Skip to main content

Language: English / Gàidhlig

Loading…
Chamber and committees

Public Audit Committee

Meeting date: Thursday, September 26, 2024


Contents


“National Fraud Initiative in Scotland 2024”

The Convener

Our main item of business this morning is consideration of the report “National Fraud Initiative in Scotland 2024”. I welcome our witnesses, who join us in the committee room. We have John Cornett, executive director of audit services, Audit Scotland; and Tim Bridle, audit manager, Audit Scotland. We have some questions to put to you about the report but, before we get to that, I invite you to make a short opening statement.

John Cornett (Audit Scotland)

Thank you very much, convener. The report in front of us is our summary report from the national fraud initiative. The exercise was started in 2022-23. It runs every two years, as we work through the cycle of completing the work and then completing the report.

The report is a high-level briefing document that sets out the outcomes from the exercise and provides a summary of the auditor assessments of the delivery arrangements both for the exercise itself and for individual bodies to respond to the data matches that come out of the exercise.

The exercise is undertaken statutorily under powers that are contained in the Criminal Justice and Licensing (Scotland) Act 2010 and the Public Finance and Accountability (Scotland) Act 2000. However, it is a UK-wide data-matching exercise, which takes place across all four nations in the UK, and it covers a range of areas, including council tax, housing benefits and public sector pensions, to name a few.

Members will see from the report that the outcomes have increased from the £14.9 million that was reported in 2022 to the £21.5 million that has been reported as part of this exercise. There have been increased outcomes on a cash basis across most of the areas that are covered by the report, but it is important to highlight that there are some areas where outcomes have declined, particularly, for example, in single-person discounts for council tax. There is an increase in the outcomes due to a change in the methodologies since the previous exercise was undertaken.

Local auditors follow up on NFI governance arrangements at the individual bodies that we audit and give a view as to the adequacy of those arrangements, and most auditors have concluded that the arrangements have remained sound during the period that was covered by the 2022-23 exercise. However, fewer bodies have been assessed as having fully satisfactory arrangements than in previous exercises, and auditors have concluded that some bodies could do more to follow up data matches more effectively and robustly.

We continue to work with the Cabinet Office, which leads on the exercise nationally, the Scottish Government and other participating bodies to ensure that fraud is detected, prevented and deterred through the NFI exercise.

That is all that I want to say by way of an opening statement. Tim and I are more than happy to take any questions and explore any of the issues in the report in more detail.

The Convener

Thank you for setting out that introductory statement and some of the main issues that are contained in the report. We are going to get into quite a bit more detail during the next hour or so. I begin by inviting James Dornan to put some questions to you.

James Dornan (Glasgow Cathcart) (SNP)

Good morning to the witnesses. The report states that 127 public bodies participated in the 2022-23 NFI exercise, compared with 132 public bodies in 2021. Do you know why there has been a slight reduction in the number of public bodies taking part?

John Cornett

The number of bodies that participate varies depending on the bodies that are mandated; not all bodies are mandated. Some bodies voluntarily participate, and we extend the exercise to include those voluntary bodies that participate. However, they can change their mind and can join and drop out as time progresses. Tim, do you know more of the detail on that?

Tim Bridle (Audit Scotland)

There are also different ways to count things. In the previous exercise, we had counted some pension funds as bodies. Technically, they are not bodies, so we have not done that this time. Two or three pension funds that were included previously have not been counted as separate bodies this time.

Why would you include them in one report and not in another?

Tim Bridle

I guess that it is about what constitutes a body. A pension fund is not a separate legal entity in its own right—it is not a corporate body as such but a fund that is administered by a body—so we have not counted them this time.

I am a bit confused by that. If you counted something on one occasion, why would you think that you did not need to involve the same sort of bodies the next time?

John Cornett

The data is still included, because it has been collected and matched through the exercise. We just have not identified that organisation as a separate individual body this time. It is not the case that the data has been excluded, so there is not a reduction in the value of the data that has been matched; it is just a difference in how we have counted the number of organisations that participate.

James Dornan

Okay. To what extent do you consider that all public bodies and private organisations that are in receipt of public money should participate in the NFI, in line with the recommendations that were made by our predecessor committee in parliamentary session 5?

