They say that life sometimes imitates art. Now we have an example of that in the world of Sarbanes-Oxley compliance, courtesy of that knucklehead in Seattle charged the other week with embezzling company money just like those characters in the film “Office Space.”
You may have already seen the headlines. A former IT employee at online retailer Zulily.com has been charged with embezzling more than $300,000 from the company last year by altering the computer code in Zulily’s financial systems. Investigators pieced together the man’s scheme after they searched his laptop and found a file labeled “Office Space,” the 1999 film about unhappy office workers who swindled their company using the same method.
Of course any crime based on “Office Space” will get attention because we all snicker at soulless corporations cheated by a clever employee — but for compliance and audit professionals, there’s more here. If an employee can change the code in company software to commit financial fraud, that’s a flaw in IT general controls. Which is a threat to SOX compliance.
In fairness to Zulily, the company did do many things right. It found the embezzlement scheme quickly, conducted a thorough investigation, and cooperated with local law enforcement to bring the alleged perpetrator to justice. Plus, Zulily is a subsidiary of e-commerce giant Qurate Retail, which routinely has more than $2.7 billion in sales per quarter. A $300,000 fraud is not a material item that’s going to launch an SEC probe.
Still, as we’ve written many times before on these pages, IT general controls can be a glaring weak spot for effective internal control and SOX compliance — so we should take a look at what happened here. That it springs from “Office Space” just makes the analysis that much more fun.
IT Code and Diversions
The knucklehead in question is one Ermenildo Castro, charged just before Christmas with three felony counts of theft by prosecutors in Seattle. According to court filings, Castro worked as a software engineer at Zulily from December 2018 until he was fired in June 2022. He served on the company’s “shopping experience team,” where he was directly involved in coding the customer checkout process for Zulily’s website.
In February 2022, police say, Castro wrote a piece of software code that diverted the shipping charges on customer purchases to an account at payments company Stripe.com that Castro controlled. The code only targeted a small fraction of all Zulily customer purchases, but within several weeks Castro still managed to embezzle $110,000.
Within two weeks, Zulily’s anti-fraud department had noticed discrepancies between the amounts that some customers were being billed and the amounts then charged to their credit cards, and opened an investigation. One hiccup, however: Castro, as a member of Zulily’s e-commerce team, was part of the team asked to investigate.
Then, police say, Castro launched a second scam. He wrote up another piece of software code that double-charged some customers for shipping, and then routed the full shipping charges both to Zulily and to Castro’s account at Stripe. That allowed him to embezzle another $151,000, police say.
While all this was happening, police say Castro ran yet another fraud against the company: he loaded up his online shopping cart with items he wanted to buy, and then altered Zulily’s software code so that he could buy them for pennies on the dollar. Over the course of three months in 2022, police say, Castro bought 1,294 items that had a total value of more than $41,000, but he only paid $254.
Even better: part of that discount-price scheme was to impress a woman Castro had met on Tinder, police say. Castro told the young woman to load up her Zulily cart with items she wanted, and he would buy them for her. She racked up a wishlist worth $3,000. Castro allegedly bought the goods for $40.95. I’ve asked several single female compliance professionals whether this constitutes dating fraud in addition to, ya know, actual fraud. Opinions vary but they all recommend that the woman in question dump Castro immediately.
That third fraud seems to have been Castro’s undoing. The anti-fraud team quickly noticed his unusual number of purchases, launched an investigation, found the goods at his house, and fired him in June. Investigators then searched Castro’s company laptop (which he had dutifully returned), and that’s when they found a mysterious folder called “Office Space.” In that folder were step-by-step instructions for the other two shipping-charge frauds. Investigators went through the audit logs of their software code updates, and found the changes in user accounts assigned to Castro.
Police were subsequently called, and according to filings from Seattle police, Castro admitted to everything. Moreover, “Castro confirmed that he named his scheme to steal from Zulily after the movie.”
Best practices about IT general controls all flow from Principle 11 of the COSO framework on effective internal control: “The organization selects and develops general control activities over technology to support the achievement of objectives.”
Each principle of the COSO framework then has several more specific “points of focus,” and for our Office Space example here, perhaps the most relevant one revolves around security management:
Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats.
We don’t know much about Castro’s exact role on Zulily’s IT security team, but we can still review some best practices other companies would want to keep in mind about their own IT general controls and fraud risk.
For example, companies should generally keep their software testing environment (where they experiment with new code) separate from their production environment (where the code is pushed into the live website, app, or other IT system). Castro had at first claimed that he was only testing Zulily’s e-commerce platform to see if someone could alter the prices on goods, and then forgot to kill the code so the purchases ended up going to his house by accident.
That sounds like baloney to me, and apparently it did to law enforcement as well since Castro is now facing charges. But it does raise the point that employees should almost never be allowed to “test in production” because that opens the door to frauds like this one.
This case also underlines the importance of accurate audit logs to see who introduced what changes to IT code. Points to Zulily on this score, because the company was able to match the suspicious code changes back to accounts under Castro’s control fairly quickly.
Still, we have another internal control concern here: companies need a method of inspecting and intercepting every bit of code entering their ERP software environment before that piece of code goes live. This goes beyond mere change management controls, which typically just record who made what change. We need a better system of IT general controls that can actually review each change before it happens, and block changes that might be dangerous.
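The change-review gate and the audit trail described above, as an added example that is not part of the original post or Zulily’s own tooling. It assumes a hypothetical change log with author, approver, touched files and target environment; the account names, file paths and “sensitive” prefixes are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# One entry of a code-change audit log. The fields are assumptions for this
# example, not any real company's schema.
@dataclass
class ChangeRecord:
    change_id: str
    author: str                # account that committed the change
    approver: Optional[str]    # account that approved it; None if nobody did
    files: List[str]           # paths touched by the change
    environment: str           # "test" or "production"

# Paths where a change can alter what customers pay or where money goes.
# Prefixes are constructed for this example.
SENSITIVE_PREFIXES = ("checkout/payment/", "checkout/shipping/", "checkout/pricing/")

def touches_money(rec: ChangeRecord) -> bool:
    return any(f.startswith(SENSITIVE_PREFIXES) for f in rec.files)

def review_findings(rec: ChangeRecord) -> List[str]:
    """Control violations for one change; an empty list means it may go live."""
    findings: List[str] = []
    if rec.environment != "production":
        return findings          # experimenting in test is fine; production is gated
    if rec.approver is None:
        findings.append("no approver: unreviewed change pushed to production")
    elif rec.approver == rec.author:
        findings.append("author approved own change: no segregation of duties")
    if touches_money(rec) and rec.approver in (None, rec.author):
        findings.append("payment/shipping/pricing path changed without independent review")
    return findings

def gate(log: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Run the gate over the whole log; returns only the changes that must be blocked."""
    return {r.change_id: f for r in log if (f := review_findings(r))}

def changes_by_account(log: List[ChangeRecord]) -> Dict[str, List[str]]:
    """The audit trail the text credits Zulily with: which account made which change."""
    index: Dict[str, List[str]] = {}
    for r in log:
        index.setdefault(r.author, []).append(r.change_id)
    return index

# Constructed sample log (names and paths are made up).
SAMPLE_LOG = [
    ChangeRecord("c1", "alice", "bob", ["checkout/cart/ui.js"], "production"),
    ChangeRecord("c2", "eng-7", "eng-7", ["checkout/shipping/charge.py"], "production"),
    ChangeRecord("c3", "eng-7", None, ["checkout/pricing/discount.py"], "production"),
    ChangeRecord("c4", "eng-7", None, ["checkout/pricing/discount.py"], "test"),
]

if __name__ == "__main__":
    for change_id, findings in gate(SAMPLE_LOG).items():
        print(change_id, "BLOCKED:", "; ".join(findings))
```

In the sample log, c1 passes, c4 passes because it never leaves the test environment, and c2 and c3 are blocked before deployment while `changes_by_account` still ties every change back to the account that made it.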
In Zulily’s case the fraud involved was not a material amount, but that won’t necessarily be the case in other frauds. Castro’s stunt could have been run at a larger scale that was material.
If you’re a company on the receiving end of that threat, it’s no laughing matter — no matter how much you secretly like “Office Space.”