,
Payroll,Budgeting,AnalyticsandAdvancedBusinessReporting.CIP#632515:HCAAEnterpriseResource
Planning&AnalyticsProgram(theProject)wasapprovedbytheBoardattheSeptember4,2014Board
meetingaspartofthe2015CapitalandOperatingBudgetwithabudgetof$9,324,700.
RESULTSOFINVESTIGATION
Allegation#1:OracleProjectwasnotproperlyprocured.
AsofNovember30,2015,$8,159,350hadbeenspentontheProject.97%ofthecostsassociatedwith
theProjectrelatedtopurchasesofsoftwareandhardwarefromOracleAmerica,Inc.,consultingservices
fromKPMG,LLP,andstaffaugmentationservicesfromVeredusCorporation.
Otherthansomeminordocumentationinconsistencies,theAuthorityPoliciesandStandardProcedures
relatedtothesolesourceprocurementfromOracleAmerica,Inc.wereproperlyfollowed.Information
wasprovidedbyInformationTechnologyServices(ITS)andProcurement,reviewedbyLegalAffairs,and
ultimatelypresentedandapprovedbytheAuthorityBoard.TheconsultingservicesfromKPMG,LLPwere
properly procured utilizing an existing contract and the staff augmentation services from Veredus
Corporationwereproperlyprocuredbasedonacooperativecontract.
Claims were made that a formal solicitation should have been performed to hire consultants for the
implementationoftheProjectandthatGauthamSampathwashiredonasanemployeeandothersas
temporaryemployeesthroughVeredusCorporationtocircumventtheprocurementprocessinthehiring
ofaconsultant.Mr.SampathandthetemporarystaffingthroughVeredusCorporationwerebroughtto
theAuthoritythroughchannelsthatwereallowable.ThereisnothinginthecurrentAuthorityPolicies
andStandardProceduresthatprohibitshiringofanindividualforaprojectwithaspecificdurationand
cooperativecontractsareanapprovedprocurementmethod.
InvestigationofAllegations/InternalAuditReport/Project#2015005
Allegation#2:Existenceofconflictsofinterestandpreferentialtreatment.
Whiletherewereindicationsofpotentialconflictsofinterest,theemploymentofMr.Sampathandhis
wife(whowasatemporaryemployeethroughVeredusCorporation)wasterminatedinNovember2015.
Therefore,thepotentialconflictsofinterestnolongerexist.
SeparateallegationsweremadethatMr.Sampathtooktwovacationsanddidnotrecordunileavein
accordance with Authority Policies and Standard Procedures. This was alleged to be preferential
treatment.Mr.Sampathsvacationwasnotproperlymonitoredwhichledtohoursnotbeingproperly
deducted from his unileave balance. Prior to his termination, the unileave balance was accurately
adjustedbyFinancefortheunileavehoursactuallyused.
Allegation#3:OverbillingofhoursthroughVeredus.
Approximately$1,400,000waspaidto VeredusCorporationbetweenApril1,2014andNovember30,
2015for13,150laborhours.Approximately9,500ofthehourswerefortheProjectwhiletheremaining
hoursrelatedtootherstaffingneedswithinITS.Basedonthetestingandverificationperformedoverthe
payratesandapprovalprocessofhoursbilled,thereisnoevidencethatoverbillingoccurred.
Allegation#4:Utilizationofoverseasworkerswhichcreatesasecurityrisk.
SevenusersdidaccessAuthorityInformationSystemsfromoverseas.However,otherthanMr.Sampath,
theywererestrictedbynetworksecuritypolicywhichonlyallowedaccesstotheVeredusenvironment.
TheydidnothaveaccesstothebalanceoftheAuthoritysnetwork.Since
apartoftheenvironment,BSIwasunabletodeterminespecificallywhatdatamayhavebeen
transferred.Additionally,thedataintheVeredusenvironmenthaschangedthroughouttheprogression
oftheProject,sowhatiscurrentlyavailableintheVeredusenvironmentdoesnotnecessarilyrepresent
datathatmayhavebeenpresenthistorically.Lastly,therewereseveralsecuritysettingsthatwerenot
enabledwhichrenderedsomeoftheanalysisconductedbyBSItobeinconclusive.SeeAppendix1for
correctiveactiontakenandAppendix2fortheresultsoftheBSIanalysis.
