Public Audit and Post-legislative Scrutiny Committee

Meeting date: Thursday, June 1, 2017

Official Report 519KB pdf

---

National Fraud Initiative

Welcome to the 15th meeting in 2017 of the Public Audit and Post-legislative Scrutiny Committee. I ask everybody to make sure that their electronic devices are switched off or turned to silent so that they do not interfere with the meeting.

Agenda item 1 is to take evidence on the national fraud initiative, which is a biennial counter-fraud exercise that runs across the United Kingdom. It helps to identify fraud and error in the public sector by comparing data that public bodies have submitted and flagging up data matches that suggest that there has been an error or fraud. Exercises in Wales, Scotland and Northern Ireland are run by each jurisdiction’s audit office, and the Cabinet Office oversees the exercise.

Our committee’s interest in the national fraud initiative arose from an evidence session with Audit Scotland on the most recent exercise in Scotland. As part of our new post-legislative scrutiny role, we decided to examine whether the legislation that underpins the operation of the NFI could be improved to help secure even better outcomes.

We will have two panels today, the first of which consists of representatives from local authorities that responded to our call for evidence. I welcome Brian Muldoon, who is corporate investigation team manager at Aberdeen City Council; Elaine Greaves, who is internal audit manager at Midlothian Council; Heather Mohieddeen, who is senior auditor at Midlothian Council; Atholl Scott, who is internal audit manager at Moray Council; Yvonne Douglas, who is audit and compliance manager at South Lanarkshire Council; and Cecilia McGhee, who is audit adviser at South Lanarkshire Council.

The panel is large, and not every panellist needs to answer every question, but I will let my colleagues direct the questioning.

I will kick off the questions. Does each council feel that the act that underpins the national fraud initiative is clear about which bodies should take part in it, how they should do so and whether participation is compulsory? Brian Muldoon is not looking at me, so he gets to go first. [Laughter.]

We have been involved in the national fraud initiative since it started, and we believe that it is important to tackle fraud within public authorities. We listed in our submission the areas in the national fraud legislation that we felt could be strengthened.

I was looking for whether the legislation is clear about which bodies should take part in the initiative, how they should do so and whether participation is compulsory. There seem to be slight differences of opinion among local authorities as to who is covered by the legislation.

I believe that all public bodies should participate in the initiative; after all, public money is involved. I know that there seemed to be issues with universities providing data to Audit Scotland. It is important that everybody works together and that, where public money is spent—whether directly by a local authority or a Government department or by private industries that are involved—we should be able to extract data. In my submission, I gave the example of Aberdeen City Council tendering for the new Aberdeen exhibition and conference centre, which a private contractor is building. Because public money is being spent, we feel that we should be able to extract data from that company, but the legislation would need to be strengthened in order for us to do so.

I do not know whether Elaine Greaves or Heather Mohieddeen wants to take on that question. I am asking principally about what the existing legislation covers, rather than whether it should be extended.

It is very important that participation should be compulsory, because the more organisations that take part, the more the value of doing so is increased. The other bodies that should be involved include Her Majesty’s Revenue and Customs, which has a lot of data that could be used. Awareness of the NFI exercise should be increased among the general public to show the preventative measures that we are taking.

As far as legislation goes, England has the Prevention of Social Housing Fraud Act 2013, but we do not seem to have anything similar in Scotland. That is important because, when we investigate data matches, it would help to have the legislation to do something about them. We have recovered quite a lot of council houses in Midlothian, but the emphasis is on getting the house back rather than taking legal action, because we do not have the legislation to do so. It would be good if the legislation could be strengthened to help with doing the data matches.

Does Heather Mohieddeen have anything to add to that?

No—I have nothing to add.

From a Moray Council perspective, the NFI should be compulsory. We have dealt with it for a number of rounds now, and all local authorities participate, under review by Audit Scotland.

I have no strong feelings about other bodies that might participate. Some have been added recently, and that has perhaps assisted in getting increased scope and coverage of potential data matches and improved the range of matches that are available. That means, of course, that at each round we are being provided with an increasing number of matches that have to be validated, and that has a resource implication. I am keen to see additional bodies participate, provided that that does not result in our being swamped with too much information. A lot of the matches that are returned to us are valid—they are okay, and there is nothing to be concerned about. There are a lot of false positives that need to be considered.

I support much of what my colleagues have already said. We make extensive use of the NFI exercise, and we welcome as many public bodies as possible participating in it, because that increases the data sets—and therefore the matches—that come to us. As a local authority, we can risk assess the matches when they come back to us and prioritise them. I accept that we might increase the matches if we included more public bodies, but we would then apply our own local risk assessment to those that we would consider prioritising for investigation. The point has been made that, with constraints on our resources, we need to consider that when the matches are returned to us.

We have identified HMRC as a body with which we are particularly interested in matching data, because we believe that that would pull out possible conflicts of interest. We have been interested in that over the past couple of years, particularly in relation to our procurement arrangements, and we are trying to strengthen our internal arrangements in that regard. We would welcome the opportunity to match against HMRC data because that would give us something else to allow us to independently check what our employees are already declaring to us.

09:15  

We turn to questions from members, starting with Colin Beattie.

I am interested in Audit Scotland’s submission, as this is the first time that I have seen reference to

“real time, pre transaction checking”.

I did not know that that existed. The submission says that it has a cost, but do you see a use for it? Are you aware of the facility? Have you considered it and rejected it for cost reasons? Have you considered whether there are advantages in doing real-time checking?

We are aware of the facility on the website to allow us to do it. There is certainly an argument that, if we do checks at the beginning of a claim, we can perhaps rule out some elements of fraud. However, as I say in my written submission, because there is an associated cost, we in Aberdeen City Council have not taken it on board. It is very much left to individual service managers to decide, if they have the budget, that they want to take that proactive approach to claims—

Is it a significant cost?

I did not bring the print-out with me.

I think the cost of the check is about £300.

There is a scale. If you do more checks, it is better value, but I cannot remember the costs just now.

As Atholl Scott said, councils have deadlines for benefit payments and the delivery of services. If we start doing additional checks at the beginning, we may reduce the risk of fraud, but the knock-on effect will be to slow the system down. That would have to be addressed.

Do others have views?

You are talking about a preventative measure. It is interesting that the people who are involved in the councils are generally auditors, and auditors tend to review things after the fact. We look at the NFI population almost retrospectively. Things happen: people claim entitlement to benefits and are paid public funds through the payroll, the creditor system or whatever. All that information is matched, and it comes to us retrospectively. Having risk assessed the data, we then do the checks, as my colleague said.

I think that your point is almost one for the service departments. It involves another potential check when somebody seeks access to or delivery of a service—it would form part of the pre-checks, if you like. We do the follow-up checks when the data is published every two years.

Okay. I was interested because I had not seen reference to real-time checking before.

We have talked about the possibility that, given the scope of the NFI, other public bodies could be included in it. It seems to me that there would be a huge benefit in including housing associations and arm’s-length external organisations. What is your view on that, and what would be the implications?

I think the end result would just be that we had more matches. The matches run into the thousands. We are trying to make sure that they are good matches, which means that they match across a number of fields and that the area is worthy of investigation. I do not think that we would have any resistance to the inclusion of more bodies. The result for us would be that we would be presented with an awful lot more data matches to look at. We would need to develop our procedures for risk assessing because different risks are attached to the adding in of different bodies. There would be a bit of a learning curve for local authorities, which would need to make sure that they adapted their processes so that they continued to take the risk-based approach that they have always taken.

If housing associations, for example, were included, what would be the cost implications for local authorities?

In South Lanarkshire Council, we are the facilitators, so we do not do the investigation. We co-ordinate the upload of data to Audit Scotland and then we facilitate the matches coming in to make sure that the information is passed on to council resources. We then monitor how the individual investigations are proceeding. For us, therefore, it would not have a particular impact as an audit function, but there is a time cost attached to all these things. Housing associations would argue that there was a cost to them because it would involve people spending time uploading the data. Also, the process would be new to any new organisations that were brought in, so it would not be as efficient as the local authority process is, given that we have worked with it for a number of years.

I am still looking at the implications of the matching process. Would mandatory follow-ups of matches improve things?

I would say definitely not. In my submission, I indicated that it is absolutely essential that public bodies participate in the process. The requirement on us to provide data for the matching process is vital. However, as I indicated in my introductory comments, an awful lot of matches can be quickly dispensed with. You can look at a match and say very quickly that there is no issue. We have talked about each organisation risk assessing what is important and what is less important, and local government has an external audit process, with appointed auditors who take an interest in what we are doing and look for us to take a proportionate approach. If we did not follow up any matches, that would be commented on in the review of the council’s accounts.

It is important that that part of the exercise is left to the individual body so that it can determine what the priorities are, what should be followed up and what should not be followed up, and can justify that locally to its external auditor.

You would not favour mandatory follow-ups.

I would not favour mandatory follow-ups of all matches.

Does anyone disagree with that?

I do not disagree. I echo Atholl Scott’s point. I do not see any benefit from a specific deadline.

