Investigation into Oracle Project Allegations

8/18/2019 Investigation into Oracle Project Allegations

1/63

Hillsborough County Aviation Authority

Internal Audit Department

Project #2015‐005

Investigation of Allegations Related to the Oracle Project (CIP #6325‐15: HCAA

Enterprise Resource Planning & Analytics Program)


2/63

Investigation of Allegations / Internal Audit Report / Project #2015‐005


EXECUTIVE SUMMARY

PURPOSE OF INVESTIGATION

The purpose of this investigation was to assess the allegations resulting from an anonymous email and

subsequent allegations from current and former employees related to the procurement and

implementation of Capital Improvement Project (CIP) #6325‐15: HCAA Enterprise Resource Planning &

Analytics Program as well as potential information systems security risks. Four allegations are described

within this report. The Department of Ethics, Diversity, and Administration assisted with Allegation #2.

Bayside Solutions, Inc. (BSI) was hired to assist with Allegation #4.

BACKGROUND

Oracle Enterprise Resource Planning (ERP) software system was implemented in 1998 to automate the

Authority's general ledger, accounts receivable, accounts payable, project accounting, purchasing and

inventory functions. Oracle software maintenance and support services have been purchased each successive year to ensure that the ERP system remains compliant with critical business and cyber security

requirements. Two major upgrades have been performed since the ERP system was implemented. As

part of ongoing business automation initiatives, management determined it was necessary to expand the

ERP system to support additional business functions including Human Resources, Employee Time Keeping,

Payroll, Budgeting, Analytics and Advanced Business Reporting. CIP #6325‐15: HCAA Enterprise Resource

Planning & Analytics Program (the Project) was approved by the Board at the September 4, 2014 Board

meeting as part of the 2015 Capital and Operating Budget with a budget of $9,324,700.

RESULTS OF INVESTIGATION

Allegation #1: Oracle Project was not properly procured.

As of November 30, 2015, $8,159,350 had been spent on the Project. 97% of the costs associated with

the Project related to purchases of software and hardware from Oracle America, Inc., consulting services

from KPMG, LLP, and staff augmentation services from Veredus Corporation.

Other than some minor documentation inconsistencies, the Authority Policies and Standard Procedures

related to the sole source procurement from Oracle America, Inc. were properly followed. Information

was provided by Information Technology Services (ITS) and Procurement, reviewed by Legal Affairs, and

ultimately presented and approved by the Authority Board. The consulting services from KPMG, LLP were

properly procured utilizing an existing contract and the staff augmentation services from Veredus

Corporation were properly procured based on a cooperative contract.

Claims were made that a formal solicitation should have been performed to hire consultants for the implementation of the Project and that Gautham Sampath was hired on as an employee and others as

temporary employees through Veredus Corporation to circumvent the procurement process in the hiring

of a consultant. Mr. Sampath and the temporary staffing through Veredus Corporation were brought to

the Authority through channels that were allowable. There is nothing in the current Authority Policies

and Standard Procedures that prohibits hiring of an individual for a project with a specific duration and

cooperative contracts are an approved procurement method.


3/63



Allegation #2: Existence of conflicts of interest and preferential treatment.

While there were indications of potential conflicts of interest, the employment of Mr. Sampath and his

wife (who was a temporary employee through Veredus Corporation) was terminated in November 2015.

Therefore, the potential conflicts of interest no longer exist.

Separate allegations were made that Mr. Sampath took two vacations and did not record uni‐leave in

accordance with Authority Policies and Standard Procedures. This was alleged to be preferential

treatment. Mr. Sampath’s vacation was not properly monitored which led to hours not being properly

deducted from his uni‐leave balance. Prior to his termination, the uni‐leave balance was accurately

adjusted by Finance for the uni‐leave hours actually used.

Allegation #3: Overbilling of hours through Veredus.

Approximately $1,400,000 was paid to Veredus Corporation between April 1, 2014 and November 30,

2015 for 13,150 labor hours. Approximately 9,500 of the hours were for the Project while the remaining

hours related to other staffing needs within ITS. Based on the testing and verification performed over the

pay rates and approval process of hours billed, there is no evidence that overbilling occurred.

