29 July 2005
Although public sector bodies have adopted tough safeguards against fraud in recent years, many staff believe these exist on paper only. But now there is a toolkit to help put these policies into practice. Alan Bryce and John Baker explain
Fraud remains one of the most serious threats facing public bodies. Although stronger internal controls have been introduced in recent years, most staff believe the risk is growing, according to a recent survey. This Audit Commission/CIPFA exercise also threw up some other worrying findings – notably that, regardless of stated aims, many organisations are not fully geared up to fight fraud effectively.
The commission is well placed to help. This is not just because of its statutory auditing role but because it has developed a system to help organisations understand their vulnerabilities and develop their own strategies to protect themselves.
This system is the Changing Organisational Cultures toolkit, a software-based analytical package that examines staff's perceptions of fraud vulnerability, evaluates the effectiveness of controls and supports organisations in promoting the highest standards of ethical conduct. The toolkit has been endorsed by the Committee on Standards in Public Life, which is currently chaired by Sir Alistair Graham. In its tenth report earlier this year, examining corruption, the committee strongly praised the toolkit and called on all public bodies to use it.
Attendees at a series of CIPFA-organised fraud awareness workshops were given an insight into how the toolkit can be used to measure and improve the counter-fraud culture of their respective organisations. As part of the demonstration, each attendee had an opportunity to record their perception of their own organisation's counter-fraud culture. It became clear that although public bodies have, in recent years, adopted much tougher policies on paper, there are increased concerns about the effectiveness of these.
While public sector organisations have adopted principles of good governance, in most cases staff are not convinced that they are being implemented thoroughly. Public bodies also seem to be failing to implement effective strategies or change organisational cultures in the manner that the Graham Committee believes is necessary. There is also doubt about whether the internal control systems in use are as effective as they need to be to combat economic crime in the twenty-first century.
The results of the sessions showed that most public sector organisations have declared principles to combat impropriety, with more than 60% of workshop attendees agreeing that their organisations have made a clear commitment to fight fraud and corruption.
Increasingly, this commitment has been documented in counter-fraud strategies, with three-quarters of workshop attendees in 2004 perceiving that their organisations have strategies. This represents a significant improvement on the findings in 1996. Yet most workshop attendees do not believe that any of this has made much difference (88% of attendees in 2004 either did not agree, or only slightly agreed, that the commitment had made a positive difference).
These results suggest that public bodies have taken a tick-box approach to corporate governance. Published surveys have consistently found that the most common factor enabling fraud to occur is the overriding of existing controls. Simply having controls in place is no guarantee that they will be complied with, or that they will prevent fraud.
Over half of staff attending CIPFA's latest workshops perceived that internal controls within their organisations, including proper segregation of duties, either do not exist or do not work effectively. Disturbingly, this is double the level in 1996. The question is whether this represents a significant deterioration in internal control, or merely that public sector employees are more aware of fraud risks.
Although answers are not obvious, conclusions can be drawn. The Graham Committee found that fraud and corruption was not widespread in local government – nor do we have any reason to believe that it is widespread in NHS trusts. But the more negative interpretation must be that internal controls are not sufficiently robust and should be subject to more active oversight by senior management and audit committees.
In particular, public bodies need to consider the implications of the perceived weaknesses of internal controls on their required annual declarations through the Statement of Internal Control. This is intended to provide assurance that control systems are rigorous and effective. But public bodies need to ask themselves how comfortably their overwhelmingly positive Statements of Internal Control fit alongside the results of our workshop surveys.
What is more, if the generic workshop survey findings, indicating limited confidence in internal controls, were replicated within individual public bodies, this would represent a significant fraud concern for those organisations. This, in turn, would require serious action by those public bodies' managements.
Our survey results highlighted particular anxieties, reflecting changes to the public sector risk environment. One area of concern was the increasing use of temporary and agency staff, which makes it essential that adequate pre-employment checks are undertaken – as stressed in the conclusions of Sir Michael Bichard's inquiry into the Soham murders. Yet 55% of staff at our workshops last year do not believe adequate recruitment checks are made on staff, compared with 37% in 1996.
Another example of conflict between theory and practice lies with organisations' registers of interest. Approximately 75% of workshop attendees in both 1996 and 2004 perceived their organisations had registers of pecuniary interest. But less than a third of those attending believe those registers are regularly reviewed. This suggests the registers are operationally weak and do not act as effective deterrents to inappropriate conduct.
Taken as a whole, the workshops showed a worrying lack of confidence in staff perceptions of their organisations' control systems. More than half of participants did not believe their organisations allocated appropriate resources to tackling fraud and corruption.
The results of the Changing Organisational Culture survey and workshops did not just provide feedback that could be used for long-term planning by organisations, but also some quick-win improvements. These included whistle-blowing disclosures made by public sector staff immediately after the workshops. In some cases staff had carried these concerns for several years without having the confidence they could share them with management.
We have also noted that some organisations that insisted they had registers of interest declarations have been contradicted by their staff, who either doubted the existence of the registers or suggested they were not properly maintained. In one case, this led to the re-examination of the register, which was subsequently found to include a number of significantly inappropriate disclosures dating back several years.
It would appear, at the very least, that the Graham Committee's recognition of the need to get the culture right has yet to be fully taken on board by most public sector organisations. Much remains to be done.
The toolkit is proving that it can be an important stimulus to changing that culture, not only through its application in workshops, but also through its on-line availability. The Audit Commission now has an extremely powerful and unique database on public sector counter-fraud culture that organisations can benchmark themselves against.
If the negative message is that the survey findings demonstrate grounds for concern about public bodies' fraud vulnerability, the strongly positive outcome can be that they have to hand a very effective basis for resolving those concerns.
Alan Bryce is audit manager at the Audit Commission and John Baker was counter-fraud and security management adviser at the CIPFA Better Governance Forum and is now head of commercial development at the NHS Counter Fraud and Security Management Service. Further information on the toolkit from the authors on: firstname.lastname@example.org or email@example.com
Setting the standard
The Committee on Standards in Public Life — now chaired by Sir Alistair Graham — published its tenth report in January this year. This found little incidence of corruption and misbehaviour in local government. However, it recommended that all local authorities should take more responsibility for maintaining high ethical standards, that more should create local standards committees and that the culture of intolerance to fraud should be firmly established within all local authorities.
The committee praised the Audit Commission's approach in supporting local authorities' self-learning competence. The commission helps organisations to determine their own strengths and weaknesses in relation to fraud, allowing solutions to come from within rather than imposed from outside. 'The tools have the added benefit of allowing benchmarking against similar organisations and, if widely used, will provide useful aggregate data on ethical culture across the public sector,' said the committee. 'The boards of all public bodies should commit themselves to the adoption and use of the Audit Commission's self-assessment tool, Changing Organisational Culture, which is especially designed to help embed a good conduct culture.'