Local Authority Internal Audit Virtual Forum

23 February 2022


Please note:

  • All Institute responses are boxed and highlighted blue
  • Where the chair comments in that capacity this box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

CEO's welcome

Thank you for joining us for our session today. Many local authorities have innovated to tackle fraud and collaborate effectively to meet the challenges. A reduction in fraud can indeed be a source of sizeable savings. Local authorities remain keen to develop a consistent risk and performance methodology for the sector and for individual councils to estimate the potential risk they face on a consistent basis, hence the creation of the Fighting Fraud and Corruption Locally strategy which will be covered today in addition to fraud risk assessment. As well as the obvious financial impact, fraudulent incidents may subject organisations to privacy concerns, and reputational damage. It is essential that organisations are proactive in predicting and assessing their exposure to these threats in order to mitigate the likelihood and impact of a fraud incident.

In addition to our guest speakers, we are also joined from the Institute by Liz Sandwith, Chief Professional Practices Advisor; Derek Jamieson, Director of Regions; and our chair Piyush Fatania, Head of Audit, Risk, Assurance and Insurance Services for Gloucestershire County Council, and member of the Institute’s Council.


Chair's opening comments

Welcome to our Local Authority Forum.

Each pound a criminal takes is a pound less for vital public services. Fraudsters are like a virus constantly revising and sharpening their techniques and local authorities need to do the same. Councils have a good record in countering fraud and the strategy contains numerous case studies and examples of successes. However, local authorities report that they are still encountering barriers to tackling fraud effectively, including lack of incentives, data sharing, information sharing and powers, but also that they require support from senior stakeholders and those in charge of governance.

Our speakers today are Ashlee Mewburn and Damien Margetson from KPMG, who will share their advice/guidance around undertaking a fraud risk assessment.


Key takeaways

Size of the fraud problem

The annual ACFE (Association of Certified Fraud Examiners) report is a useful guide to reference.

  • Estimates indicate that a typical organisation loses 5% of its annual revenue to fraud
  • Frauds lasted an average of 14 months before detection with 29% lasting over two years
  • Internal control weaknesses were responsible for 35% of frauds in non-profit organisations
  • Asset misappropriation is by far the most common fraud (86% of cases). Of these, 20% related to invoicing fraud
  • Creation of false documents and altering documents were the most common methods of concealing fraud

Building blocks of fraud risk management

A fraud risk assessment is part of a broader picture.

  • Culture: Robust governance, strong framework of policies and procedures
  • Monitoring: Embedded anti-fraud programme
  • Remediation: Closing the loop, plans to address identified issues

A common issue is a fraud risk assessment gathering dust on a shelf (digitally speaking).

This is an issue. An assessment should not be an ad-hoc activity.

Things change frequently. A fraud risk assessment should be regularly refreshed. 

Fraud risk assessment

There are six steps which are outlined in more detail in the slide deck (see link below).

 

Tips

  • Preventative controls work best when built into systems
  • Hard (system) controls are more effective than soft behavioural controls
  • Consider manual workarounds for processes. These are often the root cause of why frauds take place, typically less oversight, rushed, evade hard controls, easier to manipulate
  • Risk appetite often sits on the side of the fraud risk assessment process as it needs to be set at board level. However, it's impossible to stop all fraud so there needs to be a tolerance. Understanding risk appetite helps to determine where investment in prevention/detection should be focused to maximise return
  • Ideally fraud risk assessment should be a 1st line activity, facilitated by 2nd or 3rd  lines. This is because fraud risk management must be embedded at the 1st line to be effective
  • It is important to talk about fraud and its regular assessment. Maintaining awareness is part of the capability to prevent and detect it

Click here for the slide deck.

Fighting fraud and corruption locally

Simon Bleckly, Head of Audit Risk and Assurance for Warrington Borough Council and HIA, Salford City Council is part of the FFCL Strategic Advisory Board and Operational Group.

The FFCL is the local government counter fraud strategy in England (also used in other home nations). The operational group brings regional groups together to share good practice techniques. It offers projects to support the strategy in terms of data analytics, measurement, schools, social care, etc. The group also has a knowledge hub with a forum and documents share.

The knowledge hub is hosted on KHub, and is freely accessible for local authorities. Click here for details.

A recent session on current fraud trends in local authorities identified:

  • Covid frauds
  • Cases of employees working elsewhere while sick (easier with remote working)
  • Cases of employees having multiple jobs (easier with remote working)
  • Credit card abuse due to taking payments remotely
  • Misuse of corporate procurement (home delivery)
  • Misuse of service users finance arrangements
  • Creditor/Payroll diversion – change of bank details (often on the back of phishing)
  • Increase in tenancy fraud
  • Increased organised crime infiltration affecting council activities

Chair's closing comments

The length of time before fraud can be detected (14 months according to ACFE) reinforces the importance of preventative and detective controls. It's important to remember that fraud isn’t always a about money. Close working, between internal audit and fraud teams, where both exist, ensures an integrated approach to make sure nothing falls between the gaps. Fraud prevention and detection is everyone’s responsibility.


Institute's closing comments

Our next LA forum on 23rd March looks at cultivating a healthy culture.

Please contact mandy.coleman@iia.org.uk if you would like to join the Chartered IIA's Fraud Forum, or if you would like to share details of a fraud investigation at the next meeting. 

Thank you for attending. As always, if you have any ideas or suggestions for what we might include in future agendas, please contact Liz Sandwith liz.sandwith@iia.org.uk


Q&A and chatbox comments

Q: Can you ever have something other than zero appetite to fraud?

A: In an ideal world, there would always be zero appetite. Given the scale of the issue, can organisation really justify the level of resource to get to that position? It's always about the level of risk that can be tolerated to maintain business as usual, as with any risk. Some organisations apply a risk appetite to reported fraud in terms of what's investigated
Comment: Two members commented that their authority has had no investigation for two years
Comment: There should also be zero tolerance to fraud
Comment: Agree with the speaker. This has been the challenge for many organisations over the years - the reality that you will experience fraud and cannot reduce the risk to zero without unacceptable costs or ceasing doing business. There has to be an open and realistic discussion about risk appetite

Q: Could you say something about the safeguards that you would expect internal audit to put in place if an auditor undertakes a counter-fraud role such as a fraud risk assessment?
A: Not overly familiar with the public sector standards. At a practical level, the main thing is it needs to be done competently, and if that means internal audit then it’s better than being done poorly by 2nd or 1st  lines. Operational staff need to be accountable to help mitigate against internal audit marking its own homework
Comment: The IASAB has guidance on internal audit roles in counter fraud Guidance on internal audit's role in counter fraud
Comment: Emerging fraud risk | mandate fraud - email hacks into supplier to then facilitate a change of bank request