Allegation #4: Utilization of overseas workers which creates a security risk.

Seven users did access Authority Information Systems from overseas. However, other than Mr. Sampath,

they were restricted by network security policy which only allowed access to the Veredus environment.

They did not have access to the balance of the Authority’s network. Since

a part of the environment, BSI was unable to determine specifically what data may have been

transferred. Additionally, the data in the Veredus environment has changed throughout the progression

of the Project, so what is currently available in the Veredus environment does not necessarily represent

data that may have been present historically. Lastly, there were several security settings that were not

enabled which rendered some of the analysis conducted by BSI to be inconclusive. See Appendix 1 for corrective action taken and Appendix 2 for the results of the BSI analysis.

FINAL ASSESSMENT

Overall, the investigation of the allegations did not identify any specific fraudulent activity. However,

there were several Authority Standard Procedures that were not followed:

S150.01, Standards of Ethical Conduct

S270.06, Remote Access to Authority Information Systems

S270.07, Password Security

S270.09, ITS – Authorization for Access to Authority Information Systems

S611.01, Payroll and Time Reporting.

Additionally, there are various processes within the ITS, Procurement, and Human Resources

Departments that could be clarified and improved to provide additional guidance. These will be discussed

in detail with Authority Management.


4/63



TABLE OF CONTENTS

Transmial Leer

Introducon, Policy, and Allegaons 1

Allegaon #1 2

Allegaon #2 3

Allegaon #3 7

Allegaon #4 8

Conclusion 9

Appendix 1: Correcve Acon Taken 10

Appendix 2: Report from Bayside Soluons, Inc. 11


5/63


6/63


Hillsborough County Aviation Authority Page 1 of 11

INTRODUCTION, POLICY, AND ALLEGATIONS

On July 20, 2015, Laura Tatem, Director of Internal Audit received an anonymous email noting various

allegations in regards to the Oracle Project which is officially titled CIP #6325‐15: HCAA Enterprise

Resource Planning & Analytics Program, but will be referenced throughout this report as “the Oracle

Project”, “the Project”, or “Project #6325‐15”. In accordance with Authority Standard Procedure

S150.02, Ethics and Compliance Program and Investigations, Ms. Tatem brought the information forward

to Elita McMillon, Director of Ethics, Diversity, and Administration.

Upon discussion with Mrs. McMillon, it was discovered that the Department of Ethics, Diversity, and

Administration was already in the process of looking into certain potential conflicts of interest related to

an employee that was one of the key team members working on the implementation of the Project. The

employee was Gautham Sampath. Additionally, the Human Resources (HR) Department was in the

middle of determining whether or not Nirmala Perumal, the wife of Mr. Sampath, could be hired on as a

full time employee. Ms. Tatem and Mrs. McMillon reviewed the email and created a summary listing of the allegations that required further investigation. The email indicated there were other issues that

would be sent in subsequent emails. Ms. Tatem replied to the original email asking for more information

to substantiate the claims. No other emails were received from that email address.

In order to verify the credibility of the allegations in the anonymous email, Ms. Tatem and Mrs. McMillon

began to gather information and data as discretely as possible as to not alert anyone of the allegations.

Authority Standard Procedure S150.02, Ethics and Compliance Program and Investigations, indicates that

“all investigations will be performed in a discreet manner to avoid damaging the reputation of innocent

persons.”

Subsequent to the initial anonymous email, and during the information gathering stage of the

investigation, other information was brought forward from both current and former employees. Based

on the original email, the new information brought forward, and discussions with various Authority staff,

the allegations can be summarized as follows:

Allegation #1: Oracle Project was not properly procured.

Allegation #2: Existence of conflicts of interest and preferential treatment.

Allegation #3: Overbilling of hours through Veredus.

Allegation #4: Utilization of overseas workers which creates a security risk.

In order to assess the various allegations, information was gathered and research performed to

understand the Project, the surrounding circumstances and structure of the Project, and the contracts in

place related to the Project.