We have to remember that the volume of matches that come in can be an issue. The matches come in in January and it takes many months for us to process them and determine whether they are false positives or whether there is an indication of fraud.

We have a dedicated investigation team in Aberdeen, but it still takes us more than a year to go through all the matches. Putting a deadline on that would impact on the investigators’ other duties.

Does a year not seem an extraordinary length of time?

I agree; it does. However, that is simply because of the volume of work that is associated with the national fraud initiative. A lot of referrals come in, including a lot that come from staff, members of the public and management. I can speak only for Aberdeen, but our investigative team is very busy. We try to prioritise the national fraud initiative, but that comes at a cost to some of our other inquiries.

How long do other councils take to complete the matching process, or at least to complete the investigations?

We have a dedicated corporate fraud team, which comprises two officers. We are in a similar position: we have our usual day-to-day work and we do the NFI exercise on top of that. Our senior auditor is the lead contact for Midlothian Council, and he updates the website and so on. The work is resource intensive.

A lot of the matches go to the Department for Work and Pensions to investigate. That is a concern, because we are reliant on the DWP carrying out the investigations and achieving the outcomes.

I probably do not agree with making follow-ups of matches mandatory, but if we are reliant on other organisations to do their bit and they do not because they also have thousands of matches to check, it is difficult for us to take action on the back of that. If we take the council tax reduction scheme as an example, we are reliant on DWP investigating the housing benefit side. That applies not just to the NFI but to other cases. It is a wee bit swings and roundabouts from that point of view.

It is good to be able to say, “We’ve checked so many matches. It’s risk based. We’re not getting anything from this. Let’s draw a line under it and move on to something else that might be a bit more fruitful.”

What timescale are you looking at to complete the investigations?

In the main, the matches are distributed to the various services—housing and other areas—in the council. In addition to doing their usual work, the officers in those services check the matches to see whether there is a data issue or the genuine potential for fraud.

I have distributed all the matches and officers are in the process of checking them. Later in the year, I will follow that up with them. By September, I expect all the matches to have been gone through and checked, and any potential frauds identified.

When were the matches created?

The data was uploaded at the beginning of October and the matches were released in January. Subsequent matches have continued to be released up to May.

The whole process has taken almost a year.

Yes.

Is that the same for everyone on the panel?

Yes. We pass the matches to individual departments to investigate. We ask them to set number targets and timescales. Our aim is for the majority to be completed by September. The exception is housing benefit, not only because of the volume, but because of the interaction process with DWP. We have to send information to the DWP, which then comes back, so there is a delay before we can confirm whether there has been fraud or an error.

As I said, we ask departments to set their own targets. Basically, we take into account the other controls that they have in place. They have other processes through which they check for fraud, particularly in housing benefit, where they do their own reviews.

Making follow-ups mandatory would take away the flexibility to build in continuous controls in departments that look for fraud daily.

I want to track back one stage. This is all rather complex, and the initiative seems to be rather complex, too. Elaine Greaves made the important point that a lot of public awareness must be built in if there is to be a deterrent effect.

Colin Beattie talked about the process taking a year. Would one of the panellists mind setting out briefly what the process is from beginning to end? How does the initiative stack up?

I will have a go at that. Essentially, a whole range of datasets are provided in a specification that comes from the Cabinet Office. Each year, in October or thereabouts, we make arrangements in the council for each of the datasets to be uploaded to the secure database that the Cabinet Office operates. There is therefore a bit of work to be done in September or October in relation to that process. We then wait for the matches to be returned, which typically happens at the end of January.

09:30  

What do you mean by “matches”?

Matches can be internal to the authority. For example, there might be two payments for a similar amount to the same contractor, and those will appear as a match. Alternatively, two public bodies could be involved. There might be somebody who is on Moray Council payroll and on Highland Council payroll—that would also be a match.

The matches appear under different criteria. In Moray Council’s case, in the last cycle, we got back about 2,800 matches at the end of January. Those were spread across the match groups—housing benefit, student loans, payroll, creditor payments, housing waiting lists and so on. At the end of January or the beginning of February, I carry out an overview. I have a look at the matches and the volumes and think about the potential issues. Issues that relate to housing benefit or the council tax reduction scheme, which have been mentioned, tend to be passed to the single corporate fraud investigator that we have in the council, because she has a background in benefits and council tax.

I review the remainder to consider whether they are appropriate. I gave a couple of examples earlier. It is quite possible for a supply teacher to work two days a week in Highland Council and three days in Moray Council. That would appear as a match, but it is not an issue, so that can quickly be discounted. Similarly, with creditor payments, there might be a contract with a school bus provider that charges the same rate per day. If there are 20 days at £100 in March and 20 days at £100 in May, the invoice value will be the same, but that is not an issue.

I do an overview of all the sections to determine which matches should be looked at. In the process, there are recommended matches that come from the Cabinet Office. Of my 2,800 matches this year, about 700 are recommended. As I said, some of those I review and some I do not, depending on the risk assessment. The information might be passed to the fraud investigator I mentioned or to a housing officer, somebody who works in community care and who deals with blue badges and residential care or one of my auditors. Those people do not work on the issue constantly. There are other demands on their time, as has been said. However, I look to those people during February, March and April to review in more detail some of the matches that I have indicated as being higher risk. In the most recent period, they have been starting to feed back information on completed investigations. Alternatively, as has been mentioned, if another party is involved, we will send a request, which is feasible in the system, to ask that party to confirm their side of the information so that we can determine what further action might need to be taken. That happens during the spring.

At this point in time, the work that started in October is not fully completed. Ordinarily, our external auditors get a progress update, usually around 30 June. In my programme, five months after the matches have been issued, we should at least have a position statement for the council and the external auditor to say what we have done with the 2,800 matches. Some of them fall off the end of the table, and no further action will be taken, because I have deemed them to be low risk.

That gives you an overview, although I do not know whether that was what you were looking for.

That was extremely useful. Thank you very much.

Mr Muldoon, in your submission, you talk about data being uploaded to the NFI website in September or October but the results not being available until January. You say that, at that point,

“the results are already out of date.”

What do you mean by “out of date”? Does that mean that they are unusable?

Some of them will be unusable. For example, if we submitted data on 1 September and the circumstances of the person to whom the data relates changed two days later, the NFI would not capture that information but the council system would. Therefore, in January, when we get the data matches that were submitted on 1 September, we will already have dealt with the customer who came in to tell us about a change of circumstances on 2, 3 or 4 September. That means that we have to recheck that data when the NFI data comes in in January.

As my colleagues say, it is all about assessing the risk, but some of that risk has already been negated simply because of the delay between our submitting data and getting the matches back. That can be a bit problematic, because it costs us a lot of administrative time. I do not know whether I can say this, but one of the solutions might be not to do the NFI every two years. If we were able to put in place a process whereby the matches were done every six months or every quarter, we might catch situations and not spend as much time simply doing administrative work.

Mr Scott talked about 2,800 potential matches coming in. What proportion of those matches are ultimately found to be fraudulent?

Measurable outcomes for the matches that we receive are very low. I could not give a percentage. We received 4,500 matches this year and it will be a good return if we have 20 positive outcomes.

Will the rest of the witnesses answer that? It is a significant point.

A lot depends on the data match. There are many data matches. For example, as Atholl Scott said, we could have care home matches. A resident in a care home may have passed away but the care home may have continued to send invoices to the council, which has learned that the person is deceased through data matches or other avenues. The care home’s errors will appear on those data matches, which means that we can go back to it and say that it has been overbilling us and that we want the money back.

There are other avenues, such as housing benefit, which always has the biggest number of matches. Local authorities cannot investigate those any more; they go to the Department for Work and Pensions. However, the council still has to do a lot of administrative work. Some of it boils down to what is fraud and what is error. If there is a lack of evidence to suggest that fraud has taken place, it could be that there has been an error on the part of the council itself in not doing something on time. Each match has unique indicators of whether there is likely to be fraud.

When the NFI started out, more fraud was probably getting found. With each year that passes, its positive outcomes are diminishing.

Can I assume that that is the case for all our witnesses?

Yes, it is probably the same. When we report to our committees, we do not report percentages; we report actual numbers. For the 2014 exercise, we reported only £91,000-worth of outcomes, which was an £82,000 decrease on the previous exercise. Only a percentage of that is recoverable—some of it may not be recoverable. We are trying to demonstrate to our committees the cost of employee time in investigating fraud by matching the outcome figure—which, at £91,000, is relatively low—with the associated cost of employee time in investigating all the matches.

That is where I am going. At some point, will you conclude that the cost of running the system outweighs its benefit—whether that is recovery, uncovering fraud or deterring fraud? Does the cost outweigh the benefit?

We can do the crude number check by looking at the outcomes figure and what the process costs in employee time. The difficult thing to measure is the deterrent factor, which we should not underestimate. We should not even underestimate the effect of our notifying employees that we are about to data match—which we are required to do—and asking them to ensure that their records are up to date. It is very difficult to attach a figure to that. It is not in the figures that we report, and it is difficult to capture. The qualification that we attach is that by looking just at the numbers, you do not get the full picture. If we did not do the exercise, we could be in a much worse position; we just cannot quantify that.