John Cornett

That is a challenging question. Fundamentally, the issue is the extent to which the powers under statute encompass different organisations. You could construct an argument that the powers under statute apply to public sector bodies, and, therefore, we encourage as many public sector bodies as possible to participate. If you are looking to extend that to those bodies that are contracted by public sector bodies to provide services, the element that arises is that some of the data will be captured but the ability to apply the requirements of the act will be reduced as it works through. At that point, participation becomes voluntary rather than being mandated.

James Dornan

I can see the argument with regard to the difficulty in including somebody who has been contracted to do work with public moneys. However, for example, no universities have volunteered in the 2024-25 NFI. Why would that be the case? They are publicly funded.

John Cornett

We are working with colleges and universities to encourage further participation. It is a voluntary exercise for universities. One of the challenges is to understand and mitigate the potential conflict with general data protection regulation requirements, and some bodies have concerns about how GDPR applies. We have worked through that conversation, and we are liaising with the Cabinet Office to get clarity on GDPR in order to provide bodies with assurances about how the data may be used as part of the exercise.

Who decides that it is okay for universities to choose whether to volunteer to participate? As public bodies that are paid for by public funds, why should they not be part of this exercise?

John Cornett

Fundamentally, it comes down to individual bodies whether they want to participate, and we have no power to mandate participation.

You talked earlier about mandated and voluntary organisations, so I take it that there are some mandated organisations.

John Cornett

Yes, most public bodies participate because the requirements of the act apply to those—

I suppose that that is the question that I am asking: why are universities not part of the mandated group?

John Cornett

Universities do not fall within our public audit regime, so we do not audit them.

James Dornan

Okay. In that case, their participation is voluntary.

We note that, although you are working with several interested housing associations, it is unclear how many will participate. How many have volunteered to participate in the next exercise?

John Cornett

My answer will be similar to my previous one. The issue with the housing associations has been about the need for clarity on how GDPR applies and whether there is a conflict between our NFI requirements and how GDPR applies to the housing associations’ position. We are working with the Cabinet Office to get clarity on that and hope to be able to move the issue forward quite quickly.

Just for my knowledge as much as anything else, can you tell me how GDPR impacts on your seeing whether fraud has taken place?

John Cornett

The exercise that we go through is not a fraud exercise; it is a data-matching exercise, which might highlight an error or fraud. It is bodies’ data that we are using, not our own, so we have to pay due care and attention to how we use the data that we collect from them. Individual bodies have concerns over whether providing such data puts them in breach of GDPR, and we are looking to get clarity on how that might apply. As I have said, we are working with the Cabinet Office on that.

Tim, do you have more detail on that?

Tim Bridle

I think that that is a fair summary, to be honest. The fundamental difference is that, for a mandated body, this is a public task and it does not really have any choice about it. The gateways that are involved in United Kingdom GDPR compliance are different for a mandated body.

It is a much more complex equation for a voluntary participating body. In inviting voluntary participation by registered social landlords on a pilot basis, we have found that the gateway is not the same and that things are more complicated. We are finding that to be a key challenge—and, to some extent, a barrier—for them, because they are not mandated bodies and therefore fall outwith our audit regime. That is the crux of the issue, really—they are not mandated.

I have a final question based on that response. For how long have you been trying to get this GDPR issue sorted?

Tim Bridle

Probably for the past nine months. We have been working with RSLs; we have spoken to the Information Commissioner’s Office in Scotland; and we have been liaising with the Cabinet Office on the legal advice, so it has been some time. It is a thorny issue. Ultimately, it might well be that housing associations are accountable to the Information Commissioner’s Office with regard to UK GDPR. It will be their decision; after all, this is happening on a voluntary basis, and it is for them to either accept or reject our assurances in terms of UK GDPR.

So it is a case of the dots not really being joined up, then.

Tim Bridle

I am not sure that I would go that far. What I would say is that it is a complex regulatory framework. As I have said, the situation for a mandated body is distinctly different from that for a voluntary participant. Different principles are involved. One involves a public task, and one has to do with legitimate interests and proportionality. It is quite different, as I understand it, but I should say that I am not a solicitor.

John Cornett

I think that this is not necessarily a question of joining up the dots. It is more about making sure that we get it right, and instead of making assumptions and presumptions in the exercise, I would rather delay it a little and get it right than rush it through.

