Public Audit and Post-legislative Scrutiny Committee

Meeting date: Thursday, September 3, 2020

Official Report 557KB pdf

---

National Fraud Initiative 2018-19

Item 2 is to take evidence on the national fraud initiative 2018-19. I welcome our witnesses from Audit Scotland: Fiona Kordiak, director of audit services; Angela Canning, audit director for audit services; and Anne Cairns, manager of performance audit and best value. I invite Fiona Kordiak to make an opening statement.

Thank you, convener. Audit Scotland’s “National Fraud Initiative 2018/19” report was published on 9 July. The NFI is a counter-fraud exercise across the United Kingdom public sector that uses data matching to help prevent and detect fraud. It looks for fraud and error in relation to things such as blue badges, public sector pensions and council tax discounts. The NFI exercise takes place every two years. During 2018-19, 124 Scottish public sector bodies participated in the exercise—an increase of 11 from the 2016-17 NFI exercise.

I will highlight briefly some of the key messages in our report. The Covid-19 pandemic has brought significant risks and challenges across the public sector, including additional fraud risks that it will be important for public bodies to identify and manage. Many staff are working remotely under extreme pressure, which makes good governance and sound controls more important than ever. We have highlighted some of those emerging fraud risks in our NFI report. We also published a briefing paper, on 23 July, which provides more detail on emerging fraud risks from Covid-19 and—crucially—on what public bodies can do to reduce those risks.

Since we last reported on the NFI in July 2018, outcomes valued at £15.3 million have been recorded, which represents a fall of £2.4 million. That fall could be the result of less fraud and error in the system; stronger internal controls that prevent fraud and error from happening in the first place; or less effective detection of fraud and error.

Most organisations demonstrate a strong commitment to counter-fraud and to the NFI. However, some could act more promptly, and could ensure that sufficient staff are in place to investigate data matches. Local auditors have identified specific areas in which some public bodies need to improve, and audit teams will follow up on those in the next exercise.

Audit Scotland continues to work with the Cabinet Office and the Scottish Government on developing new ways to prevent and detect fraud, and on enhancing participation in the NFI across Scotland.

As always, convener, my colleagues and I are happy to answer any questions that the committee may have.

Thank you. I ask Colin Beattie to open the questioning on the committee’s behalf.

Fiona Kordiak said that 11 more organisations participated in the exercise this year. The effort is voluntary—it is not enforceable. How many bodies do not participate, and are not currently invited to do so? I am thinking of arm’s-length external organisations and so on. We discussed that with the previous Auditor General for Scotland, and the committee expressed concerns. Do you have any comments on that?

Audit Scotland can mandate bodies to participate in the national fraud initiative, but only those that are subject to the Auditor General or Accounts Commission audit regimes. That does not include ALEOs, but bodies such as ALEOs and public sector bodies that fall outwith the remit of those audit regimes can volunteer to take part.

Do they volunteer?

When we think about the bodies that we might mandate, we take a view on how significant the NFI is likely to be for them. There is a cost to bodies for taking part in the exercise, so we sometimes take the view that for a very small body, or depending on the type of activities that a body undertakes, it would not be worth while for them to participate. If the committee is interested in which public sector bodies participate in the NFI, there is a full list on our website.

How many bodies actually volunteer?

I do not have the information to hand. I will pass that question on to Anne Cairns to see whether she knows. If not, we can quickly get back to you on that. Anne, do you have any further information?

I do not have the information to hand. In the last exercise, some housing associations volunteered some of their data, and we had some joint boards involved. We will be able to come back to the committee with that information.

My concern is whether there is a large gap in the information gathering. There certainly was when we discussed the exercise on previous occasions, and I would like to understand the extent to which that issue is continuing.

I will return to fraud, which is always a popular subject for the committee. You flagged up that there is an increase in cybercrime, phishing emails and various scams trying to access public sector systems. We have read in the newspapers about all the ransomware and so forth. How much evidence do you have of that activity occurring, and how widespread is it?

I should stress up front that the likely fraud risks resulting from Covid-19 that we have outlined in our NFI report and in our more detailed briefing are based on our professional judgment, our experience of auditing the public sector and helpful discussions that we have had with colleagues in Police Scotland, NHS Scotland counter-fraud services and the Scottish local authorities chief internal auditors group.

I am not talking about Covid-19.

Our briefing and the risks that we have outlined in relation to Covid-19 are not based on detailed audit work, so we do not yet have a clear picture of the spread or prevalence of those risks in practice. What we have to date is some anecdotal evidence that suggests that those risks are real. For example, I can talk about Audit Scotland’s own experience: we have certainly seen an increase in email phishing risks since the start of the pandemic.

Over the years, when the NFI has come before the committee, the question of fraud, cybercrime and so on has repeatedly come up. Leaving the specific issue of Covid-19 aside—I will maybe explore that in a moment—do you think that public sector bodies are taking adequate or appropriate action to minimise the risks and day-to-day issues around phishing and various other scams that take place?

I have been reading about one or two councils south of the border that have been subject to ransomware. I am not sure of the extent to which anybody can be prepared for that. I would be interested to hear your comments in that regard.

The NFI report that we are talking about today does not specifically cover areas such as cybercrime or phishing attacks. We know from our work that there is an increased prevalence of phishing attacks and cybercrime in public sector bodies and in bodies more generally.

We have done audit work in some bodies to look at general levels of preparedness. That aspect has improved in recent years, as there has been much more publicity and visibility around those threats. However, threats develop and move quickly, and it is hard for any organisation to keep up to date with the latest threat level. We have not done any detailed work on that area, and certainly not as part of our NFI work.

I mentioned it because you flagged up an increase in that area.

You have already touched on Covid-19 slightly. Clearly that is a whole new ball game, and we are still in the early stages. Again, I have noticed newspaper reports from south of the border indicating that a substantial proportion of funds may have gone adrift, shall we say—they have been issued to the wrong people or under the wrong criteria, or whatever. I saw the figure of £600 million for one particular tranche of money.

