
How ITAM Could Have Stopped a $40M Heist at Yale University

Transparency Through A Centralized ITAM Program

Beginning around 2013, the director and administrator of Yale's Department of Emergency Medicine started a scheme that lasted almost ten years, at a loss of approximately 40 million US dollars (Diaz, 2022). The director had purchase approval of up to ten thousand US dollars. When needed, she would break up the purchases into multiple orders. The director would order computers (laptops, iPads, etc.) and have them shipped to a third party. The director would be paid after the third party sold the assets. The director dodged questions about the orders until an anonymous individual provided a tip after discovering large orders and witnessing the director placing assets in her car. This tip resulted in an audit that exposed the operation.


University ITAM Programs

Implementing an ITAM program is a bit more challenging for universities. First, there are three divisions: the student body, professors (and their research), and business operations. On top of these divisions are multiple colleges, such as the college of arts and sciences, the college of business, the college of engineering, and more. Each college may be autonomous in its business operations. The decentralization and different end-user requirements make for a more complicated ITAM program when compared to other industries.


How ITAM Would Have Saved Yale Millions of Dollars

Within two years, a centralized ITAM program would have prevented or stopped this theft.


Monitoring IT Purchases

The ITAM program monitors purchases, and not just purchases that follow policy. A rogue purchase may look legitimate, or it may be hidden by using a corporate credit card or an expense report. A valid purchase has a request and approval associated with it. The Yale purchases would have lacked a request from a stakeholder – an end-user, department, or project.


Receiving, Acceptance, and the ITAM Repository

ITAM monitors purchases in anticipation of receiving assets. This monitoring aids in scheduling people to process the receipt of the purchased assets. Furthermore, it is best practice for vendors to upload the list of new inventories into the ITAM repository in anticipation of receiving, deployment, and warranty. The receiving and acceptance process is another gate for the ITAM program. When the asset is received, it goes through an acceptance process: the asset is verified as ordered and delivered as purchased, tagged if required, and placed into inventory, and the stakeholder is informed of its receipt.


A "late or missing arrival" report would have flagged these assets as not being received. This report would have led ITAM to contact the vendor to investigate why the assets haven't been received. It would have been discovered that the assets were shipped to a third party.


Invoice Reconciliation

An invoice is approved only if the charged amount is correct and the asset was received, accepted, and configured as purchased. The invoice reconciliation process uses vendor purchase reports to identify missing invoices.
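The three gates described above (request-backed purchases, the "late or missing arrival" report, and invoice reconciliation) can be expressed as simple checks over purchase records. This is an added example, not part of the original article: the record layout, field names, and sample data are constructed assumptions, and the reconciliation step checks amount and acceptance only.

```python
from datetime import date

# Constructed sample data; the field names are assumptions, not a real ITAM schema.
REQUESTS = {"REQ-101"}                      # approved stakeholder requests
PURCHASES = [
    {"po": "PO-1", "request": "REQ-101", "qty": 5, "amount": 6000, "due": date(2021, 3, 1)},
    {"po": "PO-2", "request": None, "qty": 8, "amount": 9600, "due": date(2021, 3, 1)},
    {"po": "PO-3", "request": None, "qty": 8, "amount": 9600, "due": date(2021, 3, 20)},
]
ACCEPTED = {"PO-1": 5}                      # units that passed receiving and acceptance
INVOICES = [{"po": "PO-1", "amount": 6000}, {"po": "PO-2", "amount": 9600},
            {"po": "PO-9", "amount": 1200}]


def purchases_without_request(purchases, requests):
    """Gate 1: a valid purchase is tied to an approved request."""
    return [p["po"] for p in purchases if p["request"] not in requests]


def late_or_missing(purchases, accepted, today):
    """Gate 2: purchases past their due date that were not fully accepted."""
    return [p["po"] for p in purchases
            if p["due"] < today and accepted.get(p["po"], 0) < p["qty"]]


def reconcile(invoice, purchases, accepted):
    """Gate 3: approve only if the amount matches and the assets were accepted."""
    po = next((p for p in purchases if p["po"] == invoice["po"]), None)
    if po is None:
        return (False, "no matching purchase")
    if invoice["amount"] != po["amount"]:
        return (False, "amount mismatch")
    if accepted.get(po["po"], 0) < po["qty"]:
        return (False, "not received and accepted")
    return (True, "ok")


if __name__ == "__main__":
    today = date(2021, 3, 10)
    print("no request:", purchases_without_request(PURCHASES, REQUESTS))
    print("late or missing:", late_or_missing(PURCHASES, ACCEPTED, today))
    for inv in INVOICES:
        print(inv["po"], reconcile(inv, PURCHASES, ACCEPTED))
```
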


Physical Inventory

Physical inventory is used to validate the assets in the ITAM repository and is also used to increase the accuracy of the fixed asset database. Physical inventory is scheduled based on asset type. For example, desktops and laptops should be inventoried at least every two years. Physical inventories are an effective tool to find off-network assets and lost or stolen assets.


Conclusion

A centralized ITAM program would have greatly limited Yale's loss as long as there was a record of purchasing the IT assets. One of the ITAM program's responsibilities is spending transparency. This transparency is accomplished by centralizing ITAM processes that generate accurate IT asset data.


The IT ecosystem consists of multiple moving parts, which are functional areas such as IT, IT service desk, IT security, finance, compliance, legal, business units, project management office, and executives. The ITAM program's responsibility is to unify each part's interests into a single, cohesive approach to maximizing the value of the organization's investment and use of technology. This responsibility includes stopping employee theft.


Diaz, J. D. (2022, March 29). A former Yale employee admits she stole $40 million in electronics from the university. NPR. https://choice.npr.org/index.html?origin=https://www.npr.org/2022/03/29/1089525660/a-former-yale-employee-admits-she-stole-40-million-in-electronics-from-the-unive