James Dornan

My question was not really aimed at whether you were doing something right or wrong. The issue is that, under current circumstances, some public bodies are mandated to do this task, while others that access public funds are not. There are gaps that mean that one public body has to give this information, while another publicly funded organisation does not have to.

John Cornett

That is right.

Thanks very much.

Graham Simpson has a quick question.

Graham Simpson (Central Scotland) (Con)

I have a couple of questions, convener, if you do not mind.

I just want to get it clear in my head how this operates in practice. You have all these bodies taking part and sharing information about people, but how does it work? Is there a constant sharing of information, with computer systems talking to each other, and then at some point somebody will flash up on a screen as having done something wrong, or are people poring over documents, trying to join dots and pick up fraud?

09:15  

John Cornett

Tim Bridle is much closer to the detail of that than I am, so I will hand over to him in a moment. Fundamentally, though, this is a one-off exercise that takes place every two years. The bodies that participate provide a download of their data from various systems, whether it be from the payroll system, council tax, accounts payable or whatever. That download then goes to an external supplier that has a huge programme to crunch the numbers through a system for us. However, the organisations that participate are required to—and do—inform their staff that the data is going to be used in that way, so that the staff who work there know what is happening with data that they have supplied to their employer.

Tim, do you want to say a little bit more about the detail of the process?

Tim Bridle

I think that that was a fair synopsis, to be honest. It is all done on a web-based app with banking-level security, so all the participating bodies will upload the data to that. This time round, the date in question is 30 September, so for the next exercise, it will be the data as of 30 September—or the data for the six months, say, or the two or three years before that—that is submitted. That gives consistency in the periods that are being compared. As John Cornett has said, the computers and the algorithms produce match reports that go back to those bodies and can then be accessed via the web-based app. It is then for the bodies to prioritise those matches and follow things up in line with local priorities and risks.

Does the exercise identify individuals who have committed fraud?

Tim Bridle

No. It matches anomalies, which could indicate error or fraud. It is then a question of following up and investigating the matter at a local level to find out whether it is error or fraud—or a false match, if you like.

Does anyone get prosecuted as a result of this exercise?

Tim Bridle

Yes, sometimes.

Do you know how many?

Tim Bridle

Typically, the numbers are not big. I think that, last time round, there were four or five referrals. I do not have numbers for referrals, because investigations are on-going, but I am told that a couple of payroll cases, for example, will be referred to the procurator fiscal.

Some cases might well be followed up down south, too. Where we have a match between a payroll for a body in Scotland and a payroll for a body in England, it is for the bodies to decide which of them will follow up and pursue the fraud action. We have one that has been followed up in England, for example.

Are the four or five referrals that you mentioned in Scotland or across the UK?

Tim Bridle

They were just in Scotland.

I have to say that that does not sound like very many, given the scale of the exercise.

Tim Bridle

Yes, you are right. The equation has become more complex with backlogs and things hanging over from Covid, but traditionally the number has never been particularly high, so I am not sure that the figure this time round is unusual in that respect.

I am happy to leave it there for now, convener.

John Cornett

Can I come back on that question?

Yes, please do.

John Cornett

There are two ways of looking at the exercise, the first of which might be as a way of identifying anomalies and fraud and pursuing data matches. We could also look at it as an assurance exercise focusing on the level of data matches—and potentially the level of errors and fraud that are not being picked up—and therefore giving assurance on what is not wrong as opposed to what is wrong. There are two ways of looking at the exercise from that perspective.

The Convener

Okay. Thanks for that clarification.

Can I just clarify a couple of things with you, too? I have seen the number of participating bodies in this year’s exercise as being either 110 or 127. Which is the correct number?

Tim Bridle

As with all statistics, it depends on what you count. The Scottish Government submits data on behalf of quite a number of central Government bodies on its payroll and creditor systems. If you count those separately, it is the higher figure. If we are talking about bodies submitting data in their own name, it is the lower figure.

The Convener

Okay.