FINALASSESSMENT
Overall, the investigation of the allegations did not identify any specific fraudulent activity. However,
therewereseveralAuthorityStandardProceduresthatwerenotfollowed:
S150.01,StandardsofEthicalConduct
S270.06,RemoteAccesstoAuthorityInformationSystems
S270.07,PasswordSecurity
S270.09,ITSAuthorizationforAccesstoAuthorityInformationSystems
S611.01,PayrollandTimeReporting.
Additionally, there are various processes within the ITS, Procurement, and Human Resources
Departmentsthatcouldbeclarifiedandimprovedtoprovideadditionalguidance.Thesewillbediscussed
indetailwithAuthorityManagement.
TABLEOFCONTENTS
Transmi alLe er
Introduc on,Policy,andAllega ons
Allega on#1
Allega on#2
Allega on#3
Allega on#4
Conclusion
Appendix1:Correc veAc onTaken
Appendix2:ReportfromBaysideSolu ons,Inc.
10
11
INTRODUCTION,POLICY,ANDALLEGATIONS
OnJuly20,2015,LauraTatem,DirectorofInternalAuditreceivedananonymousemailnotingvarious
allegations in regards to the Oracle Project which is officially titled CIP #632515: HCAA Enterprise
ResourcePlanning&AnalyticsProgram,butwillbereferencedthroughout thisreportastheOracle
Project, the Project, or Project #632515. In accordance with Authority Standard Procedure
S150.02,EthicsandComplianceProgramandInvestigations,Ms.Tatembroughttheinformationforward
toElitaMcMillon,DirectorofEthics,Diversity,andAdministration.
Upon discussion with Mrs. McMillon, it was discovered that the Department of Ethics, Diversity, and
Administrationwasalreadyintheprocessoflookingintocertainpotentialconflictsofinterestrelatedto
anemployeethatwasoneofthekeyteammembersworkingontheimplementationoftheProject.The
employee was Gautham Sampath. Additionally, the Human Resources (HR) Department was in the
middleofdeterminingwhetherornotNirmalaPerumal,thewifeofMr.Sampath,couldbehiredonasa
fulltimeemployee.Ms.TatemandMrs.McMillonreviewedtheemailandcreatedasummarylistingof
the allegations that required further investigation. The email indicated there were other issues that
wouldbesentinsubsequentemails.Ms.Tatemrepliedtotheoriginalemailaskingformoreinformation
tosubstantiatetheclaims.Nootheremailswerereceivedfromthatemailaddress.
Inordertoverifythecredibilityoftheallegationsintheanonymousemail,Ms.TatemandMrs.McMillon
begantogatherinformationanddataasdiscretelyaspossibleastonotalertanyoneoftheallegations.
AuthorityStandardProcedureS150.02,EthicsandComplianceProgramandInvestigations,indicatesthat
allinvestigationswillbeperformedinadiscreetmannertoavoiddamagingthereputationofinnocent
persons.
Subsequent to the initial anonymous email, and during the information gathering stage of the
investigation,otherinformationwasbroughtforwardfrombothcurrentandformeremployees.Based
ontheoriginalemail,thenewinformationbroughtforward,anddiscussionswithvariousAuthoritystaff,
theallegationscanbesummarizedasfollows:
Allegation#1:OracleProjectwasnotproperlyprocured.
Allegation#2:Existenceofconflictsofinterestandpreferentialtreatment.
Allegation#3:OverbillingofhoursthroughVeredus.
Allegation#4:Utilizationofoverseasworkerswhichcreatesasecurityrisk.
In order to assess the various allegations, information was gathered and research performed to
understandtheProject,thesurroundingcircumstancesandstructureoftheProject,andthecontractsin
placerelatedtotheProject.
The Department of Ethics, Diversity, and Administration assisted with Allegation #2. Additionally, an
outsideconsultant,BaysideSolutions,Inc.,washiredtoassistwithAllegation#4.
