Let’s talk fraud

The NHS is losing an estimated 1% of its budget every year to fraud, bribery and corruption. That is a staggering £1.2bn. And every single organisation is likely to be losing its ‘fair’ share of this sum. Yet how big a priority is finding fraud in most organisations? Is there a reluctance to look for fraud on the basis that it will expose poor control systems? And how many organisations see the discovery of fraud as something to be celebrated?

These were all questions considered at a recent HFMA roundtable, supported by the NHS Counter Fraud Authority, to explore the role of NHS finance in preventing and detecting fraud.

Alex Rothwell, the authority’s chief executive, set the scene. ‘Fraud is the most prevalent crime in the UK,’ he said. ‘If you are over 16, you are more likely to be the victim of fraud than any other crime – by a long way. And this risk also applies to businesses and the public sector.’

There is a general acceptance that any business will be subject to fraud, costing between 0.5% and 5% of its annual turnover. Government losses are estimated to be in the region of £33bn to £59bn and the NHS’s vulnerability to fraud, bribery and corruption is estimated at 1% of its total budget – or about £1.2bn a year.

The money is being extracted from the service by many different routes, with more than 120 different types of fraud having been identified by the authority. Just on the workforce side alone, the potential is significant. ‘Are the people we are employing who they say they are?’ asked Mr Rothwell. ‘Do they have the right qualifications? Are agency suppliers being honest with invoicing? Do our own people take advantage of bank opportunities to work for other organisations while reporting sick in ours?

‘All of these issues can feel quite uncomfortable to discuss, particularly when talking about our own staff. But they are real examples and they are reported to us frequently in an organisation that, collectively, has 1.7 million direct employees.’

Rather than ‘hunting down’ employees, Mr Rothwell said the authority was in the business of preventing fraud. ‘We want to suppress loss in the system. But across government, there is a cultural challenge because fraud is essentially a hidden crime,’ he said. ‘Generally, in our experience, people who commit fraud work on the basis that it won’t be looked for or found, rather than thinking that they won’t be caught.

‘So that means if you don’t look for it, you are very unlikely to find it,’ he added. ‘And that is our challenge. Who wants to look for fraud and find it? Who is comfortable with proactively looking for fraud when it may expose a breakdown in control measures or process – something the finance community is judged on?’

The bottom line is that if 1% of the NHS budget is vulnerable to fraud, how much is each health body finding? ‘And if you aren’t finding it,’ he asked, ‘are you comfortable that it’s not there?’

Mind shift needed

Matthew Jordan-Boyd, the authority’s director of finance and corporate resources, said a mind shift was needed – looking for fraud and exposing control weaknesses should not be seen as a negative thing. ‘If we accept that fraud is always changing and that those who are looking to defraud the NHS are continually and actively looking to exploit any opportunities, then I don’t think it is a bad thing to recognise that the control environment needs to be agile enough to respond to those emerging risks.’

He asked if finance professionals saw themselves as playing a key part in the fight against fraud. Having spent the first 15 years of his finance career in NHS bodies before moving to counter fraud, he suggested it hadn’t always been his priority. ‘I had counter fraud training maybe twice,’ he said. ‘But was it part of my everyday thinking when I authorised an invoice – that this could possibly be fraudulent? I’d suggest not.’

Mr Jordan-Boyd believed that in many parts of the NHS, individuals worked with a high degree of autonomy and trust, often working with high financial delegation limits. And he said that sometimes controls needed to be more active. Asking senior officers to declare their interests was not the same as managing interests and actually looking for interests that haven’t been declared, for example.

If people accepted the estimate that all organisations in the NHS experienced fraud of around 1%, he added, then it was concerning that 69% of NHS bodies recorded no fraud identified from reactive investigation.

Three quarters of NHS bodies recorded that no fraud had been prevented. More than 80% of organisations recorded that no funds were recovered from reactive investigations. And 77% of bodies said no sanctions of any type had been imposed.