It is clear that it will take time for all that to work through. Will there be a specific effort from Audit Scotland to identify where such misapplications have taken place here? Are public bodies realistically able to take any more measures than they are currently taking to act against that type of fraud? Is it unrealistic to expect them to do so? Given that they have been the main conduit, do you have any examples of councils that have developed good practice in that regard?

I will pass that on to Anne Cairns, who might be able to provide some information on what she is hearing from councils and what they are currently doing.

Audit Scotland is trying to be proactive in that area. We published a briefing paper, “Covid-19: Emerging fraud risks”, to try to increase awareness in public sector bodies of the types of fraud that are possible, and to offer suggestions for remedial action that bodies can take to address those issues.

You are right to note that we have not yet undertaken any detailed audit work. That will take a bit of time. As you probably know—and as the Auditor General has flagged up—our audit teams are currently fully engaged in auditing the 2019-20 financial statements. The normal timetable for that work has been delayed, but towards the end of this year, we will start to think about planning our activity for 2021. Fraud will be a particular issue for consideration, and we will think about how we can best target our efforts.

With regard to the NFI, we are in discussions with the Cabinet Office. It already has some proposals to introduce specific data matching in relation to Covid-19 support measures, so it is on the case in that regard.

We think that councils have been quite active so far. You mentioned councils’ work in dealing with fraud risks, so I will hand over to Anne Cairns, who might be able to say a bit more about what she is hearing about what councils are doing, particularly in relation to some of the business grant support that they are administering.

09:30  

With regard to the NFI in particular, the Cabinet Office is currently running a small pilot down south, in about half a dozen English councils, to explore the best ways to data match and use all available facilities in order to identify fraud specifically in applications for funding relating to Covid-19. We hope that that will be rolled out across Scotland at the end of this month or in October. It will look specifically at the grants that were paid out to businesses. The Cabinet Office is finalising the outcomes of that pilot and trying to identify exactly which data set matches give the best outcomes.

However, that will happen in the future. The grants and funding that you are talking about have been paid out since the beginning of April. From quite early on, we been working with the Cabinet Office and have been able to access some of its systems. The Cabinet Office pays out grants worth multiple millions of pounds every year, and they have systems in place that allow them to check bank account verification details and whether a company is actively trading. Those systems have been available to our councils since spring, which means that when councils pay out grants or funding, they are able to tap into them and verify any suspicions about a particular claim or check whether several claims have been put through.

As well as that, councils have been actively sharing cases when they have come across an application for funding and have identified that it is not right, such as when it is fraudulent or its details are incorrect. That information is shared across Scottish councils daily, believe it or not, which means that if someone attempts to get funding from one council, other councils are made aware of the details. We have found that fraudsters are attacking by presenting themselves as representatives of national companies with offices, shops or whatever else they might have across the country.

Councils have been pretty proactive. The system is not perfect; it was set up very quickly. However, that sharing has been and still is going on.

I would like to ask one last question. Audit Scotland builds its audit programmes according to its desired outcomes and so forth. The speed with which funding has had to be distributed during Covid-19, and the fact that there has been a rather low level of scrutiny and lesser due diligence than there would normally be, has obviously created new challenges for Audit Scotland in how it approaches its audits and requests its auditors in the field to approach those audits. Are you alert to that and prepared for it?

We are very alert to that risk. All of our audit work is risk based, so we identify risks that come about as a result of new payment streams being brought in at speed. As you said, bodies have to balance the need to get money out to those that need it most, at speed, with the need to get internal controls in place. In the NFI report and briefing, we flagged some of the additional risks that have come about from staff working in unfamiliar areas and with capacity issues and so on. All of that brings risks. Our audit teams are very alert to those risks and we will be looking at them as part of the 2021 audit.

I am in discussions with the other audit agencies across the UK that face exactly the same issues, and they are interested in exchanging experiences and good practice and thinking about how we address those risks in the years to come. I can give you reassurance that we are very aware of and alert to those risks.

My supplementary relates back to Colin Beattie’s first question about the number of bodies that take part in the NFI. I am really interested in the number of bodies that do not take part. Do you have a figure for the bodies that have said that they will not take part?

I do not have that figure to hand. The bodies that are mandated by Audit Scotland do not have any choice. If we choose to mandate a body, it has to take part. In the NFI report that is before the committee, we highlight bodies that we feel are not participating sufficiently well, and local auditors will also highlight any deficiencies. Any body that we ask to take part must do so, but other bodies can volunteer. I do not have to hand a number for you on how many bodies within the public sector audit remit have not been mandated to take part, but I could provide that later if it would be helpful.

I get the fact that some bodies have to take part, but others do not. I am interested in the latter. If you could perhaps come back to us with a number, that would be useful.

We could do that.

Even a list would be of interest, as long as it is not too long.

I would like to pick up that point with Fiona Kordiak. What is the process for mandating a body? Can Audit Scotland just take that decision or does it require regulation? How does that work?

Audit Scotland takes the decision. I will hand over to Anne Cairns, who can perhaps talk the committee through the process of how we go about that. Anne, can you help out, please?

Under the Criminal Justice and Licensing (Scotland) Act 2010, Audit Scotland can mandate any body that falls within its audit remit. We carry out an internal review of such bodies. We know what size they are, the systems that they have and the services that they provide. In conjunction with local auditors who are aware of the local risks, we then make a call as to which bodies would derive most benefit from the NFI.

The bodies that are not currently mandated tend to be very small, with small numbers of employees—they include the smaller central Government bodies. All councils are mandated—as are health boards, apart from the Mental Welfare Commission for Scotland, because of its size. That is how we go about deciding which bodies should be mandated.

Are you confident that every body that should be mandated is being mandated?

Yes.