I might come back on that, depending on what my colleagues ask.

Mr Scott wanted to come in on that.

The numbers that are reported on actual fraud are relatively low. However, we find that the process can disclose errors in national insurance numbers, creditor reference numbers and suchlike that allow us to improve the quality of our data.

We are not picking up too many issues through the NFI, so we are getting some assurance that the systems that we have in place—the checks and balances and so on—are reasonably robust. As Yvonne Douglas indicated, the money that is involved is not a huge amount, but it is certainly worth getting, and the deterrent effect is appropriate. I say to the committee that we have submitted all the key data sets, which take in benefits, payroll and creditor payment, and, having done the reviews, we are reasonably satisfied with the quality of our data. Providing assurance to elected members that the systems that we have in place are robust adds something to the process.

To be clear, Mr Scott, are you comfortable that the benefits outweigh the costs?

That is perhaps related to the point that I made earlier, which was that we need to ensure that that remains the case. If the process is to be expanded in any way, we will need to ensure that any additional inputs that we are required to make will be worth while, in terms of the benefits that would be derived.

Before I ask my question, I should probably remind the committee that up until a couple of weeks ago I was a councillor on Aberdeen City Council.

My question is directed to Mr Muldoon. Aberdeen City Council’s submission states:

“Instead of solely matching data against public bodies, consideration should be given to matching this information against HMRC data. This wider scope would likely require legislative changes, however, it would allow more potential frauds to be identified.”

Will you talk me through some of the benefits that such legislative change would bring? Are there other data sets that would increase the NFI’s utility? What would the resource implications of such legislative change be? Would it improve outcomes?

09:45  

Some of what we said stems from our experience of doing housing benefit investigations, for which there was very specific legislation, including the Social Security Administration Act 1992. I have listed a couple of other acts in the submission.

The authority that investigators were granted allowed us to compel financial institutions, such as banks and credit reference agencies, to give us information that we could use. We could also get that information from HMRC. It is slightly different, but the premise is still there.

Social security legislation, through the general matching service, as it used to be called, or the housing benefit matching service, allowed matches to be undertaken, I think monthly or bimonthly. That compared housing benefit data with employment, payroll or national insurance data, for example. Those matches were done frequently. During housing benefit investigations, it helped that we knew who was employed. Obviously, people pay national insurance and tax and so on. If the record showed that somebody was in employment and was claiming benefit, there was a relatively simple process. Obviously, they should not have been doing that, and we could do the housing benefit investigation based on that solid information.

However, we do not have legislation that allows us to compel financial institutions to talk to us. Could additional legislation be introduced by the Scottish Government to allow us to investigate matters and take them to the procurator fiscal, because we would then have hard evidence? At the moment, that avenue simply is not open to us.

It has been mentioned in evidence that there is a high volume of work for each investigation team and that things are very busy. Would legislative change through the Parliament increase your workload if you were referring cases to the procurator fiscal? Would new resource have to be put in place? Should that be provided nationally, given that it would be a national legislative change? Should the Scottish Government put resource into supporting that?

Resourcing will always be an issue. As we all know, public authorities are under increasing financial scrutiny.

There would be a knock-on effect. At the moment, if we were investigating somebody, we would consider the case and approach body A, body B and body C in order to obtain evidence. Additional authority would enable us to compel those organisations to give us information, instead of using the Data Protection Act 1998 as we do at the moment. We are already wasting time trying to get information. We have authority to ask for it, but a data holder can refuse to give it to us and we cannot compel them to do so.

If we had the authority to tell organisations that they must supply the information to us, that would allow us to proceed with investigations and make submissions to the procurator fiscal. That process would be slightly longer, but that feeds into the deterrent factor that Yvonne Douglas talked about. We would then be able to say, for example, that Aberdeen City Council had, in a given year, referred X people to the procurator fiscal, which resulted in fines, sentences and so on. We do not have that backing at the moment.

I refer to one of your previous answers, and the example of the Aberdeen exhibition and conference centre, which is also mentioned in your written submission. It is interesting because, given the financial environment for councils across Scotland and the depleting resource, councils are thinking of more innovative ways of delivering capital projects and so on. There are a number of them in Aberdeen that involve private partners. How helpful would it be if consideration were given to granting increased powers to Audit Scotland to request that information from the private sector?

I return to the example of the authorised officer’s powers under social security legislation. If we had a suspicion that a private company was employing some people who were claiming benefits, the authorisation existed to approach the company and ask it to supply a list of all its employees—their names, national insurance numbers, addresses and so on. When we received that information, we would match it with information from the benefits system, and anyone who was found to be working and claiming benefits would be the subject of an investigation. It is all public money.

I am certainly not saying that that is the case with the companies that are involved in the Aberdeen exhibition and conference centre project—that was just an example of a capital project. Given the substantial amounts of money that are involved—for example, £300 million for the conference centre—we should be able to say to companies that, if they want to bid for work from public or local authorities, they will have to provide us with assurances or data so that we can carry out checks to ensure that the organisation and the staff are not committing fraud against any local authority, and not necessarily just the authority for which they are working.

Strengthening the NFI legislation could allow Audit Scotland to take a bigger role in examining the major players. It has not been done before, so we do not know whether it would be worth while, but, as my colleagues have said, identifying more fraud would have a knock-on effect on resource and on the time that it takes for investigative bodies to carry out audits.

I have spoken to the other authorities. Is there a consensus on those considerations and proposed changes? Is there agreement among councils that there could be some welcome changes?

I support the appeal for further powers for our investigating officers, because that would make fraud much more difficult. In the NFI exercise, we are given a lot of batches from which some fraud may be identified. Once we have identified that fraud, we investigate whether someone is subletting their house or is on long-term sick leave and working elsewhere. We then contact the relevant people to get background information about the people who may be involved in the potential fraud—for example, whether they are living in the house that they say they are living in or can be linked with other properties.

Our investigators used to have very strong powers under the Social Security Administration Act 1992. Now, because they are no longer housing benefit investigators, they have only limited powers. They are able only to request information under the Data Protection Act 1998, as has been said, which ties their hands. I would support further powers.

In addition, a number of our investigations have been related to housing. As has been said, we have had a lot of houses back but we have not been able to prosecute anybody because we do not have legislation under which to do so, such as the Prevention of Social Housing Fraud Act 2013 that applies in England.

I feel that I have learned quite a bit already this morning, but I am a bit concerned that it appears that everyone is drowning in data. There may be potential fraudsters or criminals sitting at home who may benefit if you are more relaxed about things or if it seems as though there are resource issues. Is the initiative helping to reduce the risk of fraud and crime and to minimise errors, or might it create the conditions for fraudsters and criminals to be a bit more innovative and creative?

That is quite a difficult question. As I said earlier, the NFI process provides a council with a degree of assurance on the adequacy of its systems. As one or two of my colleagues have mentioned, the regulatory framework for investigating fraud has altered somewhat. I do not have a huge amount of detail on that; there might well be merit in looking at it again. From my perspective, the national fraud initiative process generates a large volume of data and gives indicators of fraud, so participation in it is welcome and useful.

Before the other witnesses respond, I would like to follow Ross Thomson’s example and declare an interest. Until a couple of weeks ago, I was an elected member of South Lanarkshire Council.

Please continue.

When it comes to fraud, our first line of defence is our own internal controls. That is what we place greatest reliance on, and the audit function examines and provides assurance on the effectiveness of those controls. The NFI provides additional data that enables us almost to double-check that the controls that should be in place are in place. None of the things that are identified through the NFI exercise should be happening, because our internal controls should prevent them from happening. The NFI can identify human error or fraud that has not been picked up by our internal controls.

I just want to make the point that our internal control environment is the first line of defence in deterring fraud, and it allows us to identify fraud at an early stage to prevent it from happening.

I want to pick up on a point that Brian Muldoon made earlier. You talked about the other routine work that you do. Are people who make complaints, or whistleblowers—whether they are members of the public or staff in the organisation—aware that there is a time lag? Do they get frustrated by the fact that the process takes a long time? We hear that there are thousands of data matches. People are picking up the phone and saying that they think that there might be an issue. If the public know that it will be a long time before something is looked at or before anyone gets back to them, they might wonder why they should bother. Is that a concern?

Yes, to be frank. Members of the public and staff come to us, tell us that they believe that something is not quite right and ask us to look at it, but we cannot go back to them and tell them what we have done or what the outcome is of their giving us information; we are simply not allowed to do that.

When a member of the public phones up the hotline to tell us that Joe Bloggs is doing A, B or C, all that we can do is say, “Thank you very much. We will have a look at that.” It frequently happens that, several weeks later, the same person will phone up and say, “I told you about Joe Bloggs. You haven’t done anything about it.” We will have looked at the matter but, under data protection policies, are not allowed to go back to the person to give them any information.

