Public Audit Committee

Meeting date: Wednesday, December 21, 2011

Official Report 433KB pdf

---

Section 22 Report

---

“The 2010/11 audit of the National Library of Scotland”

The next item is a section 22 report on the National Library of Scotland. The issue has been hanging for some time because specific implications meant that we were not able to consider it. Members may remember the section 22 report that followed the 2009-10 audit of the National Library, which we were not able to consider because of sub judice issues. I hope that the Auditor General will now illuminate the committee on what has been happening.

I am pleased to say that I have a relatively simple story to tell. As the convener suggests, I produced a short report last year on the accounts of the National Library of Scotland, but because of sub judice issues, it was not possible to say a great deal about it.

In the report, I noted that the auditor had qualified the opinion on the accounts because of financial irregularities, but we could not go much further than that. The irregularities related to a fraud at the library. The matter has been concluded, so I have been able to produce a further report on the library’s accounts for 2010-11. I can therefore give committee members a little more detail.

The key points are relatively straightforward, which I hope will help with committee members’ understanding. The library’s former chief information officer has been convicted of fraud. Earlier this year, he pled guilty to misappropriating some £500,000 of public funds, which he did through the misuse of a corporate credit card and by awarding contracts to a company that he owned. He received a custodial sentence of two years. The library has taken action to recover the money, and I understand that, to date, it has recovered approximately £150,000.

The fraud was identified when the library was preparing to introduce a new finance system. I understand that the new system is now fully operational and that it includes stronger procedures for controlling procurement, especially in relation to the authorisation of purchase orders and invoices.

The library was keen to ensure that it had taken all the steps that it could take to deal with the fraud and to strengthen its procedures. It therefore commissioned an independent person of standing—a well-known and eminent accountant in Scotland—to provide an independent assessment of the action taken and to identify any further areas for improvement. The assessor’s report provided a general assurance on the steps that the library has taken, and on its new finance system. It also made some further recommendations on improvements to the governance arrangements. The library has accepted those recommendations and it is now implementing them.

I realise that there were and perhaps still are sensitivities around the issue. It is commendable that action has been taken and that some moneys have been recovered.

No system can guarantee 100 per cent that no one will ever be able to defraud it, so the key question is whether a system is sufficiently strong to enable the early identification of problems and prevent situations such as the one that we are considering from arising. Action has been taken at the National Library to put in place new systems, and we can welcome that. People are wise after the event, but could and should anything have been done at the outset to prevent such a significant sum of money from being misappropriated? It is clear that there were weaknesses and that improvements have been made, but was there a failure to pay sufficient attention to ensuring that the system was capable of picking up fraud?

Bob Leishman is closer to the detail than I am, so he might be able to help you.

An issue that came out of the independent assessor’s report was the culture in the library. The balance between procedures and trust had perhaps got out of kilter; the people who were implementing the system were trusting each other more than they should have done, and cross-checking was not of a sufficient standard. The procedure and the papers were there, but people were not necessarily asking the right questions before they signed things off. The assessor made it clear that that culture must change.

I hazard a guess that such a culture exists elsewhere in the public sector, particularly in a small country such as Scotland, where there are small networks of people who went to university together, came into certain areas of employment together, socialise together and so on. Can we be sure that the culture that you describe does not exist elsewhere in Government circles or agencies?

We could never give a 100 per cent assurance on something like that. I would like to think that, through the audit process, we are constantly learning about the need for vigilance. Auditors are getting better at looking at bodies’ overall governance and styles of operation, but it is difficult to be specific because such things are not quantifiable, which is where audit is at its most effective.

Have the independent assessor’s comments been fed back to the permanent secretary, and have you had an assurance that he is ensuring that the message is passed on to all departments and agencies for which he is responsible?

I do not think that we have information on that, do we, Bob?

We know that the Scottish Government is aware of the situation at the National Library and the independent assessor’s report, but we have no details on what it has done on that.

Will you ask for an assurance that careful consideration has been given to the recommendations and that the message is being relayed to bodies for which the permanent secretary is responsible? Perhaps that is something that the committee needs to do.

