Author
William C.
Will Cunningham

As the end of the year draws closer, now is the time to think about the fundamentals of your internal control environment and ensure staff working over the holiday break are fraud aware. Fraud risks are continuing to rise and technology is becoming more sophisticated, so strong, well-designed internal controls remain your entity’s best defence!

In this blog, we provide a reminder of the tools and resources that are available to help your entity take practical steps to strengthen internal controls. We also highlight some key actions that you can take right now. Remember, strong internal controls are not person-dependent, so if you have staff covering key activities at this time of year, these tips can help ensure everyone understands their role and all established internal control processes continue to operate as intended.

Our recent reports to parliament, along with our blogs on everyday internal controls and recognising fraud risks, outline a range of practical steps that entities can implement. We also recently highlighted a real fraud case study in our report to parliament Local Government 2024 (Report 13: 2024–25), offering lessons and corrective actions for all entities. 

The rising risks of vendor fraud

In November, we wrote to all public sector CFOs, reminding them of the need for robust controls amid rising vendor-fraud risks, especially those involving changes to vendor bank details.

Many recent frauds have a common theme – a fraudster impersonates a legitimate supplier and requests changes to vendor bank account details. To protect your entity, robust vendor-related controls are critical.

Key actions to take now

  • Treat all vendor change requests with suspicion (including change requests to key contact details in your vendor management system).

  • Call the vendor and independently verify the details using contact information from their official website or another trusted source (e.g. an independently sourced phone number). Do not rely on contact details in email signatures or in the email requesting the change.

  • Check that the email address syntax matches what’s stored in your vendor management system.

  • Review all vendor masterfile changes from the last 6 months, focusing on high-value or frequently paid suppliers. If another party performs these checks on your behalf, confirm what actions they are taking in response to this risk alert.

  • Ensure all accounts payable staff have completed cyber and fraud awareness training within the last 6 to 12 months.
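An added example (not part of the original blog) of the email-match check and the six-month masterfile review listed above, run over a constructed change log. The field names, vendor IDs, addresses and the 183-day window are assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample data: contact emails stored in the vendor management system.
VENDOR_EMAILS = {
    "V001": "accounts@acme-supplies.example",
    "V002": "billing@northwind.example",
    "V003": "ar@contoso.example",
}
# Constructed change log: (vendor_id, change_date, field, requester_email, paid_last_12m)
CHANGE_LOG = [
    ("V001", date(2025, 11, 3), "bank_account", "accounts@acme-supp1ies.example", 480_000),
    ("V002", date(2025, 10, 20), "bank_account", "Billing@Northwind.example", 95_000),
    ("V003", date(2025, 2, 1), "bank_account", "ar@contoso.example.net", 700_000),
    ("V002", date(2025, 9, 5), "postal_address", "billing@northwind.example", 95_000),
    ("V003", date(2025, 11, 18), "contact_email", "ar@contoso.example", 700_000),
]
# Assumed field names for bank details and key contact details.
SENSITIVE_FIELDS = {"bank_account", "contact_email", "contact_phone"}


def normalise(addr):
    # Assumption: addresses are compared case-insensitively after trimming.
    return addr.strip().lower()


def review_changes(change_log, vendor_emails, today, lookback_days=183):
    """List sensitive masterfile changes inside the lookback window.

    Requests whose address differs from the stored one sort first, then
    higher-value vendors. A matching address does not clear a change:
    every listed item still needs an independent call-back to the vendor.
    """
    cutoff = today - timedelta(days=lookback_days)
    findings = []
    for vendor_id, changed_on, field, requester, paid in change_log:
        if changed_on < cutoff or field not in SENSITIVE_FIELDS:
            continue
        stored = vendor_emails.get(vendor_id, "")
        findings.append({"vendor": vendor_id, "date": changed_on, "field": field,
                         "email_match": normalise(requester) == normalise(stored),
                         "paid": paid})
    findings.sort(key=lambda f: (f["email_match"], -f["paid"]))
    return findings


if __name__ == "__main__":
    for f in review_changes(CHANGE_LOG, VENDOR_EMAILS, today=date(2025, 12, 1)):
        status = "address matches" if f["email_match"] else "ADDRESS MISMATCH"
        print(f["vendor"], f["date"], f["field"], status, f["paid"])
```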

Additional measures to strengthen your controls

  • Require 2-person approval for all vendor masterfile changes.

  • Limit vendor maintenance system access to as few staff as possible.

  • Reset passwords for all accounts payable staff.

  • Stay alert to spoofed emails designed to appear legitimate.

Proactive, vigilant controls remain the most effective way to safeguard your entity from fraud. Now is the time to tighten your processes and reinforce awareness across your teams!