From a customer’s point of view, it looks as though the investigative team has not done anything, but we will have done something. That has to be measured against the amount of information that we have been given. We have to ask how long it would take us to pursue something, and whether it would be better to put resources towards the national fraud initiative or other initiatives that we are constantly working on.

There is no easy answer. We have to take a risk-based approach, which involves asking how much time it will take us to look at an inquiry and what the outcome is likely to be. We might have to say that we will not deal with a particular inquiry because we have 20 other cases that are higher priority. That is how we operate. I accept that it might, from a customer’s point of view, look as though we are not doing anything and that fraud is being allowed to continue, but we do look at inquiries and assess them as best we can.

Do you all accept that, if this initiative is to work—if it is to minimise and tackle fraud—you need to have buy-in from the wider public and the confidence of knowing that people feel that there is a process that will work and be effective? In each of your authorities, how do you try to promote awareness of the initiative and its successes? How do you market it and show that there are some positive outcomes?

10:00  

In Aberdeen, we report our findings to the audit, risk and scrutiny committee. For cases of particular interest that have gone through the criminal justice system, we issue appropriate press releases. Over and above that, when we put results into the national fraud initiative database, we upload anything that we may have taken to court or anything from cases in which there has been a sentence or somebody has been fined—whatever the sanction is. We then leave it to Audit Scotland to publicise that information.

Before I started this job, I had never heard of the national fraud initiative. That is probably quite common. Whenever a new privacy notice comes out, there is the occasional headline in the papers about big data and people snooping but, if people knew that we were able to take data from one organisation and match it with data from another organisation, that would be a really helpful deterrent.

I do not think that Midlothian Council advertises the fact that it takes part in the national fraud initiative, apart from the fact that every form that people have to fill in has a privacy statement on it saying that we will share their data with Audit Scotland for the purposes of the prevention and detection of fraud. However, that is in small print at the bottom of the forms. It would be worth while to publicise the initiative further. As Brian Muldoon said, whenever we have a successful case we publicise it, but that is not very frequent.

When we did the last exercise, we placed an article in the local newspaper and put something about the national fraud initiative on our website. In Midlothian, we also produce an annual corporate fraud report in which we report on all the fraud work that we have done and the savings that have been made as a result. A big part of that work for our council at the moment is the recovery of council houses. The information goes to all our various committees and is in public documents.

I agree with Heather Mohieddeen that we need to focus on the preventative side and get the message out there that we are actively doing this work to prevent fraud from happening in the first place.

When you have been able to promote a successful outcome, has that in any way triggered other inquiries from people saying, “I can see a pattern here”? Does it trigger anything for people?

On our website, we have a reporting mechanism whereby people can report any allegations anonymously. Every year, we put an article in the tenants’ newsletter, and that communication line sometimes triggers a bit more response. In addition, we have provided internal training sessions for our staff to raise awareness of fraud, which have led to quite a lot of referrals from our own housing staff. It is about getting the message out there and creating awareness that we have this resource.

We can also do local data matching that complements the NFI. We do some matches in Midlothian that are not part of the NFI but that have been quite fruitful—for example, we have matched joint tenants to single person discounts. It is about thinking of other ways in which we can match data to highlight potential frauds.

What does South Lanarkshire Council do to promote awareness of the NFI and build public confidence?

At the start of every exercise, we advise the public on our website that we are about to start the exercise. We explain what we are doing and all the matches that we do. In the past, we have put notices in “The Reporter”, which is the local publication that South Lanarkshire Council sends to each household. We promote the exercise widely among our staff, producing bulletins for employees and management and putting messages on payslips when we are about to start the NFI. There is always a statement on things such as benefits forms advising people that their details can be matched.

We prepare a report on the results of the NFI exercise that goes to the risk and audit scrutiny forum. That tells the council members the results of the investigations that we have carried out and where we have identified error, and it is a public document. We tend not to publicise the results on our intranet or in public newspapers—it is really just through the forum.

We engage in a wee bit of publicity at the beginning, to comply with the fair processing notices. That is heavily weighted towards benefits claimants and employees, but we put some information on the internet as well, to advise the public that we are carrying out the exercise.

Do you feel that you have enough resources in your team to keep up with the volume of work?

In internal audit, we co-ordinate the exercise—we do not do many of the investigations unless we have put something in our audit plan, and we allocate time for the NFI every year in our audit plan. We produce a cost benefit analysis at the end to make sure that the amount of time and resources that are being spent on it does not outweigh the benefits that we are getting. We review that for every exercise and, so far, we have identified more error than fraud within the council. We are gaining more through identifying error and taking corrective action than we are spending on resources, so there is a benefit at the moment.

Okay. Does Atholl Scott want to add anything in response to that set of questions?

No. Our processes are relatively similar.

In the Audit Scotland report, there are a number of tips on how to work more efficiently. Concern was raised that many participants are not using the latest software enhancements. When you were all talking about resources and the volume of work, I wondered what each of your authorities does to make sure that staff are keeping up to date with the new features on the web app. How do you ensure best practice? Do you speak to people in your respective councils to exchange good practice and learn from one another?

In Aberdeen, the investigative team has a dedicated area on the council’s intranet that relates to the national fraud initiative and how the matches should be carried out. The national fraud initiative website is also very good and includes training material that gives staff clear guidelines as to how they should be doing the matches. From that point of view, we do the best that we can to make sure that staff are aware of the latest matches that are available.

As one of my colleagues said, we get updates throughout the year from Audit Scotland. However, my team is not always fully able to resource those updates. Sometimes, we rely on information that came in at the beginning of the year—for example, the last data match was received in January. Although it is updated, we do not always have the time to see what the most up-to-date data is. We are working on that.

When you say that you are working on that, is it a matter of trying to get more resources for that particular task? Is the problem that you do not have enough people?

Some local authorities have a dedicated investigative resource who will do the majority of the national fraud initiative work, but other local authorities do not have that and tend to put that work out to staff who look for fraud and errors. With a massive fraud team, things can be looked at a lot quicker but, as I said, having that team in place has cost implications for local authorities.

All local authorities are members of the Scottish local authority investigators group, which meets once every six months or quarterly, and the managers and staff who attend those meetings share good practice. We find out the latest techniques for detecting fraud, what problems people are coming across and what problems are recurring. In that forum and in the online forums that are accessed through the knowledge hub, we share good practice so that we can deal with issues quickly.

If anyone wants to add anything to that, briefly, that would be fine. I am conscious of the time but I have one more question. Other organisations are relied on to play their part and respond quickly to inquiries. In your experience, can the process be quite slow when you are trying to get information from other organisations? Do you sometimes struggle to deal with inquiries promptly?

On the NFI website, there is a facility that allows us to share comments with other councils when a match is being investigated. Delays can happen through that because the samples of matches that are being investigated might not necessarily be the same. We have to keep going in and ensuring that comments have been answered, and the matter may have to be followed up, but that is not such a big issue.

The main delays probably come from the DWP side. We do not have any benefits investigators left in South Lanarkshire Council—they all transferred over—and our employees can take things only so far. When they decide that something looks like fraud rather than error, all the information is passed over to the DWP and that is where the delay can occur, because it needs to carry out its own investigation to confirm to us whether there has been fraud. Our main delays come from the DWP rather than from any other organisations.

In South Lanarkshire, rather than wait for the fraud to be confirmed, we record those things as overpayments as soon as we identify them as such. We take steps to recover the money and take corrective action, but the website will not be updated to say whether there has been fraud or an error until the DWP has confirmed that.

That is probably where the main delays are. It is a matter of keeping track of the investigation that has been passed over to the DWP to ensure that we can close it down on our side. The other delays are easy to cope with, as they involve contacting other authorities, which can be done through the website.

Is that your experience of the website, Mr Scott?

Yes. I was going to mirror what has just been said. The website has a facility whereby we can share information with the other side of the match, and it has the contact details of the various officers who are responsible for the different types of match, whether they are housing or benefits matches or whatever. There is an email contact and a sharing facility. We tend to share the comment or question through the secure facility and, if we do not receive a response within a couple of weeks, we will email the person outwith the NFI process to say that we referred a question to them in relation to the NFI and ask them to check the website. The detailed information is therefore kept secure, but we still have contact details if we need to get in touch with other bodies. We do not have a big issue with that.

10:15  

Forgive me—I am not familiar with the website—but is it possible for things to be missed? It sounds as though the website relies on a lot of human input rather than the computer telling you everything. Could things easily be forgotten or missed? Do you get constant alerts and reminders?

I might be misleading you a wee bit through lack of detail. I will refer to the comparison that I made earlier between Moray Council and Highland Council. If Moray Council had an employee working as a supply teacher two days a week and the Highland Council entry suggested that the same person was working five days a week for Highland Council, we would use the system to send a request for the status of that employee to be confirmed. We would hope that—going back to the point that Brian Muldoon made—Highland Council would get back to us, saying that the employee had previously worked full time but had moved to a part-time contract. That would satisfy us that the two part-time contracts were okay.

It is possible to share information with every other body that participates through an internal mechanism in the NFI system.