‘One percent of your turnover is a significant amount of money in most organisations and could be used to support patient care,’ said Mr Jordan-Boyd. He recognised that finance teams and colleagues faced significant challenges and that counter fraud was not at the top of their daily agendas. ‘I guess the questions are: could we do more and how can we support you to be more effective?’

Joshua Reddaway, director of counter fraud and corruption at the National Audit Office, reinforced the messages from the NHS Counter Fraud Authority and highlighted why the government was increasing its focus on counter fraud measures.

‘The scale of what we have seen across central government since the beginning of the pandemic is extraordinary,’ he said. ‘There has been an estimated £21bn of fraud in the accounts that we audit since the beginning of the pandemic compared with £5.5bn the two years before. And those are just the numbers that are auditable.’

It’s clearly a conservative estimate, given that the NHS numbers are not currently included in this total. It is also on top of tax fraud. ‘Only some of this increase relates to the temporary Covid schemes and some of it doesn’t,’ he said.

Mr Reddaway said he was pleased to see the NHS Counter Fraud Authority had produced a strategy for the next three years, building on the government functional standard on counter fraud. But the test would be whether this strategy was mirrored at a trust level.

‘We talk about the need to celebrate the detection of fraud,’ he said. ‘There is a concern that senior people do not like having frauds brought to their attention because it is unpleasant and it has reputational risk attached to it. But if you do detect it, then it is an opportunity to learn from it. It is an opportunity to put in preventative measures.’

A number of questions had to be answered, he said. ‘Can each individual NHS trust set out a risk assessment? Is it possible for a trust to put in place preventative controls and to be able to report against them? And is it possible for the NHS Counter Fraud Authority to help with assurance?’

Shaun Bird, head of financial management at East Suffolk and North Essex NHS Foundation Trust, suggested there was an increasing role for technology – analysing data, using automation and artificial intelligence. But he also said communication should improve.

‘I don’t think we have been great in the past at sharing success stories about finding fraud,’ he said, ‘and sharing how they have come to fruition.’ This communication should also stress that finding and stopping fraud is a key part of finance professionals’ roles.

He agreed with Mr Jordan-Boyd that it wasn’t at the forefront of most finance professionals’ minds in their day-to-day duties. ‘I think we can be more proactive,’ he added.

Participants  

Communication focus

Paul Bell, senior fraud manager at Mersey Internal Audit Agency, agreed on the importance of communication. ‘The current strategy from the NHS Counter Fraud Authority is a good one,’ he said, adding that it built on previous strategies. ‘But what people really like is war stories,’ he said – talking about real cases can stop presentations being dry and improve people’s engagement.

‘At MIAA, we have more than 30 clients, so if there is a fraud at one of those clients, we share the modus operandi and details of who has been affected,’ he said. ‘We do this within about 24 or 48 hours of it actually hitting a particular client in our region – and we share it with other anti-fraud specialists outside of MIAA too.’ This is in addition to the details being shared with the national body.

Mr Bell stressed that finance staff were key targets for this communication – even if the fraud was aimed at procurement colleagues or others in the organisation. ‘Ultimately there is a payment to be processed,’ he added.

It was not just about making people aware of the potential for fraud, but making them aware of their responsibility to look for it and to have the confidence to speak out when they see something they are unsure about.

Audit committees are another key audience for details about successful and unsuccessful local frauds. However, Mr Bell said, committees showed differing levels of interest and understanding around fraud reporting.

‘In the main, we have audit committee chairs and members who will ask really probing questions of our reports – between meetings sometimes. Then we get one or two others where we present a paper and give an overview, but receive little feedback or comment. So, there’s a potential knowledge/engagement gap there, occasionally, in terms of the oversight and scrutiny given by some audit committees.’

Mr Bell said there was a need for counter fraud infrastructure to catch up. For example, organisations were still getting to grips with practices such as fraud risk management. ‘They know they have to do a fraud risk assessment, but understanding what that actually means and the key control frameworks is something that needs to be added.’

