I don’t know why, but financial wrongdoing at an offshore vendor makes big news in the Western world. We saw that happen in instances such as the theft at HSBC’s captive center in Bangalore and the stealing of Citibank’s client account information at Citi’s supplier Mphasis (now part of HP/EDS). The recently reported financial fraud of $4 million at Wipro is the next one that’s making the rounds. Frankly, I was surprised when many IT services buyers asked Forrester about this incident and its impact. Here is a snapshot of the story:
What happened at Wipro?
An employee in Wipro’s internal finance department (more specifically, someone looking after internal financial controls) got access to Wipro’s bank account password and misused it to transfer out approximately $4 million in small amounts over an extended period to relatives’ personal accounts. Wipro did not realize this, and the employee continued to steal the money for as long as — according to some members of the Indian media — three years. Finally, sometime in December, the company got an overdraft note from the bank, which did not tally with the bank book showing a positive balance. This triggered an internal investigation, and the culprit was quickly discovered. With the help of agencies, Wipro was able to recover half of the stolen amount, limiting its losses to $2 million. Wipro took several steps to audit its financial processes to find any loopholes. It also used an external audit agency to vouch that internal controls are sufficient, and as a precautionary measure Wipro made large-scale changes (job rotations, internal transfers) to its finance department staff.
Is it a serious issue?
From client questions and the number of companies asking about this, one thing is clear — several Wipro clients are concerned about the event. They told us that all these years Wipro was proud of its process integrity as well as the ethics and value system of its employees. That image, to some extent, is tarnished by this instance, especially as it went unnoticed for a long period. Against the backdrop of the Satyam saga, we find many stories — some true and some exaggerated — making the rounds. But frankly, this incident is quite different from the earlier instances that I mentioned above (and not even worth mentioning in the same breath as the fraud by Satyam’s promoters), for the following reasons:
- It’s not unusual to have such financial theft in any part of the world.
- It happened purely in Wipro’s internal finance function and does not impact any client data or money. It has no reason whatsoever to impact client delivery or client service levels.
- There is no earlier track record (to the best of my knowledge) of such frauds at Wipro that could be interpreted to mean that Wipro works on a porous system. Rather, Wipro took — although late — a quick series of steps to plug the gap and redesigned its system, which now has routine rotation of people and more control points.
- A loss of two million is not insignificant, but Wipro surely can absorb it without hampering its financials.
What does it mean?
We don’t believe this incident will impact Wipro or its clients in any way. But at some level, it’s a gentle reminder of the importance of IT security and that evaluating your vendor’s security standards is a must. Don’t be complacent just because everything has been nice and fine with your provider in the past.
P.S. — I am in the last phase of writing a report on “How Safe Are Offshore Providers?” Recently the Data Security Council of India (DSCI — a Nasscom initiative) did a countrywide survey of the state of IT security in the industry. At almost the same time, the Indian government passed a law making security audits mandatory. Look out for my upcoming report on this subject.