Every time that you visit the NFI website, a message comes up to tell you that there are shared comments that you have not read, and you can focus on those and deal with them. There is a flag, but only when you are in the system; you do not get constant reminders to check when you are not in the system.

Could the situation be improved?

During the investigation cycle, you are in and out of that system very often, so I do not think that any change is needed.

I would like to follow the interesting thread that Monica Lennon was pursuing. I presume that you can decide for yourselves what direction of travel to pursue in relation to potential fraud and that you are not driven by the data matches that are presented to you. For example, if a perpetrator is exposed in one particular year, I presume that you follow that person in subsequent years rather than waiting for the random data set to be given to you so that you can use it as a checklist. Is that right? Do you carry on checking someone who has been found to be a perpetrator?

No, we do not watch somebody, so to speak. However, if information came in on somebody one year and we did not get around to reviewing that data match, it will show up in the next year’s data match. I will give a little context. We got about 4,000 data matches but, out of that, Audit Scotland recommended just over 1,200—if memory serves—as high priority, and those are the ones that we focus on first. Some of the matches that we have not got around to looking at—because, as we discussed earlier, the process can take a year—will appear in the next NFI report. However, at that point there will be a new set of matches that are recommended as high priority. We do not have the resources to watch one particular person.

What I mean is, if a person is exposed as defrauding the system in some way or other, surely to goodness you would check what that person is doing the next year. Do you not do that?

That match might not appear next time.

I know, but that is what I mean. It is not in a matching set of data that you are given, but you would have intelligence about a certain behaviour that leads to fraud. In that case, do you not check that person in the second and third years?

If there is a case that we discover, we would deal with it at the time. If for example the case involves someone who was sub-letting a house, we would remove the house from them and deal with that incident.

We do some profile matching, but not necessarily through the NFI system. For example, we would look at what the latest reports are that might indicate whether males or females of a particular age are likely to commit fraud. We do things like that, but that is outwith the NFI.

What about you guys in Moray and South Lanarkshire. Do you follow up repeat offenders?

We are trying not to have repeat offenders. That is the point that we are trying to make. If they show up, and we have investigated and found that they have committed fraud, we stop at that point.

How do you know it is not happening again with the same person?

We hope that we have taken the house off them, or that they have had the sanction, or that we have dismissed them if they are an employee. If we have dismissed an employee because of fraud, that will be on the record, so if they try to come back we will see that.

In internal audit, our job is also to look at why it happened in the first place. We have improvement plans that follow the NFI exercise, to try to understand why our internal controls allowed a fraud to happen. Part of our job involves making recommendations and suggesting improvements to stop fraud happening, so even if the same individual were to go through the process again and try to defraud us a second time, the action is meant to strengthen our internal controls to stop them being able to do that. We do that rather than tracking an individual. We are trying to strengthen our systems all the time so that we can fraud proof them, for want of a better phrase.

That is interesting. Can I ask again about the role of HMRC? Both Elaine Greaves and Yvonne Douglas mentioned in their submissions that it would be useful if HMRC was included in the scope of the NFI. I see from one of your submissions that HMRC provides some data. I think that you were probably getting at the idea that it might be able to provide a whole host of data, but you then suggested that that might take us out of the sphere of public interest. Can you clarify what you mean by that? Have you lost or had to close down particular lines of inquiry because you were not able to access HMRC data, or did you request it and have your request denied? Why do you say that HMRC should be included?

We have never formally approached HMRC for data, so we have not been turned down as such. However, in the examples that we have given from other on-going investigations, one of the issues was a conflict of interests for one of our employees. We were flagging up the fact that, if we had that information, we would be able to match payroll data, so HMRC would be able to say, “We have information that the following employees who work for South Lanarkshire Council are also in pay-as-you-earn employment for someone else.” That would allow us to manage our procedures, particularly in high-risk areas where people might be contracting on behalf of the council.

We do some work with HMRC through real-time information, which helps us with benefits overpayments, because it flags up where people have not declared additional income. We use that information and that relationship is in place, but we thought that it could be extended into other spheres where it could be useful in our wider audit work for the authority.

Elaine Greaves also mentioned HMRC. What would be the advantage of bringing HMRC within the scope of the NFI?

It would provide more data. For example, at present we are never party to the type of information that would show that someone who is claiming benefits with Midlothian Council is highlighted by HMRC as receiving a salary from a private company. Another thing that could be considered is a link with the Driver and Vehicle Licensing Agency, which holds public information that could be useful in the exercise.

Have you approached HMRC for that information?

No.

Our thought was that it would be useful to bring those extra data sets into the NFI mix, so that the NFI is checking Midlothian Council’s employment records against South Lanarkshire Council’s employment records. We could also be matching against HMRC’s records, because it has records for everyone’s employment, and that would be useful.

At present, there is no legal gateway for local authorities to approach HMRC to request information. That was done under the social security side when we were dealing with housing benefit investigations.

Everybody seems to be saying that it would be a useful extension to the initiative if HMRC was within its scope and there was a legal gateway for requesting the information that councils seek.

I want to go back to the answer that Yvonne Douglas gave on the costs versus the outcomes and benefits of the national fraud initiative. I think that she mentioned a figure of £91,000 that had been recovered. Was that for a year?

Yes. That was in relation to the 2014 NFI exercise. We reported to our members on the Audit Scotland report, but we added the South Lanarkshire context to give our members the data relating to our authority.

So, in South Lanarkshire in that year, £91,000 was recovered as a result of anti-fraud activity.

The figure of £91,000 was identified as an outcome. The recovery process started thereafter.

Do you know the recovery figure?

I do not have the specific recovery figure, but I am fairly confident that it will not be 100 per cent, because we simply will not pursue some cases because of an individual’s age or their particular circumstances. However, as a policy, we seek to recover all overpayments, whether they are a result of error or fraud.

Based on previous years, what percentage would you expect to recover, roughly?

I do not have that figure to hand.

Do you not have even a ballpark figure? Is it 50 per cent or 75 per cent?

The problem with recovery is that the majority of our fraud and error cases come from housing benefit. Recovering that money takes time, as it is done through reduced benefits. Recovery for that period will still be on-going. It could take two years, because we can only recover a certain amount at a time from someone who is on benefits. Where there is a duplicate payment and a creditor, that will be recovered immediately and in full. With benefits, which as I say make up the majority of our fraud and error cases, it takes time to recover that money.

What are the costs of recovery? Are sheriff officers used to recover some of the debts?

They can be. We have a debt recovery process in place in the council, which goes through the stages of a first reminder and a second reminder and eventually sheriff officers, if they are required.

Yvonne Douglas said that it is impossible to quantify the deterrent effect of the work, and I totally understand that. However, what is the cost to the council of your department and the people involved in the activity getting to that figure of £91,000 in that year?

In the report that I mentioned, we said that the employee costs were approximately £27,000. That was based on the salary costs of the individuals who were involved in the exercise. Therefore, we were able to demonstrate a difference. However, the point that we were pulling out in the report was that the differences are becoming more marginal as the outcomes reduce.

So, even without taking into account the deterrent impact, you recovered three times the cost of actually carrying out the exercise.

Yes. We could still demonstrate a clear benefit to the council that exceeded the cost. We are expected to provide that assurance as part of the exercise.

This is a more general question, but how much of that would have been recovered without the national fraud initiative? Looking back to the years when you did not have the NFI, would you have recovered that money anyway, would half of it have been recovered, or could you have recovered it only if you had been involved in the NFI? What is the added value or additionality of the national fraud initiative?

I do not have that analysis. An element of it would have been recovered, but the majority would not have been, particularly in relation to duplicate payments. If somebody has been paid twice and that has not been identified through normal monitoring processes, it is highly unlikely that that will be picked up at a later stage. Only the NFI exercise picks up duplicate payments.

With benefits, which is where we identify most of the outcomes, because people’s circumstances are constantly under review, there is a chance that we might previously have identified issues, but the NFI gives added value. The NFI exercise probably accounted for the significant part of that sum.

10:30  

So, from your point of view, there is real added value in the NFI exercise.

Yes.

My final questions are on the scope of the NFI. Obviously, we all want to minimise fraud throughout the public sector, but the particular focus of the NFI is on housing benefit and related activity. Do you have colleagues who look at fraud more widely? For example, there have been recent fraud allegations in councils resulting from activities related to illegitimate use of framework contracts. The national fraud initiative does not really cover that. Would there be value in extending the scope of the national fraud initiative to cover other aspects of fraud and not just fraud involving people who are recipients of housing benefit?

Yes. With your example of framework contracts, careful thought would need to be given to what matches would be made that would identify fraud in that area.

A good example from recent experience would be a framework contract for school roofing being used to provide school doors and a range of other activity. Clearly, that would at least lead you to investigate why that happened.

Yes. For most authorities, that would form part of their annual audit plan rather than data matching. At the end of the day, to do that matching, we would probably use a contract register and high-level detail from invoices, but that would not give us the information that somebody was working under a framework for a particular type of work but delivering something different. That kind of information would come from a more detailed audit in which people look at a process and pull out a sample of projects to compare what we contracted for and what we received. I am not sure that the NFI at a high level would be able to match and identify those specific issues.