I turn back to Mr Beattie’s questions on Covid-19 funding. I realise that the situation is still fresh and is on-going, and not for a second would I question all the programmes that have been introduced to support individuals and businesses. However, I have questions on specific aspects of those.

Will all the grants that are coming to Scotland—I am talking about grants that are not necessarily administered in Scotland, but which are coming here—be covered by the national fraud initiative, or will other bodies be responsible for some of them? An example would be the bounce-back loans. Would those come under the initiative or would they fall within someone else’s remit?

The national fraud initiative covers the whole UK. However, regardless of whether a body comes within Audit Scotland’s part of the NFI or within the English or Welsh part, it should be covered if it is viewed as being significant and if it lends itself to data matching—by which I mean that it can produce data sets that can be matched against others.

Anne Cairns might be able to give a little more information on the Cabinet Office’s current consideration of new Covid-19 data sets.

09:45  

The data sets that will be matched for the purposes of the NFI this autumn relate to the grants that are being paid out to businesses. Those do not cover all the funding that has come from the Scottish Government.

There is a fund to support the newly self-employed, under which I believe that people can claim £2,000. The Improvement Service and councils are considering carrying out data matching on that themselves. We tend to examine the larger grants—those of the order of £10,000 or £25,000, say.

As Fiona Kordiak has said, the Cabinet Office deals with matters across the UK. Only the NFI is included in that work. I am aware that in the past few months there have been discussions on how the Cabinet Office might tackle examining other national schemes, but that is outwith the terms of the NFI and I do not have the details to hand.

Given the amount of money that is being disbursed and the number of schemes that have been introduced, has the national fraud initiative’s capacity been increased to reflect the added risk and extra workload?

I do not have that information to hand. I know that the Cabinet Office has been reviewing and consulting on changes to the NFI regime and how it is funded and resourced, but I am not aware of the outcome of that review. I do not know whether Anne Cairns has any further information.

Over the past six months—since the lockdown started—the NFI team in the Cabinet Office has totally reprioritised its work to enable it to consider the funding provided during the Covid-19 crisis.

Within the Cabinet Office, the fraud, error and debt team, which is a wider team that is separate from the one that deals with the NFI specifically, has always dealt with such matters in relation to the large grants that the Cabinet Office and the UK Government pay out. I believe that, over the past six months, that team has also been refocusing its attention towards the Covid-19 funding that has been paid out.

I am not aware of whether those teams now have any extra staff, but they have reprioritised their workloads to focus on Covid-19 matters.

Is that just in the Cabinet Office? Money has also been devolved to the Scottish Government and then sent to councils for them to administer funds. Have they increased their capacity to carry out fraud investigation?

I do not think that we have any information on that at the moment. I am not currently aware of any councils having expanded their fraud teams, but we will consider that aspect as part of our 2020-21 audit, in which we will consider the measures that bodies have put in place to address the various fraud risks. As always, a balance will have to be achieved between prevention and detection.

Would you expect them to do so?

That is a hard one to answer. In our briefing paper, “Covid-19: Emerging fraud risks”, we encourage bodies to make risk assessments and to consider bringing in new internal controls and detection measures in the areas of greatest risk.

At the moment, it is hard for me to make a general pronouncement or to give the committee a general view on what bodies should be doing. All bodies have capacity constraints and so on. The public sector in Scotland has also been under massive pressure to respond to the pandemic, and many of its immediate efforts have naturally been directed towards that response. Efforts will also have to be directed towards the building back better approach and considering what the new normal might look like. Any public body will therefore have to balance its efforts between delivering services to support citizens and the public sector on the one hand, and protecting the public purse on the other.

All public bodies have a duty to protect the public purse, so we expect to see appropriate arrangements in place to prevent and detect fraud. I cannot say at the moment whether that would mean an increase in fraud detection activity or—as Anne Cairns highlighted in relation to the Cabinet Office—a reprioritisation of some of that activity.

Surely fraud detection should be a priority? I am not saying that it must happen immediately, or that it should have happened at the height of the pandemic when the priority for staff was the front-line effort to suppress and defeat the virus. However, as we continue to come out of the pandemic and into a phase of managing—and, I hope, eliminating—the virus, we should have more space to begin that reprioritisation effort and building back better approach.

Part of building back better and protecting the public purse is making sure that we hold to account, as far as possible, those who took advantage of the fact that we were in a crisis to defraud the system. Surely as part of building back better we must have strong measures in place so that we can look back at what happened during the pandemic and can try to get back some of that money to maximise its use. As you say, public finances will be tight. Surely we want to get that money away from people who may have defrauded the system and back to delivering proper public services for communities across Scotland?

You are right. We would expect retrospective checking to be undertaken in high-risk areas. However, that must be balanced with putting in place good protective measures that prevent fraud and error from happening in the first place. We expect bodies to do a risk assessment and to prioritise their efforts where they are going to get the biggest bang for their buck and the most return for the public purse.

How do you measure that? I hear what you are saying about a report next year. We must give people guidance on what the adequate measures are. Is there a process for ensuring that measures are adequate when they are implemented, rather than looking back a year later to see whether they were adequate? Fraud might take place that could have been avoided.

A core part of the normal annual audit activity in any public sector body is a review of the arrangements for the prevention and detection of fraud and corruption.

Our audit teams will look at the issue in the coming year and will report on the adequacy of those measures in their annual audit reports. That will include looking at the internal controls that are in place to prevent fraud and at the investigation and detection activity.

Good governance has never been more important than it is now. Audit and scrutiny committees and bodies must ensure that they are aware of the changing risk profile in their organisations and that they are satisfied with the steps that management is taking to respond to those risks.

In light of that, on 23 August, we published a good practice briefing for audit and risk committees. It highlights some of the questions that they should now ask their organisations about the response to Covid-19. They should be asking about internal control and insurance arrangements, financial reporting, governance and risk management. We have tried to be proactive and helpful.