In response to one of James Dornan’s questions, you talked about the reduction in the number of bodies involved from 132 to 110 as being partly a reflection of pension schemes not taking part or the classification of pension schemes being changed. The Strathclyde local government pension scheme, for example, is worth £28 billion—it is one of the top 10 schemes out of all the pension schemes across the UK. Incidentally, the university superannuation scheme comes top of that league, I think. Are you saying that the Strathclyde pension scheme was previously in the exercise and is no longer in the exercise?

John Cornett

No, that is not what we are saying at all. The data is still in the exercise, but the Strathclyde pension fund is administered by Glasgow City Council, so we might have just counted the city council and the pension fund as one body in terms of the data submission. The data has not been excluded; it is just about how we have counted the number of bodies.

So that large municipal pension scheme is included in the exercise that you are carrying out—that is fine. Thanks, that is helpful. I invite Colin Beattie to put some questions to you next.

Colin Beattie (Midlothian North and Musselburgh) (SNP)

Thanks, convener. The 2022 report on the NFI talked about a Cabinet Office consultation on extending legal powers in relation to the purposes for which data matching was used. You are already covered under section 97 of the Criminal Justice and Licensing (Scotland) Act 2010 for prevention and detection of crime other than fraud and to assist in the apprehension and prosecution of offenders. Is Audit Scotland satisfied that it has the necessary legislative powers to undertake the NFI exercise effectively?

This committee, over a number of years, has expressed concerns about the number of public bodies that are in receipt of large sums of money but which do not participate and have determined not to voluntarily participate. Can you give us a little bit more information about what you need? We have asked you directly in the past, every time a report has come up, about what you would need in the way of legislative powers to extend the NFI more effectively in Scotland. To be honest, the responses have been pretty ambivalent.

John Cornett

I will put my hands on the table and say that I am not a lawyer, but my view is that we have sufficient statutory powers to proceed with the exercise in a way that gives us the most economic and efficient outcome.

I recognise that not all public bodies are mandated to participate, but that does not prevent us from working with those that are not to encourage participation and to grow the database of bodies that submit information. As it stands, we are content to operate within the powers that we have. That enables us to move forward in a way that gives us access to the bodies that we would want to engage with and to explore how best to pursue that engagement and obtain the data.

In the past, Audit Scotland has expressed concern about having access to ALEOs. I understand that some ALEOs at least are now being caught up in the exercise. Where are we on that?

John Cornett

Tim Bridle knows more of the detail around that, but a growing number of ALEOs are participating in the exercise. We are starting to see that the parent organisation is not necessarily requiring but strongly encouraging those ALEOs to participate, on the grounds that all of the staff and all of the services are fundamentally linked to the parent organisation. There is a recognition of the amount of money that is being pushed through ALEOs, in terms of both income and expenditure, and there is a growing desire by the parent bodies for ALEOs to participate.

Tim Bridle

Roughly half of all councils include the data for their ALEOs. It tends to come down a little bit to administrative arrangements. When an ALEO’s payroll and creditor payment systems sit with the council, the council has tended to include that data. When we request a council’s payroll data, the council will include the payrolls for its ALEOs, for example. Therefore, we capture data on about half of the council ALEOs.

Those bodies are, effectively, voluntary participants. We do not appoint their auditors, so we cannot mandate the inclusion of ALEOs. Ultimately, whether they volunteer to participate comes down to administrative arrangements, convenience for the parent body and the relationship between the parent body and the ALEO.

The fact is that those ALEOs are in receipt of substantial sums of public funds, but you have no powers to mandate their participation. Is that not a shortfall in your legislative powers?

John Cornett

It comes back to Tim Bridle’s point that a lot of ALEOs share the same systems and processes as the parent body. Therefore, where that system works and where it is easy to submit the data, most parent bodies do submit it. What we have not done, but perhaps need to think about, is to quantify not just the number of ALEOs that participate, but the value of transactions that go through the ALEOs. It might well be that the number that participate represents the bulk of the transactions that pass through ALEOs, and those that do not participate are smaller bodies. However, we do not have that analysis, so perhaps we need to think about how we move forward with that.

With regard to expenditure that is useful to the NFI exercise, which significant areas are excluded or are poorly participating?

John Cornett

Tim, do you have a view on that?