An internal audit report in one council suggested that malpractice had been going on for 15 years until an anonymous letter was received, but nobody in audit—external, internal or whatever—had identified it. That suggests to me that the auditing of those contracts is wholly inadequate for identifying potential fraud. To be fair, that is outwith your responsibility at the moment.

It is certainly not particularly related to the NFI exercise, but it is a challenge for local authorities in their internal audit work to ensure that we target our resources in the correct areas and in areas of high risk. We are learning all the time about where the risk lies and we reassess where our work needs to be focused. Procurement is becoming a greater area of focus for local authorities.

That is great. Thank you.

I thank our witnesses for attending. I suspend the meeting briefly to allow a changeover of witnesses.

10:33 Meeting suspended.  

10:37 On resuming—  

I welcome our second panel: Russell Frith, assistant auditor general, Audit Scotland; Darren Shillington, senior data matching manager, Cabinet Office; Neil Gray, director, Northern Ireland Audit Office; Anthony Barrett, assistant auditor general for Wales; and David Rees, governance manager, Wales Audit Office. Thank you for responding to our call for evidence, and for travelling from across the UK to be with us this morning; it is very much appreciated.

In our extensive session earlier, did the first panel mention anything that stood out to you that you would like to speak about?

I am the person in Audit Scotland who has overseen the exercise since it started in about 2004, so it was quite pleasing to hear the comments from those who are at the sharp end of it. I recognise some of the points that the witnesses made about the volume of matches. The Cabinet Office team provides all the bodies that take part with software tools that enable them to filter and prioritise the matches, so that they can concentrate on those that are most likely to generate a result.

The councils talked about there being several thousand matches, which is right. However, the NFI is a relatively mechanical exercise. Take housing benefit as an example. Someone who has not shown any income on their housing benefit claim but who may be earning £200 a week would be a match. Another match would happen when a person has declared that they are earning £190 a week, but the payroll data shows that they earn £200 a week. At the gross level, the matches do not distinguish between a significant error or difference and a minor difference, so filter tools are provided to help councils and other participants to focus on those matches that are most likely to give a result.

To be clear, Audit Scotland does not expect councils to investigate every match. If they have started with the big ones and, for whatever reason, they are finding those to be legitimate, we do not expect them to do the small ones in the same match set.

Do the other panellists want to pick up on anything?

I echo Russell Frith’s comments. The challenge that we face lies in getting the balance between giving the authorities the matches, and the technology to allow them to identify those that meet their own criteria for investigation, and not overloading them and making it appear that there are too many matches so that they become overfaced.

A challenge and one of the drivers is how to improve the technology. We are looking at how we can improve it and the rate of return further. In the previous panel, the example was cited of £91,000 being recovered at a cost of £27,000. Cost benefit is a key focus for us, as well as looking at whether there are other external data sets, such as those from credit reference agencies and other sources of information, that we can bring in.

The councils mentioned that the data is published every two years, and that they get a batch of matches, which it takes quite a while to work through. We have looked at the application checking service, which was alluded to. That is to do with preventative controls—those that can be embedded into internal controls. We need to work with the councils and to give them the tools and technology to allow them effectively to target fraud.

That is very helpful. Mr Barrett?

I am sure that the committee will return to the cost and benefit issue, but on the cost of recovery and so on, one should not forget that the fraud, which could have continued for years without being identified, has been stopped. That element of the cost must be borne in mind, too.

Mr Gray, do you have anything to add?

No. I have nothing to add, convener.

Great. Thank you very much.

Given the time, you will forgive me if I fire out a couple of points. We heard about the timing and the frequency of the process, and Mr Shillington just picked up on the two-year cycle. Are the timing and the frequency different across the jurisdictions? If so, are there any lessons that we can learn from that?

If we are talking about the main exercise, the position is similar across the UK. Most of the exercise is undertaken every two years, as you have heard. Elements of it—the council tax single person discount match, for example—are undertaken annually in some parts of the UK, such as in England.

The councils touched on whether the data should be published more often, and on it being issued quarterly or yearly. To put the issue into context, 1,300 organisations provide about 8,000 datasets, with 300 million pieces of information. There are a lot of challenges with data quality, processing the data and going through a process that allows matches to be generated that are effective and valuable to the participants. There are also cost implications. Clearly, that can be looked at and the exercise could be done more regularly, but there is a risk to that and a balance must be struck. The power of the NFI is that it brings together intelligence from across the organisations.

We take the data in October and release the matches in January in order to try to capture as much information as we can. Therefore, when we release the matches in January, they are as complete as possible. Not all the data comes in on 1 October, as you can imagine. By the time of the December cut-off point, we have probably received about 90 per cent of the data, and we start the matching process. The timing also allows for data quality issues and so on to be looked at.

There are balances at play. An exercise could be undertaken more often, but it is about the risk versus the reward.

In an ideal world, would it be worth publishing the data more often? If the cost benefit was not a consideration, would you do that?

10:45  

We have a strategy that looks over the next five years at a journey that would allow us to look at the automation of data collection and let us do it more regularly, potentially in real time. We would certainly like to go in that direction, all things being equal.

I understand.

In your submission, you talk about decisions not to follow up the matches and state, “This means fraud continues.” The implication is that there is fraud and it is being missed; that is not the impression that I got from some of the witnesses earlier. Mr Barrett talked about the fraud being stopped; that statement, too, is predicated on fraud being there in the first place, which was also not my impression. Will you comment on that?

We are talking about a risk-based approach and balancing available resources to target fraud. The NFI is a source of referrals but there are other sources and there are frauds in there. The track record of the NFI exercise has proven that we find fraud across a wide range of areas.

Having said that, not every match indicates fraud. It might indicate anomalies that may represent fraud and which need further consideration. We would never suggest that all authorities need to follow up every match. It is about a balanced and targeted approach and authorities looking at their own environment, resource, awareness, internal controls and fraud risk appetite and targeting the matches that meet that.

We all have to accept that fraud against the public sector goes on. We will not detect 100 per cent of it, because we do not have the resources; we have to target the resources that we have.

The deterrent point is particularly important but I suspect that my colleague will ask about that, so I will stand down.

According to the Cabinet Office evidence, about £110 million has been saved in Scotland as a result of fraud being uncovered since the scheme was created. That is an average of £9 million per year in the 13 years for which the scheme has been run.

Extrapolating the evidence that we took from the first panel of witnesses, it appears that, because of the effectiveness of the national fraud initiative, the annual amounts that are being discovered as fraudulent are going down because of the deterrent impact, although that is immeasurable at the moment. The average is £9 million a year over 13 years, but would it be right to say that the figure has been a lot lower than the average in recent years while it was a lot higher in the early years simply because people were being caught who otherwise would not have been caught?

The profile of the areas in which the outcomes have been generated has changed since the exercise started. When it first started, housing benefit was the biggest value outcome from the exercise, followed by pensions being paid to deceased persons. The first exercise that was run picked up a significant number of pensions that were being paid to deceased persons. Each subsequent exercise has picked up only anything that happened in the previous two years, so that figure fell.

The value of the outcomes of the last exercise was £16.8 million, of which only £3 million was housing benefit; that is the lowest that it has been. However, a relatively new type of match is the council tax single person discount; that accounted for £5.6 million and, this time round, that was the largest amount.

As the NFI has developed, it has looked at different aspects of fraud and the relative proportion from each type has changed. I suspect that it will continue to change. For example, when the new social security powers are finally enacted in Scotland, I expect those payment streams to come within the NFI, and that might well form a new fruitful area.

The nature of the problem is obviously changing over time. You suggest that housing benefit fraud has been going down and was down to £3 million in the latest figures. Is that right?

Yes.

How does that compare with the housing benefit figures for the earlier years?

Offhand, I am not certain but I would have said that they were at least double that.

Having done a lot of evaluation in a previous life, I fully understand the difficulty of trying to guesstimate, let alone estimate, the deterrent impact of such schemes. However, is it not time to consider the deterrent impact? A proxy for it might be the number of repeat offenders. If the number of repeat offenders is going down, that would suggest by proxy that the deterrent effect was operating effectively. I realise that it is difficult to be precise about such things, but do you have any evidence at all about the deterrent effect?

I do not think that we do in Scotland. I do not know whether any of my colleagues do.

No. Each NFI exercise is taken as a stand-alone exercise. The statutory powers that we have and the code that we work under require us to start again for each exercise. As the previous witnesses mentioned, we are able to take previous comments. If a match generates again because the person is still in receipt of benefits and still working, say, we are able to show them the outcome of the investigation last time but, because of the restrictions about what we can and cannot keep, we do not have such intelligence over time.

So you cannot tell who is a repeat offender.

No.

Is that not a loophole in the law?

It may be. You may want to consider that. We consider known fraud data and intelligence from other areas. We use the Amberhill data, which concerns stolen and fraudulent identities, and we are just doing some pilot work with Cifas on known fraudsters in the private sector to see whether that known fraud intelligence can add value. In England, the Cabinet Office is also considering sharing known fraud intelligence across utilities, the mobile sector, local authorities and the private banking sector. Work is going on to consider whether we should expand that.