In the latest year, how much did it cost in total to run and implement the national fraud initiative in Scotland?

In our report we tried to estimate the cost of the NFI; I am looking at the report just now and that information is on page 17. It is always quite difficult to estimate the cost of participating in the NFI with any degree of precision, but we know that the cost that Audit Scotland pays to participate is £213,750. We asked a number of bodies to estimate the cost of their participation in the NFI and we set out some of that on page 17 of our report. However, many bodies do not do their work on the NFI as a discrete exercise but do it as part of their overall fraud prevention and investigation activity, so it is hard for them to specifically identify that cost. Where they have done so, we have outlined the cost on page 17. We are clear that the costs of running and participating in the NFI are significantly less than the returns. Returns in the current exercise were £15.3 million, which is a combination of overpayments already made and estimated future savings from losses that would have happened if a fraud or error had not been corrected. Although it is difficult to estimate the total cost, it is significantly less than the benefits of the NFI.

What is your ballpark figure for the total cost? Is it £7 million? Is it £5 million? Is it £10 million?

We estimated that as best we could on page 17 of the report. As we have highlighted, we think that the cost for an individual body varies from £120 to £30,000. As I said, the cost for Audit Scotland is £213,750.

You are claiming returns of £15 million over the current period in the latest figures. To judge the value for money for that £15.3 million, you need to know the outcome and how much it cost to achieve that figure. Do you have a total cost against that £15.3 million?

As I said, we know the cost to us, but we have not—

Specifically, do you have a global cost for Scotland?

No. We do not have that.

So you cannot tell the global value for money. My second point is that you say in your report that, since 2006-07, you have recovered just under £144 million in Scotland, which is just more than an average of £13 million a year but, as you also point out, in the past two years that has gone down to an average of £7.5 million a year—it has been almost cut in half. You covered the possible reasons for that reduction in your report and in your remarks, but the public sector in Scotland spends something in the order of £40 billion a year, if we include local government, and £13 million a year on average—even if we take that figure—does not seem a very high amount as a percentage of well over £40 billion, and probably over £50 billion this year. Moreover, it is a decreasing percentage, because total public spending was nearer £30 billion when the initiative started; it has risen to well over £40 billion, and this year over £50 billion, but the amount of fraud is going in the other direction. Do you think that we are scraping the surface of fraud and overpayments and the like in Scotland? It seems a very small figure as a percentage.

It is worth remembering that most public sector expenditure is paid correctly—to the correct people or recipients. Fraud and error are only a small part of the system.

We think that there is a lot of value from the NFI that cannot be measured, so it is not part of the £15.3 million. There is the deterrent impact of the exercise. Employees will be notified on their payslips that their data will be subject to data matching. All the Audit Scotland staff were notified of that just this week, by coincidence. Service recipients will be notified that their data will also be used for data matching. That helps to produce a deterrent impact against fraud.

When organisations investigate the data matches and come across fraud and error, it gives them the opportunity to reflect on why that fraud or error occurred, to go back and review their systems and to tighten up on any weaknesses. In our view, £15.3 million of outcomes is only part of the story. There is the deterrent impact, which cannot be measured, and there is the opportunity that investigating the matches provides for tightening up on systems,

But if you add in all the additional costs on public sector bodies of the internal audit function and the external function, with the NFI on top of that, is this the best that can be done? If we add up the total cost of all the audit in the public sector in Scotland, it comes to tens of millions of pounds. The internal audit function is often put out to fairly expensive multinational accountancy companies, and much of the external function is also put out to big companies, which make a lot of money on it on a consultancy basis. There is then the national fraud initiative on top of that. Is it not time that we looked at things in totality and found a better, more effective way of doing this?

We have seen many examples where the internal audit function has failed and the external audit has been totally inadequate, despite the payments that have been made to the external auditors. Then there is a national fraud initiative, and it is impossible to measure its value for money—although some of the reasons for that are perfectly justified. Do we not need to have a total look at this? Frankly, we are spending a lot of money, but I am not sure that we are getting much of a return from auditors and the NFI.

In my position, I would argue that good governance and good assurance cost money. The public have a right to expect that public money is spent on the purposes intended and is directed to those who are entitled to that money and those services, not to those who choose to defraud the public purse.

Yes, money is spent on internal audit, external audit and the NFI, but what you are seeing today in the NFI report relates to only a small fraction of what those assurance mechanisms bring to the public sector.

You are probably aware that there has been a significant debate in the corporate audit sector, largely focused on the fact that too little audit is undertaken to meet the needs of employees, stakeholders and so on. There is a live debate on that at the moment. There is a more general debate across the UK about the level of assurance that the public can expect and the money that they are prepared to pay for that assurance.

We could always do more on the internal audit process and the external audit process, and that would cost more, or we could do less, but that would provide less assurance. That is a public debate to be had, and people such as you, Mr Neil, obviously have a view.

I am referring to many section 22 reports that describe how, in a number of cases, the audit function has failed miserably, even though those audits have been executed by well-paid individuals, either in the public sector or externally.

I will move on to another proxy for the effectiveness of the initiative. How much of the £15.3 million of outcome from the NFI over the past two years related to fraud as opposed to overspending or wrong spending? How many criminal charges and how many criminal convictions resulted from the fraud element?

10:00  

To take your first point, I argue that the section 22 reports that come to the committee are evidence of the audit process working well, because they mean that significant issues—

Are you saying that the audit function worked well in NHS Tayside? You must be joking.

I think that the external audit function worked well in NHS Tayside.

That was not the committee’s opinion, but we will leave that for another day. We have already dealt with the issue but, quite frankly, I do not think that we would share your enthusiasm or endorsement.

I am sorry for interrupting.

You asked about the split between fraud and error in the outcomes. Of the £15.3 million of outcomes from the particular exercise of the NFI that we are talking about, £5.6 million was actual overpayment or error and £9.7 million was forward savings from losses that were avoided by issues being picked up. Of the £5.6 million of actual payments, £3.2 million—21 per cent of the £15.3 million—was identified as fraud.