The Department of Ethics, Diversity, and Administration assisted with Allegation #2. Additionally, an

outside consultant, Bayside Solutions, Inc., was hired to assist with Allegation #4.


7/63



ALLEGATION #1: Oracle Project was not properly procured.

As of November 30, 2015, $8,159,350 had been spent on the Project. Of these expenses, 97% related to

the software and hardware purchases from Oracle America, Inc. (Oracle), consultant services from KPMG,

LLP (KPMG) and staff augmentation services from Veredus Corporation (Veredus).

The purchases from Oracle were procured via sole source procurement methods. Consulting services

from KPMG were procured utilizing an existing contract between KPMG and the Authority. Staff

augmentation costs through Veredus were procured using a cooperative contract. The majority of the

costs in the “other” category in the chart above were not investigated as they were not deemed pertinent

or material to Allegation #1. However, the procurement of Kaba Workforce Solutions, LLC (Kaba) was

reviewed due to the nature of the procurement being sole source.

Additionally, claims were made that a formal solicitation should have been performed to hire consultants

for the implementation of the Project and that Mr. Sampath was hired on as an employee, as well as the

temporary employees through Veredus, to circumvent the procurement process.

Purchases from Oracle America, Inc.

Other than some minor documentation inconsistencies, the Authority Policies and Standard Procedures

related to sole source procurements were properly followed for the award to Oracle America, Inc.

Information was provided by ITS and Procurement, reviewed by Legal Affairs, and ultimately presented and approved by the Authority Board. The inconsistencies in documentation are considered to be minor

points since it was not necessary for the Procurement Department to procure the Oracle software and

hardware utilizing the sole source purchase method. The Oracle License and Services Agreement with the

effective date of October 17, 2012, with subsequent amendment dated October 24, 2014, was already in

place and provided that orders for programs, hardware, operating system, integrated software and/or

services could be placed for three (3) years from its effective date.


8/63



Purchases from KPMG, LLP

Consulting services from KPMG, LLP were properly procured utilizing an existing contract between KPMG

and the Authority. The contract had remaining Board approved spending authority of approximately

$2,800,000 that could be used for implementation services for the Project.

Purchases from Veredus Corporation

The staff augmentation services from Veredus were procured utilizing an existing contract between the

City of Tampa and Veredus where formal solicitation procedures had already been performed thus

eliminating the need for the Authority to issue a formal solicitation. Authority Policy P410, Procurement,

authorizes the utilization of federal, state, local, or multi‐state cooperative contracts to purchase goods

and services without obtaining three quotes or advertisement. The City of Tampa award qualifies under

this Policy. The temporary staffing was to be used to support several ITS projects such as the

implementation of the Business Intelligence (BI) and Hyperion modules of Oracle and the

Common/Shared Use Passenger Processing System (C/SUPPS), as well as additional support for project

management and information security.

Purchases from Kaba Workforce Solutions, LLC

The Authority Policies and Standard Procedures related to sole source procurements were properly

followed for the award to Kaba. Information was provided by ITS and Procurement, reviewed by Legal

Affairs, and ultimately presented and approved by the Board.

Circumvention of Procurement Process

Mr. Sampath was hired to assist with the development and implementation of the Oracle BI and Hyperion

modules of the Project. This was estimated to be a 1½ to 2 year project for Mr. Sampath. Originally, he

was going to be hired through Veredus as a consultant (as evidenced by various ITS forms completed for

access to Authority systems). However, according to the Director of ITS and the Vice President of Finance, Procurement, and ITS, a cost assessment was performed and it was determined to be much more cost

effective for the Authority to hire him as a full time employee rather than through the Veredus contract.

The Human Resources Department was consulted in regards to this decision and was in agreement with

the decision.

As previously noted, the staff augmentation services from Veredus were based on a cooperative contract.

Mr. Sampath and the temporary staffing through Veredus were brought to the Authority through channels

that were allowable. There is nothing in the current Authority Policies and Standard Procedures that

prohibits the hiring of an individual for a project with a specific duration. Likewise, the use of cooperative

contracts is an approved procurement method.

ALLEGATION #2: Existence of conflicts of interest and preferential treatment.

