1. This section gives guidance on the prevention, detection, reporting and handling of fraud. The guidance is equally applicable to all public sector organisations to which the Scottish Public Finance Manual (SPFM) is directly applicable, including constituent parts of the Scottish Administration and bodies sponsored by the Scottish Government. NHS Boards (including all Special Boards and Agencies) are subject to the specific arrangements set out in the Scottish Government Strategy to Combat NHS Fraud in Scotland and the Partnership Agreement between NHS Boards and NHSScotland Counter Fraud Services.
2. Organisations should make a clear commitment to ethical standards in public life and develop a fraud policy statement in order to communicate their approach to fraud.
3. All staff are concerned with the prevention and detection of fraud but the prime responsibility for designing, operating and reviewing control systems rests with the managers involved. Managers should consult the organisation's finance function and internal audit where new control procedures are being set up or significant changes to existing procedures are being proposed.
4. Procedures set up to prevent and detect fraud must be carefully followed and monitored. Many frauds are due to failure to comply with existing control systems.
5. Organisations should put in place avenues for reporting suspicions of fraud. Staff should be encouraged to report such suspicions either to their line managers, to the organisation's internal audit (or specialist fraud unit), to the organisation's finance function, or possibly to a hotline set up for the purpose.
6. Organisations should draw up fraud response plans to ensure that timely and effective action is taken in the event of a fraud.
7. Fraud can be perpetrated by persons outside as well as inside an organisation and by collusion. The term "fraud" is commonly used to describe a wide variety of dishonest behaviour such as deception, forgery, false representation, and concealment of material facts. It is usually used to describe the act of depriving a person of something by deceit, which may involve the misuse of funds or other resources, or the supply of false information. Computer fraud covers the use of information technology equipment to manipulate programs or data dishonestly (e.g. by altering, substituting or destroying records, or creating spurious records), or where the use of an IT system was a material factor in the perpetration of a fraud. The fraudulent use of computer time and resources is included in this definition.
Managing the risk of fraud
8. Accountable Officers are responsible for establishing and maintaining sound systems of internal control that support the achievement of the organisation's policies, aims and objectives. The systems of internal control are designed to respond to and manage the whole range of risks that an organisation faces. Managing the risk of fraud - both internal and external - should be seen in the context of the management of this wider range of risks. See the section of the SPFM on Risk Management.
9. In broad terms, managing the risk of fraud involves:
- assessing the organisation's overall vulnerability to fraud;
- identifying the areas most vulnerable to fraud risk;
- evaluating the scale of fraud risk;
- responding to the fraud risk; and
- measuring the effectiveness of the fraud risk strategy.
10. Guidance on all these areas is provided in the Treasury document Managing the Risk of Fraud - a Guide for Managers.
Promoting an anti-fraud culture
11. In addition to maintaining sound systems of internal control, public sector organisations should also promote an anti-fraud culture. Organisations should therefore make a clear commitment to ethical standards in public life and develop a fraud policy statement in order to communicate their approach to fraud. Model wording for a fraud policy statement can be found in Managing the Risk of Fraud - a Guide for Managers. The Scottish Government's Counter Fraud Strategy and Counter Fraud Policy are reproduced at Annex 1 and Annex 2 respectively.
Prevention and detection
12. All staff are concerned with the prevention and detection of fraud but the prime responsibility for designing, operating and reviewing control systems rests with the managers involved. Overall responsibility for ensuring that such systems and procedures are in place rests with Accountable Officers but managers must take responsibility for setting up proper systems of control and for ensuring that there is strict compliance. Managers should consult the organisation's finance function and internal audit where new control procedures are being set up or significant changes to existing procedures are being proposed.
13. Appropriate preventive and detective controls should be put in place. Preventive controls are designed to limit the possibility of an undesirable outcome being realised, whilst detective controls are designed to spot errors, omissions and fraud after the events have taken place. There is a range of controls - e.g. physical checks, reconciliations, supervisory checks, segregation and rotation of duties, and clear roles and responsibilities - which address risks, including that of fraud. Managers should consider, in consultation with the organisation's finance function and internal audit as appropriate, which controls are the most appropriate in their particular circumstances.