However, when bodies investigate the matches, they assign the overpayment either to fraud or error, and our understanding is that, if there is any doubt, they tend to classify the issue as error rather than fraud. They classify something as fraud only if they have pretty clear evidence that it is fraud and that there was fraudulent intent. Therefore, we suspect that the fraud element is slightly underestimated.

I will come to Anne Cairns in a moment to see whether she has further information but, at the moment, we do not know the extent to which issues classified as fraud have resulted in prosecution. We know of some individual cases, but we do not know the overall picture.

Anne, can you help out on that?

I will just interrupt before Anne answers. You made the point earlier that one output from the national fraud initiative, which is unquantifiable, is the deterrence effect. If we do not know what happens to the people who allegedly commit fraud, we are missing out on a useful tool for deterrence. If a clear message is sent that people who defraud the public purse and are found out will be taken to the cleaners, surely that has a very effective deterrence effect.

I agree that there definitely would be such an effect. We highlight at least one case in our report in which someone was taken to court. Obviously, there is a time lag with many cases, so it is often some time before we can report the ultimate result.

I ask Anne Cairns whether she has any more information.

Off the top of my head, I do not know the exact number for the 2018-19 exercise because, as Fiona Kordiak said, there is a time lag. However, I suspect that the number would be really small.

Councils have the most outcomes, and there is a cost benefit consideration involved. We hear from councils that, with relatively small fraud involving a few thousand pounds, the procurator fiscal will not take the case through. In those cases, the council will go ahead and try to recover the money. It tends to be only the higher-value cases that go through the prosecution route. It is for the individual bodies, which are mainly councils and NHS counter-fraud services, to determine from their internal review and evidence whether it is worth while spending additional funds to go through that process.

That said, the bodies do report when they get a successful prosecution. For example, NHS counter-fraud services is very active on Twitter, so if it has any cases—even if they have to be anonymous—it likes to share and promote them in that way.

I am going to follow up on what Alex Neil asked about, because it seems to me that, if we want to deter people, we need to know how many prosecutions result from your work. We need to know details of those prosecutions and whether prosecutions have not been taken forward. If the procurator fiscal is a block to prosecutions, let us hear about it. It seems to me that your report should spell out how many people have been prosecuted as a result of your work. Is that not possible?

It is not something that we have ever tried to do to date, Mr Simpson. Trying to gather that information would have resource implications. As Anne Cairns said, there is a time lag between fraud and potential prosecution. It is obviously not for us to question the procurator fiscal’s decision on what to take to court and what not to. Audit Scotland does not have any remit on that. It is for each individual organisation to decide which cases they have the evidence to prosecute on and which ones they do not. Therefore, there is a limit to Audit Scotland’s remit in that area. The number of prosecutions is not something that we have ever tried to gather statistics on before.

It seems to me that we cannot deter people unless we know that people are being prosecuted as a result of your work. It seems a very simple point. That information has to be collated somewhere. I ask you to take that away with you.

Do you think that the organisations that are part of the NFI will have a record of on-going investigations, closed cases or those that are going to go on to the courts? They will have been asked to provide evidence for those. Surely it would be expected that individual organisations would have that information, and the issue is then whether Audit Scotland has the mechanism to collate it nationally—or are we saying that individual organisations do not have that information? It would really worry me if individual organisations did not have a tracking mechanism and if the issue was not only a matter of collecting data nationally.

Organisations will have that data. Such cases are quite rare; they would not have a lot of them on the go. Therefore, we could collate the information. I am not sure how we could track the number of cases that rise from a particular NFI exercise, but we might be able to do that. I would suspect that there might be some cases—even from the last NFI exercise in 2016-17—that might still be working their way through.

Of course, and that is why it would make sense. If an organisation that is part of the NFI detects a fraud, reports it to the police and it is investigated, it will record that information somewhere. If that leads to a prosecution, it will record that somewhere. I understand the difficulty in reporting within a financial year about what prosecutions have been successful, because that is not going to happen—let us be honest about it.

Someone could commit a fraud in 2016, but they might not be convicted for it until 2019 or 2020. No one is expecting you to say what instances of fraud were detected and how many successful prosecutions there were in one financial year. However, if you keep a rolling system that shows what happened in 2016 and how that compares with 2020, you can say that there are X number of investigations still on-going; there were X number of successful prosecutions; and there are X number of court proceedings coming up. If those organisations are collecting their data, as they should be, that should not be a big administrative issue for Audit Scotland. We are already asking you for other information, so it would not seem to be very difficult or cumbersome for you to ask one additional question and collate the information.

As Mr Simpson suggested, you can leave that with us and we will come back to you. We will consider how feasible it is and what the resource impact for us would be, and we will come back to you to say whether we think that it is possible.

Thank you.

That was useful. Fiona, you said in your opening comments that some organisations “could act more promptly” as a result of your recommendations. Which organisations have been dragging their feet?

I will pass that over to Anne Cairns in a moment, so that she can give you the detail. It is worth stressing that, in general, in my experience of being involved with the initiative over the years, bodies have got much better at engaging with and responding to the NFI. In our report, we compare engagement in the current exercise with engagement in the previous exercise. If we went back further to look at other exercises, we would see a picture of steady improvement. Anne Cairns can give you a bit more information about the small number of bodies that did less well in the current exercise.

In our report, we say that three colleges—Perth, North Highland and South Lanarkshire—submitted their data quite late, after several prompts from us and from the local auditors.

I point out that, as we have already mentioned, we increased the number of bodies participating in the most recent NFI, and the majority of the new participants were colleges. For those three colleges, therefore, the process was all strange and new to them. It involved not just a counter-fraud team but the use of information technology to extract data in the relevant format. In some cases, the colleges struggled with the IT resource, and they also cited a lack of general resources to enable them to undertake the NFI. Although we had given guidance and feedback, and the local auditors had experience with other audit clients who had participated in the NFI previously, it was all pretty new to those colleges, and they had other priorities.

