$1M online theft due to 'lack of appropriate procedures' for employees, city says
City manager Jeff Jorgenson says 'numerous changes' have since been made to prevent a repeat
The City of Saskatoon says a "systemic failure" involving a lack of appropriate procedures is what allowed an online fraudster to steal $1 million from the city earlier this year.
But "numerous changes" to the electronic funds transfer process have since been made to prevent future thefts, the city added in a report to city councillors made public Wednesday.
In August, the city reported that a fraudster posing as the chief financial officer of Allan Construction contacted the city and said the company's banking information had changed.
A total of $1,040,000 was transferred to the account to pay for ongoing work on Saskatoon's Senator Sid Buckwold Bridge.
All the money has now been recovered but the city estimates the net cost of its legal services is $75,000 and that fees could rise depending on the outcome of ongoing court actions.
"The city has made numerous changes and additions to the procedures, processes and controls surrounding electronic fund transfers, including how a vendor or employee changes their banking information," city manager Jeff Jorgenson wrote in the report.
Jorgenson was not available for an interview late Thursday afternoon.
No malicious intent found among city employees
Jorgenson's letter included some new details about what led to the theft and the steps taken afterward.
No city employee acted maliciously or in collaboration with the fraudster, Jorgenson wrote.
"However, the team did determine that the fraud was due to systemic failure primarily related to a lack of appropriate procedures or guidelines for employees in this area of the administration to follow."
Jorgenson said "internal actions" were taken involving "a number of individuals." Those actions were not specified.
After the theft, city finance workers spoke to all vendors who had requested city banking information since the beginning of 2019 to make sure the requests were genuine. No other fraudulent requests were found.
"The team also formalized internal controls surrounding the changing of vendor or employee data," Jorgenson wrote.
The city's internal auditor, PricewaterhouseCoopers LLP, reviewed the changes made by the city and suggested some additions, which the city adopted, he added.