The Covid-19 pandemic has raised significant challenges for the public sector. In such emergency situations, the risk of both fraud and error increases because organisations are more stretched than before, and controls and governance are changing rapidly.
This article is based on the report prepared by Audit Scotland, which you can read in full here.
What new risks are emerging?
- Staff may be transferred to new teams to ease resource pressures or be working remotely, without a full understanding of the required procedures and controls
- Staff working under extreme pressures, which may mean some internal controls are suspended or relaxed. This pressure can also result in a lower level of scrutiny and due diligence to get tasks done more quickly, for example payments may be made without checking goods and services were received to a satisfactory quality
- More scam and phishing emails, allowing allow fraudsters to access public-sector systems
- Staff working remotely poses potential security risks e.g. when using personal devices. This can create both cyber security risks and a high risk of unauthorised individuals gaining access to confidential information by sharing a network
- Normal controls may be relaxed to allow bodies to buy goods or services urgently and new suppliers, resulting in increased procurement fraud
- More fraudsters selling popular or hard to get items that never arrive or turn out to be counterfeit e.g. medicines, PPE and hand sanitiser products that are unsafe and do not provide the necessary level of protection
- Councils receiving applications for Covid-19 related support, using fraudulent documents and details
- Payroll fraud may increase as normal controls around expenses, overtime etc may be relaxed
How can we reduce these risks?
Many of the risks above are avoidable if sound governance and controls are in place. Here are some suggestions of what public bodies can do to manage these risks.
- Review the latest guidance from key sources, such as:
- Carry out a risk assessment to identify the most vulnerable areas under the new working conditions. This will include a review of IT system security for remote working
- Ensure Internal Audit reviews systems of control. Some of the existing controls are unlikely to be still relevant and appropriate and some new systems will need to be implemented to address new and emerging risks
- Ensure existing ways of reporting types of fraud or irregularity are still operating and are promoted internally on a regular basis e.g. anti fraud hotlines and whistleblowing processes
- Continue staff training, especially for staff moved to work in areas that are new to them
- Run ‘dummy phishing’ exercises to test employees’ reactions, with a requirement to revisit training modules if an employee ‘fails’
- Consider bank account verification and active company search services e.g. that are available from the Cabinet Office or NAFN to the UK public sector
- Review NFI submission requirements that will require data to be submitted related to Covid-19 payments and services
What the future holds
Additional risks will continue to emerge throughout 2021 as fraudsters identify new ways to target public money and services. Public bodies and auditors should stay alert to new scams and approaches by fraudsters, and regularly review their controls and governance arrangements to ensure they remain fit for purpose.
Remember that existing controls may be compromised, and it can be difficult to put in place robust controls for new processes. But with good governance and sound controls it is possible to navigate such crisis situations as these effectively.
If you would like more fraud and error resources, visit the Audit Scotland counter-fraud hub here.
Jessica Kimbell, GovNet