Tim Bridle

Unfortunately, I do not have that level of recall. With regard to wider public sector bodies, we have been liaising with universities and RSLs, which are big employers, and payroll data expenditure is one of the key data sets. Going beyond that is perhaps more problematic. I do not have the analysis of wider public sector bodies that might be worth approaching and encouraging to participate at this stage. We started with the housing associations and universities as being the most likely to benefit and to add value to the exercise.

Colin Beattie

It is a bit disappointing that, although we have been raising the matter as a committee for quite a few years now, we have never had a solid response from Audit Scotland on whether it needs more powers to be able to enforce and mandate public bodies to participate in this important exercise. You say that you have enough powers, but you have not actually analysed the market out there to determine gaps that you would need to fill, which might need more powers. You said that only half of the ALEOs are taking part, so it seems that there are a lot of gaps. Either you are not using your present powers to the level that you should be, or you do not have the powers to do that and, therefore, you need your hand strengthened.

John Cornett

We do not have the power to mandate participation for those bodies for which we are not responsible for appointing the auditors. As Tim Bridle said, that excludes ALEOs, universities and registered social landlords. There is an opportunity to pursue participation on a voluntary basis, which we do, and there is a growing level of participation. Once we have clarified the position and the assurances around the GDPR requirements, we are confident of being able to engage with registered social landlords and the universities to bring those bodies within the remit of the NFI exercise.

We continue to work with local authorities around ALEOs, and there is a growing sense of the need to include ALEOs in the exercise. My preference at the moment would be to continue with our current approach, with a view to expediting that reasonably quickly in order to get fuller participation.

Fundamentally, from our perspective, it is not just about the number of bodies but how we can engage with them to get them to participate, and I am confident that the approach that we are taking will result in growth in participation levels.

09:30  

Colin Beattie

If there are no changes, can you say more about what is happening with the Cabinet Office with regard to delivering improved outcomes? Presumably, you have been working on that for a couple of years, so where are we on that?

John Cornett

The Cabinet Office has a methodology that it applies universally across the UK, but that is tweaked in Scotland because there are slightly different arrangements and structures in place, so it is not a one-size-fits-all approach. The Cabinet Office works with us and other public audit agencies very closely to refine and develop the methodology, with a view not only to increase the level of accuracy of the data that is collected and how it is analysed, but to extend the methodology to other areas, as appropriate. It is that exercise that we are negotiating with the Cabinet Office on in relation to the inclusion of registered social landlords and universities.

Colin Beattie

The proof of the pudding is in the eating. There is an increase in NFI savings and outcomes from £14.9 million to £21.5 million. That is not a lot when you look at the exercise overall, but it has increased. Supposedly, that is partly because of the recovery from Covid-19. You also referred to some changes in methodologies. Can you expand on the changes that have led to that increase?

John Cornett

I will hand over to Tim Bridle in a moment. Fundamentally, the change in the methodology is about assessing the notional values that are identified through the exercise. The exercise identifies data matches at a particular point in time. It also risk assesses those data matches to identify those that are more likely to be fraud and those that are more likely to be errors in the matches or errors in the way that the data is collected.

However, the methodology itself is trying to answer the question of “What if?” In other words, if the error or the fraud had not been detected, what value of fraud or value of error would accumulate if it were allowed to continue? Therefore, it tries to look into the future aspect of the “What if?” question of what would accumulate. It also tries to better identify the cost of the error and the cost of the fraud by being more sophisticated in its analysis. That is what has fundamentally driven the growth in most of the value of the identified outcomes. Tim, you deal with this closely, so I will ask for your understanding of it.

Tim Bridle

With regard to individual methodologies and the methodologies around the estimates generally, the Cabinet Office has governance arrangements in place, and a process is gone through. We have always followed the Cabinet Office methodologies for calculations and accepted its approach. In essence, there are forward savings periods, and there are other methodologies for quantifying notional outcomes, as we have called them in the report. We have tried to identify more clearly the different areas of saving and the types of outcome in exhibits 1 and 2 in the report.

Colin Beattie

Many of the participating bodies submit only payroll and creditors data sets for matching. Obviously, that limits the outcomes that can be achieved. Maybe you can indicate which public bodies are submitting only that sort of data. Does that mean that there is scope for some public bodies to submit more data sets? If so, what are they, and why are they not doing that?

