8/18/2019 Investigation into Oracle Project Allegations
Hillsborough County Aviation Authority
Internal Audit Department
Project #2015‐005
Investigation of Allegations Related to the Oracle Project (CIP #6325‐15: HCAA
Enterprise Resource Planning & Analytics Program)
Investigation of Allegations / Internal Audit Report / Project #2015‐005
Hillsborough County Aviation Authority
EXECUTIVE SUMMARY
PURPOSE OF INVESTIGATION
The purpose of this investigation was to assess the allegations resulting from an anonymous email and
subsequent allegations from current and former employees related to the procurement and
implementation of Capital Improvement Project (CIP) #6325‐15: HCAA Enterprise Resource Planning &
Analytics Program as well as potential information systems security risks. Four allegations are described
within this report. The Department of Ethics, Diversity, and Administration assisted with Allegation #2.
Bayside Solutions, Inc. (BSI) was hired to assist with Allegation #4.
BACKGROUND
The Oracle Enterprise Resource Planning (ERP) software system was implemented in 1998 to automate the
Authority's general ledger, accounts receivable, accounts payable, project accounting, purchasing and
inventory functions. Oracle software maintenance and support services have been purchased each successive year to ensure that the ERP system remains compliant with critical business and cyber security
requirements. Two major upgrades have been performed since the ERP system was implemented. As
part of ongoing business automation initiatives, management determined it was necessary to expand the
ERP system to support additional business functions including Human Resources, Employee Time Keeping,
Payroll, Budgeting, Analytics and Advanced Business Reporting. CIP #6325‐15: HCAA Enterprise Resource
Planning & Analytics Program (the Project) was approved by the Board at the September 4, 2014 Board
meeting as part of the 2015 Capital and Operating Budget with a budget of $9,324,700.
RESULTS OF INVESTIGATION
Allegation #1: Oracle Project was not properly procured.
As of November 30, 2015, $8,159,350 had been spent on the Project. 97% of the costs associated with
the Project related to purchases of software and hardware from Oracle America, Inc., consulting services
from KPMG, LLP, and staff augmentation services from Veredus Corporation.
Other than some minor documentation inconsistencies, the Authority Policies and Standard Procedures
related to the sole source procurement from Oracle America, Inc. were properly followed. Information
was provided by Information Technology Services (ITS) and Procurement, reviewed by Legal Affairs, and
ultimately presented and approved by the Authority Board. The consulting services from KPMG, LLP were
properly procured utilizing an existing contract and the staff augmentation services from Veredus
Corporation were properly procured based on a cooperative contract.
Claims were made that a formal solicitation should have been performed to hire consultants for the implementation of the Project and that Gautham Sampath was hired on as an employee and others as
temporary employees through Veredus Corporation to circumvent the procurement process in the hiring
of a consultant. Mr. Sampath and the temporary staffing through Veredus Corporation were brought to
the Authority through channels that were allowable. There is nothing in the current Authority Policies
and Standard Procedures that prohibits hiring of an individual for a project with a specific duration and
cooperative contracts are an approved procurement method.
Allegation #2: Existence of conflicts of interest and preferential treatment.
While there were indications of potential conflicts of interest, the employment of Mr. Sampath and his
wife (who was a temporary employee through Veredus Corporation) was terminated in November 2015.
Therefore, the potential conflicts of interest no longer exist.
Separate allegations were made that Mr. Sampath took two vacations and did not record uni‐leave in
accordance with Authority Policies and Standard Procedures. This was alleged to be preferential
treatment. Mr. Sampath’s vacation was not properly monitored which led to hours not being properly
deducted from his uni‐leave balance. Prior to his termination, the uni‐leave balance was accurately
adjusted by Finance for the uni‐leave hours actually used.
Allegation #3: Overbilling of hours through Veredus.
Approximately $1,400,000 was paid to Veredus Corporation between April 1, 2014 and November 30,
2015 for 13,150 labor hours. Approximately 9,500 of the hours were for the Project while the remaining
hours related to other staffing needs within ITS. Based on the testing and verification performed over the
pay rates and approval process of hours billed, there is no evidence that overbilling occurred.
Allegation #4: Utilization of overseas workers which creates a security risk.
Seven users did access Authority Information Systems from overseas. However, other than Mr. Sampath,
they were restricted by network security policy which only allowed access to the Veredus environment.
They did not have access to the balance of the Authority’s network. Since
a part of the environment, BSI was unable to determine specifically what data may have been
transferred. Additionally, the data in the Veredus environment has changed throughout the progression
of the Project, so what is currently available in the Veredus environment does not necessarily represent
data that may have been present historically. Lastly, there were several security settings that were not
enabled which rendered some of the analysis conducted by BSI to be inconclusive. See Appendix 1 for corrective action taken and Appendix 2 for the results of the BSI analysis.
FINAL ASSESSMENT
Overall, the investigation of the allegations did not identify any specific fraudulent activity. However,
there were several Authority Standard Procedures that were not followed:
S150.01, Standards of Ethical Conduct
S270.06, Remote Access to Authority Information Systems
S270.07, Password Security
S270.09, ITS – Authorization for Access to Authority Information Systems
S611.01, Payroll and Time Reporting.
Additionally, there are various processes within the ITS, Procurement, and Human Resources
Departments that could be clarified and improved to provide additional guidance. These will be discussed
in detail with Authority Management.
TABLE OF CONTENTS
Transmittal Letter
Introduction, Policy, and Allegations
Allegation #1
Allegation #2
Allegation #3
Allegation #4
Conclusion
Appendix 1: Corrective Action Taken
Appendix 2: Report from Bayside Solutions, Inc.
INTRODUCTION, POLICY, AND ALLEGATIONS
On July 20, 2015, Laura Tatem, Director of Internal Audit, received an anonymous email noting various
allegations in regard to the Oracle Project, which is officially titled CIP #6325‐15: HCAA Enterprise
Resource Planning & Analytics Program, but will be referenced throughout this report as “the Oracle
Project”, “the Project”, or “Project #6325‐15”. In accordance with Authority Standard Procedure
S150.02, Ethics and Compliance Program and Investigations, Ms. Tatem brought the information forward
to Elita McMillon, Director of Ethics, Diversity, and Administration.
Upon discussion with Mrs. McMillon, it was discovered that the Department of Ethics, Diversity, and
Administration was already in the process of looking into certain potential conflicts of interest related to
an employee that was one of the key team members working on the implementation of the Project. The
employee was Gautham Sampath. Additionally, the Human Resources (HR) Department was in the
middle of determining whether or not Nirmala Perumal, the wife of Mr. Sampath, could be hired on as a
full time employee. Ms. Tatem and Mrs. McMillon reviewed the email and created a summary listing of the allegations that required further investigation. The email indicated there were other issues that
would be sent in subsequent emails. Ms. Tatem replied to the original email asking for more information
to substantiate the claims. No other emails were received from that email address.
In order to verify the credibility of the allegations in the anonymous email, Ms. Tatem and Mrs. McMillon
began to gather information and data as discreetly as possible so as not to alert anyone of the allegations.
Authority Standard Procedure S150.02, Ethics and Compliance Program and Investigations, indicates that
“all investigations will be performed in a discreet manner to avoid damaging the reputation of innocent
persons.”
Subsequent to the initial anonymous email, and during the information gathering stage of the
investigation, other information was brought forward from both current and former employees. Based
on the original email, the new information brought forward, and discussions with various Authority staff,
the allegations can be summarized as follows:
Allegation #1: Oracle Project was not properly procured.
Allegation #2: Existence of conflicts of interest and preferential treatment.
Allegation #3: Overbilling of hours through Veredus.
Allegation #4: Utilization of overseas workers which creates a security risk.
In order to assess the various allegations, information was gathered and research performed to
understand the Project, the surrounding circumstances and structure of the Project, and the contracts in
place related to the Project.
The Department of Ethics, Diversity, and Administration assisted with Allegation #2. Additionally, an
outside consultant, Bayside Solutions, Inc., was hired to assist with Allegation #4.
ALLEGATION #1: Oracle Project was not properly procured.
As of November 30, 2015, $8,159,350 had been spent on the Project. Of these expenses, 97% related to
the software and hardware purchases from Oracle America, Inc. (Oracle), consultant services from KPMG,
LLP (KPMG) and staff augmentation services from Veredus Corporation (Veredus).
The purchases from Oracle were procured via sole source procurement methods. Consulting services
from KPMG were procured utilizing an existing contract between KPMG and the Authority. Staff
augmentation costs through Veredus were procured using a cooperative contract. The majority of the
costs in the “other” category in the chart above were not investigated as they were not deemed pertinent
or material to Allegation #1. However, the procurement of Kaba Workforce Solutions, LLC (Kaba) was
reviewed due to the nature of the procurement being sole source.
Additionally, claims were made that a formal solicitation should have been performed to hire consultants
for the implementation of the Project and that Mr. Sampath was hired on as an employee, as well as the
temporary employees through Veredus, to circumvent the procurement process.
Purchases from Oracle America, Inc.
Other than some minor documentation inconsistencies, the Authority Policies and Standard Procedures
related to sole source procurements were properly followed for the award to Oracle America, Inc.
Information was provided by ITS and Procurement, reviewed by Legal Affairs, and ultimately presented and approved by the Authority Board. The inconsistencies in documentation are considered to be minor
points since it was not necessary for the Procurement Department to procure the Oracle software and
hardware utilizing the sole source purchase method. The Oracle License and Services Agreement with the
effective date of October 17, 2012, with subsequent amendment dated October 24, 2014, was already in
place and provided that orders for programs, hardware, operating system, integrated software and/or
services could be placed for three (3) years from its effective date.
Purchases from KPMG, LLP
Consulting services from KPMG, LLP were properly procured utilizing an existing contract between KPMG
and the Authority. The contract had remaining Board approved spending authority of approximately
$2,800,000 that could be used for implementation services for the Project.
Purchases from Veredus Corporation
The staff augmentation services from Veredus were procured utilizing an existing contract between the
City of Tampa and Veredus where formal solicitation procedures had already been performed thus
eliminating the need for the Authority to issue a formal solicitation. Authority Policy P410, Procurement,
authorizes the utilization of federal, state, local, or multi‐state cooperative contracts to purchase goods
and services without obtaining three quotes or advertisement. The City of Tampa award qualifies under
this Policy. The temporary staffing was to be used to support several ITS projects such as the
implementation of the Business Intelligence (BI) and Hyperion modules of Oracle and the
Common/Shared Use Passenger Processing System (C/SUPPS), as well as additional support for project
management and information security.
Purchases from Kaba Workforce Solutions, LLC
The Authority Policies and Standard Procedures related to sole source procurements were properly
followed for the award to Kaba. Information was provided by ITS and Procurement, reviewed by Legal
Affairs, and ultimately presented and approved by the Board.
Circumvention of Procurement Process
Mr. Sampath was hired to assist with the development and implementation of the Oracle BI and Hyperion
modules of the Project. This was estimated to be a 1½ to 2 year project for Mr. Sampath. Originally, he
was going to be hired through Veredus as a consultant (as evidenced by various ITS forms completed for
access to Authority systems). However, according to the Director of ITS and the Vice President of Finance, Procurement, and ITS, a cost assessment was performed and it was determined to be much more cost
effective for the Authority to hire him as a full time employee rather than through the Veredus contract.
The Human Resources Department was consulted in regards to this decision and was in agreement with
the decision.
As previously noted, the staff augmentation services from Veredus were based on a cooperative contract.
Mr. Sampath and the temporary staffing through Veredus were brought to the Authority through channels
that were allowable. There is nothing in the current Authority Policies and Standard Procedures that
prohibits the hiring of an individual for a project with a specific duration. Likewise, the use of cooperative
contracts is an approved procurement method.
ALLEGATION #2: Existence of conflicts of interest and preferential treatment.
Mr. Sampath’s official start date as a full time employee of the Authority was December 1, 2014.
Authority Policy P150, Code of Ethics and Ethics Program, and Authority Standard Procedure S150.01,
Standards of Ethical Conduct, require, among other things, leadership‐level employees to complete the
Conflict of Interest Disclosure Form on an annual basis. As a leadership‐level employee, Mr. Sampath’s
completed form was due to his Director by July 1, 2015 and his Director was responsible for forwarding
the completed form to the Ethics Coordinator by July 15, 2015. The form was not received by the Ethics
Coordinator by July 15, 2015.
Subsequently, the completed form was requested from Mr. Sampath along with the Off Duty
Employment Request Form. The completed forms were provided July 21, 2015. Once obtained, the
Department of Ethics, Diversity, and Administration began questioning the information provided on the
forms.
The following was disclosed on the Conflict of Interest Disclosure Form:
The following was disclosed on the Off Duty Employment Request Form:
Allegations were made claiming that Mr. Sampath had consulting contracts with other entities and that
he was performing work for these other clients on Authority time. The Internal Audit and Ethics,
Diversity, and Administration Departments gathered information to better assess the potential conflicts
of interest.
Innive, Inc. (Innive) was noted on the Conflict of Interest Disclosure Form. Innive is a company
headquartered at 18018 Malakai Isle Drive in Tampa. This address is also the home address of Gautham
Sampath and his wife, Nirmala Perumal, per the Authority’s records in the HR Department. According to
the Company’s website, Innive provides services encompassing all aspects of Oracle E‐Business Suite
Applications, Business Intelligence, Enterprise Performance Management, and Oracle Fusion Middleware
implementations. Innive is an Oracle Platinum Partner. According to the Florida Department of State
Divisions of Corporations website (www.sunbiz.org), Innive’s Registered Agent and Officer/Director is
Nirmala Perumal. Based on discussions with Mr. Sampath, Innive does not have a bank account, has no
employees, and has not begun any work. When asked about the client list noted on the Innive website,
he indicated Innive partnered with TransSys Solutions (TransSys) and those are the clients of TransSys.
TransSys is also an Oracle Platinum Partner.
Oracle Partner Network (OPN) offers members access to partner‐specific training, resources, go‐to‐
market tools, and support. The following is an excerpt from Oracle’s website:
The Oracle website lists several pages of benefits that are provided to an OPN member at the Platinum
level. However, it does note that “transactions with public sector entities will not be included in
determining any benefit…” See excerpt from website below:
Based on search criteria entered into the Florida Department of State Divisions of Corporations website
(www.sunbiz.org), 13 companies, including Innive, have been registered to transact business in the State
of Florida in which Gautham Sampath or Nirmala Perumal were identified as either the Registered Agent,
Officer, Director, or Authorized Person between the period of August 2008 and March 2015.
Additionally, one Fictitious Name was also registered. A Fictitious Name is a name under which any
person or business shall do or transact any business in this State which is other than the true name of
such person or business. This is commonly referred to as a “d/b/a”, an acronym for “doing business as.”
Of these 14 company names, Innive was the only company with a status of “active.”
Innive was awarded a “non‐exclusive” use contract with Prince George’s County Public Schools (PGCPS)
in Maryland. The Notice of Award was dated June 30, 2015 in response to RFP 049‐15 for Consulting
Services for Oracle E‐business Suite. The award letter was addressed to Mr. Sampath.
Prior to joining the Authority as an employee, Mr. Sampath worked as an employee of Pinellas County.
He was their Chief Technologist and implemented many Oracle applications including ERP 12.1.3, Oracle
Business Intelligence Enterprise Edition (OBIEE), and Hyperion. According to his resume, he was an
employee at Pinellas County from October 2010 through June 2014. He still had access to his Pinellas
County email address as of October 27, 2015.
While employed by the Authority, Mr. Sampath was receiving RFPs directly from Oracle for other
governmental agencies. When discussed with Mr. Sampath, he indicated that he often takes phone calls
and receives emails from other organizations for his input and expertise. He indicated he was working
on Proof of Concepts for several other entities.
Authority Standard Procedure S150.01, Standards of Ethical Conduct, indicates the following:
“Authority employees should identify and avoid conflicts of interest, refrain from placing
themselves in a position in which personal interests may come into conflict with the duty
owed to the public…” and “...Authority employees shall not use the Authority’s time,
facilities, equipment, or supplies for personal gain.”
While much of this information points to potential conflicts of interest, Mr. Sampath’s employment was
terminated effective November 20, 2015. Additionally, his wife’s assignment to the Authority was
terminated November 2, 2015 when all staffing through Veredus was suspended. Therefore, the
potential conflicts of interest no longer exist.
Separate allegations were made that Mr. Sampath took two vacations (one in April 2015 and one in August
2015) and did not record uni‐leave in accordance with Authority Policies and Standard Procedures. This
was alleged to be preferential treatment.
Uni‐leave records were obtained from the Authority’s Finance Department. The records indicated no uni‐
leave was taken by Mr. Sampath. The Finance Department met with Mr. Sampath and determined that
he had actually used 136 hours of uni‐leave that was never properly recorded. He had entered the uni‐
leave hours for the April vacation in Stromberg for approval by the Director of ITS. (Stromberg is the
Authority’s time and attendance software system.) The Director of ITS did not approve the leave within
Stromberg, so the hours were never deducted from Mr. Sampath’s uni‐leave balance. Mr. Sampath
recorded the hours related to the August vacation within the HEAT software system. (HEAT is an IT Service
Management Solution that ITS uses to support the ITS Help Desk in assigning and tracking the progress of
help desk tickets). This is not the proper system for entering uni‐leave information. Therefore, the August
hours were never deducted from Mr. Sampath’s uni‐leave balance.
The Director of ITS did not properly monitor Mr. Sampath’s uni‐leave and approved timesheets that did
not have uni‐leave recorded. Per Standard Procedure S611.01, Payroll and Time Reporting, “it is the
supervisor’s responsibility to ensure accuracy of the time sheet…” Additionally, “each employee is
individually responsible for the accuracy of their time sheet.” The uni‐leave balance has since been
corrected by deducting the proper amount of hours. Additionally, Mr. Sampath’s employment was
terminated effective November 20, 2015.
The other claims of preferential treatment included allowing Mr. Sampath to work from home and
allowing him to provide consultation services to other entities during Authority work hours. It was not
deemed necessary to investigate those further since Mr. Sampath is no longer employed by the
Authority.
ALLEGATION #3: Overbilling of hours through Veredus.
As described previously, the Authority utilized an existing contract between Veredus and the City of
Tampa for staffing services to hire temporary employees to assist with various ITS projects. Temporary
employees working through Veredus log into a time system maintained by Veredus to record their hours
worked. On a weekly basis, Veredus would send copies of the time sheets to Authority personnel for
approval. Copies of each timesheet were included in the Authority’s ERP system (Oracle) with notation
of which ITS staff member gave approval. Additionally, prior to being paid, the supporting timesheet,
along with the invoice from Veredus, was routed through the Authority’s Oracle workflow and approved
electronically by at least two people.
The anonymous email indicated that the staff through Veredus were off‐site and that they only logged
into the Authority’s network through VPN for short periods of time, but then billed for longer periods of
time. Additionally, subsequent claims were made that the Veredus employees were logging into the
Authority network from overseas locations.
It was confirmed with ITS and Veredus that some of the temporary staff do work remotely (not physically
on site at the Authority). And, based on the type of work they perform, it is not abnormal to only log in
for short periods of time through VPN. Per ITS, much of the work done by the temporary staff was done
on remote machines for testing purposes and would not be done directly on Authority networks. One
individual would act as the “code controller” and upload all the work done on remote machines to the
master development server. The Director of ITS indicated all remote users were located domestically
within the United States. This was confirmed with the management of Veredus who indicated they only
supply domestic staffing services and do not utilize overseas staffing. (See Allegation #4 below which
addresses the claim of overseas workers.)
Using the information provided by Veredus and information obtained from each invoice, a full analysis of
pay rate, labor burden, and fee was completed for all payments made to Veredus from April 1, 2014
through November 30, 2015. To further ensure the accuracy of the information provided by Veredus,
procedures were performed to test a sample of the raw rates (pay rates) at Veredus’s office. No significant
exceptions were noted during these procedures.
The total paid to Veredus from April 1, 2014 through November 30, 2015 amounted to $1,360,471 for
13,150 labor hours. Approximately 9,500 of the hours were for the Project while the remaining hours
related to other staffing needs within ITS. Since many of the temporary staff were working remotely, their
actual hours cannot be directly tested. However, all of their timesheets were properly approved by ITS
employees throughout the time period tested. Additionally, staff of ITS indicated the deliverables were
meeting expectations and were proof that the applicable hours were being worked. Based on the testing
and verification performed over the pay rates and the approval process of hours billed, there is no
evidence that overbilling occurred.
ALLEGATION #4: Utilization of overseas workers which creates a security risk.
Allegations were made indicating potential security risks associated with the use of overseas workers.
During the testing and analysis of the Veredus billings, it was discovered that there were several
individuals with user IDs in under the “Veridus” group that were not included on any of
the invoices from Veredus. (Note: proper spelling is Veredus, but setup on Authority network used
spelling of Veridus.) VPN logs were reviewed for these users and indicated numerous logins from
overseas. Bayside Solutions, Inc. (BSI) was hired by the Internal Audit Department to assist with this
portion of the investigation.
A “sub‐group” was created within the “Vendors” group in entitled “Veridus”. This sub‐
group contained 17 users. Mr. Sampath and Mrs. Perumal were not included in the “Veridus” group. They
each had two user IDs, an administrative user ID located in the ITS/ITS Admin Accounts group and a regular
user ID located in the ITS/Information Technology Services Users group.
Of the 17 users within the Veridus sub‐group, only six were included on the invoices from Veredus. Of
the 11 not included on the invoices from Veredus, six logged in via VPN. There is no evidence of the other
5 users logging in via VPN. In accordance with Authority Standard Procedure S270.09, ITS‐Authorization
for Access to Authority Information Systems, an individual is granted access to Authority information
systems after completion of the AM‐07 and AM‐10 Forms. Authority Standard Procedure S270.06,
Remote Access to Authority Information Systems, requires the AM‐22 Form to be completed to be granted
remote access.
1. AM‐07 – Access to Authority Information Systems Acknowledgement Form
2. AM‐10 – Authorization for Access to Authority Information Systems
3. AM‐22 – VPN Software Remote Access Request Form
The AM Forms were obtained and reviewed for those in the Veridus group as well as for
Mr. Sampath and Mrs. Perumal. Many of the forms were not properly completed (e.g., missing contact
information, missing signatures, same phone number for different individuals). Four of the AM‐07 forms
were not on file and 15 of the AM‐10 forms were not on file.
All of the AM forms on file indicated that the individuals worked for Veredus, with the exception of Mr.
Sampath since he was hired as an Authority employee. Based on review of the invoices and on verbal
confirmation from Veredus, several of the users were not affiliated with Veredus.
Internal Audit hired BSI to provide consulting services to assess potential security violations of Authority
networks, systems, and peripherals. This included review of the 19 users identified (17 in the Veridus group, Mr. Sampath, and Mrs. Perumal) and user activity to determine if inappropriate access, storage
or transmittal or any level of information security compromise occurred between March 1, 2014 and
October 23, 2015. A copy of the BSI report is attached as Appendix 2.
BSI also analyzed the VPN logs for login locations as well as any indication of password sharing. The BSI
report indicates the following login locations based on Geolocation (GEO) information of where the
connection originated:
The BSI report also disclosed instances in which VPN credentials were shared. Sharing network access
credentials is a violation of Authority Standard Procedure S270.07, Password Security.
Based on the information in the BSI report, the users set up under the Veridus sub‐group were restricted
by network security policy which only allowed access to the Veredus environment. They did not have
access to the balance of the Authority’s network. However, Mr. Sampath and Mrs. Perumal had
additional access since they had regular and admin accounts. Since
a part of the environment, BSI was unable to determine specifically what data may have been
transferred. Additionally, the data in the Veredus environment may have changed throughout the
progression of the Project, so what is currently available in the Veredus environment does not necessarily
represent data that may have been present historically.
The BSI report indicated there were several security settings that were not enabled. This caused some
analysis to be inconclusive.
See Appendix 1 for corrective action taken and Appendix 2 for results of the BSI analysis.
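The reconciliation described in this section (vendor group membership against invoices, then VPN log review for login location and shared credentials), as an added example that is not part of the audit report or of BSI's analysis. The account names, addresses, log line format, pre-resolved country field (XA is a placeholder code) and the overlapping-session heuristic for shared credentials are all assumptions.

```python
"""Added example: reconcile a vendor access group against invoices and VPN logs.
All names, addresses and log lines below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inputs: accounts in the vendor sub-group and accounts billed on invoices.
VENDOR_GROUP = ["vuser01", "vuser02", "vuser03", "vuser04", "vuser05"]
INVOICED = {"vuser01", "vuser02"}

# Constructed VPN log, assumed format: timestamp user source_ip country action.
# The country is assumed to have been resolved by a GeoIP lookup beforehand.
VPN_LOG = """\
2015-06-01T08:00:00 vuser01 198.51.100.10 US LOGIN
2015-06-01T08:40:00 vuser01 198.51.100.10 US LOGOUT
2015-06-01T09:00:00 vuser03 203.0.113.7 XA LOGIN
2015-06-01T09:30:00 vuser03 192.0.2.44 US LOGIN
2015-06-01T10:00:00 vuser03 203.0.113.7 XA LOGOUT
2015-06-01T10:05:00 vuser03 192.0.2.44 US LOGOUT
2015-06-02T07:00:00 vuser04 203.0.113.9 XA LOGIN
2015-06-02T07:20:00 vuser04 203.0.113.9 XA LOGOUT
2015-06-02T11:00:00 vuser02 198.51.100.22 US LOGIN
bad line
""".splitlines()


def parse_vpn_log(lines):
    """Return time-ordered (when, user, ip, country, action) tuples; skip bad lines."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[4] not in ("LOGIN", "LOGOUT"):
            continue
        ts, user, ip, country, action = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append((when, user.lower(), ip, country.upper(), action))
    return sorted(events)


def reconcile(group, invoiced, events):
    """Compare group membership with the invoice roster and with VPN activity."""
    logged_in = {user for _, user, _, _, action in events if action == "LOGIN"}
    uninvoiced = [u for u in group if u not in invoiced]
    return {
        "uninvoiced": uninvoiced,
        "uninvoiced_with_vpn": [u for u in uninvoiced if u in logged_in],
        "uninvoiced_no_vpn": [u for u in uninvoiced if u not in logged_in],
        "invoiced_not_in_group": sorted(set(invoiced) - set(group)),
    }


def overseas_logins(events, home="US"):
    """Map each user to the set of non-home countries their logins came from."""
    found = defaultdict(set)
    for _, user, _, country, action in events:
        if action == "LOGIN" and country != home:
            found[user].add(country)
    return dict(found)


def concurrent_sessions(events, max_age=timedelta(hours=12)):
    """Flag a login from a second address while another session is still open.

    Overlap from two addresses is an indicator of credential sharing, not proof.
    Sessions with no LOGOUT are expired after max_age (assumed value) so a
    missing log line does not produce findings indefinitely.
    """
    open_sessions = defaultdict(dict)  # user -> {source_ip: login time}
    findings = []
    for when, user, ip, _, action in events:
        active = open_sessions[user]
        if action == "LOGOUT":
            active.pop(ip, None)
            continue
        for other_ip, started in list(active.items()):
            if when - started > max_age:
                del active[other_ip]
            elif other_ip != ip:
                findings.append((user, other_ip, ip, when.isoformat()))
        active[ip] = when
    return findings


if __name__ == "__main__":
    evts = parse_vpn_log(VPN_LOG)
    print(reconcile(VENDOR_GROUP, INVOICED, evts))
    print(overseas_logins(evts))
    print(concurrent_sessions(evts))
```
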
CONCLUSION
Overall, the investigation of the allegations did not identify specific fraudulent activity. However, there
were several Authority Standard Procedures that were not followed and there are processes within the
ITS, Procurement, and HR Departments that could be clarified and improved to provide additional
guidance. These will be discussed in detail with Authority Management.
This report was prepared by the Authority’s Internal Audit Department and Department of Ethics,
Diversity, and Administration. It is intended solely for the information and use of the Audit Committee
and Management of the Authority. This restriction is not intended to limit distribution of this report,
which is a matter of public record.
APPENDIX 1: CORRECTIVE ACTION TAKEN
The following corrective action was taken prior to the completion of this investigation:
Corrective Action:
1) Employment of Gautham Sampath was terminated
2) All staffing through the Veredus contract was suspended
3) All User IDs under the “Veridus” group were disabled
4) Mr. Sampath’s uni‐leave balance was adjusted to actual
5) Web VPN was disabled
6) VPN sessions limited to only one concurrent connection
7) VPN sessions terminated after one hour at which time the user can log back in (with the exception
of ITS employees who are provided longer log in times in order to maintain systems)
8) VPN sessions will be supported only if they originate from an Authority device
9) A new process was established for granting VPN access to individuals from any vendor. The
AM‐22 Form was revised specifying more terms and conditions, as approved by Legal Affairs.
Additionally, the following documentation will be required: 1) a letter from the vendor that
indicates a background investigation has been performed, 2) a copy of the individual’s resume
with verifiable contacts, and 3) a copy of the front and back of the individual’s driver’s license.
Although not a direct result of this investigation, the Board authorized a purchase order to Vaco Risk
Solutions, Inc. (Vaco) at the December 3, 2015 Board meeting for a not‐to‐exceed amount of $127,400.
Vaco specializes in providing enterprise solutions that secure people, facilities, processes and
technology. They will provide the Authority with a comprehensive network security assessment.
APPENDIX 2: REPORT FROM BAYSIDE SOLUTIONS, INC.
Bayside Solutions, Inc. (BSI) was hired by the Internal Audit Department to assist with Allegation
#4. Their full report is attached to this report.
Hillsborough County Aviation Authority Internal Audit Department
MISSION
To provide the Board and management with an independent appraisal of the systems of internal
accounting and operational control; of the compliance to the terms of agreements and appropriateness
of fees paid by tenants, concessionaires, and permittees; and the appropriateness of funds expended.
INDEPENDENCE
The Internal Audit Department is independent of and does not have direct responsibility, control, or
authority over the activities audited. This allows the auditors to carry out their work freely and objectively.
Policies and procedures are in place within the department to identify and safeguard against any potential
threats to independence.
CONTACT INFORMATION
Laura Tatem, Director of Internal Audit
Elita McMillon, Director of Ethics, Diversity and Administration
Hillsborough County Aviation Authority
Internal Audit Department
P.O. Box 22287
Tampa, FL 33622