Looking to the future, the local auditors have identified improvement actions in each of the bodies, and those have been reported on and followed up. We have also arranged engagement sessions with the participants later this month; the colleges have been very active in joining the sessions. We will run the sessions through Microsoft Teams—a bit like this meeting—and we will split them into different sections. A lot of the colleges will be grouped together so that they can bounce issues off each other. We hope that that will help them to get a good start on the next exercise.

So you hope that, if they are being helped, the situation will not happen again.

Fiona Kordiak mentioned audit and scrutiny bodies, probably in councils. I used to be a councillor, and I sat on the audit body. I can assure you that—as you have probably witnessed yourself—many councillors are not forensic when it comes to audit and scrutiny. It is all very well to issue a good-practice guide, but I wonder whether you go along to any of those audit committees and witness what goes on, and whether you have any observations on how they are performing.

10:15  

Over my years as an auditor, I have attended various audit committees in local and central Government and in the health sector. The level of scrutiny varies between bodies; some are much more effective than others. Our local audit teams routinely attend pretty much every audit and scrutiny meeting at the bodies that they audit. Part of their job is to comment and report on the effectiveness of scrutiny in each body and they are on hand to assist audit committees in their scrutiny activity. A number of teams have participated in training events for audit and scrutiny committee members, so the audit community is active in that area. Yes, I have seen plenty of audit and scrutiny committees over my 30-odd years as an auditor; over the piece, scrutiny has absolutely improved, but it is still patchy.

Yes—sometimes, I think that those bodies need to be directed, because if they do not know where to look or what to ask, they cannot ask it. A lot of councillors are not experts; we would not expect them to be. Perhaps we need to rethink how those bodies operate. It is just a thought; I am not asking you to comment on that.

I will ask about a couple of things in the report. First, on the subject of council tax reduction, page 14 of the report says:

“Councils have identified more than double the number of cases in 2018/19 but each with a smaller value, suggesting fraud and error is being picked up more quickly.”

Do you have any evidence for that suggestion?

No, we do not have specific evidence for that, because the NFI exercise does not lend itself to that kind of causational data. That is just our suspicion, from what we know is happening out at councils. Anne Cairns can provide more information on that.

Our thinking behind that comment in the report was that, over the past couple of years, the councils have had more and better access to Department for Work and Pensions systems. That also links to the housing benefit outcomes; although the number of such cases has gone up, they are getting identified quickly. For example, over the past couple of years, councils have, particularly on the housing benefit side, been able to access directly Her Majesty’s Revenue and Customs real-time information. If an employer sends a payroll to HMRC that shows a significant difference from an employee’s previous month’s pay, if that person is on housing benefit, an alert goes to a council’s screen to say that their income has gone up or down, so their case might need to be reviewed. That information comes up every day on councils’ screens; obviously, it is sorted by risk settings and value of change. Over the past couple of years, that has been business as usual. Through that, if an alert comes up for a housing benefit claimant, the council can say that the person has moved into a job, or into a better-paid job, and can get them in to review their housing benefit and, at the same time, their council tax reduction. I have a suspicion that that relatively new system is starting to filter through in the results and outcomes.

That all makes sense, but is there any way of confirming that that is the case? Obviously, it is very good if those things are being picked up but, in the report, you point out that not all of that is fraud; a lot of it is just error. People forget that they have the reduction or councils overlook it. It is clear that, if councils are linked up to HMRC and the DWP, that is a good thing. However, it would be useful if we had a little more evidence of that. Is that possible?

We will see what we can do about that. Part of the issue with the NFI has always been that it is very difficult to extract the reasons for movements in outcomes. As I said at the start, it is hard to tell whether there is genuinely less or more fraud and error in the system or whether internal controls are better up front. Perhaps bodies are not investigating the matches that come out as effectively as they might. It is quite difficult to get clear evidence of what is at play in any particular case or with any issue. In the report, we tried to bring out what we thought might be the reasons, but it is quite hard to get tangible evidence. However, we will take that issue away and have a little think about what we could do to more clearly try to pin attribution for the next exercise.

That is very useful.

Finally, the report mentions

“A pilot ... to help identify businesses inappropriately claiming Small Business Bonus Scheme (SBBS) relief.”

Just over £412,000 in incorrect awards was identified. Seven councils took part in that pilot. If similar levels of incorrect awards were spread across Scotland, the figure would amount to £1.9 million.

That pilot was done a wee while ago, so there has been a gap. I presume that it is finished. What has happened in the meantime? The report states:

“the Scottish Government is considering a national roll-out”.

That has not happened yet. Why not?

The report also says:

“Some system weaknesses were also identified”.

Can you say what they were?

I will pass over to Anne Cairns for detail on that. I think that you are talking about the non-domestic rates pilot.

That is correct.

You are quite right. The pilot, which specifically looked at the small business bonus scheme, was done last autumn. We worked with the Scottish Government’s non-domestic rates team in order to undertake the pilot, and we were delighted with the outcomes. The seven councils managed to identify the value of incorrect awards, and they were able to correct that.

The Scottish Government was keen to take that work forward. It was considering whether to extend the pilot to all 32 councils or to try it with different non-domestic rates relief. That was just as the Covid-19 lockdown was starting. The Scottish Government’s non-domestic rates team has been inundated with trying to get business support out to businesses over the past six months.

We caught up with the team just last month. It wants to go ahead and roll out the exercise, but it has not made that much progress. However, we will progress that issue over the next year with the Scottish Government’s non-domestic rates team.

So it has not said when it will roll out the pilot.

No.

What about the system weaknesses that were identified? Can you say what they were?

