I’ve been meaning to blog about this for some time, and it is topical today as the Herald reports the ODHB Chair is refusing to resign and faces the sack.
The $17 million fraud perpetrated by the former CIO, Michael Swann, is in my opinion a failure of good governance, and that is squarely the role of the Board, with the Chair holding prime accountability. I also include the CEO as they are the Board’s chief advisor, and should have ensured better systems were in place.
Swann is the crook, and of course primarily to blame. Some fraud over a short period is near impossible to prevent when a senior official is corrupt.
But the size and duration of the offending removes the excuses from the Board. There were a number of things the Board and/or the CEO could have done to stop the fraud, or at least make it much more difficult for it to continue.
And that is before you get to the obvious warning signs: a senior official who owned around 20 cars and a handful of yachts should have rung alarm bells on his own.
I am myself a director of a company with around $10 million turnover. No company is perfect or fraud-proof, but we do have a strong focus on governance and good process. I suspect the ODHB (and part of the problem is that it is partially elected) focuses more on things like how to spend the money than on the boring side of governance: the processes to do with accountability.
Think of all the ways the CEO and/or the Board should have got some idea that something was wrong:
- Was there an internal audit function? External audits generally do not detect fraud. A large organisation should have an internal audit function.
- Many of the fake invoices were for software updates that were never done. Was there a policy of independent security checks of the IT systems for vulnerabilities? Such a check would have found the systems still running the old, unpatched versions, and so exposed that the invoiced updates had never been applied.
- Why was the contract for services not competitively tendered? A contract worth $17 million over some years should be decided at Board, or at least CEO, level and go to competitive tender. A CIO should not be delegated the authority to decide this alone. A competitive tender would probably have exposed that the company was a sham.
- Why did the CEO or CFO never get suspicious that they had never met anyone from a company they had paid $17 million to? When you are spending that much with a supplier you should have a relationship with them; you might even expect their directors to come in for a discussion.
- Did those who sign the cheques ever question the invoices? The company whose board I sit on is of course much smaller than a DHB, but as a signatory and director I often question several of the cheques I have to sign. Not in a hostile way, but in a “I don’t know what services this company provided for us; tell me what they did and which approved activity it relates to” way.
- Why did the Board and/or CEO never question the cost of the IT support services? Even if the services this firm was providing were real, they seem to me to be massively expensive. Did no one have any experience of what such services should cost? Did they question the increase in the IT budget? Did they ever say “Let’s tender this out and see if we can reduce it”?
- Did the Board have a policy of regular reviews of major suppliers and major contracts? The Board should not do the detailed reviews itself, of course, but it should set the policy, require the CEO to implement it, and have the findings and recommendations reported back to it.
- Did the Board have a robust financial delegations policy? At what level did expenses have to be approved by the Board, by the CEO, by the CFO, by departmental heads, and so on? How often did they review this policy?
- When a supplier is a major cost (such as $17 million over several years) you expect it to be a well-known firm. No one expects a $5,000-a-year supplier to be any better known than the local ABC computer shop, but if you are paying millions to a company you expect it to be well known (especially in a small city like Dunedin), to have a shopfront, to be in the Yellow Pages, to have a website. You might even expect to have had some first- or second-hand dealings with it.
I could go on and on. To be clear: no organisation can ever be so good that fraud is impossible. Corrupt staff can always find a loophole to some degree. But the size of the scam, its ongoing duration, and the fact that it would have been so simple to detect all point to a significant failure in policy, process and governance.
Yes, there have been changes of Chair and CEO during this time. But unless they are brand new to the job, both the Chair and the CEO need to be held accountable for what happened, rather than keep blaming it all on the corrupt Swann. His scam was not the genius con of the century. It was simplistic and should have been detected far earlier.