Mr. Sampath’s official start date as a full time employee of the Authority was December 1, 2014.

Authority Policy P150, Code of Ethics and Ethics Program, and Authority Standard Procedure S150.01,

Standards of Ethical Conduct, require, among other things, leadership‐level employees to complete the

Conflict of Interest Disclosure Form on an annual basis. As a leadership‐level employee, Mr. Sampath’s

completed form was due to his Director by July 1, 2015 and his Director was responsible for forwarding


9/63



the completed form to the Ethics Coordinator by July 15, 2015. The form was not received by the Ethics

Coordinator by July 15, 2015.

Subsequently, the completed form was requested from Mr. Sampath along with the Off Duty

Employment Request Form. The completed forms were provided July 21, 2015. Once obtained, the

Department of Ethics, Diversity, and Administration began questioning the information provided on the

forms.

The following was disclosed on the Conflict of Interest Disclosure Form:

The following was disclosed on the Off Duty Employment Request Form:

Allegations were made claiming that Mr. Sampath had consulting contracts with other entities and that

he was performing work for these other clients on Authority time. The Internal Audit and Ethics,

Diversity, and Administration Departments gathered information to better assess the potential conflicts

of interest.

Innive, Inc. (Innive) was noted on the Conflict of Interest Disclosure Form. Innive is a company

headquartered at 18018 Malakai Isle Drive in Tampa. This address is also the home address of Gautham

Sampath and his wife, Nirmala Perumal, per the Authority’s records in the HR Department. According to

the Company’s website, Innive provides services encompassing all aspects of Oracle E‐Business Suite


10/63



Applications, Business Intelligence, Enterprise Performance Management, and Oracle Fusion Middleware

implementations. Innive is an Oracle Platinum Partner. According to the Florida Department of State

Divisions of Corporations website (www.sunbiz.org), Innive’s Registered Agent and Officer/Director is

Nirmala Perumal. Based on discussions with Mr. Sampath, Innive does not have a bank account, has no

employees, and has not begun any work. When asked about the client list noted on the Innive website,

he indicated Innive partnered with TransSys Solutions (TransSys) and those are the clients of TransSys.

TranSys is also an Oracle Platinum Partner.

Oracle Partner Network (OPN) offers members access to partner‐specific training, resources, go‐to‐

market tools, and support. The following is an excerpt from Oracle’s website:

The Oracle website lists several pages of benefits that are provided to an OPN member at the Platinum

level. However, it does note that “transactions with public sector entities will not be included in

determining any benefit…” See excerpt from website below:

Based on search criteria entered into the Florida Department of State Divisions of Corporations website

(www.sunbiz.org), 13 companies, including Innive, have been registered to transact business in the State

of Florida in which Gautham Sampath or Nirmala Perumal were identified as either the Registered Agent,

Officer, Director, or Authorized Person between the period of August 2008 and March 2015.

Additionally, one Fictitious Name was also registered. A Fictitious Name is a name under which any

person or business shall do or transact any business in this State which is other than the true name of

such person or business. This is commonly referred to as a “d/b/a”, an acronym for “doing business as.”

Of these 14 company names, Innive was the only company with a status of “active.”

Innive was awarded a “non‐exclusive” use contract with Prince George’s County Public Schools (PGCPS)

in Maryland. The Notice of Award was dated June 30, 2015 in response to RFP 049‐15 for Consulting

Services for Oracle E‐business Suite. The award letter was addressed to Mr. Sampath.

Prior to joining the Authority as an employee, Mr. Sampath worked as an employee of Pinellas County.

He was their Chief Technologist and implemented many Oracle applications including ERP 12.1.3, Oracle

Business Intelligence Enterprise Edition (OBIEE), and Hyperion. According to his resume, he was an

employee at Pinellas County from October 2010 through June 2014. He still had access to his Pinellas

County email address as of October 27, 2015.


11/63



While employed by the Authority, Mr. Sampath was receiving RFPs directly from Oracle for other

governmental agencies. When discussed with Mr. Sampath, he indicated that he often takes phone calls

and receives emails from other organizations for his input and expertise. He indicated he was working

on Proof of Concepts for several other entities.