Page1of11
ALLEGATION#1:OracleProjectwasnotproperlyprocured.
AsofNovember30,2015,$8,159,350hadbeenspentontheProject.Oftheseexpenses,97%relatedto
thesoftwareandhardwarepurchasesfromOracleAmerica,Inc.(Oracle),consultantservicesfromKPMG,
LLP(KPMG)andstaffaugmentationservicesfromVeredusCorporation(Veredus).
ThepurchasesfromOraclewereprocuredviasolesourceprocurementmethods.Consultingservices
from KPMG were procured utilizing an existing contract between KPMG and the Authority. Staff
augmentationcoststhroughVereduswereprocuredusingacooperativecontract.Themajorityofthe
costsintheothercategoryinthechartabovewerenotinvestigatedastheywerenotdeemedpertinent
ormaterialtoAllegation#1.However,theprocurementofKabaWorkforceSolutions,LLC(Kaba)was
reviewedduetothenatureoftheprocurementbeingsolesource.
Additionally,claimsweremadethataformalsolicitationshouldhavebeenperformedtohireconsultants
fortheimplementationoftheProjectandthatMr.Sampathwashiredonasanemployee,aswellasthe
temporaryemployeesthroughVeredus,tocircumventtheprocurementprocess.
PurchasesfromOracleAmerica,Inc.
Otherthansomeminordocumentationinconsistencies,theAuthorityPoliciesandStandardProcedures
related to sole source procurements were properly followed for the award to Oracle America, Inc.
InformationwasprovidedbyITSandProcurement,reviewedbyLegalAffairs,andultimatelypresented
andapprovedbytheAuthorityBoard.Theinconsistenciesindocumentationareconsideredtobeminor
pointssinceitwasnotnecessaryfortheProcurementDepartmenttoprocuretheOraclesoftwareand
hardwareutilizingthesolesourcepurchasemethod.TheOracleLicenseandServicesAgreementwiththe
effectivedateofOctober17,2012,withsubsequentamendmentdatedOctober24,2014,wasalreadyin
placeandprovidedthatordersforprograms,hardware,operatingsystem,integratedsoftwareand/or
servicescouldbeplacedforthree(3)yearsfromitseffectivedate.
Page2of11
PurchasesfromKPMG,LLP
ConsultingservicesfromKPMG,LLPwereproperlyprocuredutilizinganexistingcontractbetweenKPMG
andtheAuthority.ThecontracthadremainingBoardapprovedspendingauthorityofapproximately
$2,800,000thatcouldbeusedforimplementationservicesfortheProject.
PurchasesfromVeredusCorporation
ThestaffaugmentationservicesfromVereduswereprocuredutilizinganexistingcontractbetweenthe
City of Tampa and Veredus where formal solicitation procedures had already been performed thus
eliminatingtheneedfortheAuthoritytoissueaformalsolicitation.AuthorityPolicyP410,Procurement,
authorizestheutilizationoffederal,state,local,ormultistatecooperativecontractstopurchasegoods
andserviceswithoutobtainingthreequotesoradvertisement.TheCityofTampaawardqualifiesunder
this Policy. The temporary staffing was to be used to support several ITS projects such as the
implementation of the Business Intelligence (BI) and Hyperion modules of Oracle and the
Common/SharedUsePassengerProcessingSystem(C/SUPPS),aswellasadditionalsupportforproject
managementandinformationsecurity.
PurchasesfromKabaWorkforceSolutions,LLC
The Authority Policies and Standard Procedures related to sole source procurements were properly
followedfortheawardtoKaba.InformationwasprovidedbyITSandProcurement,reviewedbyLegal
Affairs,andultimatelypresentedandapprovedbytheBoard.
CircumventionofProcurementProcess
Mr.SampathwashiredtoassistwiththedevelopmentandimplementationoftheOracleBIandHyperion
modulesoftheProject.Thiswasestimatedtobea1to2yearprojectforMr.Sampath.Originally,he
wasgoingtobehiredthroughVeredusasaconsultant(asevidencedbyvariousITSformscompletedfor
accesstoAuthoritysystems).However,accordingtotheDirectorofITSandtheVicePresidentofFinance,
Procurement,andITS,acostassessmentwasperformedanditwasdeterminedtobemuchmorecost
effectivefortheAuthoritytohirehimasafulltimeemployeeratherthanthroughtheVereduscontract.