I have no plans to do that. It might well be appropriate for the committee to seek such an assurance.

A key point that has emerged from the situation is that the fraud involved, at least in part, the person concerned setting up a company, which contracted with the National Library. I think that there has been a recent fraud along very similar lines at the Royal Mail in the north of England. Two ex-employees set up a company to deliver Christmas mail, received a large cheque and, I understand, vanished.

If we are to believe press reports from the past few years, such occurrences are increasingly common. Perhaps when audits of public bodies are taking place, auditors could be alert to the issue and consider the nature of service providers. I realise that it would be difficult for an auditor to pick up that a person was an ex-employee, for example, but they could consider quality and content, because when such a company or business is set up there are usually anomalies in its structure or in its relationship with the public body, which should alert anyone who had a normal inquisitive mind to a problem.

I absolutely take your point. We need to distinguish between the role of external audit and the role of internal audit. A strong, robust code of conduct is expected—required, indeed—in any public body, which applies to all employees and which covers such matters in principle. We also expect good risk management and strong governance, to ensure that the code is operated well, and an internal audit function that is fit for purpose and does the sort of detailed checking to which I think that you were referring. The role of the external auditor is to have an independent look at all that and take an assurance, where they can, that the systems and controls are fit for purpose.

There is no single answer. There is always the risk that someone who is behaving badly will find ways round a system. Nevertheless, it is right that we try to use the combined resources of internal and external audit to provide an assurance about the robustness of systems and standards of governance.

Given the economic situation, there is much more pressure on people than there has ever been, which perhaps pushes some people into doing the wrong thing and trying to take advantage of situations. Given that the type of fraud that we are talking about has become a big issue throughout the United Kingdom and elsewhere, we need to find a way of alerting people to the issue, so that they have it at the front of their minds.

I note that a new finance system at the National Library picked up the fraud. It worries me that if there had been no new system the fraud might have continued. Paragraph 16 of the “National Library of Scotland Annual Report and Accounts for the year ended 31 March 2011” says:

“Audit Scotland was appointed from 1st April 2006.”

Did nothing alert Audit Scotland to the existence of fraud between 2006 and 2010?

My understanding is that the fraud came to light only when the organisation was moving to introduce its new financial system. That is when the fraud was uncovered; it was concealed before that point.

Is it possible that the fraud could have gone back much further than 2006? Is it also possible that if it had not been for the new finance system the fraud could have continued, despite the audits that were carried out?

My answers will be rather indirect. On your first question, the unfortunate issue that we are talking about has been the subject of a full police inquiry and a prosecution in court, and I imagine that court proceedings addressed the issue of when the fraud was first perpetrated. I am not in a position to give you an absolute assurance about events before 2006, but I would be surprised if the combination of the prosecution and the court proceedings had not uncovered all that.

On the second question, about whether the fraud would have been discovered if the new financial system had not been introduced, the answer can only be speculative. It is clear that a view was taken that the systems that the National Library had been operating in an earlier period were not fit for purpose. In theory, I suppose that the fraud could have continued, but that is entirely speculative, because we have no way of knowing that.

My point is really that in four years of audit by Audit Scotland, it was not picked up. It was only picked up when the new system came in; that is my concern.

11:45

As you can imagine, now that we have the full story, I am asking a question or two in Audit Scotland about the background. I want to be assured that Audit Scotland did an adequate and reasonable job as the external auditor in providing that overview of the system, and I want to see whether we can learn anything. As I was trying to say in answer to Mr Beattie’s question, it is for the management of an organisation to put control systems in place. We cannot second-guess management in everything. Nevertheless, it is entirely reasonable for you and me to ask whether the oversight of the control environment was adequate at the time.

I fully understand what you are saying. Your response to Mary Scanlon’s question suggests that there were some failures in the audit process. There is no point in speculating on whether there were weaknesses in the external process or failures in the internal process. However, while you are looking at whether anything could have been done by the external auditors, will you also make recommendations to the management and through the permanent secretary about how internal audit functions are constructed and operated?

