Fraud-proofing local policies A guide for Local Counter Fraud Specialists

Transcription

1 Version 1 April 2011 Fraud-proofing local policies A guide for Local Counter Fraud Specialists Tackling fraud and managing security NHS Protect 2011

2 Contents 1 Introduction What is fraud-proofing? Roles and responsibilities for fraud-proofing... 2 Role of the LCFS in fraud-proofing local policies... 2 Role of NHS Protect in policy-making... 3 Role of NHS Protect in information gathering and fraud prevention... 3 Role of NHS Protect in quality assurance A step-by-step guide to fraud-proofing... 4 STEP 1 Identify fraud risks... 4 STEP 2 Identify what fraud prevention measures already exist... 5 STEP 3 Identify and put in place further anti-fraud solutions... 6 STEP 4 Review and evaluate the effectiveness of fraud-proofing measures... 7 Appendix 1: Types of policies, procedures and guidelines that can be fraud-proofed... 9 Appendix 2: Case example optometry domiciliary visits Appendix 3: Fraud-proofing quick reference guide Appendix 4: Policy review template... 13

3 1 Introduction 1.1 This document provides information and guidance to assist Local Counter Fraud Specialists (LCFSs) in making recommendations for fraud-proofing of local policies at their NHS bodies. It has been designed to act as a guide to the measures that can be applied when fraud-proofing. LCFSs should adapt the recommended procedures to reflect their specific organisational needs. 1.2 An NHS body should not rely on the internal or external audit department to carry out the role of fraud-proofing; LCFSs are the local fraud experts and are the best qualified and equipped to take on this role. 1.3 This guidance is focused on anti-fraud activities; however, some of the measures described in this document may also be useful for reducing the risk of corruption and bribery. 2 What is fraud-proofing? 2.1 Fraud-proofing is the process of minimising the opportunity for fraud to occur, through the identification of potential risks or loopholes in policies, and the implementation of measures to increase their resistance to fraudulent activities. 2.2 Fraud-proofing involves recommending, advising, developing and influencing changes to the organisation s policies and procedures to create an environment where fraud is reduced to an absolute minimum, so as to ensure that funds are available for their ultimate purpose: patient care. A commitment to fraud-proofing avoids the potential for a policy or procedure to be misinterpreted or for fraudsters to use lack of clarity as a defence. It is also an opportunity to deter fraud as well as abuse that falls short of actual fraud. 2.3 Fraud-proofing can be carried out as part of a review of existing policies and documented procedures, such as the Standing Financial Instructions (SFI) and Standing Orders (SO), to ensure that they reflect NHS Protect requirements. 2.4 The benefits of appropriate fraud-proofing include: mitigating risk in identified high-risk areas ensuring a full record of accountability through a recognised process following a clear methodology and rationale identifying and recording clear outcomes. 2.5 There is no such thing as a completely fraud-proof policy, but these measures help maintain robust systems, so that if fraud is attempted, it is more likely to fail. Likewise, if fraud has been detected, adequate fraud-proofing ensures that any necessary changes to systems and procedures take place immediately to prevent similar incidents from happening in the future. 2.6 It should also be noted that although the processes and structure which affect an LCFS s work vary by organisation, the principles of fraud-proofing remain the same. 1