Working practices

Darrell Davies, a regional assurance director also with MIAA, said it was important to understand how organisations worked in practice. ‘Obviously the finance team has a key role to play in the fight to prevent fraud,’ he said. ‘But a lot of the responsibilities for authorising invoices from the organisations we work with sit at divisional or directorate level.

‘I can think of a number of instances where organisations have the appropriate controls and segregation of duties, but where there has been a failure at the local level to really interrogate some of the invoices going through.’

He described one example of an individual ordering large amounts of printer cartridges and then selling them on eBay. The fraud was picked up because someone spotted the person’s eBay profile, but it should really have been obvious from the significant overspend in this area on the budget statement. Having the right controls in place in the central finance function was not sufficient to guard against fraud in these circumstances.

Mr Davies underlined concerns with risk assurance mechanisms. ‘There have been great improvements in this area, but there are very few individual fraud risks that would appear on an organisation’s board assurance framework, with the exception of maybe cyber risks,’ he said. ‘So how do you raise the profile of fraud-related risks when these risks generally end up on departmental risk registers and don’t really have the prominence at a senior level within an organisation?’

Mr Jordan-Boyd said the printer cartridge case was an example of why all staff needed to be alert to the possibility of fraud. ‘It is not that people aren’t doing their jobs,’ he said. ‘They are making sure they are meeting their deadlines and ensuring they deliver in what is a challenging environment. But, in this case, it is just about being vigilant and recognising a budget is overspent, or that the quantity being bought is increasing, and flagging that to their manager.’

Nicky Lloyd, chief financial officer at Royal Berkshire NHS Foundation Trust and chair of the roundtable, said the current financial pressures, and enhanced levels of analysis of expenditure, provided a platform to make progress on fraud detection. 

‘I think probably we have more people examining expenditure now, and looking in places that may not have been subject to close scrutiny previously,’ she said.

The need to deliver significant efficiency savings and address deficit budgets meant it was more important than ever to eliminate any leakage of funds out of the system.

‘There can be a tendency when you have a counter fraud champion to think that finding fraud is their job, and theirs alone, but it should actually be in everyone’s job description, to safeguard public funds,’ she said. When a trust has  been subject to an attempted fraud, the organisation will often change its communications about fraud as a result. ‘We are telling our people that if someone is asking you to do something that you don’t feel comfortable with, just pause, take a moment and talk to somebody – your line manager, your chief finance officer or your counter fraud champion – because your instinct that something is not right is probably accurate,’ she said.

Mr Bird agreed with the benefits of making counter fraud responsibilities explicitly part of people’s job descriptions. But he added that this should be backed up with training – and not just for the finance team.

‘This training and development needs to be embedded within the organisations and provided to everyone who has budget responsibility,’ he said. ‘Awareness and communication needs to be targeted at a wider staff group. And, recognising that prevention is key, finance professionals must see finding and stopping fraud as a key part of their roles.’

Mr Davies said the move to systems provided opportunities for training to be broader than a single organisation.

‘If you’ve got multiple providers all working in the same system, wouldn’t it make far more sense to have a session delivering awareness to the finance, HR and procurement teams from all those organisations?’ he asked.

‘They could share stories and hear similar messages. But also, surely there is an opportunity for doing detection across a range of organisations at the same time.’

For example, this could provide a way to jointly tackle any issues related to bank shift fraud. ‘The challenges of this are obviously around sharing of data and maybe some of the political relationships that exist between some organisations, but it is something we are very much thinking about,’ he said. ‘There is a big opportunity to increase the coverage of the message and the work we do around detecting.’ He added that getting local authorities and third sector organisations involved would also have benefits.

