Fraud: Some cautionary tales
These stories are a timely reminder that everyone plays a part in discouraging and preventing fraud. Use these stories to start conversations with your colleagues about whether your own internal controls are up to date and remain fit for purpose. We’ve included a list of resources and other useful information at the end of this post.
False invoicing
An auditor told us about an incident where a supplier’s email account was hacked and a false invoice was submitted for payment. The organisation made the payment after amending the supplier’s bank account details in its Masterfile, in keeping with its normal internal controls. The bank identified the payment as a possible fraud and raised it with the organisation. By the time the organisation had confirmed that the payment was made to the wrong account, the money couldn’t be recovered. The organisation reported this to the Police and updated the internal controls to require all requests for changes to the Masterfile to first be confirmed directly with the supplier.
Theft of cash
A council-controlled organisation was running a weighbridge at a landfill. After CCTV cameras were installed, the organisation discovered that an operator had been withholding receipts from customers at the weighbridge and giving them to subsequent customers. This meant the operator did not have to record all sales in the till and could steal the unrecorded cash. Once this was discovered, the operator was dismissed and the matter was reported to the Police.
Theft of property, plant, and equipment
An auditor told us about an incident where old laptops that were due to be distributed to community groups by a contractor were instead sold by the contractor, who kept the cash. A routine audit of information technology equipment identified that the laptops were not distributed to community groups and were unaccounted for. The incident was reported to the Police.
Payroll fraud
We have seen a number of incidents where scammers have masqueraded as a staff member and sent an email request to change the staff member’s bank account details. The employer has made the change without independently verifying the change request with the staff member. These incidents are usually discovered when the staff member questions why they haven’t been paid. In many instances, the lost money can’t be recovered because it has been transferred offshore before the bank can be informed.
Misuse of a fuel card
An auditor reported an incident where an organisation stored backup fuel cards, which employees could use for small purchases of fuel for work vehicles, behind the counter at a couple of service stations. There was a sudden spike in the amount of fuel bought on those cards. The organisation launched an investigation but couldn’t confirm who was using the cards, so the cards were cancelled and the matter was reported to the Police.
Theft of money held in trust
An entity that collects and manages money on behalf of members of the public unintentionally paid a scammer. The scammer accessed a member of the public’s email address and modified the bank account details on a payment request form, so the requested funds were paid into the scammer’s bank account. The entity didn’t confirm the change in bank account details before making the payment, so the fact that the payment was made to the wrong account wasn’t discovered until the member of the public complained about not receiving the payment. There haven’t been any charges or convictions because the scammer can’t be identified.
Further resources
Our website contains good practice material about discouraging fraud and what public organisations should consider when it comes to preventing fraud. We’ve also published a number of reports on the topic of fraud.
Our 2017/18 central government audits highlighted information communications technology controls as an area of focus for central government agencies to consider. The National Cyber Security Centre has published some guidance to help public organisations develop stronger information security (InfoSec) policies and procedures, and to improve their InfoSec maturity and capability.
The International Fraud Awareness Week website also contains some useful information and resources about how organisations around the world are doing their bit to prevent fraud.
Paul O’Neil from the Serious Fraud Office spoke at Audit New Zealand’s information updates earlier this year about the future of fighting fraud in the public sector.