4 3 Roles and responsibilities for fraud-proofing 3.1 Role of the LCFS in fraud-proofing local policies In accordance with Secretary of State Directions to NHS Bodies on Counter Fraud Measures 2004, standard commissioning contracts (in the case of foundation trusts) and the NHS Counter Fraud and Corruption Manual, LCFSs have a responsibility to deter, prevent and detect instances of fraud within their local NHS organisations. Part of this work involves fraud-proofing local policies, procedures and claim forms used throughout the NHS body and implementing sound measures to prevent fraud from occurring Controls that LCFSs could consider as part of the review process include: physical and supervisory checks ensuring that all systems that have been implemented to design out fraud remain effective and practical financial reconciliations in order to identify any irregularities in transacted services segregation and rotation of duties apportioned according to an estimation of the sensitivity and likelihood of fraud occurring in that area and the potential impact clear statements of roles and responsibilities that include the correct fraud and corruption reporting lines Undertaking a proactive fraud-proofing exercise should be appropriate and justified. It is critical that the LCFS adopts a risk-based approach to fraud-proofing of policies and procedures. Through liaison with local stakeholders, LCFSs should become aware of any areas of weakness identified by internal auditors, by departmental risk registers, or through investigations. This will help identify which policies should be prioritised for further fraud-proofing. Information regarding national areas of risk may also be provided by NHS Protect based on national proactive exercises (NPEs), reviews of fraud cases, referrals by LCFSs on the FIRST system, and risk measurement exercises If possible, the LCFS should participate in the development of local policies and procedures during the NHS body s formal review and consultation, in order to ensure that proper consideration is given to fraud risks. It is often easier to influence a change at this stage, rather than after a policy has been ratified Policies such as the Counter Fraud and Corruption Policy and the Whistleblowing Policy may require a review to ensure that they are written in accordance with the guidance provided by NHS Protect and the Secretary of State Directions. This revision is likely to involve checking the contact details of the LCFS and stipulating that the LCFS and the director of finance are the primary contacts in relation to suspicions of fraud. Other policies that are not directly related to anti-fraud arrangements may be fraud-proofed in line with the considerations identified in section When fraud risks or system weaknesses are identified which might have broader (regional or national) implications, LCFSs should refer these matters to NHS Protect for the potential development of policies or preventative remedies on a national scale Recommendations made by LCFSs for additional controls may in some cases slow down administrative processes and result in extra cost for health bodies. LCFSs should be prepared to justify the need for these controls by demonstrating that the 2

5 area is at a risk of fraud (information from NHS Protect such as details of highvalue national fraud investigations may assist in this) More detailed guidelines on the fraud-proofing process follow in section 4, and a list of local policies which may be fraud-proofed can be found at appendix Role of NHS Protect in policy-making NHS Protect develops, monitors and evaluates policy aimed at tackling fraud in the NHS. It works with national policymakers at the Department of Health (DH) and other stakeholders to: recommend fraud-proofing measures in existing and emerging health policy; address system weaknesses and loopholes highlighted by investigations to deter would-be-fraudsters; and issue guidance to LCFSs in NHS organisations across England and Wales for the prevention of fraud at a local level NHS Protect offers a broad service to DH and other stakeholders by advising policymakers on potential risks of fraud in the delivery of their policy, with recommendations made to minimise these risks. 3.3 Role of NHS Protect in information gathering and fraud prevention NHS Protect identifies areas of high fraud risk from NHS-wide risk measurement exercises, reviews of fraud cases, the referrals it receives from LCFSs on the FIRST system and other intelligence. It also conducts proactive work which engages LCFSs in examining local policies and compliance in these high-risk areas NHS Protect uses the information gathered from these activities to develop anti-fraud measures specifically for NHS organisations. These Fraud Prevention Instructions (available on the secure intranet) are aimed at facilitating and encouraging the use of fraud prevention systems and disseminating examples of good practice. The instructions are issued nationally to all directors of finance to be incorporated into the design of mainstream organisational processes. 3.4 Role of NHS Protect in quality assurance As part of annual qualitative assessments, NHS Protect assesses the anti-fraud work undertaken by NHS bodies on the basis of their annual declarations, which should include evidence of fraud-proofing. These assessments also take account of the number of system weaknesses reported on FIRST and compliance with Fraud Prevention Instructions NHS Protect s Key Framework of Duties document for LCFS (which outlines responsibilities in relation to NHS policy guidance) and The Chartered Institute of Public Finance and Accountancy (CIPFA) s strategy document Managing the Risk of Fraud provide significant guidance for LCFSs on establishing and strengthening internal controls when carrying out prevention and detection work. These documents can both be found in the Quality section of the NHS Protect secure intranet ( 3