TheHumanResourcesDepartmentwasconsultedinregardstothisdecisionandwasinagreementwith
thedecision.
Aspreviouslynoted,thestaffaugmentationservicesfromVereduswerebasedonacooperativecontract.
Mr.SampathandthetemporarystaffingthroughVereduswerebroughttotheAuthoritythroughchannels
that were allowable. There is nothing in the current Authority Policies and Standard Procedures that
prohibitsthehiringofanindividualforaprojectwithaspecificduration.Likewise,theuseofcooperative
contractsisanapprovedprocurementmethod.
ALLEGATION#2:Existenceofconflictsofinterestandpreferentialtreatment.
Mr. Sampaths official start date as a full time employee of the Authority was December 1, 2014.
AuthorityPolicyP150,CodeofEthicsandEthicsProgram,andAuthorityStandardProcedureS150.01,
StandardsofEthicalConduct,require,amongotherthings,leadershiplevelemployeestocompletethe
ConflictofInterestDisclosureFormonanannualbasis.Asaleadershiplevelemployee,Mr.Sampaths
completedformwasduetohisDirectorbyJuly1,2015andhisDirectorwasresponsibleforforwarding
Page3of11
thecompletedformtotheEthicsCoordinatorbyJuly15,2015.TheformwasnotreceivedbytheEthics
CoordinatorbyJuly15,2015.
Subsequently, the completed form was requested from Mr. Sampath along with the Off Duty
Employment RequestForm. The completedformswereprovided July21,2015. Onceobtained,the
DepartmentofEthics,Diversity,andAdministrationbeganquestioningtheinformationprovidedonthe
forms.
ThefollowingwasdisclosedontheConflictofInterestDisclosureForm:
ThefollowingwasdisclosedontheOffDutyEmploymentRequestForm:
AllegationsweremadeclaimingthatMr.Sampathhadconsultingcontractswithotherentitiesandthat
he was performing work for these other clients on Authority time. The Internal Audit and Ethics,
Diversity,andAdministrationDepartmentsgatheredinformationtobetterassessthepotentialconflicts
ofinterest.
Innive, Inc. (Innive) was noted on the Conflict of Interest Disclosure Form. Innive is a company
headquarteredat18018MalakaiIsleDriveinTampa.ThisaddressisalsothehomeaddressofGautham
Sampathandhiswife,NirmalaPerumal,pertheAuthoritysrecordsintheHRDepartment.Accordingto
the Companys website, Innive provides services encompassing all aspects of Oracle EBusiness Suite
Page4of11
Applications,BusinessIntelligence,EnterprisePerformanceManagement,andOracleFusionMiddleware
implementations.InniveisanOraclePlatinumPartner.AccordingtotheFloridaDepartmentofState
Divisions ofCorporations website (www.sunbiz.org), Innives Registered Agent and Officer/Director is
NirmalaPerumal.BasedondiscussionswithMr.Sampath,Innivedoesnothaveabankaccount,hasno
employees,andhasnotbegunanywork.WhenaskedabouttheclientlistnotedontheInnivewebsite,
heindicatedInnivepartneredwithTransSysSolutions(TransSys)andthosearetheclientsofTransSys.
TranSysisalsoanOraclePlatinumPartner.
Oracle Partner Network (OPN) offers members access to partnerspecific training, resources, goto
markettools,andsupport.ThefollowingisanexcerptfromOracleswebsite:
TheOraclewebsitelistsseveralpagesofbenefitsthatareprovidedtoanOPNmemberatthePlatinum
level. However, it does note that transactions with public sector entities will not be included in
determininganybenefitSeeexcerptfromwebsitebelow:
BasedonsearchcriteriaenteredintotheFloridaDepartmentofStateDivisionsofCorporationswebsite
(www.sunbiz.org),13companies,includingInnive,havebeenregisteredtotransactbusinessintheState
ofFloridainwhichGauthamSampathorNirmalaPerumalwereidentifiedaseithertheRegisteredAgent,
Officer, Director, or Authorized Person between the period of August 2008 and March 2015.