Yes. The system weaknesses were in some of the individual councils. One council had weaknesses in its data recording that meant that, when the data matching was undertaken, things were coming up as matches that, when we looked at them, we could see were due to an error in how the council had recorded things on its systems. That has been corrected and the issue has been raised with that council and shared across the others. There seemed to be particular issues in particular councils in relation to recording data. We have also made an evaluation of the pilot available on our website.

I will have a look at that.

My questions have been covered by other members, so I am happy for you to move on to another member, convener.

Thank you, Mr Bibby. I will go to Mr Bowman.

Good morning, everyone. Although a number of issues have been raised by others, I will run through them to see whether there is a different angle. I will go through them, and then we can come back to them individually, in order to give the panel a bit of a heads-up.

This is a different form of report than normal. How much time and resource did it take to put together, and is the £213,000 figure that you mentioned simply staff costs?

You said that there was a list of the bodies that participated on your website. I apologise if I missed it but, although I found a link in the report that told me the type of bodies that participated, I could not see a list of the named bodies.

How are you ensuring that the message gets out to the right people in governance and that they know that they should be reading this?

I think that Alex Neil asked about the billions of spending in the public sector. How much of those billions have, in fact, been covered by this initiative, and do we have an estimate of the level of fraud—the pounds—in the public sector?

That was a lot of questions—I will hand back to Fiona.

Luckily, I made a note of them as Mr Bowman was asking them.

Yes—it is a different form of report from the last that the committee will have seen the report. We hope that it is more accessible and attractive to the reader. It is less wordy than our previous report and there are more graphics. It is an in-house production, so Audit Scotland’s communications team produce the report. Angela Canning and her colleagues are responsible for all the hard work that goes into it.

No—the Audit Scotland cost of £213,750 at the end is our cost of participating in the NFI, so that money goes to the Cabinet Office. Anne Cairns will correct me if I am wrong on that, but that is not our cost of doing the audit work.

The cost that local audit teams spend on NFI is part of the overall audit effort. It is part of their review of—

Do you have a rough estimate of how many person days or weeks—perhaps you could tell us later?

We might be able to give the committee that information later. I cannot say off the top of my head whether our in-house audit teams have a specific charging code for NFI or one for fraud activity more generally. I think that it might be more difficult to gather the information for the audit firms; I am not sure how they collect their costs. We will get back to the committee on whether we have that information.

I will pass over to Anne Cairns to answer the question about the list of bodies.

On how we get the messages to the right people in governance situations, we have our Audit Scotland communication mechanisms through, for example, Twitter and Facebook, through which we try to get the messages out more generally. In addition to that, each of our audit teams in audit bodies has a responsibility to promote the findings of the report in their individual bodies. They are active in the NFI exercise on a routine basis. If they report any issues with a particular body’s engagement or non-engagement with the NFI, they routinely follow that up as part of the annual audit process. Our audit teams make sure that some of those messages get in front of the people that need to know, particularly audit and risk committees, to help them in their scrutiny.

10:30  

Taking Alex Neil’s point about some of the bad governance that we have seen and Graham Simpson’s point about people perhaps not being familiar with the underlying issues, will you present that information, or will there just be a report that is emailed round audit committees?

It will vary; it will depend on how a particular audit committee goes about its business. For the bodies that participate in the NFI, there will generally be a short summary of the body’s participation and so on in each auditor’s annual audit report, so those bodies will get their specific and unique messages through those reports. However, we hope that our auditors bring the overall report to the attention of their audit committees as well. Practice will vary depending on whether the audit committee has a formal item on its agenda for discussion or whether the report is only circulated for noting. That will vary from body to body, but we are keen that all the work that we do has an impact and, as I said, that is one of the reasons why we have tried to change the format of the report to make it more accessible.

On the format of the report, it would be useful to have a bit of description—of not too many words—of how you went about the exercise. That would have helped me to understand the results.

That is useful feedback, Mr Bowman; we can take that back. We are always interested to get feedback on how well our reports are received and whether there is anything that we can do to improve them. If you are interested in individual results, you can drill down into those on our website, so you can see the outcomes for any particular body that participates in the exercise.

Does Anne Cairns have any information on the list of bodies?

There is a list of participants on the website; it is called something along the lines of “2018-19 NFI participants”, I think. Basically, the list comprises all the councils, all the health boards, apart from the Mental Welfare Commission, and all the colleges. There is a detailed list in relation to the central Government bodies, because the Scottish Government submits data on behalf of some of those bodies and others submit their own data. They are all listed and are split into those that submit their own data and those that have their data submitted by the Scottish Government on their behalf.

We seem to have lost Mr Bowman, so I will go to Willie Coffey.

I will ask a couple of questions about the scope of the exercise. The report looks at areas such as council tax discount and other discounts, pensions, housing benefit, the blue badge scheme and student awards. It seems that the poorer members of our society are targeted. Who decides the scope of the NFI, and why does it not reach out to other areas, such as public procurement and corporate contract awards? Why does it not lift its gaze to a wider audience?

The scope is largely focused on areas where matching different data sets can help to drive out anomalies that may be indicative of fraud or error in the system. Not all areas of public sector spend lend themselves quite so easily to that kind of data comparison.

Anne Cairns will be able to give you a little bit more detail about the discussions that take place at the Cabinet Office, and our discussions with the Cabinet Office, about what would be useful data sets to include. It is worth stressing that the data sets included in the exercise are under review all the time, so we may drop some that might be less useful and less productive, while keeping an eye on new data sets that it could be useful to investigate. Covid-related business grants have been mentioned, and I think that some of them will probably be included in the next exercise.

I ask Anne Cairns to fill us in on the decision-making process for the data sets.

As Fiona Kordiak says, the data sets are kept under review by the Cabinet Office, which holds all the data and does the data matching on our behalf.