Ms Lloyd wondered if there were ‘flare in the sky’ models that could be borrowed from other sectors. ‘In the airline industry, a safety alert goes out and all operators are instantly notified of the check that needs to be done. And there is a similar process for medicine and medical equipment safety alerts. So could we explore how we can, at pace, better communicate across the chief finance officer community about attempted fraud events?’ she asked.

Mr Reddaway agreed about the value of awareness raising and training. ‘But what you actually need is to focus in on the areas of most vulnerability and build prevention into systems and initiatives,’ he said. He added that there was a tendency across the public sector for counter fraud professionals to focus on small frauds. ‘In looking at the statistics and talking to counter fraud professionals, it is fascinating how much attention is put into things like employment fraud,’ he said.

‘These are often by junior staff and once you do find them, they are easier to resolve because that is the way the power dynamics in the organisation will run.’

He pointed out that the NHS received far more reports about staff fraud (2,300 in 2021/22) than other fraud areas, yet staff fraud was estimated to represent just £22m of its potential vulnerability.

‘Arguably procurement is the area that is a more worrying area of vulnerability [estimated at nearly 30% of the NHS’s vulnerability]. But counter fraud staff may be more wary of challenging senior decision-making around contracts.’

Shifting the dial

Mr Rothwell said it wasn’t just procurement where further scrutiny was warranted, with around half of the vulnerability sitting within primary care in areas such as pharmaceutical contracting. ‘It is just the visibility of things like staff fraud and the systems and processes that we have in place that bring that to light.’

And while the NHS Counter Fraud Authority wants to keep unearthing staff fraud, it is keen to ‘shift the dial’ to these other areas with bigger potential to discover fraud.

The authority is in the early stages of introducing automated technology that finance professionals could use to scrutinise finance data and highlight areas for further exploration on the back of previous spending trends.

Louise Lyall, assistant director of finance at NHS Tayside, said that more intelligence from counter fraud specialists – in Scotland’s case, NHS Scotland Counter Fraud Services – would be helpful. She said that, within finance, there is reliance on internal controls, segregation of duties and the governance that is already in place as a matter of course. The staff involved don’t necessarily link these measures to fraud prevention.

‘It would be helpful to receive some more analytical data and trends so we can then feed that back into the senior management through our strategic risk management group, so that we can start to look at our risk profile around fraud,’ she said. ‘That analytical side of things would be very useful for the finance team and the finance function.’

Tricia Morrison, the authority’s director of performance and improvement, wondered if trusts should mirror their approach to cost improvement when implementing counter fraud work. As part of previous roles, where she had led on the delivery of cost improvement initiatives, she said there was never a discussion around the possibility of exposing fraud as part of the deep-dive reviews into processes and systems. This had never been an explicit part of the work.

‘Nowhere in our conversations was any discussion of fraud,’ she said. ‘We were always talking about where we could find efficiencies in processes and services.’ She argued that there could be closer alignment between cost improvement programmes and counter fraud work.

Her colleague, Mr Jordan-Boyd, picked up this point. ‘I asked a question at a conference recently about whether anyone had fraud as part of their cost improvement programmes – reducing losses by preventing fraud. Nobody raised a hand,’ he said. ‘In a small to medium organisation, 1% of turnover is £4m to £5m – which I am sure would go a long way towards helping to manage some of the current financial challenges.’

In summarising the discussion, Ms Lloyd said that fraud was clearly a hidden crime. ‘It just isn’t talked about in the same way as patient harm,’ she said. ‘And yet it is really important. And if significant funds are diverted, it could in fact lead to patient harm.’

She concluded that communication was paramount – making people aware of the potential for fraud, sharing real examples, learning from near misses and celebrating successes in preventing attempted fraud. But the visibility needed to reach throughout organisations, from the executive team and the audit committee across all staff groups.

‘Absence of evidence is not evidence of absence,’ she said. ‘We know statistically, and from the evidence of the subject matter experts, that fraud is happening. We have to go and find it and stop it.’

NHS Counter Fraud Authority strategy 2023-26