John Cornett

For public bodies, the majority of expenditure goes through the payroll system or through the accounts payable system—the creditors payment system. Generally speaking, for public bodies, payroll accounts for anywhere between 75 per cent and 85 per cent of total expenditure. In essence, from our perspective, those are the two core systems. If we can get the data for those systems, we will cover most of the public sector expenditure that goes through those bodies.

Councils have slightly different systems that are, fundamentally, income based, so we could do data matches around council tax but also other income systems, depending on the organisation. However, fundamentally, the majority of expenditure is through payroll and creditor payments.

Given the size of the public sector spend, if the payroll is 85 per cent of the budget, 15 per cent is still an awful lot of money, which we are missing out on being included in the NFI.

John Cornett

Most of that will go through the accounts payable system. You can divide expenditure in most public bodies into pay and non-pay, and virtually everything that is non-pay will go through the accounts payable or the creditors system.

What other data sets could be included?

John Cornett

We look at some specific data sets, such as blue badge schemes and how those are used. We also look at whether pensions have continued to be paid after someone is deceased, and, as I said, we look at council tax—the revenue of council tax and single person discount. Those are the key data sets that we look at.

Tim Bridle

We explore opportunities for new data sets all the time. This time, we rolled out adult concessionary bus travel, for example, which we matched across Scotland for the first time. That is an example of where we are looking to grow the exercise through more diverse data sets. In the past, we have done pilot exercises with the NHS Counter Fraud Authority, looking at prescriptions data. We have done that as a one-off exercise, and we are exploring repeating that exercise. We have also done pilot exercises with benefits data sets from Social Security Scotland. We have an on-going relationship and are looking to do another pilot next year. Therefore, we look for new data sets, and we encourage bodies to come forward with ideas and suggestions and to try new things with data sets.

Colin Beattie

You spoke about risk assessing the different data sets. Some of these bodies are submitting only payroll and creditors data sets. You mentioned council tax among other data sets that could be provided. Surely that area would carry a high risk due to the potential for fraud. Should that not be mandated as a data set to be included?

Tim Bridle

I am sorry. I was saying that those data sets are included.

So, bodies are providing that data.

Tim Bridle

They are providing council tax data, yes.

Therefore, it is not just payroll and creditor data sets.

Tim Bridle

No, but it depends on the organisation. As you appreciate, not every public sector body is involved in council tax. That is specifically local authorities—

Councils.

Tim Bridle

Yes.

So, 100 per cent of those provide that data.

Tim Bridle

Yes.

John Cornett

It is probably also important to recognise that the NFI is not the only counter-fraud exercise. Tim Bridle alluded to the work that is undertaken by the NHS Counter Fraud Authority, which does a lot of work that is similar to the NFI, and other counter-fraud arrangements and other counter-fraud data matching exercises take place in different organisations, primarily at organisation level but sometimes across organisations, too. This exercise is probably more all-encompassing than others, but it is just one exercise and one tool in a suite of tools that different organisations use. Please do not see it as the only thing that happens—there are other exercises.

The Convener

Thanks. That is a useful clarification. We are going to get into some of the specific match areas, but first I have a couple of questions on the broader impact of the initiative. In exhibit 3 in the report, you talk about the wider benefits of the national fraud initiative. You list that it can

“Act as a deterrent to potential fraudsters ... provide assurance that systems are operating well”

and

“identify where system improvements are required”.

Can you tell us more about that? What evidence do you have to support your claims in the report?

John Cornett

I will run through those individually. On the initiative acting as a deterrent, there is no direct evidence trail behind that. There is an element about publicity, in that being open and transparent and telling people about the exercise will deter people. It might not necessarily deter people from committing fraud, but it can prompt people to think about the accuracy of the data that they have submitted or whether they need to update their data or information due to a change in circumstances. It prompts a thought process. That is fundamentally what we mean when we talk about the process being a deterrent: it is about encouraging people to think about the information that has been submitted.

The initiative provides assurance around systems and processes, because it identifies weaknesses that might exist at the local level. If an organisation gets a high number of data matches in a particular area, that prompts the organisation to look more closely and to pursue the issue and follow it through. That is followed up by the local auditor and is generally reported on by them through their normal processes.

The initiative also provides assurance where systems are working well. Put simply, the absence of data matches gives assurance that controls are operating effectively.

