The Health Service Executive has paid €2.7m in fees to an IT consultancy which was originally hired for €29,500, according to an internal report obtained by RTÉ's This Week.
The consultancy was hired in 2007 to provide 12 days consultancy, plus some additional days of advice, to a working group within the HSE.
At that time, the working group was involved in setting up an element of the HSE's HealthStat performance management system.
The HealthStat performance management system was established to provide a greater degree of accuracy on key acute hospital outcomes.
Between July 2007 and March 2010 the consultancy firm submitted more than 24 invoices totalling €2.7m.
The spending was approved by two senior managers within the HSE.
This was done without any reference to the agency's finance unit or to the HSE's procurement unit, according to the HSE's internal audit report.
Neither the management consultancy nor the two senior HSE staff who approved the spending have been named in the report.
One of the senior managers has alleged that other senior figures within the HSE were aware of the expenditure.
However, the internal audit team said this allegation was not supported by evidence.
The internal audit unit concluded that "the scope of the original contract arrangement was substantially altered" as a result of the extra payments.
The auditors said: "A new procurement exercise should have been carried out for the development of HealthStat and the associated Performance Management IT system."
"What happened in practice was in contravention of HSE regulations and EU procurement rules," according to the report.
The internal report has also raised questions over the accuracy of some data relating to Primary and Continuing Care outcomes contained on the HSE's HealthStat system.
HealthStat provides monthly results from 29 teaching, regional and general hospitals and 32 Local Health Offices responsible for providing health and social care services in the community.
It was first rolled out in 2008.
The system logs how a hospital or LHO is delivering services to patients and how certain targets are being met, with a focus on waiting times for services; whether the services received are patient-centred; and how staff and financial resources are being used.
Investigators discovered what they described as "datasets with a high risk of being inaccurate or corrupted" in a review of data within the Dublin North LHO.
They described the errors as "serious" and said it had a direct bearing on the reliability of PCCC HealthStat measures, they concluded.
In total, the internal auditors identified ten high-risk concerns which "pose a key risk to the organisation and/or its service users and clients which may have serious implications for the achievement of the organisations objectives".
In their formal response to the report -- the current HSE management said that HealthStat had served the HSE well and was well-regarded both internal and externally.
However, they acknowledged that "the deployment of the IT tool fell short of both expected standards and public sector recruitment regulations".
They said they were satisfied that controls were now in place to prevent a repetition of any breach of regulations.
The auditors said they found no indication of fraudulent or dishonest conduct, nor was any such allegation made to them.
However, they said the project management controls around the IT system development were inadequate, with a "lack of control over the scope of the project.
They said the lack of appropriate phase reviews to ensure the project was achieving its goals; inadequate project documentation and the lack of a properly constituted project board".
The audit report was obtained by RTÉ under a Freedom of Information request.
The report was finalised in late 2012 but its release had been delayed until now as it was the subject of a case taken by third parties to the Information Commissioner, who were challenging the HSE's decision to release the report.