Several years ago, when I was Minister for Housing and Communities, I visited the City of Edinburgh Council. It did an exercise that examined people who had registered as owners of private rented property. I remember the council telling me that that exercise had uncovered a lot of social security and housing benefit fraud. A percentage of the people who owned the private rented houses were involved with the tenants in the fraud. Is that kind of exercise being repeated throughout Scotland and the country?

I do not know the extent to which that is being repeated throughout Scotland but, as you heard from one of the earlier witnesses, the recovery of council housing stock has been one of the more recent successes of the NFI. Some of those cases linked through to the private sector but I am not sure whether it concerned private rented property in the same area.

We have 32 local authorities in Scotland. If a council such as the City of Edinburgh Council has a proven track record in using its private rented sector registration system to uncover fraud effectively—that was not the primary purpose of its exercise, but it was one of its silver linings—is there a way of spreading that good practice across all 32 authorities?

There certainly should be because there are numerous forums of local authority practitioners in various areas, including internal audit and fraud prevention.

Is the Scottish Government not benchmarking performance on that between the 32 local authorities? If the City of Edinburgh Council is doing that effectively, it should show up in the statistics. Are you not considering how you can proactively spread good practice throughout system?

Audit Scotland tries to do that when we become aware of good practice, but I do not think that we have looked at that area in recent years.

Should you not be looking at it?

Perhaps we should. I will take that point back to my colleagues.

There could be quite a return on that.

One of the ladies from Midlothian Council who was on the earlier panel said that if the national fraud initiative was better advertised and there was more awareness of its existence and, indeed, effectiveness, the deterrent effect would probably be substantially enhanced. Might it be worth while picking up that suggestion and looking at different ways of advertising the NFI and targeting that advertising at potential offenders? There must be a profile of the people who are most likely to offend—there usually is. Would it be worth looking at that suggestion, or even piloting it, to see whether it could be effective?

I certainly think that it is worth considering. We encourage councils to publicise the exercise before it takes place—some of the previous panel referred to that—and, in particular, to get any of their successes into the local press, for example. We publish the report on each exercise and we have brought the report to this committee and its predecessor committees, in part deliberately to raise its profile. In some of the earlier exercises—

Nobody listens to us. You need to advertise it.

In some of the previous exercises, we have also attracted interest from broadcast media, so we have appeared in various news programmes.

Yes, but that is an opportunistic approach. Is there not a need for a more proactive, comprehensive and targeted advertising strategy? Could that at least be piloted to see whether it had an impact on the figures?

It is certainly worth considering.

Is that something that you will take up?

We will look at it.

Good. Thank you.

I will stick broadly to the questions that I asked the previous panel, but first I have a particular question for Russell Frith. When you previously gave oral evidence to the committee, I asked you whether there are penalties for bodies that do not participate, or whatever. You said:

“No, not in the legislation.”—[Official Report, Public Audit and Post-legislative Scrutiny Committee, 1 December 2016; c 39.]

However, in its written submission, Audit Scotland states:

“The legislation already mandates participation and provides for fines on conviction for bodies that do not provide information.”

Were we talking about two different things?

No, we were not. I had forgotten about the provision in the legislation, which is, indeed, there. However, as I think I emphasised in my previous answer and in the written submission, our philosophy has been to try to encourage participation because we think that better outcomes result from willing and active participation. As some of the previous panel said, it is not just the provision of data that makes the exercise effective but how we follow through on the matches. Yes—there is mandation in the legislation for bodies to provide data, but not mandation to use it effectively.

Okay. I will come back to what I spoke to the other panel about. I am interested in the real-time pre-transaction checking. Does anybody actually do that?

I can answer that, after which colleagues from Wales might want to come in. Yes, is the simple answer to Mr Beattie’s question. It is not a mandatory initiative; it is a piece of work that we have launched alongside the NFI—a matched product—that allows the same checks to be done in real time. The point, as was discussed in the previous evidence session, is that when an application is put in, the NFI is able to check against the data that it already holds and to provide information on that individual. That enables identification of potentially fraudulent applications and those that are consistent with any information that we have.

11:00  

We talked a lot about resources earlier. One of the key points of the service is that it allows resources to be better targeted. We can—rather than saying that we need a lot more resources to do a lot more checking—use it to risk-screen applications for those that are likely to be fraudulent. The service has been rolled out across the UK: 50 or 60 local authorities and other participants are using it. I will bring in my colleagues from Wales to talk about it.

Darren Shillington referred earlier to the two-yearly exercise as “the main” NFI “exercise”. To a certain extent, I take issue with that. The two-yearly exercise produces a number of matches, and investigating those matches is very resource intensive. It would be far better—this is the way we would like to go—to move towards picking up fraud before it actually occurs. If we do that, those frauds are not in the system, and no recovery actions and detailed investigations are needed. That is what the new tool that has been introduced in the past 18 months to two years is designed to do. Public bodies that give grants and benefits and provide services are able to check in real time for anomalies that could be due to fraud and can, as a result, avoid making those awards.

Is it an expensive service?

The Auditor General for Wales made the decision to provide the service to all NFI participants, and that is funded through the Welsh consolidated fund, although the extent to which it is used in Wales is variable. We would like public bodies to build it into their system controls. It is not a counterfraud tool as such, but is simply a process that bodies go through in deciding whether to grant an application. They may not even think of it as a counterfraud tool. We find that some of our participants are using the tool for some services but not for others. It will take time for the service to become fully embedded, but over time it should become the main NFI exercise. If it works effectively, it should reduce dramatically the number of matches in the two-yearly exercise.

The previous panel did not seem to be terribly enthusiastic about it.

To go back to the point about cost, the service costs money. There is a pay-as-you-go service, which works out at about £1 per check, or local authorities can pay £1,850 per year and do as many checks as they wish.

Maybe the difference is that, in England, the Cabinet Office re-charges local authorities directly for their NFI participation. They are used to paying for the NFI anyway, so the concept of paying for an additional service is not alien to them. In Scotland, the NFI is funded differently, and the main exercise is part of the audit fee, so authorities may not be used to paying an extra fee for the application checking service.

I also asked earlier about housing associations and ALEOs. Clearly, there should be great benefit in bringing housing associations into the NFI scheme. Has there been experience of that elsewhere? Has incorporation of housing associations into the scheme led to better results?

Our experience in England is very similar to that in Scotland, in that we do not get much participation and engagement by housing associations. There is some participation around the edges, and there have been some good cases in which housing associations have discovered and recovered a lot of properties. There are also cases in which local authorities incentivise housing associations to come on board and work with them; they may ask them to put their data in and help them to follow up the matches because to do so it is in their interests. There can be such a collaborative approach. However, the vast majority of housing association stock is not included in the NFI, which obviously has an impact on the effectiveness with which we can target social-housing fraud.

Clearly, there is a big gap. Is it intended that participation will be made mandatory for housing associations and, perhaps, ALEOs?

In England, we have committed to working with housing associations and the wider local authority arena to understand how we can target our efforts better on ways of helping the NFI. For example, with regard to the application checking service that we have just talked about, we have an example of an authority in London that has recovered 10 properties—or has prevented 10 applications from going through. It might be that the solution is a sort of real-time service for housing associations and local authorities. At the minute, we are collaborating with them in order to understand how we can develop a better product that will enable them to target their fraud-risk efforts effectively.

I think that Northern Ireland has experience of the matter, so I will bring in Mr Gray.

Northern Ireland does have such experience. We have brought in, on a voluntary basis, the two largest housing associations, which means that the majority of the social housing in Northern Ireland is now encapsulated in the NFI. We did that for the first time in the last run. We have not, as yet, identified huge outcomes from that. However, it has shown up a number of data-quality issues in the information that is held by housing associations. When we have addressed those issues, their data will be a lot more valuable to the NFI, and I would expect them to start seeing outcomes from that.

Is there any experience of this in Wales?

Similarly, housing associations are not mandatory participants in Wales. We have a couple of housing associations that participate voluntarily. The Auditor General for Wales has made representations to the National Assembly for Wales around introducing or amending legislation to include, for example, housing associations and others as mandatory participants.

Would you make participation mandatory, or are you content to continue with voluntary arrangements? I am not clear what you are saying to us.

From the Wales Audit Office’s point of view, if they are mandatory participants, that will make things much more straightforward. Obviously, there are issues with data and data quality that have to be overcome in the first couple of years, but once those have been dealt with the process is much easier than it is when people participate voluntarily. Despite the fact that participating does not cost housing associations anything, and despite the awareness raising that we have done, we have not been as successful as we would like with regard to encouraging voluntary participation.

Is that a shared view?

Yes. As a traditional public auditor, I am keen on following the money. Where bodies are in receipt of public money, it is incumbent on them to participate in such schemes. That is good public policy.