External auditors such as Audit Scotland are at something of a disadvantage if the internal audit mechanisms are failing completely. What will you do to recommend improvements in that regard? Will you talk to the permanent secretary about implementing any such improvements across all areas of his responsibility?

The independent assessor’s report made a series of recommendations for further strengthening the control environment and governance in addition to full implementation of the new financial system. I would therefore be surprised if the external auditor takes the view that the systems that are now being operated are not fit for purpose. I intend to ask the question, however.

With regard to the permanent secretary, perhaps the committee will pursue that point if it feels that it is necessary. As Bob Leishman said, the senior civil service is aware of the fraud, which was perpetrated by one rogue individual, and we need to put the issue in that context.

Yes, I understand that. However, I am asking about systems and, as external auditors, Audit Scotland has a unique and somewhat privileged position in an area of expertise to be able to say what indicated, or possibly did not indicate, areas of potential weakness. I am concerned to make sure that lessons are being learned across the board.

The committee can make some recommendations if it decides to look at the issue but, from a professional perspective, we can never be too vigilant, and it is much more powerful if recommendations are made about tightening up procedures across the whole public domain for which the permanent secretary has responsibility.

I take the point that you are making.

I think that the convener has asked quite a few of my questions. Only one is left to me, and it is in relation to Mr Leishman’s comments about the atmosphere of trust that permeated the organisation and its management. You have explained that, but it brings us to the competence of the board and those who run the organisation. Are we content that the present management set-up is sufficient for the changes that may be introduced?

Again, our starting point is the independent assessor’s report, which examined the governance arrangements closely and made a number of recommendations to improve them—in particular, in relation to the way that the library’s audit committee worked. The board of trustees accepted those recommendations and my understanding is that they are being implemented. We will certainly follow that up through the annual audit in forthcoming years.

I will pursue the point about external and internal audit. I take your point about that, but I presume that there was no internal audit, in effect.

Yes, there was.

Well, it failed.

Over a period of time, internal and external auditors made comments about the procurement system.

They may have made comments, but the audit failed.

Recommendations were made, but the answer that always came back from the library was that it was getting a new finance system and that that would sort it out.

Public sector organisations say that all the time and spend hundreds of thousands of pounds of public money on such systems. The internal audit failed, did it not?

We are not in a position to say today whether the internal audit failed. You would need to leave me to look at that in more detail. We know that general comments were made about the need to upgrade the finance systems that operated in the National Library. However, in this case, a rogue individual sought personal gain.

Sure. I totally accept that, but such people exist in every walk of life, unfortunately. That is the world in which we live. My concern is that, as Mary Scanlon pointed out, the internal audit failed and the external audit did not pick that up.

I take the point that you are examining the matter and will come back to the committee on it but, as the parliamentary committee that is directly responsible for audit, we must be pretty confident that the external audit has a sufficiently robust relationship with the internal audit to ensure that such things do not happen.

I also take the point that, in this case, a rogue individual was responsible and that such things can happen. That is the fault of nobody around this table. However, is there not a concern that the relationship between the internal and external audit is a bit too cosy?

Do you mean in relation to this issue?

Yes.

I cannot comment on that in relation to this issue but I give you an absolute assurance that that is not the case in general.

Good.

I do not think that anyone, including the Auditor General, would say that audit is 100 per cent reliable and that it guarantees to pick up everything that goes on. In essence, it considers a snapshot in time of particular processes and activities and tends to give—or not give—a clean bill of health on systems, including systems for control, and processes.

However, as Tavish Scott says, we may always have rogues who are hellbent on defrauding the public sector for their personal gain. We would have expected the systems and processes to have flagged up the case earlier, but it is incumbent on all organisations, despite the fact that they embrace audit processes, continually to ask questions, particularly of senior officials—as I understand it, a senior official was the culprit in this case. Organisations must not be afraid to go beyond the systems and processes that might give a clean bill of health year after year and raise concerns about such matters.