Additionally, one Fictitious Name was also registered. A Fictitious Name is a name under which any
personorbusinessshalldoortransactanybusinessinthisStatewhichisotherthanthetruenameof
suchpersonorbusiness.Thisiscommonlyreferredtoasad/b/a,anacronymfordoingbusinessas.
Ofthese14companynames,Innivewastheonlycompanywithastatusofactive.
InnivewasawardedanonexclusiveusecontractwithPrinceGeorgesCountyPublicSchools(PGCPS)
inMaryland.TheNoticeofAwardwasdatedJune30,2015inresponsetoRFP04915forConsulting
ServicesforOracleEbusinessSuite.TheawardletterwasaddressedtoMr.Sampath.
PriortojoiningtheAuthorityasanemployee,Mr.SampathworkedasanemployeeofPinellasCounty.
HewastheirChiefTechnologistandimplementedmanyOracleapplicationsincludingERP12.1.3,Oracle
Business Intelligence Enterprise Edition (OBIEE), and Hyperion. According to his resume, he was an
employeeatPinellasCountyfromOctober2010throughJune2014.HestillhadaccesstohisPinellas
CountyemailaddressasofOctober27,2015.
Page5of11
While employed by the Authority, Mr. Sampath was receiving RFPs directly from Oracle for other
governmentalagencies.WhendiscussedwithMr.Sampath,heindicatedthatheoftentakesphonecalls
andreceivesemailsfromotherorganizationsforhisinputandexpertise.Heindicatedhewasworking
onProofofConceptsforseveralotherentities.
AuthorityStandardProcedureS150.01,StandardsofEthicalConduct,indicatesthefollowing:
Authorityemployeesshouldidentifyandavoidconflictsofinterest,refrainfromplacing
themselvesinapositioninwhichpersonalinterestsmaycomeintoconflictwiththeduty
owed to the public and ...Authority employees shall not use the Authoritys time,
facilities,equipment,orsuppliesforpersonalgain.
Whilemuchofthisinformationpointstopotentialconflictsofinterest,Mr.Sampathsemploymentwas
terminated effective November 20, 2015. Additionally, his wifes assignment to the Authority was
terminated November 2, 2015 when all staffing through Veredus was suspended. Therefore, the
potentialconflictsofinterestnolongerexist.
SeparateallegationsweremadethatMr.Sampathtooktwovacations(oneinApril2015andoneinAugust
2015)anddidnotrecordunileaveinaccordancewithAuthorityPoliciesandStandardProcedures.This
wasallegedtobepreferentialtreatment.
UnileaverecordswereobtainedfromtheAuthoritysFinanceDepartment.Therecordsindicatednouni
leavewastakenbyMr.Sampath.TheFinanceDepartmentmetwithMr.Sampathanddeterminedthat
hehadactuallyused136hoursofunileavethatwasneverproperlyrecorded.Hehadenteredtheuni
leavehoursfortheAprilvacationinStrombergforapprovalbytheDirectorofITS.(Strombergisthe
Authoritystimeandattendancesoftwaresystem.)TheDirectorofITSdidnotapprovetheleavewithin
Stromberg, so the hours were never deducted from Mr. Sampaths unileave balance. Mr. Sampath
recordedthehoursrelatedtotheAugustvacationwithintheHEATsoftwaresystem.(HEATisanITService
ManagementSolutionthatITSusestosupporttheITSHelpDeskinassigningandtrackingtheprogressof
helpdesktickets).Thisisnotthepropersystemforenteringunileaveinformation.Therefore,theAugust
hourswereneverdeductedfromMr.Sampathsunileavebalance.