Participants in Scotland are highly vocal and we have quite a few engagement sessions with them across the two-year period. At each engagement session, we ask the fraud specialists—the fraud investigators from councils, the NHS, central Government and colleges—about things that are not included that they think there would be merit in including in future. That is a constant dialogue, and they come to us with some suggestions. Before we include anything, however, we undertake a pilot. There is piloting work going on all the time with the Cabinet Office. We did some piloting around student awards, and the non-domestic rates work was a pilot exercise. Other pilots are under way, such as some work on the Covid business grants, which is just about complete. That is how we take suggestions forward.

In the next exercise, we will probably consider other pilots, but they are risk scored in order to determine which we think would produce the most valuable outcomes. That is done in consultation with the people at the coalface, rather than just having someone at the Cabinet Office or Audit Scotland thinking about what to include.

Essentially, the Cabinet Office determines the scope of that work. It is all about claimants—people who claim things from the system. Surely the opportunity to perpetrate fraud is much wider than that, particularly in public procurement. If we do not have a system that throws up data anomalies in that activity, it is perhaps time that we thought about having one. We cannot totally rely on data anomalies to reveal fraud.

That leads me to my next question. How else does the system try to determine potential frauds that might occur? Surely we cannot just rely on data spikes popping up now and again. Internal audit has to happen, and I am sure that it does, but there must be other means of identifying potentially fraudulent activity that would allow us to extend the scope of our gaze into other areas.

I am really happy that you asked that question. The NFI is only one aspect of the work that Audit Scotland and auditors do on fraud prevention and anti-fraud activity. I will hand over to Angela Canning, who will be able to talk you through a range of other activities that Audit Scotland does, some of which are directly related to procurement.

The committee has heard this morning about the work that we do through the national fraud initiative and about what local auditors do as part of their engagement with directors of finance and finance teams in the bodies that they audit. In recent years, we have been doing more to raise awareness of fraud across the public sector. For example, we have set up a counter-fraud hub on our website to share information about fraud risks and to signpost people to other organisations, such as NHS counter-fraud services.

With regard to procurement, last year we published a short output, which we developed with Police Scotland. It was aimed at auditors, and it was about signalling some of the red flags that might come up around procurement. Auditors have been taking account of that in the work that they do locally on procurement.

Anne Cairns mentioned our engagement with individual public bodies across the public sector. We talk not only to fraud investigators but to organisations such as Police Scotland, NHS Scotland counter-fraud services and the local authorities chief internal auditors group. Fiona Kordiak mentioned the output that was aimed at audit and risk committees, and we have spoken about our briefing on emerging fraud risks from Covid-19. That gives a flavour of the wider work that we have doing recently around counter-fraud.

It would be good to get a sense of where that—[Inaudible.] The NFI focuses purely on—[Inaudible.]—and that is what you are reporting on today. How do we get a sense of the good work in that area, and the value of that work, so that we can see the bigger picture across Scotland?

A good first step for committee members who are interested would be to look at the counter-fraud hub on the Audit Scotland website. If members are interested, we would be happy to provide a briefing in the future on the full range of our fraud activity.

That is good. I have one final question. A number of years ago at the committee, I asked whether, when you discover fraudulent activity in a certain year, you look at the perpetrators in subsequent years. The answer was no—it was all down to the data-matching exercise and whether that threw up any anomalies.

I will ask the same question again. If you look at last year and the year before and see that there is repeat fraudulent activity, why do you not deliberately look at that again in subsequent years? Should we do that?

We remembered that you asked that question last time round, Mr Coffey. Anne Cairns has done a bit of research on it, so I will hand over to her.

When we get the matches at the end of the current—[Inaudible.]—the one that has just finished. We have asked the Cabinet Office about that. If someone has been found to be committing fraud—on housing benefit, for example, or anything else—and the same match comes up next time, it is highlighted. The system highlights what happened the last time round.

Even if the council concerned was not found guilty or the fraud was not proven, if—[Inaudible.]—it would be highlighted in yellow on the screen to alert the council to the fact that the match came up the previous time. At that time, the council will have said, “It’s okay” or “It’s not okay—we’ve sorted it”. However, if the same person has been doing the same thing again, the system highlights—[Inaudible.]

You were breaking up a wee bit there. I will go back to Willie Coffey.

Anne Cairns was breaking up a wee bit, but I got the gist.

Can a random spot check be done during the process, or does it have to involve the computers throwing up spikes and data anomalies? Can you simply do a random spot check and have a look across the landscape? That would let folk know that we are looking, and not just relying on data spikes to alert us.

There are obviously data protection rules on how data, including individuals’ data, can be used, and we need to be alert to those. Increasingly, there has been more of a focus on checks happening before services are awarded or financial support is given. We refer in the report to one of those methods, which is the AppCheck system. There is a move towards doing more checks up front to prevent fraud and error down the line. The NFI exercise then happens further down the line to match various bits of data.

10:45  

Not all the matches that are thrown up will be investigated. They are classified as high, medium or low risk. We would expect all high-risk and medium-risk matches to be investigated, but low-risk matches might be dealt with on a spot-check basis, as you suggest.

That is great—thank you.

I believe that Bill Bowman is back online and has one further supplementary.

Thank you, convener—I am sorry that I missed the responses.

If you say who has participated in the NFI, people can work out who has not. Would a potential fraudster focus on the organisations that do not participate in the fraud check?

They might, but they would not know what other controls an organisation had in place to prevent fraud and error.

It is always a tricky issue. It could be said that, by publicising the kinds of frauds that can and do happen, we are giving fraudsters ideas. However, our general view is that the fraudsters out there are pretty smart and generally do not need any help from auditors on how to go about their business. That approach is therefore probably low risk.

Perhaps the answer is to make sure that everybody participates, as other members implied earlier.

I apologise for dropping out, convener.

Thank you, Mr Bowman. I have no further requests for questions. I thank Fiona Kordiak, Angela Canning and Anne Cairns from Audit Scotland for their evidence. We now move into private session.

10:46 Meeting continued in private until 11:19.