Authority Standard Procedure S150.01, Standards of Ethical Conduct, indicates the following:

“Authority employees should identify and avoid conflicts of interest, refrain from placing

themselves in a position in which personal interests may come into conflict with the duty

owed to the public…” and “...Authority employees shall not use the Authority’s time,

facilities, equipment, or supplies for personal gain.”

While much of this information points to potential conflicts of interest, Mr. Sampath’s employment was

terminated effective November 20, 2015. Additionally, his wife’s assignment to the Authority was

terminated November

2, 2015

when

all

staffing

through

Veredus

was

suspended.

Therefore,

the

potential conflicts of interest no longer exist.

Separate allegations were made that Mr. Sampath took two vacations (one in April 2015 and one in August

2015) and did not record uni‐leave in accordance with Authority Policies and Standard Procedures. This

was alleged to be preferential treatment.

Uni‐leave records were obtained from the Authority’s Finance Department. The records indicated no uni‐

leave was taken by Mr. Sampath. The Finance Department met with Mr. Sampath and determined that

he had actually used 136 hours of uni‐leave that was never properly recorded. He had entered the uni‐

leave hours for the April vacation in Stromberg for approval by the Director of ITS. (Stromberg is the

Authority’s time and attendance software system.) The Director of ITS did not approve the leave within

Stromberg, so the hours were never deducted from Mr. Sampath’s uni‐leave balance. Mr. Sampath

recorded the hours related to the August vacation within the HEAT software system. (HEAT is an IT Service

Management Solution that ITS uses to support the ITS Help Desk in assigning and tracking the progress of

help desk tickets). This is not the proper system for entering uni‐leave information. Therefore, the August

hours were never deducted from Mr. Sampath’s uni‐leave balance.

The Director of ITS did not properly monitor Mr. Sampath’s uni‐leave and approved timesheets that did

not have uni‐leave recorded. Per Standard Procedure S611.01, Payroll and Time Reporting, “it is the

supervisor’s responsibility to ensure accuracy of the time sheet…” Additionally, “each employee is

individually responsible for the accuracy of their time sheet .” The uni‐leave balance has since been

corrected by deducting the proper amount of hours. Additionally, Mr. Sampath’s employment was

terminated effective November 20, 2015.

The other claims of preferential treatment included allowing Mr. Sampath to work from home and

allowing him to provide consultation services to other entities during Authority work hours. It was not

deemed necessary to investigate those further since Mr. Sampath is no longer employed by the

Authority.


12/63



ALLEGATION #3: Overbilling of hours through Veredus.

As described previously, the Authority utilized an existing contract between Veredus and the City of

Tampa for staffing services to hire temporary employees to assist with various ITS projects. Temporary

employees working through Veredus log into a time system maintained by Veredus to record their hours

worked. On a weekly basis, Veredus would send copies of the time sheets to Authority personnel for

approval. Copies of each timesheet were included in the Authority’s ERP system (Oracle) with notation

of which ITS staff member gave approval. Additionally, prior to being paid, the supporting timesheet,

along with the invoice from Veredus, was routed through the Authority’s Oracle workflow and approved

electronically by at least two people.

The anonymous email indicated that the staff through Veredus were off ‐site and that they only logged

into the Authority’s network through VPN for short periods of time, but then billed for longer periods of

time. Additionally, subsequent claims were made that the Veredus employees were logging into the

Authority network from overseas locations.

It was confirmed with ITS and Veredus that some of the temporary staff do work remotely (not physically

on site at the Authority). And, based on the type of work they perform, it is not abnormal to only log in

for short periods of time through VPN. Per ITS, much of the work done by the temporary staff was done

on remote machines for testing purposes and would not be done directly on Authority networks. One

individual would act as the “code controller” and upload all the work done on remote machines to the

master development server. The Director of ITS indicated all remote users were located domestically

within the United States. This was confirmed with the management of Veredus who indicated they only

supply domestic staffing services and do not utilize overseas staffing. (See Allegation #4 below which

addresses the claim of overseas workers.)