TheDirectorofITSdidnotproperlymonitorMr.Sampathsunileaveandapprovedtimesheetsthatdid
not have unileave recorded. Per Standard Procedure S611.01, Payroll and Time Reporting, it is the
supervisors responsibility to ensure accuracy of the time sheet Additionally, each employee is
individually responsible for the accuracy of their time sheet. The unileave balance has since been
corrected by deducting the proper amount of hours. Additionally, Mr. Sampaths employment was
terminatedeffectiveNovember20,2015.
The other claims of preferential treatment included allowing Mr. Sampath to work from home and
allowinghimtoprovideconsultationservicestootherentitiesduringAuthorityworkhours.Itwasnot
deemed necessary to investigate those further since Mr. Sampath is no longer employed by the
Authority.
Page6of11
ALLEGATION#3:OverbillingofhoursthroughVeredus.
As described previously, the Authority utilized an existing contract between Veredus and the City of
TampaforstaffingservicestohiretemporaryemployeestoassistwithvariousITSprojects.Temporary
employeesworkingthroughVereduslogintoatimesystemmaintainedbyVeredustorecordtheirhours
worked.Onaweeklybasis,VereduswouldsendcopiesofthetimesheetstoAuthoritypersonnelfor
approval.CopiesofeachtimesheetwereincludedintheAuthoritysERPsystem(Oracle)withnotation
ofwhichITSstaffmembergaveapproval.Additionally,priortobeingpaid,thesupportingtimesheet,
alongwiththeinvoicefromVeredus,wasroutedthroughtheAuthoritysOracleworkflowandapproved
electronicallybyatleasttwopeople.
TheanonymousemailindicatedthatthestaffthroughVereduswereoffsiteandthattheyonlylogged
intotheAuthoritysnetworkthroughVPNforshortperiodsoftime,butthenbilledforlongerperiodsof
time.Additionally,subsequentclaimsweremadethattheVeredusemployeeswereloggingintothe
Authoritynetworkfromoverseaslocations.
ItwasconfirmedwithITSandVeredusthatsomeofthetemporarystaffdoworkremotely(notphysically
onsiteattheAuthority).And,basedonthetypeofworktheyperform,itisnotabnormaltoonlylogin
forshortperiodsoftimethroughVPN.PerITS,muchoftheworkdonebythetemporarystaffwasdone
onremotemachinesfortestingpurposesandwouldnotbedonedirectlyonAuthoritynetworks.One
individualwouldactasthecodecontrolleranduploadalltheworkdoneonremotemachinestothe
masterdevelopmentserver.TheDirectorofITSindicatedallremoteuserswerelocateddomestically
withintheUnitedStates.ThiswasconfirmedwiththemanagementofVereduswhoindicatedtheyonly
supplydomesticstaffingservicesanddonotutilizeoverseasstaffing.(SeeAllegation#4belowwhich
addressestheclaimofoverseasworkers.)
UsingtheinformationprovidedbyVeredusandinformationobtainedfromeachinvoice,afullanalysisof
pay rate, labor burden, and fee was completed for all payments made to Veredus from April 1, 2014
throughNovember30,2015.TofurtherensuretheaccuracyoftheinformationprovidedbyVeredus,
procedureswereperformedtotestasampleoftherawrates(payrates)atVeredussoffice.Nosignificant
exceptionswerenotedduringtheseprocedures.
ThetotalpaidtoVeredusfromApril1,2014throughNovember30,2015amountedto$1,360,471for
13,150laborhours.Approximately9,500ofthehourswerefortheProjectwhiletheremaininghours
relatedtootherstaffingneedswithinITS.Sincemanyofthetemporarystaffwereworkingremotely,their
actualhourscannotbedirectlytested.However,alloftheirtimesheetswereproperlyapprovedbyITS
employeesthroughoutthetimeperiodtested.Additionally,staffofITSindicatedthedeliverableswere
meetingexpectationsandwereproofthattheapplicablehourswerebeingworked.Basedonthetesting
and verification performed over the pay rates and the approval process of hours billed, there is no
evidencethatoverbillingoccurred.
Page7of11
ALLEGATION#4:Utilizationofoverseasworkerswhichcreatesasecurityrisk.
Allegationsweremadeindicatingpotentialsecurityrisksassociatedwiththeuseofoverseasworkers.