Systems of control
14. Systems with proper controls lessen the opportunity for fraud. Managers with responsibility for awarding contracts (including minor contracts), making payments, authorising grants and the like must ensure that they have well-understood procedures for authorising contracts and other approvals. It is important that:
- staff dealing with these procedures are familiar with them;
- payment procedures include a check that the purchase, grant or whatever has been properly authorised;
- there is adequate separation of duties; and
- accounting and other records, such as cash balances, bank balances and physical stock counts, are reconciled with the actual position.
15. The degree of control within a system should be proportional to the risks involved, the consequences of failure and the resource costs of eliminating or reducing these factors. Procedures set up to prevent and detect fraud must be carefully followed and monitored. The sections of the SPFM on Checking Financial Transactions and on Risk Management are therefore important considerations.
16. Many frauds are due to failure to comply with existing control systems. Both internal and external auditors have a role in carrying out independent reviews of systems and the adequacy of controls in place, though managers have the prime responsibility for ensuring their systems are sound and that they are operating as intended. In practice, therefore, it is good initial systems design, coupled with subsequent supervisory checking and monitoring and alertness to the risks and pointers to fraud, that is the principal means of detection.
17. Guidance to managers on the risks which they face and on the procedures they should adopt to avoid fraud or financial irregularity is included in Managing the Risk of Fraud - a Guide for Managers. Key factors in the design of systems and controls will be the nature of the activity, the risks involved and any history of fraudulent activity, whether internal or external.
Separation of duties
19. In any accounting system, the separation of key functions forms an integral part of systems control and is essential to minimise the potential scope for irregularity by staff acting on their own. The need for proper separation of duties applies as much to grant systems as it does to procurement procedures where, ideally, different members of staff should be responsible for requisitioning, ordering and receiving goods and authorising payment. In addition, supervisory checks by managers, both routine and surprise, form an essential part of internal control procedures, and good management practice entails keeping records of such checks, and the results, in all cases. Without adequate separation of duties, the effectiveness of other control measures is undermined. Where resources are limited and separation of duties is not possible, alternative management controls, e.g. supervisory checking, must be employed.
20. Managers and staff must always be alert to the risk of fraud, theft, bribery and corruption. Danger signs of internal fraud include evidence of excessive spending by staff engaged in cash/contract work, inappropriate relationships with suppliers, reluctance of staff to take leave, requests for unusual patterns of overtime and undue possessiveness of records. Danger signs of external fraud include discrepancies in information, unexpected bank account detail change requests and photocopied documents where originals are expected. Junior staff should resist any pressure from line managers to circumvent internal controls or to override control mechanisms. Such action could be indicative of fraudulent activity and should be reported - see below.
21. Organisations should put in place avenues for reporting suspicions of fraud. Staff should be encouraged to report such suspicions either to their line managers, to the organisation's internal audit (or specialist fraud unit), to the organisation's finance function or possibly to a hotline set up for the purpose. In developing their fraud reporting arrangements, organisations should take into account the Public Interest Disclosure Act 1998, which provides remedies for workers who are dismissed or subject to detriment for making qualifying disclosures. Reporting arrangements should be set out in detail in the organisation's fraud policy statement.
Responding to fraud
22. Organisations should draw up fraud response plans to ensure that timely and effective action is taken in the event of a fraud. Such plans can also help minimise losses and increase the chances of a successful investigation. The fraud response plan should reflect the risk assessment undertaken; include guidance about when to contact the police; and should be reviewed periodically. Guidance on the coverage of fraud response plans can be found in Managing the Risk of Fraud - a Guide for Managers. The Scottish Government's Fraud Response Plan is reproduced at Annex 3.
23. Organisations are responsible for undertaking thorough investigations where there is suspected fraud and for taking the appropriate legal and/or disciplinary action in all cases where that would be justified. Appropriate disciplinary action should also be taken where supervisory or management failures have occurred. Fraud investigation is a specialised area of expertise, and organisations should ensure that those tasked with any investigation have received appropriate training, including that relating to the gathering of evidence. Investigations should consider any control failures and make recommendations on systems and procedures to minimise the risk of a recurrence. Legal advice should be taken where necessary.
24. All discovered cases of actual or attempted fraud should be notified to the organisation's Audit Committee - see the section of the SPFM on Audit Committees. External auditors will be made aware of such cases via the reports to audit committees, but consideration should be given on a case-by-case basis to notifying the external auditors as soon as the fraud comes to light.
25. Cases of fraud in bodies sponsored by the Scottish Government should also be notified to the sponsor unit.