Authorities need to learn from £1m Dundee City Council fraud - Accounts Commission

A £1 million fraud perpetrated at Dundee City Council from 2009-2016 was the result of failures in fundamental controls within the council’s financial systems, the Accounts Commission has found.

Former Dundee City Council IT officer Mark Conway, who specialised in financial IT systems, was sentenced to over 5 years imprisonment last year after admitting defrauding the authority.

Between August 2009 and May 2016 Conway, who had high level access to the Council’s electronic financial systems, created numerous false invoices which he had paid into his own accounts to cover gambling debts.

The invoices would range from nearly £6000 to more than £27000 and spanning the seven year period of the fraud.

The overall amount obtained totalled £1,065,085.32.

Conway, from Brechin in Angus, admitted the fraud at the High Court in Edinburgh on 2 August 2018.

Considering a report on the significant fraud, the Accounts Commission noted that the extent of the fraud could have been limited if the council had addressed significant weaknesses in its invoicing systems.

On investigation, the employee who perpetrated the fraud had unrestricted access to several systems which allowed him to insert fake invoices into the system and alter the bank payment details of suppliers without detection.

The report found that the council acted quickly in response to the discovery of the fraud, and has since addressed the issues that led to the fraud and brought in more robust management of their financial systems. Since 2016 it has taken significant steps to improve its resilience to prevent future fraud and corruption.

Graham Sharp, Chair of the Accounts Commission, said: “Lessons must be learnt from this serious and prolonged act of fraud. Our role is to provide the assurance people expect that all councils have in place robust checks to ensure public money is properly spent and accounted for. This case provides clear lessons for every council in Scotland.

“Councils must have fundamental internal controls in place to ensure secure IT systems, and those responsible for using them, must be managed appropriately. Managers in all Scottish councils are responsible for ensuring these arrangements are in place.”