It seems to me that IT fraud comes in two main forms: frauds perpetrated for money or power, and frauds involving failures to act ethically.
The first kind is generally easier to spot and deal with. Consider, for example, these three illustrations of different kinds of buyer fraud:
In each case senior management announced a desire to procure a "world class" packaged solution, but each process led them to a combination of source code licensing and internal Wintel development with the assistance of "consultants" from the winning partner.
Neither the internal auditors nor the Big Four external auditor brought in to review the inevitable failures found anything wrong with the RFP process. So what did he do?
Simple: he allowed each credible vendor to believe that it had won his confidence to the point that he had given it an improper advantage by talking too much about what his committee really wanted to see in the winning bid. As a result the non-IT people on the decision committee saw proposals from companies including SAP and Oracle as wildly inappropriate to their needs, and, indeed, as utterly incompetent and unprofessional money grabs.
Their enforcement strategy was simple: the public RFP process had both a drop-dead component and a fail-safe. The drop-dead component was that bids outside the range set by plus or minus 15% of the average of credible current bids, or of winning bids on comparable previous RFPs, could be discarded unread; the fail-safe gave about 30% of the points awarded during evaluations to the review committee's judgement on proposal (i.e. staffing) credibility.
How? Scope change orders awarded on a cost-plus basis, done in plain view of the auditors and everyone else, on the grounds that the tiny contracts were trials and only this company's people generally earned the right to continue working to bring million-dollar projects to completion.
So what are the patterns, and what data do you need to see if there's cause for concern?
The first kind is trivial for IT people to detect, provided we have the vendor proposals and the RFP documents. Basically, if you have a fairly tight RFP but the vendor proposals are all over the ballpark, you get to ask why, and the greater the divergence, the more likely it is that someone's been lying to bidders.
The second type is equally easy to spot but almost impossible to defeat, because the practices involved are easy to defend, especially to non-technical bureaucrats and politicians. Just imagine, for example, explaining to a defensive, technically ignorant senior manager that the 15% rule means no one offering a two-week, $10K, Perl-based solution can compete against a big firm offering a three-year COBOL, SDM/70 process.
The third type is easy to spot, but try proving to a senior executive who doesn't want to hear about computers (they never work anyway, right?) that the people who got kicked out after completing pilot projects are actually no less capable than the people who didn't.
In fact the latter two cases illustrate the practical definition of market hegemony: everybody knows it's fraud, but nobody can do anything about it.
Ethical frauds, i.e. frauds perpetrated by failing to act when you should, are harder to spot, harder to categorise, and hardest of all to be sure about, because the "right" action can be far from obvious, especially if your paycheck is on the line.
Some, of course, are easy to deal with: imagine yourself in a situation where your specialist knowledge combines with your job to give you inside information about a continuing fraud being perpetrated by your boss. Pretty clear what you should do, right?
But most are not that simple. Consider these examples:
In each case the problem is clear, but your ethical obligations are not. So what do you do? Refuse the work? Ignore the issue and just do what you're told? Step outside your own chain of authority to raise the issue with top management?
I've been in all six situations, and got all six wrong. So what would you have done?