An undisclosed Victorian university that thwarted a recent $3.4 million “cyber fraud” attempt did not report it to the state’s auditor-general, who is concerned it may be the tip of the iceberg in unreported instances of fraud.
The auditor-general today released a snapshot of its audits of eight public universities and a further 51 entities they own for calendar year 2016.
The audits include an examination of internal controls related to financial reporting.
For 2016, the auditor-general found “47 internal control weaknesses and financial reporting issues”, and 42 percent – 13 cases in real numbers – related to “the IT control environment”.
“Universities, as with other public sector entities, rely heavily on IT systems,” the auditor-general said.
“Common areas of concern include poor user access, poor password controls, and weaknesses in disaster recovery programs.
“Weaknesses in security and automated controls make material errors and fraud more likely and harder to detect.”
For 2016, the auditor-general focused specifically on examining the fraud control frameworks in place at the universities.
It found most had “sound policies and procedures in place to manage their fraud risks”, though it called out some areas for improvement, including the reporting of fraud and suspected fraud instances.
The auditor-general noted that new rules came into effect on 1 July last year requiring actual or suspected “significant or systemic fraud” cases to be reported to “the Minister of Finance, [the universities’] audit committee, the relevant government department and the auditor-general”.
“Only two universities made a report of fraud, thefts and losses to the auditor-general during 2016,” it said.
“Given the size and complexity of university operations, this indicates to us that there is insufficient reporting of suspected and actual fraud occurring across the universities, and universities are not complying with their legislative requirements.
“In a recent example, an incident of attempted cyber fraud perpetrated by an external party for $3.4 million and instances of contracts worth $0.4 million awarded to undeclared related parties were not reported to the auditor-general.
“This limits our ability to effectively assess the risk in the sector when conducting our financial audits.”