6 4 A step-by-step guide to fraud-proofing 4.1 The steps described in this section should be taken by the LCFS when fraud-proofing local policies, procedures or claim forms. 4.2 A case study providing an example of the fraud-proofing process in practice can be found at appendix 2, and a quick reference guide is provided at appendix 3. A sample template which can be used to record the scope, findings, recommendations and actions taken during a fraud-proofing policy review is included at appendix STEP 1 Identify fraud risks As stated above, local fraud risks can be identified through liaison with internal stakeholders such as the health body s audit and risk committees. In accordance with the principles of CIPFA s Managing the Risk of Fraud document, the existence of local stakeholder arrangements is beneficial to facilitate fraud-proofing. For example, by engaging with Internal Audit on common areas of interest, system weaknesses can be identified. Similarly, liaison with the NHS body s risk manager may help to focus on areas identified in departmental risk registers Additionally, LCFSs should take into account information regarding national areas of risk which has been provided by NHS Protect based on proactive work, loss measurement and referrals of system weaknesses from other health bodies LCFSs should also scrutinise the relevant policy documents and procedures and ensure that they understand the system being examined. This can be achieved by speaking to staff about whether the policy is adhered to (and if not, why not), or by undertaking a walk through of the system Next, LCFSs should consider whether any of the following offences could occur as a result of system weaknesses or loopholes in those policies: abuse of position anti-competitive behaviour bankruptcy-related fraud bribery or corruption computer misuse conspiracy to defraud failure to disclose information false identity false representation making or supplying articles for use in fraud obtaining services dishonestly participation in fraudulent business (sole trader) possession of articles for use in fraud In particular, LCFSs should consider whether any of the following have been used or could be used against the health body, and whether revisions or amendments could be made to the policy to prevent use in the future: i. Fraudulent instruments: forged or counterfeited documents such as driving licences, invoices, receipts, claim forms, timesheets, expense forms, certificates or qualifications, training courses undertaken, birth, death and marriage 4

7 certificates, and forms of ID such as passports, National Insurance cards, NHS cards, etc. ii. iii. iv. Fraudulent statements: forged, counterfeited or false documents (as listed above, and including electronic documents) which are linked to a statement being made by an individual claiming false entitlement or representation. Fraudulent disbursements: forged payee name or endorsement of payments, reissuing of old outstanding cheques, fraudulent wire or account transfers, petty cash disbursements, false vendor payments, forged payroll cheques, payroll disbursements, expense report fraud, credit card processing, credits issued to accounts or paid in cash. Asset misappropriation: the misuse of assets belonging to the trust or health body, such as hospital theatre operating equipment, laptops, furniture, linen, LCDs, documents and drugs. In relation to asset misappropriation, the LCFS s role is to develop and implement procedural controls which help to protect financial resources not physical security measures, which are the responsibility of Local Security Management Specialists (LSMSs). 4.4 STEP 2 Identify what fraud prevention measures already exist The next step is to consider whether suitable fraud prevention controls already exist or need to be incorporated within the policy. NHS Protect recommends that the following four areas be considered when fraud-proofing: Are clear rules and procedures in place? Producing and disseminating a set of clear rules or guidance to underpin the simplest or most complex policy reduces ambiguity and helps to minimise mistakes Wherever a claim for payment or exemption is made, systems should be designed to require original evidence to support the claim. For example, this could be receipts for expense claims or a counter-signature on a timesheet for agency staff. Providing evidence to back up a claim or exemption will help validate any payment and make monitoring more effective Systems should be as simple and clear to use as possible, and actions to defraud the NHS body made as difficult as possible, requiring a deliberate action rather than simply omission. Policies and procedures should clearly indicate what is and is not acceptable. Is there sufficient accountability? Ideally, staff should be asked to sign a declaration (e.g. on timesheets and expense claims) stating that they are aware of and understand the relevant rules and policies. A declaration should also confirm that the details someone has provided in an application or claim are correct, that they are aware of the consequences if they have provided false information, and that they permit the sharing of relevant details in the claim or application to enable effective verification and monitoring to take place. This also makes it more difficult for lack of knowledge to be used as a defence when someone is suspected of defrauding the health body A clear and comprehensive declaration will help to deter some who may be tempted to defraud, and it will assist with an investigation in ensuring that the person is accountable for their actions. It will also ensure any legal issues regarding the verification and monitoring arrangements are dealt with properly. This will also help to 5