There is a human element to the case: people must have been suspicious of something going wrong. The amount of money that was involved was £500,000. I think that the National Library turns over £20 million, so that is a substantial part of its total turnover. It is a wee bit hard to understand how no one could notice that, apart from the chap who defrauded the organisation. I am pretty certain that, in any follow-up that he does, the Auditor General will have a close look at that.

However, the committee might strengthen the message that people should always feel empowered and protected to raise concerns that they have that go beyond the systems and processes that their organisations might have adopted.

Willie Coffey makes an interesting point about whether we should look at a more robust and widely known whistleblowing system so that, where there are concerns, people are encouraged to report issues without worrying that their personal career is at stake. The committee might want to reflect on that. The more information that comes out, the better able internal and external auditors, the police and other authorities are to do their jobs. It might be worth reflecting on whether we could have a state-of-the-art whistleblowing system in which people are encouraged to report and are supported in that. As part of Audit Scotland’s responsibilities, has it ever encouraged public agencies to have good and effective whistleblowing systems?

Yes. Under the Public Interest Disclosure Act 1998, Audit Scotland is one of the bodies to which individuals are directed if they have something that they want to pass on confidentially. A few years ago, we published booklets for employers and employees that set out the terms of the act and reminded them of the need to be vigilant and to pass on information where that is available. We are currently refreshing some of those leaflets, and I think that we expect to publish new ones in the next couple of months.

I go back to the responsibility of the permanent secretary as the head civil servant. It might be worth the committee asking the permanent secretary to ensure that the message is given out to ordinary staff from the top, through all the directorates and all the layers of management, that if they believe that something is going wrong, they should not feel afraid to raise the matter. If they have concerns or worries, they should be given specific information about the facilities to which Mr Leishman referred so that they can report them.

As Willie Coffey said, the National Library of Scotland is a relatively small organisation with a huge amount of money. If what happened there happened on a similar scale in some of the bigger organisations, we would be talking about huge sums. The more we can do to ensure that those who are intent on wrongdoing know that others might be on to them at an early stage, the better things will be for everyone.

Some very good points have been made. I would like to follow up on Mr Scott’s remarks. He was right to use the word “cosy” and to highlight the concerns and fears that exist. For somebody who is somewhat ignorant of the system, does a code of conduct exist for those who carry out external audits—for the relationship between external and internal auditors? They cannot be golf buddies, for example.

Yes. There is a very robust framework. There is a code of audit practice that I promulgate with the Accounts Commission across all public bodies in Scotland, which this committee has seen and supported.

Is it publicly available?

Yes, absolutely. It is on our website. I can give you a copy of it, if you wish.

That is grand. I will look for it on your website.

Obviously, every audit of a public body is different, but there must be core elements to every audit that you perform. I would have thought that consideration of the financial system would be fundamental and imperative in any audit that you perform, whether in the NHS, the legal system or the National Library of Scotland. Is that off the mark?

No. The financial controls should be regularly reviewed by auditors.

So you will report back to the committee on what went wrong in this case and why things such as concerns about the financial system were not flagged up.

I will undertake my own investigation and report back on its results.

Grand. Thanks.

12:00

Thank you very much, Mr Black. I realise that the issue is a sensitive one, both for individuals and for organisations. A number of useful comments have been made about the respective responsibilities of those concerned. I am sure that the committee will look forward to receiving another report once you have had the opportunity to undertake further work.

Before I move on to item 5 and close the public part of the meeting, I say to members and the Audit Scotland staff that I will be leaving the committee because of changes within the Labour Party in the Parliament. I am moving on to do other things.

I remember that, when I was asked to take on the convenership of the committee, my friend Margaret Jamieson said to me that I would enjoy it. I was not sure that I believed her because I did not know that much about what the committee had done, but I think she was right. I have thoroughly enjoyed the past four years. The committee has made a highly significant contribution to the life of the Scottish Parliament and to enabling the Parliament to discharge its responsibilities.

