Scottish auditor points to IT access in fraud report
Assessment of £1 million fraud in Dundee City Council throws spotlight on need for effective controls on access to systems
Audit Scotland has warned councils to impose careful controls over access to their financial systems, following a £1 million fraud within Dundee City Council.
The country’s central auditor has published a report on the fraud and said its extent could have been limited if the council had dealt with significant weaknesses in its invoicing systems.
It took place between 2009-16, during which an employee abused his unrestricted access to several systems by inserting fake invoices and altering the bank payment details of suppliers.
The fraud was discovered when officers noticed an invoice for which there was no supporting information, and the money was subsequently recovered.
Audit Scotland’s investigation revealed failures in the fundamental controls within the council: in particular, because some duties were not properly segregated, the employee was able to access a number of systems.
The report says that councils should ensure there is effective segregation of duties and user access rights to the IT systems, along with effective system reconciliation and system documentation.
Graham Sharp, chair of the Accounts Commission, said: “Lessons must be learnt from this serious and prolonged act of fraud. Our role is to provide the assurance people expect that all councils have in place robust checks to ensure public money is properly spent and accounted for. This case provides clear lessons for every council in Scotland.
“Councils must have fundamental internal controls in place to ensure secure IT systems, and those responsible for using them, must be managed appropriately. Managers in all Scottish councils are responsible for ensuring these arrangements are in place."
Picture by Colin, CC-BY-SA-4.0 via Wikimedia Commons