Fraud

Contents:

Scope

Key Points

Background

Promoting an Anti-Fraud Culture

Prevention and Detection

Systems of Control

Separation of Duties

Danger Signs

Reporting and Investigation

Annex 1: Scottish Executive Fraud Policy Statement

Annex 2: Scottish Executive Fraud Response Plan


Scope

1. This section gives guidance on the prevention, detection, reporting and handling of fraud. The guidance is equally applicable to all organisations subject to the requirements of the Scottish Public Finance Manual (SPFM), including constituent parts of the Scottish Administration and relevant bodies sponsored by the Scottish Executive.


Key Points

2. Organisations should develop a fraud policy statement in order to communicate their approach to fraud. A fraud response plan should also be drawn up to ensure that timely and effective action is taken in the event of a fraud.

3. All staff are concerned with the prevention and detection of fraud but the prime responsibility for designing, operating and reviewing control systems rests with the managers involved. Managers should consult finance and internal audit where new control procedures are being set up or significant changes to existing procedures are being proposed.

4. Procedures set up to prevent and detect fraud must be carefully followed and monitored. Many frauds are due to failure to comply with existing control systems.

5. Without adequate separation of duties, the effectiveness of other control measures is undermined. Where resources are limited and separation of duties is not possible, alternative management controls, e.g. supervisory checking, must be employed.

6. Organisations should put in place avenues for reporting suspicions of fraud. Staff should be encouraged to report such suspicions to their line managers, to the organisation's internal audit (or specialist fraud unit), or possibly to a hotline set up for the purpose.


Background

7. Fraud can be perpetrated by persons outside as well as inside an organisation and by collusion. The criminal act is the attempt to deceive and attempted fraud is therefore treated as seriously as accomplished fraud. The term "fraud" is used to describe such acts as deception, bribery, forgery, extortion, corruption, theft, conspiracy, embezzlement, misappropriation, false representation, concealment of material facts, and collusion. It is usually used to describe depriving someone of something by deceit, which might either be straight theft or misuse of funds or other resources, or more complicated crimes like false accounting and the supply of false information. Computer fraud is where information technology equipment has been used to manipulate programs or data dishonestly (e.g. by altering, substituting or destroying records, or creating spurious records), or where the use of an IT system was a material factor in the perpetration of a fraud. Theft or fraudulent use of computer time and resources is included in this definition.

8. Accountable Officers are responsible for establishing and maintaining sound systems of internal control that support the achievement of the organisation's policies, aims and objectives. The systems of internal control are designed to respond to and manage the whole range of risks that an organisation faces. Managing the risk of fraud - both internal and external - should be seen in the context of the management of this wider range of risks. See the section of the SPFM on Risk Management.


Promoting an Anti-Fraud Culture

9. In addition to maintaining sound systems of internal control, organisations should also promote an anti-fraud culture. Organisations should therefore make a clear commitment to ethical business behaviour and develop a fraud policy statement in order to communicate their approach to fraud. A fraud response plan should also be drawn up to ensure that timely and effective action is taken in the event of a fraud. Such plans can also help minimise losses and increase the chances of a successful investigation. The fraud response plan should reflect the risk assessment undertaken; include guidance about when to contact the police; and should be reviewed annually.

10. Model wording for fraud policy statements and guidance on the coverage of fraud response plans within Government Departments can be found in the Treasury document Managing the Risk of Fraud - A Guide for Managers. The Scottish Executive's Fraud Policy Statement and Fraud Response Plan are reproduced, respectively, at Annex 1 and Annex 2.


Prevention and Detection

11. All staff are concerned with the prevention and detection of fraud but the prime responsibility for designing, operating and reviewing control systems rests with the managers involved. Overall responsibility for ensuring that such systems and procedures are in place rests with Accountable Officers but managers must take responsibility for setting up proper systems of control and for ensuring that there is strict compliance. Managers should consult finance and internal audit where new control procedures are being set up or significant changes to existing procedures are being proposed.

12. Appropriate preventive and detective controls should be put in place. Preventive controls are designed to limit the possibility of an undesirable outcome being realised, whilst detective controls are designed to spot errors, omissions and fraud after the events have taken place. There is a range of controls - e.g. physical checks, reconciliations, supervisory checks, segregation and rotation of duties, and clear roles and responsibilities - which address risks, including that of fraud. Managers should consider, in consultation with finance and internal audit as appropriate, which controls are the most appropriate in their particular circumstances.