That has been the case for two reasons. First, we have always been fortunate in having an exceptionally good mix of members, who have worked across political boundaries and barriers to try to get to the bottom of issues. I understand that, from time to time, there will be political tensions, different nuances and differences of emphasis—that is life—but, in general, members of all parties have made a significant contribution. In addition, we have been fortunate in having a number of members who have made a lively contribution because they have been prepared to speak out and to challenge, and the success of an audit committee depends on the willingness of its members to do that.

Fundamentally, as members have said time and again—not least when we acknowledged the specific contribution of Robert Black as Auditor General when he announced his retirement—we have been able to do our work only because of the support that we receive. We receive exceptionally good support from our clerking team—Jane Williams, Jason Nairn and Jennifer Bell are the present incumbents. The work that the clerks do is a part of the exercise that is sometimes overlooked, particularly when it comes to the preparation of reports. I will come back to the responsibilities of Audit Scotland and our reliance on its work, but it is left to our clerking team to make sense of the mish-mash and range of members’ opinions and comments. Over the years, we have been extremely fortunate to have produced some exceptionally good reports that have excited public attention. To realise the job that the clerking team has done over the years, it is necessary only to look at the quality of those reports, and I thank the clerks for their contribution because, in a sense, they are the unsung heroes in all of this.

As I indicated earlier, the work that we have done would not have been possible without the exceptionally good reports that we get from Audit Scotland, two examples of which we have had today. Those reports reflect the high level of professionalism, the high standards and the meticulous attention to detail of the organisation’s staff. Fundamentally, however, although they are full of facts and figures and detail that could be as dry as dust, what helps, above all, is the fact that they are presented and written in a highly understandable way, and that makes the life of the politicians so much easier.

I thank Robert Black and his team and ask them to pass on my thanks to all their staff for the support that I have received over the past four years. I wish my successor and the committee all the best in their endeavours. I hope that they can keep up the pressure and ensure that everybody does the job that they are supposed to do. So, thank you very much.

I do not know whether this is appropriate—perhaps others will want to say something, too—but I think that we should put on record the significant contribution that Hugh Henry has made to the committee. It is no accident that the committee is consistently nominated for awards. He has encouraged our Rottweiler instinct—sorry, but I could not think of a more appropriate term—and he certainly takes no hostages. As convener of this committee, he was nominated as politician of the year and was the first back bencher ever to have won that award. His success speaks for itself. I am sorry that it has been only a few weeks since I have been on the committee. I am very much the new girl, but I think that it is appropriate to put on record the significant contribution that he has made to auditing in Scotland and to the work of this committee in particular.

Thank you.

As the longest-serving member of the committee, I offer you my congratulations on your new appointment and I thank you for your stewardship of the committee over the past number of years. The word “rigour” comes to mind when I think of your determined effort on a number of occasions to hold the Government to account, as well as public bodies who come in front of the committee. You are to be commended for that. I am going to really miss your book of words, which begins with “astonishing” and goes on to “scandalous”—

And obfuscation.

You have used many other words. However, in your rigorous analysis when holding the Government to account you have been fair and courteous to those around the table, particularly when political issues have arisen. You have also been very fair and courteous in the manner in which you have dealt with issues as they have arisen. The Public Audit Committee has excelled itself in its scrutiny, and that is recognised not only within but outwith Scotland. For that reason, we have been visited by people from a number of Administrations, including from Kosovo and Macedonia, who were keen to see how Scotland holds its Government to account.

The contribution that you have made over your term of office has been pretty spectacular. You are to be congratulated on it. I wish you all the very best in your new appointment.

Thank you very much. It is always a pleasure to be able to add to the vocabulary of a man from Kilmarnock.

I share the views that have been expressed. I do not say that because we are taking a cross-party approach but because I genuinely mean it. It was a pleasure to work with you in the Government that we were previously part of. I have not been a member of the committee for as long as other members, but I share the views and opinions that my colleagues have expressed. I can only hope that you will continue to hold the Government to account in whatever new role and responsibilities you have. I note that when you became politician of the year, you had a very strong shortlist to overcome.

Thank you very much for those comments. We now move into private session.

12:08 Meeting continued in private until 12:13.