8 deter abuse that falls short of actual fraud. Declarations must be present for both the claimant and the authoriser Appropriate roles and responsibilities should be clearly defined. In addition, consideration should be given to whether the responsibility for authorisation is at the correct level Of course, some systems and processes will not easily lend themselves to declarations on forms for each transaction, so consideration needs to be given to contractual terms for individuals or companies and to retaining a proper audit trail of instructions and acknowledgements of those instructions. What monitoring arrangements exist? Any system involving payment of money, claims or granting of exemptions from charges is at risk from fraud or error, so effective monitoring needs to take place in order to detect any fraud that has occurred. An organisation s policies and procedures should be tested periodically for effectiveness and compliance. For example, these checks could validate a claim or payment against original documents and evidence to support the transaction. A robust monitoring system will ensure an appropriate percentage of checks are undertaken, which may be from a random sample or targeted at the highest risks The monitoring system should have a process to refer any suspicions of fraud to the LCFS, director of finance or NHS Protect via the NHS Fraud and Corruption Reporting Line or the internet ( Any anomalies found through monitoring should be used to inform revisions of the policy or procedure. Are sanctions in place? Even with clear rules, accountability and monitoring in place, instances of fraud can still occur. Where fraud is not prevented or deterred and the monitoring identifies a potential fraud, appropriate sanctions will need to be considered if an investigation results in fraud being found. These may include disciplinary proceedings conducted by the health body, or criminal or civil proceedings to recover any losses following an investigation by an Accredited Counter Fraud Specialist When developing a policy, consideration may also be given to including a sanction specifically for fraud affecting that system or procedure, e.g., removing the offender from a particular scheme at the trust Sanctions have the added effect of acting as a deterrent to would-be fraudsters because they represent real consequences should the fraud be proven. In order to publicise the system of sanctions available to the NHS body, the policy itself might be cross-referenced to the disciplinary policy or explicitly state the sanctions which would be considered in case of contravention. 4.5 STEP 3 Identify and put in place further anti-fraud solutions If any of the controls described above are missing or need to be more robust, LCFSs should consider whether any of the following controls or anti-fraud processes can be put in place and are practical 1 : 1 This list is not exhaustive; it has been compiled following feedback from LCFSs. 6

9 Safeguarding assets Separation of duties Reconciliation of records Pre- and post-payment verification Monitoring by managers Spot-checking of output Scheme of delegation cheques Allocated roles Reporting Internal liaison Written procedures Data sharing Authorising IT access controls Budgetary controls Stocktaking Audit trails Examination of documentation Examination of cancelled Independent verification Job and vendor rotation Supervision Record-keeping Information security LCFSs should take into account any additional guidance on identifying anti-fraud controls in specific areas which may be issued by NHS Protect Once the appropriate controls have been identified, the LCFS should recommend amendments to the existing policy to include them. Consideration should also be given to removing controls that are not necessary or beneficial. If a decision is made to adopt the recommendations, the revised policy should be finalised and ratified by the appropriate committee If a revised policy is to operate effectively, the new arrangements must be embedded in the NHS body s structure and activity. The process of embedding new preventative measures, which is referenced in the document Embedding Local Counter Fraud Arrangements Organisational Footprint (available to LCFSs on the secure intranet), can occur via induction courses, staff training and publicity of the revised policies. Furthermore, the LCFS should enlist the support of directors, managers and staff to ensure that these controls are put into practice If the LCFS s recommendations are not implemented by the NHS body, this should be reported to NHS Protect so that national action can be considered, if appropriate. 4.6 STEP 4 Review and evaluate the effectiveness of fraud-proofing measures Anti-fraud controls that are successfully implemented in a trust or health body s policies are not necessarily fail-safe. The final step in the process is to review the effectiveness of fraud-proofing efforts by considering the following points: Do the new controls meet the anti-fraud needs of the NHS body with respect to a specific policy or policies, i.e. reducing fraud to a minimum? Do they inhibit the smooth operation of the trust s procedures? Are they workable? Are there sufficient levels of awareness and compliance by managers and staff? 7

10 Do managers and staff understand and agree with the purpose of the anti-fraud controls? As part of their proactive workplans, LCFSs should conduct periodic reviews aimed at assessing the usefulness of existing and newly implemented anti-fraud measures. These might include proactive detection exercises in areas which have recently undergone fraud-proofing exercises to check whether there has been a marked decrease in detected fraud since the anti-fraud measures were introduced. Any identified problem areas should inform the fraud-proofing process on a continual basis and determine whether additional risks call for further anti-fraud controls or policy revision LCFSs should also consider using staff surveys and other forms of feedback (for example, following presentations and Fraud Awareness Month activities) to evaluate the level of awareness of anti-fraud controls and how it can be enhanced By demonstrating clear outcomes from fraud-proofing, the organisation will identify the potential for further work across other areas of anti-fraud action. Evidence of outcomes i.e. the benefit or change that the activity has had in mitigating the risk should be accurately recorded and reported as part of the end-of-year qualitative assessment declaration. Organisations that can demonstrate these outcomes will achieve higher ratings in their assessments, and robust fraud-proofing will contribute greatly to the organisation s effective arrangements In addition, the outcomes or findings which are reported to NHS Protect may be applicable more broadly and therefore instructive to other NHS bodies with similar areas of risk. 8