During the testing and analysis of the Veredus billings, it was discovered that there were several
individualswithuserIDsin
undertheVeridusgroupthatwerenotincludedonanyof
the invoices from Veredus. (Note: proper spelling is Veredus, but setup on Authority network used
spelling of Veridus.) VPN logs were reviewed for these users and indicated numerous logins from
overseas.BaysideSolutions,Inc.(BSI)washiredbytheInternalAuditDepartmenttoassistwiththis
portionoftheinvestigation.
entitledVeridus.Thissub
AsubgroupwascreatedwithintheVendorsgroupin
groupcontained17users.Mr.SampathandMrs.PerumalwerenotincludedintheVeridusgroup.They
eachhadtwouserIDs,anadministrativeuserIDlocatedintheITS/ITSAdminAccountsgroupandaregular
userIDlocatedintheITS/InformationTechnologyServicesUsersgroup.
Ofthe17userswithintheVeridussubgroup,onlysixwereincludedontheinvoicesfromVeredus.Of
the11notincludedontheinvoicesfromVeredus,sixloggedinviaVPN.Thereisnoevidenceoftheother
5userslogginginviaVPN.InaccordancewithAuthorityStandardProcedureS270.09,ITSAuthorization
for Access to Authority Information Systems, an individual is granted access to Authority information
systems after completion of the AM07 and AM10 Forms. Authority Standard Procedure S270.06,
RemoteAccesstoAuthorityInformationSystems,requirestheAM22Formtobecompletedtobegranted
remoteaccess.
1. AM07AccesstoAuthorityInformationSystemsAcknowledgementForm
2. AM10AuthorizationforAccesstoAuthorityInformationSystems
3. AM22VPNSoftwareRemoteAccessRequestForm
TheAMFormswereobtainedandreviewedforthoseinthe
Veridusgroupaswellasfor
Mr.SampathandMrs.Perumal.Manyoftheformswerenotproperlycompleted(e.g.,missingcontact
information,missingsignatures,samephonenumberfordifferentindividuals).FouroftheAM07forms
werenotonfileand15oftheAM10formswerenotonfile.
AlloftheAMformsonfileindicatedthattheindividualsworkedforVeredus,withtheexceptionofMr.
SampathsincehewashiredasanAuthorityemployee.Basedonreviewoftheinvoicesandonverbal
confirmationfromVeredus,severaloftheuserswerenotaffiliatedwithVeredus.
InternalAudithiredBSItoprovideconsultingservicestoassesspotentialsecurityviolationsofAuthority
networks,systems,andperipherals.Thisincludedreviewofthe19usersidentified(17intheVeridus
group,Mr.Sampath,andMrs.Perumal)anduseractivitytodetermineifinappropriateaccess,storage
ortransmittaloranylevelofinformationsecuritycompromiseoccurredbetweenMarch1,2014and
October23,2015.AcopyoftheBSIreportisattachedasAppendix2.
BSIalsoanalyzedtheVPNlogsforloginlocationsaswellasanyindicationofpasswordsharing.TheBSI
report indicates the following login locations based on Geolocation (GEO) information of where the
connectionoriginated:
Page8of11
TheBSIreportalsodisclosedinstancesinwhichVPNcredentialswereshared.Sharingnetworkaccess
credentialsisaviolationofAuthorityStandardProcedureS270.07,PasswordSecurity.
BasedontheinformationintheBSIreport,theuserssetupundertheVeridussubgroupwererestricted
bynetworksecuritypolicywhichonlyallowedaccesstotheVeredusenvironment.Theydidnothave
access to the balance of the Authoritys network. However, Mr. Sampath and Mrs. Perumal had
additionalaccesssincetheyhadregularandadminaccounts.Since
a part of the environment, BSI was unable to determine specifically what data may have been
transferred. Additionally, the data in the Veredus environment may have changed throughout the
progressionoftheProject,sowhatiscurrentlyavailableintheVeredusenvironmentdoesnotnecessarily
representdatathatmayhavebeenpresenthistorically.
