Cloud computing company Nutanix has faced significant consequences due to a lack of oversight of its employees handling vendor software, leading to misuse, estimated costs of $11 million, and two pending lawsuits.
Nutanix conducted an internal probe, which revealed that certain employees had used third-party software for an extended period without proper authorization or payment, despite the initial agreement being limited to software evaluation. As a result, Nutanix estimates that it will have to pay $11 million to the two vendors involved in the misuse.
The repercussions of this misconduct have prompted Nutanix to implement remedial measures to address material weaknesses in its internal control over financial reporting (ICFR). These measures were disclosed in a regulatory filing on June 2. Nutanix now faces a federal securities class action and stockholder derivative lawsuit in the U.S. District Court for the Northern District of California, alleging financial misstatements and breach of fiduciary duties related to the software abuse.
While the employee misconduct raises concerns about oversight, experts believe that Nutanix demonstrated a strong response once the misconduct was discovered. Maria D'Avanzo, Chief Evangelist Officer at compliance training provider Traliant, praised Nutanix for making the investigation its top priority and engaging external counsel. The company promptly terminated the employees involved, and its chief information officer resigned in response to the incident.
The misuse occurred over a prolonged period, and the software was primarily used for interoperability testing, validation, customer proofs of concept, support, and training purposes. The misuse was first identified during a software purchase review on March 6, after which the audit committee, assisted by external counsel, conducted an investigation.
Nutanix acknowledged that its controls did not effectively identify the noncompliant use of third-party software as a risk of material misstatement in its financial reporting. The company also recognized a lack of emphasis on raising concerns about unethical conduct in a timely manner, leading to material weaknesses in its ICFR. This raises the possibility that Nutanix may not have detected potential misstatements in its consolidated financial statements.
While Nutanix bears responsibility for the oversight failures, questions have also been raised about the vendors' role in monitoring compliance with their contracts regarding the software. Maria D'Avanzo highlighted the lack of controls that allowed the software to be accessible to departments beyond the designated evaluation group.
To address these deficiencies, Nutanix has devised a remedial plan in collaboration with its management, audit committee, and board of directors. The plan includes internal awareness campaigns, training programs on appropriate software acquisition and compliance, education on accrual requirements, and the development of additional systems and controls for third-party software. Nutanix believes these measures will rectify the identified material weaknesses and strengthen its overall ICFR.
Nutanix acknowledges that its lack of due diligence has resulted in significant resource expenditures, including the investigation conducted by the audit committee, the formulation and implementation of a remediation plan, the establishment of new controls and procedures, and increased management oversight.
By fLEXI tEAM