Noosa Council’s $1.9m fraud could have been prevented, Acting Director Corporate Services Margaret Gatt told council’s ordinary meeting last Thursday.
Ms Gatt, who was employed by council after the fraud event in December 2024 and led the investigation into it, said an international criminal organisation used sophisticated, strategic and targeted social engineering techniques to commit the crime.
She said council had internal controls and processes in place to mitigate such events, but these were not effective in this instance, and the incident highlighted non-compliance with some of its standard processes.
“Through our subsequent investigations, we have identified that there were elements of human error that contributed to some failures in our internal controls,” she said.
Ms Gatt said any of the following actions may have reduced the risk or prevented the fraud from occurring:
“1. Adherence to Council practice whereby requests for changes to a supplier’s contact details and/or bank details are verified with the supplier using the original contact details on file or through an independent search for contact details (vendor master file).
2. Verification of the sender’s email to the supplier’s email address from an independent source, such as the supplier’s website, may have indicated the different syntax used in the email address, though this in itself may not have alerted Council to any anomalies without direct contact with the supplier.
3. Requirement for enquiries from our bank regarding payments and questions of it to be escalated to a senior officer for action.”
Once alerted to the fraud, council established a crisis incident response team and engaged an external independent ICT expert to conduct a forensic investigation. This investigation confirmed there was no breach of Council’s systems, no personal data was stolen, no ratepayer personal information was accessed and there was no impact on Council services, Ms Gatt said.
Council reported the incident to all relevant authorities including the Queensland Audit Office (QAO), relevant Ministers and government departments.
Ms Gatt said that, following the fraud event, controls and procedures were reviewed and improved and, in conjunction with the QAO recommendations, additional controls were implemented.
These controls include:
• “Implementation of a third-party payment protection software that validates banking details.
• Regular Mandatory Cyber Security training for all staff.
• Development of an Organisational Policy and Procedure Creditor Masterfile Maintenance which articulates Council’s commitment to ensuring the accuracy, integrity and security of Masterfile data and outlines Council’s processes in regard to Vendor master file maintenance. This includes staff commitment to compliance to the Policy and Procedure through the understanding of the impacts of non-compliance, both financial and reputational.
• A Council system control whereby changes to supplier contact details require approval. The requirement for all changes to supplier accounts to be recorded in a Register of Creditor Changes, which is reviewed by a senior officer monthly to identify any patterns or anomalies that may indicate fraudulent activity.
• Council will establish an independent financial management assurance program (FMAP) to provide a system of internal controls, reviews, and audits designed to ensure the accuracy, completeness, and proper use of financial information and resources.”
Consultation & Monitoring
As part of the incident analysis, corrective measures and considering lessons learnt, the Audit and Risk Committee and Elected Members have been fully briefed on the matter and ongoing corrective actions. Key internal and external stakeholders will continue to be briefed as process improvements are implemented.
Cr Nicola Wilson who, along with Cr Tom Wegener, is a member of the Audit and Risk Committee, repeated the statement she made in October when the fraud was publicly announced.
“This was preventable and some risks were known but not acted upon,” she said.
Cr Wilson said she was satisfied Ms Gatt’s report gave further detail around how this fraud occurred and the mitigations and strategies adopted since.
“Some people have suggested this report should have been written by an independent investigator but I believe Acting Director Gatt is the appropriate person to write this report as she led the investigation in January, meaning she collected contemporary information at the time of the event, had access to our financial systems and staff and with no prior engagement with council,” she said.
“The team’s been working with external auditors, KPMG, and the QAO to establish the facts, ensure no other events have occurred and report the event appropriately in the financial statements.”
Mayor Frank Wilkie said he was personally sorry the fraud event had happened.
“There are people in this organisation who were personally impacted by this crime,” he said.
“It wasn’t something any of us wanted to happen. We’re dealing with human error and we’re dealing with human frailty.
“People make mistakes. It’s human nature to seek to blame. We’ve taken steps to see this doesn’t happen again and there’s lots of lessons learnt.”