11 Appendix 1: Types of policies, procedures and guidelines that can be fraud-proofed 2 Accounts Receivable Asset register/capital charge monitoring Authorised signatories Budgetary control procedures Cash/cheque receiving and handling Car parking charges Charitable funds Code of Conduct Confidentiality Controlled stationery CRB/Disclosures Declaration of interests Disciplinary Finance monthly closure Freedom of Information Holiday/special leave Hospitality Information governance Information security Interpreters Invoicing Lease car scheme Lone workers Losses and compensation Mobile computing and remote access Patients property Patient-identifiable information Patients travelling expenses Payments to primary care contractors Petty cash Pre-/post-employment checks Private practice/fee paying-work Procurement Recruitment Relocation expenses Secondary employment Sickness absence Sponsorship Staff travel and expenses Standards of Business Conduct SFIs/Standing Orders Suspension Temporary workers Tenders Timesheets Training Value Added Tax Whistleblowing 2 This list is not exhaustive; it has been compiled following feedback from LCFSs. 9

12 Appendix 2: Case example 3 optometry domiciliary visits The LCFS for an NHS PCT conducted a review of procedures guiding payments for optometry domiciliary visits, which are managed by the Exeter computer system. Existing procedure Fraud risks and anti-fraud controls After an optometrist has been approved by the PCT, he or she is given a unique contractor code which is used to keep track of claims. The optometrist must notify the trust s Contractor Services three weeks in advance if a domiciliary visit is to include more than three patients, and 48 hours in advance if it will include fewer than three. (These regulations are stipulated by the Department of Health.) For each patient tested, the optometrist submits a GOS6 form, which acts as a claim for payment. Information including the date of the visit, date of notification and patient s details is entered on the Exeter system. The optometrist receives a higher payment for the first patient seen on a domiciliary visit, a reduced amount for the second patient, and a flat fee for any additional patients. However, a first-patient fee can be claimed for each time that equipment has to be moved more than 20 metres in order to carry out the examination. The following were identified as fraud risks due to system weaknesses. At the time of the review, only the first four had already been addressed by one or more anti-fraud controls. STEP 2 STEP 1 Risk: That unauthorised optometrists (or other contractors) could try to claim payments Control: Each approved optometrist is given a contractor code without which no payments can be issued. This helps prevent any unauthorised contractors from claiming payments. Risk: That optometrists might create ghost patients Control: GOS6 claim forms are checked for the signature of the patient and date of the visit, which are matched to the notification information before a payment is authorised. Information entered on the Exeter system includes the date of the visit, date the notification was received, and patient details (such as address and date of birth), to be cross-referenced with GP records. Risk: That optometrists might submit duplicate claims for payment Control: If a duplicate claim is made, the system identifies this and a warning is issued. (However, a data input clerk can override this.) Risk: That optometrists might perform unnecessary tests in order to obtain additional payment Control: If an optometrist makes an additional claim for the same patient in less than six months, Contractor Services requests an explanation of why a further test was required. Risk: The duplicate payments can be authorised by staff other than managers without checks No existing control 3 Information contributed by RSM Tenon, local counter fraud service provider to NHS North East Essex. 10