To what extent do you see the exercise as being one of catching fraud versus one of preventing fraud?

John Cornett

There is an interesting balance. The challenge is that it is difficult to say, from the data, what is fraud and what is error, because all that we have is a data match that could be either. My view is that the process is much more about the prevention agenda and that, fundamentally, prevention is better than cure. It is about preventing fraud from occurring and, as I said, it is about preventing people from making mistakes and about forcing people to think about data that they have submitted and whether it is up to date and accurate or needs to be changed. I think that the initiative works best on the prevention side.

Who decided to call it the national fraud initiative?

John Cornett

I am looking at Tim Bridle. That probably came about more than 20 years ago. The exercise was started by the Audit Commission in England, primarily as a data matching exercise, which it still is. I do not know who took that decision, but I think that the name was designed to increase and heighten awareness of the exercise and the issue.

The Convener

And to add an element of menace, no doubt.

I will move on to another part of the report, which struck me as being quite an important piece of analysis that you have presented to us. In exhibit 4, you track the performance of various bodies over the past five years in taking action, or having the ability to take action, where errors or fraud are identified.

What is especially striking is the decline in satisfactory performance, particularly in local government and the national health service. Five years ago, the satisfactory performance rate in local government—which I presume relates to how its systems are working—was at around 80 per cent, but it is now down to 60 per cent. In the NHS, broadly speaking, five years ago, it was at 95 per cent, but it is now at 80 per cent. There has been considerable slippage there, has there not? Will you explain a bit more about what lies behind that?

John Cornett

Fundamentally, two issues lie behind that. One is about capacity and the ability to respond to the exercise—in particular, to follow up data matches. The second issue, which is linked, is fundamentally about capability. The exercise requires a specific skill set to follow up and pursue data matches to their end point. Organisations that we work with are struggling to service that in a way that we would rate as satisfactory.

Please do not take that as an indication that organisations are doing nothing: all organisations are doing something. The way that we have set it out is that there are distinctions between the abilities and actions of different organisations, but nobody is doing nothing. Tim, can you add a bit more to that?

09:45  

Tim Bridle

Fundamentally, that is it. We are hearing that resources are a limiting factor. Coming out of Covid, we expected participation to improve, but that has not been the picture that we have seen from the main players. As you identified, convener, councils and the NHS are key significant players for the NFI, but we have seen a decline in the assessments from auditors.

The Convener

To what extent is that a resource issue? We are dealing with an environment in which the financial pressures on the health service and health boards are intensifying, and the financial pressures on local councils and across local government are getting greater. Is the reason for the decline that they are unable to find the resources to follow up some of the work?

John Cornett

Yes, that is fundamentally the case. It is about availability of resources to follow the work up and, at the same time, to pursue the other work that needs to be done as part of people’s normal day jobs. It becomes a question about that challenge and striking that balance.

The Convener

Is the exercise not self-financing? In other words, if I employ three people to follow the work up, on salaries of £50,000 or £60,000 each, will I not get that money back because the work that they do will bring in revenue that was paid out in error or because of fraudulent claims?

John Cornett

That will not happen in all cases, convener.

Do bodies undertake such a cost benefit assessment?

John Cornett

They do, but they do so to varying degrees. That relates to our earlier conversation about the need to invest in deterrence, because that does not happen by itself or by accident. There is a need to take positive action. There is an unknown element, in that, if I have deterred somebody from committing fraud, I will never know how much fraud I have prevented. It is a balance. The spending is an investment, but we never really know what the return on that investment is.

The Convener

Okay. I think that you described it earlier as something that we should view as a one-off exercise or a point-in-time exercise, but I presume that you have—I think that you mention this in the report—an on-going relationship with the bodies that you work with on the national fraud initiative. Can you tell us a little more about the dynamics of that, how it works and what you are doing to monitor the impact of the activity that you undertake in the exercise?

John Cornett

There are two elements to that, convener. You might be aware that, as part of our normal audit process, we not only undertake an audit of the financial statements, but work using a wider scope to look at the arrangements and processes that are in place in the individual body. Part of that work looks at governance arrangements, control arrangements and the arrangements for preventing and detecting fraud. There is an assessment of the body’s on-going work and its arrangements, controls and processes. We look at those as part of our normal work. Every two years, when the NFI work comes through, we then look at and assess how the organisation has followed up the data matches, how it has participated in the exercise, and the governance and control processes that it has put in place around the exercise. That is summarised in exhibit 4.

