Fraud and Corruption Control—Local Government

Tabled: 19 June 2019

3 Fraud and corruption controls over staff expenditure

Councils deliver vital services including health, community support, economic development, and waste and environmental management. To perform these functions, councils collect funds, in the form of rates and charges, to deliver services to the community. Council staff are responsible for using these funds responsibly to further council objectives.

The expenditure of council funds by council staff is a fraud and corruption risk that each council must mitigate. Fraud and corruption risks include a council staff member:

  • using a council credit card for personal use
  • using a council fuel card to fill up their own vehicle
  • seeking reimbursement for items not bought, or not for genuine council business.

Under the Act, councils must ensure that all money they spend is correctly used and properly authorised and develop and maintain adequate internal control systems. We assessed whether councils had adequate fraud and corruption controls over:

  • council credit cards
  • council fuel cards
  • reimbursements made to staff.

3.1 Conclusion

At some of the audited councils, staff have been inconsistently applying fraud and corruption controls over credit and fuel cards and staff reimbursements, and in some cases these controls have failed. Incomplete or inaccurate data, a lack of monitoring for anomalies, and failure to implement and comply with controls have limited the ability of councils to detect fraud and corruption should it occur. Instances where councils have not implemented or enforced their policies and processes show that councils need to do more to strengthen existing controls and undertake proper monitoring to protect council funds.

3.2 Control framework

Figure 3A outlines the key features of a good practice framework to control for fraud and corruption risks over expenditure.

Figure 3A
Control framework over expenditures

Key features include policy and guidance, system controls and business processes, and data analytics and review.

Source: VAGO.

We assessed the control framework over credit and fuel card use and reimbursements made to staff at each of the audited councils.

3.3 Credit cards

Council staff use credit cards to buy high-volume and low-value goods and services. The use of credit cards can save time and money by avoiding lengthy procurement processes for goods and services that staff must purchase frequently. While credit cards are a flexible and efficient way to make purchases, for this reason they also constitute a fraud and corruption risk.

Policy

Clear and accessible credit card policies and procedures are an important fraud and corruption control. Policies should provide employees with clear instructions on how to use their council credit card and should take a strong stance against fraudulent and corrupt use. Policies can also act to deter inappropriate behaviours when they clearly outline controls to detect fraud and the consequences of inappropriate use. It is also essential that councils require cardholders to acknowledge that they have read and understood the policy before being issued with a card.

Policy strengths

Each council's credit card policy clearly states that:

  • the use of a credit card should be for official council business only
  • the council may take disciplinary action in the event of card misuse or breach of the policy
  • cardholders are responsible for keeping their card details and personal identification number (PIN) secure and that they must immediately report lost cards
  • cardholders must provide adequate documentation or a signed statutory declaration for each credit card purchase
  • a manager or supervisor must approve every transaction
  • the withdrawal of cash is prohibited, and card limits must not be exceeded.

While a policy cannot outline the appropriateness of every possible type of purchase, policies should provide examples of inappropriate use, especially where there may be ambiguity. The credit card policies at Shepparton, Strathbogie and Wyndham councils all gave examples of inappropriate use, for example the purchase of fuel, the payment of fines and purchase of alcohol not required to advance council business.

Policy weakness

We identified a policy weakness and associated control risk for Strathbogie, as its policy does not clearly define what is considered sufficient supporting documentation for a transaction. The other councils' policies clearly state that an electronic funds transfer at point of sale (EFTPOS) receipt is not adequate, as it does not itemise what a cardholder purchased. We identified multiple transactions at Strathbogie where there was insufficient documentation to support the spend (see the testing results in Figure 3D).

Data analytics and review

An important part of a fraud and corruption control framework over credit card use is the review and analysis of transaction data to detect potential fraudulent use. Officers who are independent of cardholders and card approvers should conduct these review activities. The level of review activity will differ between councils depending on the number of transactions and credit cards in circulation. Activities range from reviewing a percentage of transactions each month, to a more sophisticated approach using data analytics over all transaction data to detect potential misuse. More sophisticated data analytics could include comparing transaction data against staff leave data and identifying purchases made on weekends and public holidays or out of office hours. We expect that councils with large numbers of credit cards and high spends would have more sophisticated analytics given the increased risk.
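The checks named above (transactions against staff leave data, and purchases on weekends, public holidays or outside office hours) can be expressed as a small exception report. This is an added example, not part of the audit or any council's system; the CSV layouts, staff and card identifiers, office hours and holiday calendar are all constructed assumptions.

```python
import csv
import io
from datetime import date, datetime, time

# Constructed sample data (not from the audit): card transactions and staff leave.
TRANSACTIONS_CSV = """txn_id,card_id,cardholder,timestamp,merchant,amount
T001,C-01,staff_a,2018-03-06 12:15,Cafe,42.00
T002,C-01,staff_a,2018-03-10 09:40,Cafe,31.00
T003,C-02,staff_b,2018-03-14 23:36,Restaurant,68.00
T004,C-02,staff_b,2018-03-20 10:05,Hardware store,27.50
T005,C-03,staff_c,2018-03-12 11:00,Supermarket,212.40
T006,C-03,staff_c,2018-03-15 14:30,Stationer,16.80
"""

LEAVE_CSV = """staff,start,end
staff_b,2018-03-19,2018-03-23
staff_c,2018-03-12,2018-03-12
"""

# Assumptions: each council would supply its own calendar and office hours.
PUBLIC_HOLIDAYS = {date(2018, 3, 12)}
OFFICE_OPEN = time(8, 0)
OFFICE_CLOSE = time(18, 0)


def load_leave(text):
    """Return {staff: [(start_date, end_date), ...]} with inclusive ranges."""
    leave = {}
    for row in csv.DictReader(io.StringIO(text)):
        span = (date.fromisoformat(row["start"]), date.fromisoformat(row["end"]))
        leave.setdefault(row["staff"], []).append(span)
    return leave


def flag_transaction(row, leave):
    """Return the list of exception flags raised by one transaction row."""
    when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M")
    day = when.date()
    flags = []
    # Card used while the allocated cardholder was recorded as being on leave.
    if any(start <= day <= end for start, end in leave.get(row["cardholder"], [])):
        flags.append("cardholder_on_leave")
    # Non-working days take precedence; out_of_hours applies to working days only.
    if day in PUBLIC_HOLIDAYS:
        flags.append("public_holiday")
    elif day.weekday() >= 5:  # Saturday = 5, Sunday = 6
        flags.append("weekend")
    elif not (OFFICE_OPEN <= when.time() < OFFICE_CLOSE):
        flags.append("out_of_hours")
    return flags


def exception_report(transactions_csv, leave_csv):
    """Return {txn_id: [flags]} for every transaction that raised a flag."""
    leave = load_leave(leave_csv)
    report = {}
    for row in csv.DictReader(io.StringIO(transactions_csv)):
        flags = flag_transaction(row, leave)
        if flags:
            report[row["txn_id"]] = flags
    return report


if __name__ == "__main__":
    for txn_id, flags in exception_report(TRANSACTIONS_CSV, LEAVE_CSV).items():
        print(txn_id, ", ".join(flags))
```

A flag marks a transaction for independent review of its supporting documentation; it does not by itself establish misuse.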

Figure 3B details the number of credit cards used across the audited councils and the total spend on cards, according to data provided by the audited councils and their banks.

Figure 3B
Number of credit cards in use at the audited councils and total spend in data provided during the audit

| Council | Cards used during testing period | Total spend on cards |
|---|---|---|
| Shepparton | 24 | $633 300 |
| Strathbogie | 27 | $228 700 |
| Wellington | 106 | $1 000 000 |
| Wyndham | 256 | $4 900 000 |

Source: VAGO, based on council data.

At the time of the audit, the councils did not have formalised processes to conduct data analytics over credit card transactions. However, both Wyndham and Shepparton have started projects to use data analytics to report on fraud and corruption risks over credit cards. Figure 3C outlines specific findings for each council.

Figure 3C
Use of data analytics by audited councils

Council

Findings

Shepparton

Shepparton has the lowest number of cards in circulation compared with the other councils and does not conduct data analytics over transactions. Instead, the finance team conducts 'spot checks' on a number of transactions each month. The team applies a risk-based strategy with more scrutiny applied to transactions from staff to whom the council has recently allocated a credit card. Shepparton could consider formalising this process by documenting checks conducted and undertaking data analytics over all transaction data to identify specific fraud and corruption risks.

In early 2019, Shepparton began a project to develop a new performance report on credit card transactions that will go to the executive leadership team each year. This is a positive step towards increased reporting and trend analysis over credit card transactions.

Strathbogie

Strathbogie does not conduct data analytics over transactions. A finance officer undertakes ad hoc reviews over transaction records and refers potential anomalies to managers. However, this is not a formal process of consistent trend analysis and reporting.

Wellington

Wellington does not conduct data analytics over transactions. A manager reviews at least 10 per cent of total card transactions each month, checking that cardholders have followed processes, that an employee has attached the correct receipt, and that the item they purchased was for a business use.

Wyndham

At the time of our audit, Wyndham had already begun a project to analyse credit card transaction data and report to the chief financial officer (CFO) on:

  • spend patterns
  • transactions on weekends
  • transactions with outstanding approvals
  • reviews of high-risk supplier types.

Wyndham has now formalised monthly exception reporting using data analytics. The reports are provided to the CFO for review and action as necessary.

If Wyndham can report consistently, this will be a positive addition to their fraud and corruption control framework.

Source: VAGO, based on council data.

Credit card testing

To test the effectiveness of credit card controls, we examined a selection of purchases made on council credit purchasing cards to confirm that they were for official council business and in accordance with council policies and procedures. Appendix B outlines our testing methodology.

Control 1: adequate receipts and supporting documentation

Council staff must be able to provide adequate documentation to prove that each transaction was for genuine council business.

We identified examples where the documentation supporting transactions was inadequate, as detailed in Figure 3D. These instances also demonstrate insufficient scrutiny by approvers who ultimately approved these transactions.

Figure 3D
Examples of inadequate supporting documentation

Council

Audit findings

Shepparton

  • $56.50 at a cafe, which had no receipt attached.
  • $27.20 at a hotel, where the itemised receipt does not match the EFTPOS receipt.

Strathbogie

  • A transaction at a local cafe for $48.50. Cardholder stated on the expense form that the transaction occurred on a Tuesday for a 'meeting re advertising', but the receipt showed the transaction was on a Saturday and included the purchase of a child's serving of a drink and meal. The same cardholder went back to the same cafe the next day on Sunday and purchased breakfast. The transaction description states it was for a 'comms meeting'.
  • A transaction of $74.50 at a local hotel, described as 'after work drinks' and 'good morale after busy week'. The receipt was illegible.
  • A transaction at a restaurant for $167 as a 'Comms group meeting' for three people. The statutory declaration stated that 'no itemised register receipt was available', and the EFTPOS receipt was timed at 7.27 pm. The statutory declaration was incomplete and not dated and was witnessed by a senior executive.
  • A transaction of $555.10 described as 'Christmas Drinks' accompanied by an illegible receipt.

It should be noted that all these examples are attributable to one former manager. We discuss this further in Section 4.4.

Wellington

  • $150 at a firearm vendor, where there were two receipts for different amounts and they were not itemised.
  • $400 transaction described as a gift card for a farewell, but the receipt attached was for $19.15.
  • $1 480 payment to an association supported by a document with a copy and paste of a declined transaction.
  • $89.25 at a travel agency supported by a document that was a screenshot that did not reflect the amount paid.
  • one instance of a cardholder submitting an incomplete statutory declaration.

Wyndham

  • $610 payment to an institution where the supporting documentation for the transaction was a handwritten note on a 'membership renewal' form.
  • $325.20 payment to an airline where the supporting documentation did not reference the passenger, date or destination.
  • Two transactions for $100 and $115 to a health and beauty spa where the transaction descriptions state a 'prize' for a council event, but the cardholders had only attached EFTPOS receipts, which did not itemise the purchases.
  • A transaction for $676.50 where the tax invoice itemised $630 worth of goods, but the EFTPOS receipt stated that $676.50 was spent.

Source: VAGO, based on council data.

Although each of these transactions represents a differing level of risk of fraudulent spend, all demonstrate the need for council controls to ensure staff support spends with adequate documentation.

In response to our findings, Strathbogie advised that it had reviewed its policy to address issues, with the policy now:

  • describing the circumstances in which entertainment expenses can be incurred
  • prohibiting the purchase of alcohol without written approval from the CEO
  • outlining the revised internal controls and auditing that apply, including the requirement to identify the business purpose for the expense.

Wyndham has acknowledged the deficiencies in its documentation. It has also noted that there were review and assurance processes that existed in relation to these transactions, such as travel registers and purchased goods being sighted, that were not formally captured within its established credit card transaction system. Wyndham advises that it has taken steps to ensure greater compliance with existing controls.

Control 2: only the allocated cardholder may use the credit card

Banks that issue credit cards require in their terms of use that only the allocated cardholder use the card. Council staff using a credit card that the bank has not allocated to them is a fraud and corruption risk, as it:

  • misrepresents who is making a purchase
  • increases the risk that a bank may not refund illegitimate spends due to lax controls over card security and the failure to abide by the bank's terms of use
  • may limit a council's ability to accurately monitor an individual cardholder's expenditure
  • is a way that a council officer can bypass controls, including approval processes, to commit fraud, as there is no way to ensure that the card approver is not also the person who incurred the expense
  • results in cardholders submitting and confirming statements that include transactions for which they are not responsible.

We matched the council's transaction data with its staff leave data and identified transactions at Shepparton, Wellington and Wyndham that occurred while the allocated cardholder was on leave. These transactions range from purchases made for accommodation, food and beverage to tourist attractions. Although the audited councils advise that all transactions were for official council business, they could not always confirm exactly who made the transaction, significantly weakening this fraud and corruption control. We have outlined these transactions in Appendix C.

Shepparton implemented card management software in 2019 that allows the council to suspend credit cards while cardholders are on leave. The council now also requires all cardholders to sign a credit card acknowledgement form that states the cardholder must be present for all purchases.

Wyndham notes that it is satisfied through other controls such as sighting the goods, multiple staff being present for transactions listed, and activities being promoted or reported on, that a business purpose existed and none of the transactions were fraudulent in nature.

We also identified two transactions at Wyndham, described in Figure 3E, which occurred after a cardholder's termination date. These transactions represent:

  • an employee using a card not allocated to them
  • a failure of the council to cancel a card when a staff member left the council
  • the likely purchase and approval of a transaction by the same staff member.

Figure 3E
Credit card transactions after employee termination date

At Wyndham, two transactions occurred five days after a staff member (the cardholder) had left the council, for amounts of $564.87 at a supermarket and $23.90 at a hardware store.

The council informed us that both transactions were for supplies for a staff Christmas party.

The manager of the staff member stated that they collected the card from the departing staff member and 'As the credit card was in my possession I would therefore have authorised the use of the card and may have even been the one that actually used the card. I suspect this is the case as it is very unlikely I would have provided the PIN to another person to use—but I also don't specifically recall whether this was the case. At this stage this was the only credit card available for the [business unit] to use as it was prior to a card being issued to me'.

Source: VAGO, based on Wyndham data.

This case study suggests that the person who likely made the transactions on an allocated cardholder's card also approved the transactions. We discuss this control weakness and the need for segregation of duties further in Figure 3F.

In response to this finding, Wyndham notes that it implemented a control in January 2019, which involves its human resources (HR) area notifying the procurement area on a fortnightly basis of staff movements and employment end dates to ensure its managers retrieve and cancel cards. Wyndham has also recently completed an internal audit of credit card processes to identify key issues and inform its policy and process review regarding the use of credit cards as a payment tool.

Other staff members using a council credit card may compromise investigations into credit card misuse, as a cardholder may be able to claim that others used their card. This is further discussed in Section 4.4.

Control 3: appropriate scrutiny and approval

Card approvers must appropriately scrutinise all transactions and the supporting documentation to confirm that all expenditure is for genuine council business. A delegated card approver's authorisation of a payment is an important fraud and corruption control.

Approvals must be timely, as lengthy delays may increase the risk of fraudulent card use going undetected. We identified a transaction at Wyndham of $140.40 for alcohol in September 2016, described as a 'Mayoral Event'. The card approver did not approve this transaction until July 2017.

Appropriate delegation structures must also be in place to ensure that employees are not able to approve their own spend or a spend incurred on their behalf. We consider this to be especially important for transactions by senior executives. We chose to explore this issue by analysing credit card transactions of the audited councils' CEOs.

CEO expenditure

Shepparton, Strathbogie and Wellington have all allocated a credit card to their respective CEOs. At the time of the audit, these councils required that the mayor approve all CEO card transactions. Wyndham had not allocated a card to the CEO, but an administrative officer was issued with a card.

The basic accounting concept of segregation of duties ensures that an individual who incurs an expense does not also approve the expenditure. Segregation of duties is also a key fraud and corruption prevention mechanism because it requires at least two people to collude to overcome this control.

We did not identify any issues with CEO transaction data at either Wellington or Shepparton. Wellington also submits the CEO's transactions to its ARC, which is a good practice example. At Strathbogie and Wyndham, we identified instances of weak controls over CEO expenditure, including at times poor segregation of duties, as Figure 3F describes.

Figure 3F
Examples of CEOs approving their own expenditure at Strathbogie and Wyndham

Council

Audit findings

Strathbogie

We identified transactions for the CEO on a senior executive's card, including:

  • $75.40 for lunch between the CEO and a consultant
  • $501.74 for accommodation for the CEO and the senior executive
  • $1 386 on conference tickets for the CEO.

The CEO was the card approver for this senior executive and approved these transactions, in accordance with the set delegation structure. While we note that the council has stated that it is satisfied that these transactions are legitimate and transparent, the practice of the CEO approving their own expenditure does not adhere to segregation of duties principles. It would have been more appropriate for the CEO to have used their own card and to have followed the established approval process, in place at the time, which required the mayor to monitor CEO expenditure.

Wyndham

Wyndham had not allocated the CEO with a credit card. Instead, the council allocated a card to an administrative officer who incurred expenditure on the CEO's behalf, for example, booking their flights and accommodation.

Due to the hierarchical delegations for card approvals, the CEO approved purchases on this administrative officer's card. This delegation structure resulted in the CEO approving their own expenditure for the following transactions we identified in our selection between June 2016 and July 2017:

  • four flights
  • 10 accommodation bookings
  • five conference tickets and two sets of membership fees
  • $61.67 worth of hotel minibar charges
  • a $315.45 restaurant dinner between the CEO and a former councillor.

We also identified instances where the CEO presented the administrative officer's card at the point of sale. When the CEO was at a conference in Canberra in June 2016, the transactions included:

  • the purchase of books at two Canberra bookshops, $90.97 and $93.78, where the transaction description states, 'for the CEO'
  • $73 at a Canberra cocktail bar at 11.36 pm, where the receipt is not itemised
  • $38.93 at a convenience store in Canberra where the supporting documentation was a typed note stating 'unable to locate receipt'.

The CEO subsequently approved these transactions.

The council identified that the practice of the CEO approving transactions on the administrative officer's card was unsatisfactory and stopped this practice in 2017. Another executive started approving these transactions.

Wyndham has now issued a separate credit card to the CEO, which will avoid the types of inconsistencies identified in this figure. The CEO's credit card expenditure will be approved by the CFO with appropriate review by the ARC Chair.

Source: VAGO, based on council data.

We consider better practice would be for the councils' CFOs or equivalent to approve CEO expenditure and for councils to refer the full transaction history to their ARC or council for periodic review. This increases financial scrutiny and ensures that mayors are not involved in daily council business, which is not their role.

Strathbogie's Motor Vehicle Policy states that employees who incur parking infringements must pay the infringement. The council's policy prohibits payment of parking infringements using a council-issued purchasing card. At Strathbogie, we identified that a senior executive used their credit card to pay for two parking infringements issued by a neighbouring council to the CEO and a councillor, described in Figure 3G. The CEO also approved the transactions.

Figure 3G
Payment of parking fines incurred by a councillor and CEO

A senior executive paid two parking fines incurred by a Strathbogie councillor and the CEO on their council card, with a total value of $310. The council's supporting documentation for these transactions does not mention the council's policy, which prohibits the payment of fines.

Documentation states that the councillor, the CEO and a third staff member had separately driven to a 'high-level meeting' at another council office and 'did not have time to arrange special parking spaces' but believed they had parked legally.

The senior executive conducted 'an independent assessment of the circumstances' and concluded, '…the officers and Councillor did not intend to risk parking illegally…' and that the council would pay the two parking infringements.

The senior executive advised that the councillor and CEO were not required to follow the established process to contest the fines. The senior executive had contacted the council that issued the fines and was told the 'chances were zero' of a successful appeal, as the fines were issued correctly. The senior executive also noted that another executive at the council had agreed with the decision to pay the fines.

Source: VAGO, based on Strathbogie data.

We confirmed with Strathbogie that after becoming aware that the payment of infringements was contrary to its policy, the CEO and councillor immediately refunded the council for the cost of the infringements.

The initial payment of these infringements by Strathbogie reflects a weak control framework and is contrary to stated council policy and public expectations. We identified a subsequent transaction where another staff member attempted to pay for a parking infringement on their council credit card. When questioned by the card approver, the staff member said they were not aware that the council would not pay for parking infringements. This highlights the importance of communicating policy requirements, and senior executives and councillors role-modelling appropriate behaviour.

3.4 Staff reimbursements

A key fraud and corruption risk in council expenditure is employees obtaining payments to which they are not entitled, in the form of reimbursements. This can involve employees providing false information for the reimbursement of expenses not incurred for council purposes, or beyond set entitlements.

Policies and guidance

To help educate staff on what expenses they can seek reimbursement for, councils should have clear and accessible policies. We found that not all audited councils provide clear policies or guidance for staff reimbursements. Shepparton, Strathbogie and Wyndham do not have policies guiding staff reimbursements. Wellington has guidelines attached to the reimbursement form that provides guidance for staff. We outline specific details of these policies in Appendix D.

Appropriate scrutiny and approval

Appropriate delegation structures must be in place to ensure employees cannot approve their own reimbursement claims or claims for expenses incurred on their behalf. Approvals must be timely as delays may increase the risk of fraudulent card use going undetected. The audited councils also require their employees to provide supporting documentation when seeking reimbursement, to show expenses were for council business and have been paid.

We identified examples at the audited councils of claims paid with inadequate documentation and insufficient scrutiny by approvers who ultimately approved these transactions. Figure 3H outlines these examples.

Figure 3H
Examples of inadequate scrutiny over reimbursement claims

Council

Audit findings

Shepparton

  • Reimbursement claim for two diesel purchases totalling $364.35 for 274 litres of diesel. The payment was listed as 'diesel' on the claim form without the expense dates. The staff member did not explain why they were using their own credit card instead of a council-issued fuel card. They also did not provide the vehicle registration number to confirm that the diesel was for a council vehicle.
  • Reimbursement claim for $675.24. The payment was listed as 'reimburse hampers and rugs' on the claim form, without stating the expense dates and business purpose of the expense.

Strathbogie

  • Reimbursement claim for $21 700 for a senior executive's rent in 2016–17, based on a 'loose agreement' between council and the staff member to reduce the executive's gross income. While the council has stated that this was part of a salary packaging arrangement, in which the council incurred no financial loss, no supporting documentation exists. The council advises that this practice ceased in 2017.
  • Reimbursement claim for $3 085 for relocation expenses. While the claimant had attached an invoice, there was no evidence that they had paid the amount to warrant reimbursement. The council confirmed that a former director had made this arrangement, which could have been 'verbal', and no supporting documentation exists.
  • Reimbursement claim for $4 111.50 for course fees, which was 100 per cent of the course costs. However, the council's supporting documentation confirms that the executive group decided that the council would reimburse 50 per cent of the course fees. Council advises that there was a subsequent discussion with the CEO, who had discretion and agreed to the payment of 100 per cent of the course fees. The CEO's decision was not formally documented and the council's policy states that the executive group should make the final decision regarding contributions towards course fees.

Wellington

  • Reimbursement claim for $44.80. The purpose of expenditure listed on the claim form was 'dinner, training', without stating the date and title of the training.
  • Reimbursement claim for $31.95. The purpose of expenditure listed on the claim form was only the name of a major hardware store. It did not state the business purpose of the expense, nor the item purchased.

Wyndham

  • Reimbursement claim for a $109.57 fuel purchase for a fleet vehicle. The staff member did not explain why they did not use a council-issued fuel card. They also did not provide the vehicle registration number, details of the distance travelled, or what the trip was for.
  • Reimbursement claim for three items totalling $365.13. The staff member did not provide a receipt for one item ($9 coffee), which was purchased in September 2017 and claimed in February 2018. The receipt for one item ($321 wireless good) was illegible. The staff member's manager approved the claim for all three items.

Source: VAGO, based on council data.

Although each of these transactions represents a differing level of risk of fraudulent spend, all demonstrate a failure of fraud and corruption controls to adequately document decision-making and confirm the legitimacy of the reimbursement.

3.5 Fuel cards

Councils issue fuel cards for all council vehicles, including:

  • fleet vehicles, which are vehicles shared between council staff and used for council business
  • private-use vehicles, which are vehicles assigned to a specific individual as part of their remuneration package and can be used for both council business and private purposes. Fuel for full private-use vehicles is unlimited.

Like credit cards, council-issued fuel cards present fraud and corruption risks. Examples of fraudulent use that can occur include a council employee using a council-issued fuel card to purchase:

  • non-fuel products at a service station, such as groceries for personal use
  • fuel for their personal car or another person's car
  • non-fuel products such as oil to on-sell and make a profit.

Policies and guidance

We found that not all audited councils have documented fuel card policies or guidelines and, where they do exist, they are either out of date or do not detail consequences for misusing fuel cards. Some audited councils are currently drafting revised policies and guidelines to address these control gaps. We summarise the policy and guidance available on fuel cards for each council in Figure 3I.

Figure 3I
Policies and guidance on fuel cards

 

Shepparton

Strathbogie

Wellington

Wyndham

Policy/guidance available on fuel cards

Fleet Corporate Procedure (May 2017)

Motor Vehicle Procedures (August 2017)

Fleet Management Guidelines (May 2012)

Drivers Handbook (placed in each council vehicle)

Draft Fleet Policy (January 2019)

No fuel card guidance in Motor Vehicles Policy 2014–15.

Draft Motor Vehicle and Plant Policy (review 2019)

Information covered by policy/guidance:

fuel card is for a specific vehicle only and cannot be used for another vehicle

(✔)

approved purchases only (e.g. fuel and engine oil)

(✔)

items blocked (e.g. groceries, incorrect fuel type)

(✔)

accurate odometer reading required at every fill-up

(✔)

PIN required

(✔)

signature required

report lost or stolen card immediately

council to review fuel purchases regularly

(✔)

(✔)

consequences for fuel card misuse

(✔)

(✔)

(✔) Denotes item in a draft policy/guidance only.
Source: VAGO, based on council data.

Assigning fuel cards and maintaining accurate records

To help identify fraudulent fuel card use, councils should:

  • assign each fuel card to a specific vehicle
  • maintain accurate motor vehicle and fuel card records
  • update cardholder names with fuel suppliers when councils reassign a vehicle and fuel card to another employee.

We found that three of the four audited councils maintain accurate motor vehicle and fuel card listings. We found that Strathbogie had poor record management of its motor vehicles and fuel cards. We were unable to identify fuel card numbers for all the vehicles we were testing, or the start and end dates for each driver of particular vehicles, as Strathbogie frequently transferred vehicles between staff without updating records correctly. This limits Strathbogie's ability to detect any fraudulent activity.

Fuel card management controls

To prevent non-authorised use of council-issued fuel cards, councils can specify management control requirements for each fuel card.

Figure 3J shows the management control components at each audited council. Only two councils have chosen to require a mandatory PIN rather than a signature; a signature is a weaker control.

Figure 3J
Fuel card management controls in practice

 

Shepparton

Strathbogie

Wellington

Wyndham

Mandatory PIN

Signature

Prompt cardholder for odometer reading

Source: VAGO, based on council data.

Odometer readings

Collecting odometer readings allows councils to compare the kilometres travelled with the volume of fuel purchased. When the volume of fuel purchased with a fuel card exceeds what the vehicle listed on the card would need for the distance travelled, this can indicate that the fuel card has been used for another vehicle, which is potential fraudulent fuel card use. It is therefore important that cardholders only use fuel cards for the vehicle attached to their card.

Audited councils should ensure that staff are aware that odometer readings are required and provide accurate readings without being prompted by service station attendants.

We found that three of the four councils had some fuel card transactions with missing or unusual odometer readings, such as single digits. Odometer readings were not available for analysis at Strathbogie; however, the council advises that staff are reporting odometer readings at service stations inconsistently.

Blocks and restrictions on fuel cards

Councils can implement blocks and restrictions on fuel cards to prevent fuel card misuse. Figures 3K and 3L show whether councils have implemented blocks and restrictions on fuel cards.

Figure 3K
Fuel card blocks: permitted and blocked items

Item                        Shepparton  Strathbogie  Wellington  Wyndham
Lubricants and engine oils  Blocked     Permitted    Permitted   Permitted
Goods and groceries         Blocked     Blocked      Blocked     Blocked
Service and parts           Blocked     Blocked      Blocked     Blocked

Source: VAGO, based on council data.

Figure 3L
Fuel card restrictions in place

Restriction    Shepparton    Strathbogie  Wellington  Wyndham
Fuel type      Restricted    Restricted   Restricted  Restricted
Fuel volume    Unrestricted  Restricted   Restricted  Unrestricted
Dollar amount  Restricted    Restricted   Restricted  Restricted

Source: VAGO, based on council data.

Detecting fuel card misuse

Councils should review and analyse transaction data to detect fuel card misuse. The level of review activity can range from selecting a percentage of fuel cards or fuel card transactions each month for review, to a more sophisticated approach of routinely running data analytics over all fuel card transactions. The level of review for each council will depend on the number of council vehicles and fuel cards in circulation.

We found that:

  • none of the four audited councils had regular, routine processes to monitor fuel card use during our audit testing period
  • only Wellington and Wyndham conduct data analytics over fuel card transactions
  • only Shepparton had conducted an internal review on fuel cards.

We note that Wellington and Wyndham have recently introduced routine fuel card monitoring processes.

VAGO testing of fuel card transactions

During this audit, we used data analytics to detect potential fuel card misuse. Our testing primarily focused on fuel cards linked to mayors and senior council staff with private-use vehicles from 1 July 2015 to 30 June 2018. The results of our testing over mayoral fuel cards are in Section 2.2. We did not specifically test fuel cards linked to fleet vehicles, but flagged anomalies we identified.

We tested for:

  • multiple fuel card transactions on the same day
  • multiple fuel type purchases with the same fuel card
  • purchases of non-fuel products with a fuel card.

We detail our test results for council staff in Figure 3M. We did not identify any anomalies at Wyndham.

Figure 3M
VAGO fuel card transaction test results for council staff

Council

Test results

Shepparton

Multiple fuel type purchases: We identified four fuel cards used to purchase both diesel and petrol, even though the vehicles attached to these fuel cards consume diesel only.

Across the four fuel cards, there were 60 petrol transactions totalling $4 146.68 (3 315.12 litres). These transactions occurred between 2015 and 2018.

The council advised that:

  • it had not placed fuel card restrictions on these four cards
  • diesel was for the vehicles and the petrol was for lawn mowers used to maintain gardens in public areas
  • it decided to continue supplying fuel to the teams by allowing a team leader to purchase petrol using their vehicle's fuel card
  • only one of the four cards is still active and permits both diesel and petrol purchases.

Having separate fuel cards, each restricted to one fuel type, would help collect fuel transaction data by vehicle or equipment more accurately. This would assist the council in identifying fuel card usage anomalies.

Strathbogie

We were unable to complete our testing as there were limitations in the data we received from the council. Data limitations included:

  • fuel data not being separated from the council's expense data
  • missing data fields such as vehicle registration numbers, transaction times, odometer readings, and volume of fuel purchased
  • data on products purchased not being available for all transactions
  • data on transaction locations not being available for all transactions
  • the council not always updating employee names linked with a fuel card when it is reassigned.

Non-fuel product purchases: We identified four transactions across two fuel cards used to purchase non-fuel items.

While the total cost of these items was not material, it shows that blocks and restrictions the council believed were in place were not activated for all fuel cards. Staff could exploit this weakness, which heightens the risk of fraudulent use of fuel cards.

In response to this finding, Strathbogie advises that it has now fully implemented fuel card blocks in accordance with the council's policy.

Wellington

Multiple transactions on the same day: We did not identify any fuel card misuse by the CEO or general managers.

We identified one instance of two fuel fill-ups on the same day in August 2016 with the same fuel card. Both purchases were for petrol and the same odometer reading was entered for both fill-ups. The fill-ups were only 31 minutes apart and the total volume of petrol purchased was 140.9 litres. The council's motor vehicle records show this vehicle's tank capacity is only 80 litres, and so the total amount of petrol purchased within 31 minutes exceeds the tank capacity.

The council confirms that it is unable to identify who was driving that vehicle on that day. This would have been possible if the council had regular routine monitoring processes and identified these transactions soon after they occurred.

Wellington has confirmed that this type of transaction has not happened since, and that it has recently introduced routine fuel card monitoring processes to mitigate the risk of fraud.

Multiple fuel type purchases: We identified five fuel cards that were used to purchase both diesel and petrol. The council was able to explain these transactions. For example, staff purchased diesel on the card for plant equipment and a staff member also mistakenly put diesel in the car.

Source: VAGO, based on council data.

These control weaknesses have the potential to affect all council-issued fuel cards. Weaknesses in fuel card controls can present the possibility for fraudulent activity, especially given the number of fuel cards each council has for private use and fleet vehicles.
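The tests described in this section can be run as routine analytics over a fuel supplier's transaction export. The following is an added example, not VAGO's or any council's own code: it flags same-day fill-ups, same-day volume above tank capacity, fuel that does not match the vehicle registered to the card, non-fuel products, and missing or single-digit odometer readings. The field layout, card identifiers and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

FUELS = {"diesel", "petrol"}

# Constructed vehicle register: card -> (registered fuel type, tank capacity in litres)
VEHICLES = {"CARD-A": ("petrol", 80.0), "CARD-B": ("diesel", 70.0),
            "CARD-C": ("petrol", 55.0)}

# Constructed transactions: (card, ISO timestamp, product, litres, odometer)
TRANSACTIONS = [
    ("CARD-A", "2016-08-10T09:02", "petrol", 72.4, 45210),
    ("CARD-A", "2016-08-10T09:33", "petrol", 68.5, 45210),
    ("CARD-B", "2017-03-01T07:15", "diesel", 61.0, 88012),
    ("CARD-B", "2017-03-09T16:40", "petrol", 18.2, None),
    ("CARD-C", "2018-01-20T12:05", "petrol", 40.3, 7),
    ("CARD-C", "2018-02-02T12:30", "groceries", 0.0, 30955),
]

def flag_anomalies(transactions, vehicles):
    """Return a sorted list of (card, date, reason) flags for manual review."""
    flags = set()
    fills_by_day = defaultdict(list)  # (card, date) -> litres per fill-up
    for card, ts, product, litres, odometer in transactions:
        day = datetime.fromisoformat(ts).date().isoformat()
        if product not in FUELS:
            flags.add((card, day, "non-fuel product"))
            continue
        fills_by_day[(card, day)].append(litres)
        fuel_type, _capacity = vehicles[card]
        if product != fuel_type:
            flags.add((card, day, "fuel type does not match vehicle"))
        if odometer is None or odometer < 10:
            flags.add((card, day, "missing or single-digit odometer"))
    for (card, day), fills in fills_by_day.items():
        if len(fills) > 1:
            flags.add((card, day, "multiple fill-ups on same day"))
            # Several fills in one day cannot plausibly exceed one tank.
            if sum(fills) > vehicles[card][1]:
                flags.add((card, day, "same-day volume exceeds tank capacity"))
    return sorted(flags)

if __name__ == "__main__":
    for card, day, reason in flag_anomalies(TRANSACTIONS, VEHICLES):
        print(card, day, reason)
```

A flag is a prompt for follow-up while the driver can still be identified, not proof of misuse; legitimate explanations, such as petrol bought for plant equipment, are resolved at review.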