TheBSIreportindicatedtherewereseveralsecuritysettingsthatwerenotenabled.Thiscausedsome
analysistobeinconclusive.
SeeAppendix1forcorrectiveactiontakenandAppendix2forresultsoftheBSIanalysis.
CONCLUSION
Overall,theinvestigationoftheallegationsdidnotidentifyspecificfraudulentactivity.However,there
wereseveralAuthorityStandardProceduresthatwerenotfollowedandthereareprocesseswithinthe
ITS, Procurement, and HR Departments that could be clarified and improved to provide additional
guidance.ThesewillbediscussedindetailwithAuthorityManagement.
This report was prepared by the Authoritys Internal Audit Department and Department of Ethics,
Diversity,andAdministration.ItisintendedsolelyfortheinformationanduseoftheAuditCommittee
and Managementof the Authority. Thisrestrictionis notintendedto limitdistribution ofthisreport,
whichisamatterofpublicrecord.
Page9of11
APPENDIX1:CORRECTIVEACTIONTAKEN
Thefollowingcorrectiveactionwastakenpriortothecompletionofthisinvestigation:
CorrectiveAction:
1) EmploymentofGauthamSampathwasterminated
2) AllstaffingthroughtheVereduscontractwassuspended
3) AllUserIDsundertheVeridusgroupweredisabled
4) Mr.Sampathsunileavebalancewasadjustedtoactual
5) WebVPNwasdisabled
6) VPNsessionslimitedtoonlyoneconcurrentconnection
7) VPNsessionsterminatedafteronehouratwhichtimetheusercanlogbackin(withtheexception
ofITSemployeeswhoareprovidedlongerlogintimesinordertomaintainsystems)
8) VPNsessionswillbesupportedonlyiftheyoriginatefromanAuthoritydevice
9) AnewprocesswasestablishedforgrantingVPNaccesstoindividualsfromanyvendor.TheAM
22 Form was revised specifying more terms and conditions, as approved by Legal Affairs.
Additionally, the following documentation will be required: 1) a letter from the vendor that
indicatesabackgroundinvestigationhasbeenperformed,2)acopyoftheindividualsresume
withverifiablecontacts,and3)acopyofthefrontandbackoftheindividualsdriverslicense.
Although,notadirectresultofthisinvestigation,theBoardauthorizedapurchaseordertoVacoRisk
Solutions,Inc.(Vaco)attheDecember3,2015Boardmeetingforanottoexceedamountof$127,400.
Vaco specializes in providing enterprise solutions that secure people, facilities, processes and
technology.TheywillprovidetheAuthoritywithacomprehensivenetworksecurityassessment.
Page10of11
APPENDIX2:REPORTFROMBAYSIDESOLUTIONS,INC.
BaysideSolutions,Inc.(BSI)washiredbytheInternalAuditDepartmenttoassistwithAllegation
#4.Theirfullreportisattachedtothisreport.
Page11of11
MISSION
To provide the Board and management with an independent appraisal of the systems of internal
accountingandoperationalcontrol;ofthecompliancetothetermsofagreementsandappropriateness
offeespaidbytenants,concessionaires,andpermittees;andtheappropriatenessoffundsexpended.
INDEPENDENCE
The Internal Audit Department is independent of and does not have direct responsibility, control, or
authorityovertheactivitiesaudited.Thisallowstheauditorstocarryouttheirworkfreelyandobjectively.
Policiesandproceduresareinplacewithinthedepartmenttoidentifyandsafeguardagainstanypotential
threatstoindependence.
CONTACTINFORMATION
LauraTatem,DirectorofInternalAuditLTatem@TampaAirport.com
ElitaMcMillon,DirectorofEthics,DiversityandAdministrationEMcMillon@TampaAirport.com
P.O.Box22287
Tampa,FL33622

Investigation Into Oracle Project Allegations

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Investigation Into Oracle Project Allegations

Caricato da

Copyright:

Formati disponibili

HillsboroughCountyAviationAuthority

Introduc on,Policy,andAllega ons

Appendix1:Correc veAc onTaken

Potrebbero piacerti anche