With regard to the legislation itself, the fact that it is possible to mandate organisations to participate does not mean that they must be asked to participate. That is an important distinction. Some housing associations are extremely small, so the question of proportionality comes into it.

That is a helpful point to make.

I want to ask you a question that is similar to the question that I asked the previous panel. When a fraud is established in year 1, and there is the potential for that fraud to be attempted in years 2, 3, 4 and 5, why would that data not be part of the dataset for consideration in those years, in order to stamp out attempted repeat frauds by a person?

I can speak about that in general terms. We have started to examine the value of that sort of fraudster intelligence. As was alluded to earlier, we are looking at the work of Amberhill, which is about stolen and fraudulent identities, and we are just starting to work with Cifas, which has a database of known fraudsters in the private sector who have committed fraud against the banking and financial sectors. We are looking to see whether there is any value in that.

There has been some discussion around the creation of that sort of known-fraudster database. However, I unaware of any such database being retained by anybody that would be accessible in a way that could be brought into the NFI system. We are looking at working with others on a known-fraudster intelligence-sharing service, but I am not aware that there is a benefit-fraudster database that we could use to cross-match.

If the outcome is that a person is identified as having committed a fraud, is not it recorded in the data that there was a positive match and that it had led to a conviction or whatever? Is that fed back into the system so that there is a kind of red flag for that person for the next year?

We capture information in the way that Willie Coffey alludes to: participants can record outcomes and the status in the case-management system. They can classify a case as fraud or error, and they can tick “Prosecution” or not. Generally we do not know whether it was a successful prosecution, and a lot of the time the fraud classification is dependent on how the participant has defined fraud locally. We give guidance on what should be defined as fraud, which covers the balance of probability and so on, but there is local discretion as to how authorities want to record that.

We have considered whether we could take and use that information, but there are lots of challenges around what goes into the data pot, its robustness, and data-subject notifications. We would need to notify the individuals that they have been put on the database, and they would then need to have a right of appeal. We could explore the process, but I do not think that it is quite as simple as saying, “Right—we’re going to capture that data and use it.”

The data apart, we heard from our local authority colleagues that they do not systematically follow up on potential repeat offenders, but is anything preventing them from doing that if they have had a successful case? Are they required to operate only with the data set that they are presented with? It seems ridiculous that they can know that people are trying to commit frauds and have done so, but will ignore those people in subsequent years. Are they able to follow that up, from your understanding of the legislation?

I suppose that a determined fraudster who is out to commit fraud will not be likely to use the same details next time; they are likely to change their identity and other factors in the application, so it will not be the case that Joe Bloggs will exactly match to the previous time. Probably, the better way to use the information—again, the previous panel talked about this—is to look at how frauds were perpetrated and to consider where internal controls can be strengthened to prevent similar incidents from going through the system in the future. As I said, a determined fraudster is unlikely to use the same details.

Russell Frith mentioned the single-person discount for the council tax. In your written submission, you state that 4,846 of those discounts were cancelled in a particular year. What is to prevent those people from trying it again in a second and third year?

There is nothing to prevent them from trying it again, but if they do that, they will be caught again in the next exercise—

They will be caught only if they are in the data set that is presented in the second year.

Yes, through the NFI—

However, they might not appear in the data set for year 2 or 3.

They should appear. If they are doing the same thing, they will appear again, because they will still match to the electoral roll for claiming the single-person discount.

I should say that we believe that the NFI is a valuable exercise, but it is only one part of a council’s or other body’s fraud prevention and detection arrangements. A member of the previous panel alluded to the fact that internal control is their first line of defence.

You will have heard several colleagues talking about the potential benefits of bringing HMRC within the scope of the NFI. I think that one of them said, “We don’t have a legal channel to require or request that information.” Is that the case? Could HMRC voluntarily provide data on request or would it require to be brought within the scope of the NFI scheme?

11:15  

The data matching powers in England—the same applies in the other parts of the UK—do allow voluntary participation. There have certainly been barriers to the sharing of Government data, and particular restrictions on Government departments have prevented it on certain occasions. The Digital Economy Act 2017 has just gone through the UK Parliament and part of its remit is to enhance and facilitate better data sharing.

I suspect that you would need to look at particular cases and the particular HMRC data that you wanted to target but those gateways are opening, if they are not already open. There is already data sharing between the DWP and HMRC around real-time income, which is cross-matched to housing benefits. The local authorities are getting that information cross-matched for the housing benefit element only and are getting those referrals that relate to them. Similarly, the DWP is getting the relevant referrals from that intelligence.

There would be benefits in bringing that into the NFI but one of the key benefits is housing benefit and that is being done through a different initiative. It is about making sure that we join up those initiatives and understand where the additional benefits lie.

We heard colleagues saying that they had not asked HMRC on a number of occasions. Had they asked, would they have been given the data or is data only handed over if it is a requirement of the legislative framework?

From my experience outside the NFI, I am aware of some local authorities interacting with HMRC. However, I am also aware of a difference of opinion about what they can and cannot get so I would not say that there is one standard approach. However, there are examples of it working.

Okay. Thanks for that.

Let us mop this up. Is it your considered view across all four areas that it should be possible to access HMRC data—yes or no? It is as simple as that. I am just looking for clarity from you.

It would be of tremendous value in preventing and detecting fraud, which is obviously what the NFI is all about, and it could offer other opportunities for data matching.

For example, if we had access to income data, by matching that against social security data, we could identify client individuals and groups of folk who perhaps were not claiming all the benefits that they were entitled to. That proposition has been made to me by members of the Northern Ireland Assembly. It is not just about preventing and detecting fraud. There is a wider social benefit.

I entirely agree that access to full HMRC data would significantly increase the benefit of the exercise.

Yes, we also agree that it would be beneficial.

I like unanimity of opinion. There is one final question from Monica Lennon.

In the previous panel session, I raised the issue of some organisations not using the software updates and perhaps not responding promptly to other organisations—we were getting at some of the resource and capacity issues.

Appendix 3 of the Audit Scotland report outlines the concerns and the source of those concerns is given as the Cabinet Office NFI team. Mr Shillington, do the concerns and patterns that you have identified relate to capacity and resources or is it more about skills and perhaps a lack of training in some of the teams?

I think that it is both. Some organisations have the intent but do not necessarily use the tool as effectively as they could to target the work that they do. Some do not have the capacity, so it is about targeting that capacity. There are also examples of some organisations that just do not have the intent to follow up the matches, so it is across the spectrum.

As I said, we are looking to provide the tool and the technology to allow participants to target their action and resources at the cases that meet their investigative requirements. The tool allows them to identify and prioritise the cases that meet their criteria for investigation. A lack of awareness and a lack of training sometimes mean that they are not aware of that. We certainly do not expect organisations to follow up on every match—that has never been the intention. It is a question of using the tool effectively.

From a central co-ordination angle, we look at management information, and if we spot poor practice we will try to stop it. If we identify ineffective use of the tool, we will intervene and encourage organisations to use it more effectively.

That is helpful. When it comes to people responding to that intervention appropriately, are you dependent on good will? You cannot compel people to use the software in a certain way.

No, we cannot. We can encourage people when we do not feel that they are using it effectively to maximise the benefits. When we think that they are using it ineffectively and their resources could be better targeted, we will try to help them. We will support them through that process.

Now that we are part of the Cabinet Office, the audit avenues that were open to us when we were part of the Audit Commission are no longer available to us.

I would like to add something from our experience in Wales. Mandatory participants are required to provide the data sets, but there is nothing mandatory about what happens with the matches. Ultimately, the only sanction that is available to us is publicity. In the past, we said to an organisation that was not investigating matches that we would name it in our annual report as the only organisation in Wales that had not investigated any matches. That spurred the organisation into looking at some of the matches, finding matches and recovering information.

Such naming and shaming—for want of a better phrase—is probably the only sanction that is available to us in persuading organisations to participate, other than talking to them about how they could further prioritise the matches.

In the absence of other questions from members, there is one last thing that I would like to clarify with Mr Frith. You mentioned the issue of electoral roll data. In your submission, you said:

“There are different legal views as to whether electoral law allows electronic copies of the register to be provided for data matching purposes.”

Would it be helpful if the committee clarified the extent of the power with the cabinet secretary when we have him before us?

Yes, it would be very useful to have his views.

So you do not think that you currently have that power.

We think that the power could be read into the legislation. A couple of authorities have come to a different view. If my understanding of the situation in England is right, every local authority there provides the equivalent data.

The electoral rolls are used mainly in relation to the single-person discounts. We accept that the NFI is not the only way in which that information can be obtained. For example, if a council employs a credit reference agency, it can get other data sets that can help it to identify single-person discount errors.

Thank you.

I thank all our witnesses, particularly those who have travelled far, for coming to our meeting. If there are any details that we wish to pursue with you, we will write to you. Once we have had an opportunity to reflect on the first panel’s evidence, we might come back to you with questions. We will take evidence from the Scottish Government on the NFI on 15 June.

I suspend the meeting briefly to allow the witnesses to leave.

11:23 Meeting suspended.  

11:24 On resuming—