Systems of Control

13. Systems with proper controls lessen the opportunity for fraud. Managers with responsibility for awarding contracts (including minor contracts), making payments, authorising grants and the like must ensure that they have well understood procedures for authorising contracts and other approvals. It is important that:

  • staff dealing with these procedures are familiar with them;
  • payment procedures include a check that the purchase, grant or whatever has been properly authorised;
  • there is adequate separation of duties; and
  • accounting and other records, such as cash balances, bank balances, physical stock counts, are reconciled with the actual position.

14. The degree of control within a system should be proportional to the risks involved, the consequences of failure and the resource costs of eliminating or reducing these factors. Procedures set up to prevent and detect fraud must be carefully followed and monitored. Important considerations therefore are the sections of the SPFM on Checking Financial Transactions and on Risk Management.

15. Many frauds are due to failure to comply with existing control systems. Both internal and external auditors have a role in carrying out independent reviews of systems and the adequacy of controls in place, though managers have the prime responsibility for ensuring their systems are sound and that they are operating as intended. In practice, therefore, the principal means of detection are good initial systems design, coupled with subsequent supervisory checking and monitoring, and alertness to the risks and pointers to fraud.

16. Guidance to managers on the risks which they face and on the procedures they should adopt to avoid fraud or financial irregularity is included in the Treasury document Managing the Risk of Fraud - A Guide for Managers. Key factors in the design of systems and controls will be the nature of the activity, the risks involved and any history of fraudulent activity, whether internal or external.


Separation of Duties

17. Allocating responsibility for too many functions to one person can constitute a high risk and should be avoided wherever possible. For example, a person who is responsible for ordering, receiving and authorising payments for goods or services is in a good position to misappropriate such items for personal gain, without a high risk of detection. The risk of fraud can be reduced by ensuring proper separation of duties in sensitive areas so that, for example, more than one person has of necessity to be involved in every transaction.

18. In any accounting system, the separation of key functions forms an integral part of systems control and is essential to minimise the potential scope for irregularity by staff acting on their own. The need for proper separation of duties applies as much to grant systems as it does to procurement procedures where, ideally, different members of staff should be responsible for requisitioning, ordering and receiving goods and authorising payment. In addition, supervisory checks by managers, both routine and surprise, form an essential part of internal control procedures, and good management practice entails keeping records of such checks, and the results, in all cases. Without adequate separation of duties, the effectiveness of other control measures is undermined. Where resources are limited and separation of duties is not possible, alternative management controls, e.g. supervisory checking, must be employed.


Danger Signs

19. Managers and staff must always be alert to the risk of fraud, other forms of theft, and corruption. Danger signs of internal fraud include evidence of excessive spending by staff engaged in cash/contract work, inappropriate relationships with suppliers, reluctance of staff to take leave, requests for unusual patterns of overtime, and apparent undue possessiveness of records. Junior staff should resist any pressure from line managers to circumvent internal controls or to over-ride control mechanisms. Such action could be indicative of fraudulent activity and should be reported - see below.


Reporting and Investigation

20. Organisations should put in place avenues for reporting suspicions of fraud. Staff should be encouraged to report such suspicions to their line managers, to the organisation's internal audit (or specialist fraud unit), or possibly to a hotline set up for the purpose. In developing their fraud reporting arrangements, organisations should take into account the Public Interest Disclosure Act 1998, which provides remedies for workers who are dismissed or subject to detriment for making qualifying disclosures. Reporting arrangements should be set out in detail in the organisation's fraud policy statement - the Scottish Executive Fraud Policy Statement is at Annex 1.

21. Organisations are responsible for undertaking thorough investigations where there is suspected fraud and for taking the appropriate legal and/or disciplinary action in all cases where that would be justified. Appropriate disciplinary action should also be taken where supervisory or management failures have occurred. Fraud investigation is a specialised area of expertise, and organisations should ensure that those tasked with any investigation have received appropriate training, including that relating to the gathering of evidence. Investigations should consider any control failures and make recommendations on systems and procedures to minimise the risk of a recurrence. Legal advice should be taken where necessary.

22. All discovered cases of actual or attempted fraud should be reported to the organisation's Audit Committee - see the section of the SPFM on Audit Committees. External auditors will be made aware of such cases via the reports to Audit Committees but consideration should be given on a case by case basis to notifying the external auditors immediately that the fraud comes to light.

23. Cases of fraud in bodies sponsored by or allied to the Scottish Executive should also be reported to the sponsor or parent Department.

Page Published/ Updated on: 30th August 2004

Page updated: Thursday, September 20, 2007