Using the information provided by Veredus and information obtained from each invoice, a full analysis of

pay rate, labor burden, and fee was completed for all payments made to Veredus from April 1, 2014

through November 30, 2015. To further ensure the accuracy of the information provided by Veredus,

procedures were performed to test a sample of the raw rates (pay rates) at Veredus’s office. No significant

exceptions were noted during these procedures.

The total paid to Veredus from April 1, 2014 through November 30, 2015 amounted to $1,360,471 for

13,150 labor hours. Approximately 9,500 of the hours were for the Project while the remaining hours

related to other staffing needs within ITS. Since many of the temporary staff were working remotely, their

actual hours cannot be directly tested. However, all of their timesheets were properly approved by ITS

employees throughout the time period tested. Additionally, staff of ITS indicated the deliverables were

meeting expectations and were proof that the applicable hours were being worked. Based on the testing

and verification performed over the pay rates and the approval process of hours billed, there is no

evidence that overbilling occurred.


13/63



ALLEGATION #4: Utilization of overseas workers which creates a security risk.

Allegations were made indicating potential security risks associated with the use of overseas workers.

During the testing and analysis of the Veredus billings, it was discovered that there were several

individuals with user IDs in under the “Veridus” group that were not included on any of

the invoices from Veredus. (Note: proper spelling is Veredus, but setup on Authority network used

spelling of Veridus.) VPN logs were reviewed for these users and indicated numerous logins from

overseas. Bayside Solutions, Inc. (BSI) was hired by the Internal Audit Department to assist with this

portion of the investigation.

A “sub‐group” was created within the “Vendors” group in entitled “Veridus”. This sub‐

group contained 17 users. Mr. Sampath and Mrs. Perumal were not included in the “Veridus” group. They

each had two user IDs, an administrative user ID located in the ITS/ITS Admin Accounts group and a regular

user ID located in the ITS/Information Technology Services Users group.

Of the 17 users within the Veridus sub‐group, only six were included on the invoices from Veredus. Of

the 11 not included on the invoices from Veredus, six logged in via VPN. There is no evidence of the other

5 users logging in via VPN. In accordance with Authority Standard Procedure S270.09, ITS‐Authorization

for Access to Authority Information Systems, an individual is granted access to Authority information

systems after completion of the AM‐07 and AM‐10 Forms. Authority Standard Procedure S270.06,

Remote Access to Authority Information Systems, requires the AM‐22 Form to be completed to be granted

remote access.

1. AM‐07 – Access to Authority Information Systems Acknowledgement Form

2. AM‐10 – Authorization for Access to Authority Information Systems

3.

AM‐22 – VPN Software Remote Access Request Form

The AM Forms were obtained and reviewed for those in the Veridus group as well as for

Mr. Sampath and Mrs. Perumal. Many of the forms were not properly completed (e.g., missing contact

information, missing signatures, same phone number for different individuals). Four of the AM‐07 forms

were not on file and 15 of the AM‐10 forms were not on file.

All of the AM forms on file indicated that the individuals worked for Veredus, with the exception of Mr.

Sampath since he was hired as an Authority employee. Based on review of the invoices and on verbal

confirmation from Veredus, several of the users were not affiliated with Veredus.

Internal Audit hired BSI to provide consulting services to assess potential security violations of Authority

networks, systems, and peripherals. This included review of the 19 users identified (17 in the Veridus group, Mr. Sampath, and Mrs. Perumal) and user activity to determine if inappropriate access, storage

or transmittal or any level of information security compromise occurred between March 1, 2014 and

October 23, 2015. A copy of the BSI report is attached as Appendix 2.

BSI also analyzed the VPN logs for login locations as well as any indication of password sharing. The BSI

report indicates the following login locations based on Geolocation (GEO) information of where the

connection originated:


14/63



The BSI report also disclosed instances in which VPN credentials were shared. Sharing network access

credentials is a violation of Authority Standard Procedure S270.07, Password Security.

