The credit card scam that defrauded Scotland's arts funding body of more than £100,000 likely resulted from slack security over card details, an official audit found.
The Deloitte audit of a case that led to more than 130 fraudulent transactions being made on a Creative Scotand credit card between December 2010 and July 2011 found a series of "significant control risks" existed at the body, which led to a third party being able to access the card details.
The police are now involved in investigating the case, after an initial contact with police was not followed up by Creative Scotland in 2011. The report says it found no evidence that a Creative Scotland staff member was involved, but "given the nature of the incident, such a possibility cannot be fully discounted."
Initially, when the body, then led by former chief executive Andrew Dixon, discovered the fraud, it did not approach the police, but ordered the independent audit, although the police have since been informed.
The fraud came to light on 27 July 2011, eight months after the first fraudulent payments were made. The audit report, from November 2011, in which names are redacted, says that at the time of the incident, eight corporate credit cards were used at Creative Scotland, held by certain members of staff.
The report says it is unknown how details of the credit card - which was used to buy a series of flights on carriers including Kenya Air, Angola Airlines (to the sum of £72,577), British Airways and Delta - were obtained by a third party. It does say, however, that the card was used by several members of staff, when "ideally, the card should only be used and accessed by the named person".
Also, photocopies of both sides of the card, including the security code number, were kept in desk areas, which was "clearly inappropriate".
Most notably, hotel bookings were made by sending both sides of the card by fax, a practice deemed "the most obvious means by which a third party could have obtained access to the credit card details."
The Finance Department had the responsibility of carrying out credit card spending checks, but this was "not undertaken" and, the report says that "represents a serious control failure."
No members of staff were disciplined for the lapses.
An increased workload, due the merger of Scottish Screen and the Scottish Arts Council, in the finance department was a factor in the crime being overlooked, as well as JP Morgan cards only being provided online. More than £70,000 of the amount lost has been reimbursed by JP Morgan.
A spokesman for Creative Scotland said: "Robust systems are now in place to prevent such fraud happening again."
Why are you making commenting on The Herald only available to subscribers?
It should have been a safe space for informed debate, somewhere for readers to discuss issues around the biggest stories of the day, but all too often the below the line comments on most websites have become bogged down by off-topic discussions and abuse.
heraldscotland.com is tackling this problem by allowing only subscribers to comment.
We are doing this to improve the experience for our loyal readers and we believe it will reduce the ability of trolls and troublemakers, who occasionally find their way onto our site, to abuse our journalists and readers. We also hope it will help the comments section fulfil its promise as a part of Scotland's conversation with itself.
We are lucky at The Herald. We are read by an informed, educated readership who can add their knowledge and insights to our stories.
That is invaluable.
We are making the subscriber-only change to support our valued readers, who tell us they don't want the site cluttered up with irrelevant comments, untruths and abuse.
In the past, the journalist’s job was to collect and distribute information to the audience. Technology means that readers can shape a discussion. We look forward to hearing from you on heraldscotland.com
Comments & Moderation
Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.
Post moderation is undertaken full-time 9am-6pm on weekdays, and on a part-time basis outwith those hours.
Read the rules hereComments are closed on this article