The perils of direct entry uploading into a database are well known … and the recent revelation by CBI on the modus operandi used in Satyam to book invoices is a grim reminder of this.
CBI has claimed to have unravelled through cyber forensic technique the modus operandi of Satyam in generating false invoices to show inflated sales.
Investigations revealed that Satyam Computer Services Limited (SCSL) had a regular application flow for the generation of invoices. This regular flow consisted of a series of applications: Operational Real Time Management (OPTIMA) for creating and maintaining the projects, Satyam Project Repository (SRP) for generating the project ID, an application called Ontime for keying in the man-hours put in by the employees, and a Project Bill Management System (PBMS) for generating the billing advices from the data received from Ontime and from the rates agreed upon with the customer. Based on the billing generated by PBMS, the Invoice Management System (IMS) generates the invoices.
Apart from the regular application flow, Satyam had another method of generating invoices through Excel Porting, wherein the invoices could be generated directly in IMS, bypassing the regular application flow by porting the data into IMS. This facility was actually meant to be used sparingly, for emergency requirements only.
Investigation revealed that in order to perpetrate the fraud, the accused had surreptitiously got a subroutine incorporated in the source code of the IMS application, whereby a new user ID called Super User got created, and this Super User had the power to hide/unhide the invoices generated in IMS. By logging in as Super User, the accused were hiding some of the invoices that were generated through Excel Porting. Once an invoice was hidden, it would not be visible to the other divisions of the company, but only to the sales team in the Finance division of Satyam. As a result, the business circles concerned would not be aware that such invoices existed. These invoices were also not despatched to the customers.
And thus the drama of Satyam continues.
The solution to prevent such frauds is not to stop direct data uploads completely. In every business there is a need to upload bulk data through a data porting utility into the database, and hence every application vendor needs to provide such a utility. To minimize the risk of misuse of this facility, some of the basic controls that various organizations may consider are:
Limit access to this utility to only selected persons / selected offices
Ensure that a proper maker-checker control exists – either in the system or outside the system
Ensure that suitable exception reports are available, and that these are reviewed by the concerned management / executives / auditors
Ensure that basic controls are built into the utility, e.g., cash entries cannot be passed through data upload, entries into particular GL accounts cannot be passed through data upload, backdated entries prior to the current open period cannot be passed, etc.
The system should be able to earmark such direct-upload entries separately, and should be able to generate reports based on this for an independent review at any point of time.
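The controls listed above, as an added illustration that is not part of the original post or of any real application: a small bulk-upload gate that restricts the porting utility to selected users, enforces maker-checker, rejects cash entries, barred GL accounts and entries backdated before the open period, earmarks every ported entry with its source, and produces a review report. The user IDs, account numbers, dates and sample entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy values (assumptions, not from the post)
BLOCKED_GL_ACCOUNTS = {"1001"}          # e.g. a cash-in-hand ledger barred from upload
OPEN_PERIOD_START = date(2009, 1, 1)    # start of the current open accounting period
UPLOAD_USERS = {"fin_upload_01"}        # only selected persons/offices may port data

@dataclass
class Entry:
    doc_id: str
    gl_account: str
    amount: float
    posting_date: date
    entry_type: str                     # "cash" or "journal"
    source: str = "bulk_upload"         # earmark every ported entry for later review

def validate_entry(e):
    """Return the list of built-in control violations for one uploaded entry."""
    problems = []
    if e.entry_type == "cash":
        problems.append("cash entries cannot be passed through upload")
    if e.gl_account in BLOCKED_GL_ACCOUNTS:
        problems.append(f"GL {e.gl_account} barred from upload")
    if e.posting_date < OPEN_PERIOD_START:
        problems.append("backdated entry before current open period")
    return problems

def process_batch(maker, checker, entries):
    """Apply access, maker-checker and built-in controls; return (posted, exceptions)."""
    if maker not in UPLOAD_USERS:
        raise PermissionError(f"{maker} is not authorised to use the porting utility")
    if checker == maker:
        raise PermissionError("maker-checker control: checker must differ from maker")
    posted, exceptions = [], []
    for e in entries:
        problems = validate_entry(e)
        (exceptions if problems else posted).append((e, problems))
    return posted, exceptions

def exception_report(posted, exceptions):
    """Lines for independent review: every ported entry is listed, rejected ones with reasons."""
    lines = [f"{e.doc_id} {e.source} POSTED GL={e.gl_account} amt={e.amount}" for e, _ in posted]
    lines += [f"{e.doc_id} {e.source} REJECTED: {'; '.join(p)}" for e, p in exceptions]
    return lines

# Constructed sample batch: one clean entry, one cash entry to a barred account, one backdated
SAMPLE = [
    Entry("INV-1", "4000", 1200.0, date(2009, 1, 15), "journal"),
    Entry("INV-2", "1001", 500.0, date(2009, 1, 15), "cash"),
    Entry("INV-3", "4000", 900.0, date(2008, 11, 30), "journal"),
]
```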