Based on the information in the BSI report, the users set up under the Veridus sub‐group were restricted

by network security policy which only allowed access to the Veredus environment. They did not have

access to the balance of the Authority’s network. However, Mr. Sampath and Mrs. Perumal had

additional access since they had regular and admin accounts. Since

a part of the environment, BSI was unable to determine specifically what data may have been

transferred. Additionally, the data in the Veredus environment may have changed throughout the

progression of the Project, so what is currently available in the Veredus environment does not necessarily

represent data that may have been present historically.

The BSI report indicated there were several security settings that were not enabled. This caused some

analysis to be inconclusive.

See Appendix 1 for corrective action taken and Appendix 2 for results of the BSI analysis.

CONCLUSION

Overall, the investigation of the allegations did not identify specific fraudulent activity. However, there

were several Authority Standard Procedures that were not followed and there are processes within the

ITS, Procurement, and HR Departments that could be clarified and improved to provide additional

guidance. These will be discussed in detail with Authority Management.

This report was prepared by the Authority’s Internal Audit Department and Department of Ethics,

Diversity, and Administration. It is intended solely for the information and use of the Audit Committee

and Management of the Authority. This restriction is not intended to limit distribution of this report,

which is a matter of public record.


15/63



APPENDIX 1: CORRECTIVE ACTION TAKEN

The following corrective action was taken prior to the completion of this investigation:

Corrective Action:

1) Employment of Gautham Sampath was terminated

2) All staffing through the Veredus contract was suspended

3) All User IDs under the “Veridus” group were disabled

4) Mr. Sampath’s uni‐leave balance was adjusted to actual

5) Web VPN was disabled

6) VPN sessions limited to only one concurrent connection

7) VPN sessions terminated after one hour at which time the user can log back in (with the exception

of ITS employees who are provided longer log in times in order to maintain systems)

8) VPN sessions will be supported only if they originate from an Authority device

9)

A new

process

was

established

for

granting

VPN

access

to individuals

from

any

vendor.

The

AM

‐

22 Form was revised specifying more terms and conditions, as approved by Legal Affairs.

Additionally, the following documentation will be required: 1) a letter from the vendor that

indicates a background investigation has been performed, 2) a copy of the individual’s resume

with verifiable contacts, and 3) a copy of the front and back of the individual’s driver’s license.

Although, not a direct result of this investigation, the Board authorized a purchase order to Vaco Risk

Solutions, Inc. (Vaco) at the December 3, 2015 Board meeting for a not to exceed amount of $127,400.

Vaco specializes in providing enterprise solutions that secure people, facilities, processes and

technology. They will provide the Authority with a comprehensive network security assessment.


16/63



APPENDIX 2: REPORT FROM BAYSIDE SOLUTIONS, INC.

Bayside Solutions, Inc. (BSI) was hired by the Internal Audit Department to assist with Allegation

#4.

Their

full

report

is

attached

to

this

report.


17/63



Hillsborough

County

Aviation

Authority

Internal

Audit

Department

MISSION

To provide the Board and management with an independent appraisal of the systems of internal

accounting and operational control; of the compliance to the terms of agreements and appropriateness

of fees paid by tenants, concessionaires, and permittees; and the appropriateness of funds expended.

INDEPENDENCE

The Internal Audit Department is independent of and does not have direct responsibility, control, or

authority over the activities audited. This allows the auditors to carry out their work freely and objectively.

Policies and procedures are in place within the department to identify and safeguard against any potential

threats to independence.

CONTACT INFORMATION

Laura Tatem, Director of Internal Audit [email protected]

Elita McMillon, Director of Ethics, Diversity and Administration [email protected]


Internal Audit

Department

P.O. Box 22287

Tampa, FL 33622


18/63


19/63


20/63


21/63


22/63


23/63


24/63


25/63


26/63


27/63


28/63


29/63


30/63


31/63


32/63


33/63


34/63


35/63


36/63


37/63


38/63


39/63


40/63


41/63


42/63


43/63


44/63


45/63


46/63


47/63


48/63


49/63


50/63


51/63


52/63


53/63


54/63


55/63


56/63


57/63


58/63


59/63


60/63


61/63


62/63


63/63

Documents

Investigation into Oracle Project Allegations