13 Risk: That optometrists might make false claims for higher fees due to equipment being moved No existing control Risk: That optometrists and home workers with authority to sign GOS6 forms on behalf of patients might collude in order to submit fraudulent claims No existing control Outcome of the review Additional recommended measures The LCFS found that, out of 48 GOS6 forms, 28 were not signed by the patient but by a representative of the residential home or someone claiming to be the patient s carer or guardian representative. In these cases, the declaration was incomplete, with only a name and job title included. Notifications for all visits had been submitted in the correct timeframe. Some claims had been amended since the original claim, but in all cases the optometrist appeared to have been paid correctly. However, because of the existing fraud risks that were not already addressed, the LCFS recommended the following additional measures: STEP 3 New control: The ability to override duplicate payment warnings should be available to managers only, so that checks can be undertaken to ensure that optometrists receive correct payments. New control: Where optometrists claim first-patient fees for a number of patients due to moving equipment, checks should be undertaken with residential homes to ensure moving of equipment occurred and was necessary. New control: Optometrists should be required in all instances to request the signature of the patient, rather than of a representative of the home, where possible. This would help verify that the patient actually underwent the eyesight test and prevent possible collusion between home workers and optometrists to obtain additional payments. In cases where a patient is unable to sign, the trust should insist on the full completion of the declaration. Implementation & subsequent reviews To ensure that these new anti-fraud measures were adopted by the PCT, the LCFS enlisted the support of managers and staff in particular, those with responsibility for the Exeter system and disbursement of payments explaining the benefits of the anti-fraud arrangements. STEP 4 In keeping with the annual plan for proactive anti-fraud work, the LCFS revisited the procedures guiding payments for optometry domiciliary visits the following year. Following the same steps described above, the LCFS evaluated the effectiveness of the recently implemented controls by comparing the outcome of this review with those of the previous one. Where there were still gaps allowing for the possibility of fraud, the LCFS was able to design additional controls. 11

14 Appendix 3: Fraud-proofing quick reference guide Before you start... Know what fraud-proofing is. Know what the role of the LCFS is in fraudproofing local policies. Step 1: Identify fraud risks Review curent policies for weaknesses or possible loopholes. Consider what instruments or statements could be used to commit fraud. Step 2: Consider what fraud prevention measures already exist Are there clear procedures in place? Is there clear accountability? What monitoring arrangements exist? Are sanctions in place? Step 3: Put in place additional fraud-proofing solutions Amend existing policy to include necessary controls. Ensure the controls are put in practice by engaging managers and staff. Step 4: Evaluate the effectiveness of fraud-proofing measures Periodic reviews of the new controls. Assess effectiveness. Evidence outcomes in mitigating risk. Identify further problem areas. 12

15 Appendix 4: Policy review template Name of organisation Name of the trust or NHS body Name of LCFS Name of the LCFS who conducted the review Review area Policy in place? Date/period of review Why is the review being conducted? The theme or area that the policy/procedure covers, e.g. Sickness and absence Yes / No Any legislation relevant to the policy/procedure Document number or reference Date of issue Review date INTRODUCTION Considerations for inclusion in this section are as follows: How did the review come about? E.g. as a result of being requested by a department, as the result of a local proactive exercise (LPE) or national proactive exercise (NPE), through conversations with staff, via work with Internal Audit, etc. Was it part of the year s workplan? Has a report been generated by the review? PURPOSE AND SCOPE Main risks, aims and remit of the review, including details of areas covered by the policy/procedure, and any information that it currently includes in relation to fraud, as well as the appendices that are attached to the policy/procedure and any specific notes that the LCFS feels are relevant for consideration, e.g. limitations on amendments that can be made. Actions taken Findings Recommendations/ amendments Information regarding actions taken in relation to the task, e.g. who was contacted, what meetings were attended. This section may include: details of which, if any, systems are in place to counteract the risks and how robust the systems are the level of awareness amongst staff of the systems in place any remaining areas of fraud risk. This section should include: any suggestions made regarding changes to the procedure or amendments to the text of the policy staff groups that will be affected outcome of the task. 13

16 Appendix 4: Policy review template REVIEW SUMMARY No. Part Para. ref. Reason for amendment Amended text Approved/ authorised 1. Suggested changes to the policy/procedure, and rationale The section(s) of text incorporating new controls Embedded arrangements Publicity: Steps taken to publicise the revised policy/procedure Presentations: How will staff be made aware of the identified risks in this area and the amendments made to the policy/procedure? Approved by: Designation: Approved by: Designation: Date policy finalised:.... Date policy ratified:... Post-implementation evaluation This section might, for example, include information about: staff awareness survey feedback on presentations queries as a result of publicity/sighting of policy. Signed... Local Counter Fraud Specialist Signed... Director of Finance Date. Date. 14