The Auditor General for Wales has criticised Harlech Community Council for the way it handled a bank fraud scam.
The community council lost £9,000 in the scam when two payments of £4,500 were made to a third party "without proper authorisation from the council", a report by the Auditor General explains.
The Auditor General for Wales has decided that his audit findings are of sufficient public interest to warrant publishing a report in the public interest under Section 22 of the Public Audit (Wales) Act 2004, in order for his findings to be brought to the attention of the public and to be formally considered by the council. The report notes Harlech Community Council is made up of 12 councillors who are responsible for managing money raised by the council, and spends around £100,000 a year to provide local services.
The report explains: "Following routine audit work on annual returns completed by councils, attention was drawn to a report that Harlech Community Council had been the victim of fraud resulting in the loss of £9,000. The fraud followed a breach of the Clerk’s email address that allowed a third party to access her email account. We extended our audit work to identify how the Council’s procedures failed to prevent the loss being incurred.
"In December 2022, the Clerk made two payments of £4,500 to a third party without proper authorisation from the Council.
"The Auditor General’s report found that there was a failure to carry out proper due diligence when making these two payments.
"This highlights the fact that the Council did not have effective internal controls in place and did not follow its current rules for making payments.
"The ease with which the fraud was carried out also leads to concern that making payments without proper scrutiny in place may not have been an isolated occurrence.
"It is also important that the Council has accurate and accessible records of proceedings and decisions. Harlech Community Council’s minutes do not present an accurate picture of how the loss of £9,000 occurred.
"As electronic banking is becoming more widely used, the Council, and other councils across Wales, must have better cybersecurity processes in place to protect against the risk of losses due to online frauds."
The report notes the Council has "taken some steps to address deficiencies in its internal arrangements".
The report makes five recommendations to Harlech Community Council, some of which are that:
- The Council should review its arrangements for making payments to ensure that all payments are subject to an appropriate authorisation process.
- The Council should review larger payments made over the last 12 months to establish if this incident was an isolated incident or was a regular occurrence.
- The Council should ensure that its website is updated on a regular basis and contains all information the Council is required to publish electronically.
Auditor General Adrian Crompton said today (Wednesday): “It is concerning that we are commenting about weaknesses in financial management and governance on a regular basis. The fraud at Harlech Community Council is another example of this. It’s important the sector takes notice and makes improvements on this ongoing issue of poor financial management and cyber security.”