Public sector employee fraud

Currently, public sector fraud is a challenging and costly issue, with the Government Counter Fraud Function estimating fraud and error in public spending to be £33 to £59 billion.

Fraud is not confined to external criminality. There is nothing new in employees stealing from their own employers, either working alone or with others.

The main drivers of internal theft haven’t changed over time either, with greed and debt remaining dominant. Other motives include a desire to seek revenge on an employer, or coercion by a third-party.

According to The Centre for Financial Reporting Forum, public sector employee fraud: ‘can range from small-scale abuse of travel expenses to large-scale frauds involving high-value contracts and breaches of controls that could have serious and material consequences.’

Whatever the motivation or the scale, this criminal offence is a breach of trust and is not a faceless crime. In public sector circles at the very least it diverts valuable resources from frontline service delivery. It can also impact those working closely with the perpetrator who may have considered them a trusted friend and colleague. 

Austerity impacts

The challenges of imposed austerity 14 years ago increased the opportunity for fraud to be committed as certain areas of activity became subject to less frequent audits, with relaxing of controls. Take schools as an example, at RMP we have seen a small but discernible increase over time in the number of schools affected by theft. Also, while there may not be a direct correlation, we know in some councils the frequency of audits have moved from annual to triannual.

One of the largest claims (seven digits) we ever received involved a collusion in a primary school by senior staff members, which had been taking place over several years. The fraud was extended to include employee family members as part of a fraud ring. The fraud only came to light when the school’s bank brought a relatively low value transaction to the council’s attention over a purchase for something a school would not be expected to buy; in this case a fashion accessory.

Social engineering

A feature of more recent years has been the adaptation of ‘social engineering’ (SE), or more specifically the use of deception to manipulate an individual into sharing or divulging confidential information then used for fraudulent purposes.

Social engineering can take many forms but the main use in our experience is to dupe a council employee into thinking a contractor has changed banking details and the ‘new’ details should be used for all future payments. Often the fraudster may be in email dialogue with the council official over many weeks to gain trust before subtly changing one letter in an email to take the conversation into the fraudster’s domain. After several email exchanges the fraudsters can turn the conversation to a change in banking arrangements.

Such frauds are sophisticated: one RMP client incurred a loss of more than £1million. On this occasion thankfully most of the lost funds were recovered. However, the skills and techniques of fraudsters should never be underestimated.

All organisations can help prevent and detect internal fraud. Key risk management steps include:

1. All changes to supplier bank details should also be confirmed by telephone with the supplier by someone who knows the confirmer, using only the contact number previously provided by the supplier.
2. Bank statements should be independently reconciled by employees not authorised to deposit or withdraw funds, issue funds transfer instructions, or dispatch funds to customers.
3. All supporting documents should always be validated before authorising payments.
4. Changes to supplier bank details should be detailed in written advice to the supplier, with changes implemented only after the supplier has either verified or challenged the change.
5. The first payment to a new supplier bank account should be capped at a modest sum with confirmation of receipt from the supplier obtained before further payments are made to the account.
6. Senior management approval should always be sought before the change is processed. Such approval should only be given after review of the underlying request and the record of its verification.
7. An exception report should always automatically be generated showing all changes to the standing data of suppliers. This needs to be critically reviewed by an individual independent and unconnected to the process.

Insurance

Ultimately if a fraud occurs a claim can be made on an insurance policy. A sensibly drafted insurance policy can provide the necessary protection the policyholder needs, but it needs verifying with your insurer.

In the event of a claim it is most likely insurers will appoint a forensic accountant. Also, within reason and if possible, insurers will recover the claims payment from the guilty party assets. This is subject to not leaving the innocent family members of the guilty party homeless or destitute.