This bulletin is designed to assist councils in dealing with serious fraud threats such as those that have recently impacted a number of Queensland councils.
The department has been informed of a sophisticated scam that has resulted in a number of councils experiencing significant financial losses, and has been providing advice in relation to this through its regional office network.
The scam involved a person, purporting to be a representative of a vendor providing goods and services to the council, requesting that the council officer change the vendor’s bank account details in the accounts payable system.
The request was supported by falsified documentation, including letterheads and bank deposit slips which confirmed the new bank account details.
Where changes were made to the vendor details as a result of this request, payments were directed to an unknown party, going undetected until such time as the original vendor contacted council and queried non-payment.
Steps council should take to mitigate the risk of this scam
The scam appears to have targeted larger councils with high volumes of vendors and transactions; however, it is essential that all councils, irrespective of size, constantly remain vigilant of such risks and ensure that appropriate policies and procedures are in place with staff appropriately trained in their application.
To help mitigate the risk to council from scams of this nature, following are some key steps that councils should consider incorporating into existing business practices, policies and procedures:
- Establish a formal process, which clearly and unambiguously sets out the procedures, responsibilities and controls for dealing with any requests for any changes to vendor master data.
- Restrict capacity to make changes to vendor master data to a small group.
- The process should include:
- a check to ensure that the address, phone numbers and email domains in the change request match the vendor master file details;
- a bank deposit slip, with the BSB and bank branch details being checked;
- independently verifying the request for change by speaking with the vendor's nominated contact person recorded in the vendor master file data, or if the person requesting the change is the same person, a more senior vendor representative; and
- verify any recent changes to vendor bank account details that have been processed.
- Training in the procedure should be provided to all relevant staff.
- The ability to make master data changes should be limited to as small a group as appropriate.
On a broader scale, council should identify key people to be included in the circulation of fraud alerts and conduct training for all staff in identification and management of specific fraud risks and fraud prevention and control.
Additional resources available
The Local Government Association of Queensland (LGAQ), with the support of the Department, has developed a range of resources, templates and support services to particularly assist smaller councils in the implementation of a fraud management regime.
The following is a link to the LGAQ website which provides full details of the resources and templates developed as well as other support services available to councils to assist with fraud prevention and management:
Any further enquiries on this matter should be addressed to:
Mr Gary Kleidon
Manager, Program Implementation and Review
Department of Infrastructure, Local Government and Planning
PO Box 15009
Brisbane QLD 4002