Public eyes – how to deal with rising fraud risk in the public sector

The pandemic has led to seismic changes in our work and personal lives. In relation to fraud risks, it has changed both the internal and external environment in ways that we probably do not yet fully understand. The “eye-watering” (to quote the Public Accounts Committee) estimated levels of fraud in the various Covid grant and support schemes have raised awareness that the public sector is a target for fraudsters. Fraud against individuals is at historic and unprecedented levels, so it can be challenging to decide how internal auditors in local government can respond to these challenges and identify those risks that we can best mitigate.

Where do we start? Before the demise of the Audit Commission in 2015, its report “Protecting the Public Purse” was hailed as the only one of its type globally to include the number, volume and type of fraud cases from every council in the country. Today, we must look for intelligence on fraud risks from a wide range of different sources. 


Identifying fraud risks and risk factors

The main fraud risks faced by local government were identified in “Fighting Fraud and Corruption Locally: A Strategy for the 2020s” as:

• Cyber-dependent and cyber-enabled.

• Social care – personal budgets and direct payments.

• Schools.

• Right to Buy / Tenancy.

• Money Laundering.

• Commissioning of services.

• Procurement.

• Payroll.

• Identity fraud.

• Council tax.

• Blue badges.

• Grants.

• Business Rates.

• Insurance.

• Disabled facility grants.

The strategy is supported by a Strategic Advisory Board and an Operational Group that brings together representatives of the counter-fraud networks nationally. The Operational Group recently held a session to assess changes in the fraud risk environment since the start of the pandemic. Using the fraud diamond, we identified increased risk factors for both internal and external fraud.

We found that the following risk areas have become more prevalent:


Cyber

Councils are increasingly becoming targets – some receive thousands of attempted attacks each day.

The ransomware attack on Redcar and Cleveland Council in February 2020 was well-publicised, and other councils such as Hackney and Gloucester have been badly affected since. Essex County Council recently announced that it was spending £1m to bolster its cyber defences. The technical and organisational controls required to mitigate the impact and likelihood of these risks are beyond the scope of this article, but this area should be high on any organisation’s assessment of fraud risks – it is now on many councils’ strategic risk registers.

Internal auditors need to be clear about where they get assurance from. Do you rely on second-line assurance from your information security function – do you know what external assurances are obtained in areas such as PCI compliance, penetration testing, PSN health checks and ISO accreditation? Has your organisation’s response to a significant cyber attack been tested thoroughly and incorporated into your emergency planning regime? 

The National Cyber Security Centre publishes guidance on protecting organisations from cyber fraud, but you should also consider whether you have sufficient specialist computer audit resource to provide a view on the adequacy of your organisation’s information security arrangements, either procured externally or resourced in partnership with other councils.


Cyber-enabled

These are frauds that existed before computers, but have been made easier using technology. Incidences of these have increased in the past couple of years, possibly because of the changes in the control environment already discussed.

For councils, the main cyber-enabled frauds are creditor and payroll diversion. These are becoming increasingly sophisticated – fraudsters use sites such as LinkedIn to identify staff with roles of interest in an organisation and the working relationships between staff. They use social engineering to obtain information to support a fraud.

It’s crucial for internal audit to network effectively and communicate known risks and events. Does your organisation get alerts from other authorities through local and national networks, or via the National Anti-Fraud Network? Are these circulated to all the relevant teams?

Most cyber-related risks operate on the “weakest link” principle, requiring only one instance of control failure to succeed. Ongoing training and awareness-raising is vital. You need regular activities in this area and compliance cannot be a tick-box exercise.


Employee fraud

Examples include:

• Working for more than one employer while working from home.

• Working while sick.

• Taking payments over the phone while working at home and misusing card details.

• Forging sick notes.

• Providing false references.


Procurement fraud

Examples include:

• Colluding with suppliers to win bids, or overcharge for goods and services.

• Misusing corporate procurement cards (ordering items to be delivered to home addresses).


Serious and organised crime

Examples include:

• Organised crime gangs targeting local authorities and influencing staff with authority to make decisions/approvals.

• Criminals becoming involved in activities that impact on council operations (eg, business rates and housing).


Tenancy fraud

Examples include:

• An increase in tenancy fraud (especially succession fraud), possibly because fewer tenancy audits were carried out in the past two years.


Social care

Examples include:

• Misusing service users’ personal finances – temporary arrangements put into place during the pandemic in relation to checks on direct payments increase the opportunity for misuse and abuse by personal assistants and friends/relatives of direct payment recipients.

• People overstating or fabricating care needs to obtain direct payments.

• Economic pressures increase the motivation for people with relatives in residential social care to divert pension or benefit payments, or steal funds.


What can we do?

Most fraud risks that councils face can be mitigated in ways that are familiar to all auditors. Review key financial systems regularly. Focus on separation of duties, compensating controls and random spot checks where fuller oversight is not possible – and ensure there are no areas where significant assurance gaps have opened in the past two years.

Check that temporary procurement arrangements, and other changes to schemes of delegation or access to systems set up at the start of the pandemic, have now been reversed. A report by MHCLG in 2020 provides a comprehensive overview of the procurement landscape and has lots of appendices – including examples of good practice, case studies, a procurement fraud and corruption risk matrix, a fraud review checklist and examples of data analytics tests. Most of these can be adapted for any audit review of this area.

Review arrangements for temporary staff/agency workers. What were the recruitment and vetting processes and what permissions were they given to access systems? Ensure that proper verification checks have been carried out, including qualifications, background checks for high-risk posts, right to work, etc.

Use data analytics. Look out particularly for unusual spending patterns and high-transaction volumes on procurement cards and compare and contrast with pre-pandemic patterns. The Competition and Markets Authority is running a project on public procurement and bid rigging and will share its intelligence with local authorities and discuss the use of data analytics to identify unusual tendering activity.
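As an added illustration of the kind of data analytics test described above (this is example code, not material from the article, FFCL or the CMA), the following Python script runs two simple checks over procurement card transactions: it compares each cardholder's monthly transaction count and spend in a review period against their own pre-pandemic baseline, and it lists deliveries to addresses that are not known council sites. The transactions, the council postcodes, the date windows and the thresholds are all constructed assumptions for the example; a real review would draw them from the purchasing card feed and the estates register and tune the thresholds to the authority's own data.

```python
"""Added example: two data-analytics tests over procurement card transactions.

1. Volume/spend anomalies: each cardholder's monthly count and spend in the
   review window is compared with the mean of their own baseline months.
2. Off-site deliveries: transactions delivered to a postcode that is not a
   known council site.

All data below is constructed for illustration; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Assumed set of council delivery sites (constructed postcodes).
COUNCIL_POSTCODES = {"WA1 1AA", "WA1 1AB"}

BASELINE = (date(2019, 1, 1), date(2019, 12, 31))   # pre-pandemic window (assumed)
REVIEW = (date(2021, 1, 1), date(2021, 12, 31))     # window under review (assumed)


def _constructed_sample():
    """Constructed transactions: (cardholder, date, amount in GBP, delivery postcode)."""
    rows = []
    for m in (1, 2, 3, 4):  # four baseline months with a steady pattern
        rows += [("CH001", date(2019, m, 5), 50.0, "WA1 1AA"),
                 ("CH001", date(2019, m, 20), 50.0, "WA1 1AA"),
                 ("CH002", date(2019, m, 12), 200.0, "WA1 1AB")]
    rows += [
        ("CH001", date(2021, 1, 5), 50.0, "WA1 1AA"),    # normal month
        ("CH001", date(2021, 1, 20), 50.0, "WA1 1AA"),
        *[("CH001", date(2021, 3, d), 50.0, "WA1 1AA") for d in (2, 4, 9, 15, 25)],
        ("CH001", date(2021, 3, 20), 50.0, "M1 2XY"),    # delivered off-site
        ("CH002", date(2021, 2, 12), 200.0, "WA1 1AB"),  # normal month
        ("CH002", date(2021, 4, 12), 1800.0, "WA1 1AB"), # single unusually large purchase
        ("CH003", date(2021, 1, 8), 75.0, "WA1 1AA"),    # card issued during the pandemic
    ]
    return rows


TRANSACTIONS = _constructed_sample()


def monthly_totals(transactions, window):
    """Per cardholder, per (year, month): [transaction count, total spend] within window."""
    start, end = window
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0.0]))
    for holder, when, amount, _postcode in transactions:
        if start <= when <= end:
            bucket = totals[holder][(when.year, when.month)]
            bucket[0] += 1
            bucket[1] += amount
    return totals


def flag_volume_anomalies(transactions, baseline=BASELINE, review=REVIEW,
                          z=2.0, min_months=3):
    """Return (cardholder, (year, month) or None, reason) for review months whose
    count or spend exceeds the cardholder's baseline mean plus a margin.

    The margin is z standard deviations, with a floor (one transaction, or 25% of
    mean spend) so that a perfectly steady baseline does not flag every small
    change. Cardholders with fewer than min_months of baseline history are
    reported as 'no baseline' so they can be reviewed by other means.
    """
    base = monthly_totals(transactions, baseline)
    rev = monthly_totals(transactions, review)
    flags = []
    for holder, months in rev.items():
        history = list(base.get(holder, {}).values())
        if len(history) < min_months:
            flags.append((holder, None, "no baseline"))
            continue
        counts = [c for c, _ in history]
        spends = [s for _, s in history]
        count_limit = mean(counts) + max(z * pstdev(counts), 1.0)
        spend_limit = mean(spends) + max(z * pstdev(spends), 0.25 * mean(spends))
        for month, (count, spend) in sorted(months.items()):
            if count > count_limit:
                flags.append((holder, month, "high transaction count"))
            if spend > spend_limit:
                flags.append((holder, month, "high spend"))
    return flags


def flag_offsite_deliveries(transactions, council_sites=COUNCIL_POSTCODES):
    """Return (cardholder, date, postcode) for deliveries outside known council sites."""
    return [(h, d, pc) for h, d, _amt, pc in transactions if pc not in council_sites]


if __name__ == "__main__":
    for flag in flag_volume_anomalies(TRANSACTIONS):
        print("volume/spend:", flag)
    for flag in flag_offsite_deliveries(TRANSACTIONS):
        print("off-site delivery:", flag)
```

On the constructed data the script flags CH001 in March 2021 for both count and spend, CH002 in April 2021 for spend, reports CH003 as having no baseline, and lists the single off-site delivery. The point of the baseline comparison is that "unusual" is judged against each cardholder's own history rather than a single organisation-wide threshold, which is what the pre-pandemic comparison above calls for; the off-site check is the direct counterpart of the home-address misuse listed under procurement fraud.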

Examine management review procedures. Have one-to-one interviews and performance reviews been carried out while staff worked remotely? Would managers be aware of the warning signs in their staff – for example, people not taking holidays, living expensive lifestyles, or erratic behaviour?

Review relevant policies, procedures and statements – anti-fraud policy, whistleblowing procedure, register of interests, gifts and hospitality. Ensure that these have not fallen into disuse over the past couple of years and are still regularly publicised and checked for compliance.

Training and awareness-raising (for both staff and managers) – it’s important to remind everyone that unethical behaviour will not be tolerated.


Managing fraud risks holistically

Ensure that the tone from the top is correct. Show senior managers the financial and operational consequences of fraud and ensure they are aware of the range of fraud risks you face. Fraud and error (and inefficiency) often have the same root causes, so effective fraud risk control measures are not just business overheads.

Incorporate fraud risk assessments into audit planning. If you have a separate counter-fraud team, involve them in the planning process to ensure a co-ordinated approach.

After every internal investigation, ensure both counter-fraud and internal audit staff generate feedback to management on any control issues identified. Both groups gain from sharing knowledge and insights.


Doing a fraud risk assessment

People often ask whether fraud should be on the organisation’s strategic risk register. I think the question should be: “Does fraud feature in your assurance framework?” To which the answer is definitely yes.

It’s easy to focus on familiar risks or those your organisation has most information about. The model splits risk scoring into known internal and external issues, encouraging you to consider risk factors, incidents and intelligence from other organisations, as they may have investigated areas, or experienced incidents, that you haven’t. This should also help to counteract the insular approach in those organisations that say they have no fraud (yes, these still exist).

This assessment should also cover bribery and corruption risks, which can be tricky to assess for probability as there are relatively few examples in the public sector – however their impact score is high.

The fragmented nature of intelligence on the value of frauds in different areas of the public sector is problematic when trying to score fraud risks. This makes intelligence sharing and networking even more important.

The revised ISA 240 comes into effect from the audit of 2023/24 accounts, and requires external auditors to apply greater “professional scepticism” when assessing an organisation’s response to fraud risks. At the very least you will need to demonstrate that you have undertaken some form of formal fraud risk assessment.


What can help you to manage fraud risks?

Fighting Fraud and Corruption Locally (FFCL) hosts a site on the Knowledge Hub, which all local authority staff with an involvement in counter-fraud work can join. The site contains links to all the national publications and reports we have used to identify emerging fraud risks.

We are also starting to populate it with supporting material for some of the key risk areas identified above – part of the “box of promises” that we included in the FFCL Strategy. We encourage both internal audit and counter-fraud staff to use this material to deliver a co-ordinated programme of counter-fraud work.


Conclusion

Although councils face increasing fraud risks, the proper application of key controls provides significant mitigation, so you must be fully aware of where these risks lie. Compliance work must be supported by the right corporate culture – senior management need to understand the consequences of fraud and not see mitigation as an overhead.

Last, but not least, internal auditors can add real value in this area. Fraud, error and other non-compliances share many of the same root causes, so counter-fraud should be one aspect of this element of your assurance framework. 

Simon Bleckly is head of audit, risk & insurance at Warrington Borough Council, head of internal audit at Salford City Council, a member of the Fighting Fraud and Corruption Locally (FFCL) Strategic Advisory Board and chair of the FFCL Operational Group.


This article was first published in July 2022.