After a few organisations in the area have been victims of mandate fraud, including a local wildlife sanctuary, our audit manager Stuart shares an important reminder about internal controls.
Organisations routinely make payments. The processes (and controls) that help make those payments accurately may be seen as routine. Two recent cases remind us that whilst this may be the case, there is a need to remain vigilant and to stress the importance of strong internal controls on payments to all those involved.
Internal controls on payments cover a number of areas. Our reviews on payments regularly focus on the effective operation of payment controls. For example, we:
- Evaluate the arrangements to help prevent duplicate payments.
- Ensure appropriate separation of duties exists.
- Interrogate all expenditure using computer software to help provide assurance these controls are working.
The importance of strong payment controls was highlighted in two recent local cases. In York, a local NHS surgery had £46,000 diverted by the practice manager to his own account¹. Part of the fraud involved duplicating payments to legitimate suppliers. The manager was jailed for 20 months.
In another case, the Whitby Wildlife Sanctuary was subject to a bank mandate fraud². The sanctuary was in email conversation with a regular supplier. It appears these emails were intercepted by a hacker who impersonated the supplier and provided their own BACS details, resulting in £13,000 being lost. In our November 2018 alert we highlighted a similar instance where a council was targeted and defrauded of £16,000.
Always remain vigilant. Ensure your own internal controls are well known and followed in every instance.
What to look out for to help prevent this type of fraud:
- A request to change payee details which is unexpected, or which involves pressure to make a change quickly.
- Phone calls which are not from your normal contact or from numbers which cannot be verified.
- Emails or letters which originate from unusual addresses or which are not in keeping with the usual style and quality of the genuine supplier.
How to avoid becoming a victim of mandate fraud:
- Always question any request to change payee details regardless of the source or circumstance, even if the request comes from someone more senior in your organisation or has already passed through other internal departments.
- Always independently verify the request through established channels. Do not trust contact details contained within the request. If the request is received over the phone, end the call and attempt to re-connect with the individual through the creditor’s main switchboard number.
- Never assume that a request is safe because a colleague trusts the source. It is the responsibility of the person changing the creditor details to verify that the request is genuine.
- Never allow yourself to be pressured into bypassing agreed verification processes and procedures.