You will be aware that most, if not all, public bodies have an internal audit function. Part of its work will be to look at arrangements that exist in the organisation to detect and prevent fraud. Again, we review the work of internal audit on a regular basis as part of the audit that we undertake. In the NHS, we also have NHS counter fraud services. Although we do not review its work, we will come to a view on how health boards are working with it on the work that it undertakes. Work to tackle fraud therefore arises in our normal work on a regular basis.

The Convener

Thanks for that.

We now want to spend a bit of time on some of the specific areas that you drill down into in the report. To get us under way on that, I invite Graeme Simpson to put some questions to you.

Graham Simpson

Before I do so, convener, I would just like to follow up the convener’s line of questioning, which sparked a thought in me. I suppose that it goes back to what I was asking earlier. What is the point of, or—I should say—benefit to a public body of being part of this exercise? What do they get from it?

John Cornett

That brings us back to exhibit 3 in the report, which the convener highlighted. It is to do with the deterrents, the assurance that controls are in place and areas for improvement that are identified. To go back to our conversation about scarce resources and utilisation of resources, I think that the exercise provides an indication of where those resources could be deployed to have most effect and give the biggest outcome. It provides a range of multiple benefits to organisations.

Would you say that it is pointing organisations in the right direction with regard to how to identify individuals who might be committing fraud, or how to prevent fraud happening?

John Cornett

I think that it does both. It points organisations in the direction of individuals who would be named through the exercise. It also highlights the types of fraud that are being committed, which enables organisations to re-evaluate whether they have appropriate controls and processes in place to prevent such fraud. Finally, it enables organisations to highlight that they will actively pursue fraud or error, with a view to taking it through to its logical conclusion, whether that be an improvement in systems or, as you alluded to earlier, the eventual prosecution of individuals.

Has there ever been a cost benefit analysis of the national fraud initiative?

Tim Bridle

Yes. We are required to keep the costs and benefits under review. It is a tricky issue, because much of the time that is spent following up matches is not overtime, if you like—it is normally part of someone’s job. Someone in, say, the creditors payment team within the payroll section would be charged with reviewing and following up matches as appropriate, so costs are not always additional and time is not always coded to the exercise.

We have never really been able to get a total or marginal cost on a scientific basis, but I think that the scale of the savings that we identify is significant. Most of the bodies that have attended the practitioner events that we have organised have been asked, “Do you think the benefits still outweigh the costs?” and even bodies that have not identified savings have mentioned the assurance aspect and the deterrent effect. Resoundingly, their answer is “Yes—we think the benefits outweigh the costs.”

That is a little bit anecdotal, so please do not ask me what the total cost would be, but I guess that the point is that in most cases the costs are not additional. The work will be part of someone’s day job, which is why we have the challenge with resources. Some bodies have corporate fraud officers and there is also the NHS counter fraud service, which gets involved in investigations for the health service and some central Government bodies.

Do you not have a total cost for the exercise?

Tim Bridle

No, because bodies simply do not code time to the exercise. Time sheets are not done to the degree of granularity that would allow us to identify a total quantum of cost. As I have said, though, if they were not doing the NFI, they would be doing something else. It is therefore not overtime, generally speaking—participation is not an additional cost to a body.

I am a bit surprised by that, to be honest. I would have thought that with such an exercise, you would know how much it cost and what its value was.

Tim Bridle

We are dependent on participating bodies’ information systems for that, and they simply do not record the costs.

Is that something that should be considered going forward?

John Cornett

We can consider taking that forward.

Graham Simpson

Okay. The convener wants me to ask about specific areas, and I am quite happy to do that.

If we look at payroll, there has been an issue with including—or not including—immigration data. I noted that it had not been included in two years—2018-19 and 2020-21. You had some comments on that. What would be the value of including that sort of data?

Tim Bridle

Typically, the immigration data would identify when a person is working illegally. In 2016-17, most of the matches would have been immigration data matches, in all honesty. However, following Windrush, the Home Office decided to pull that data set and match and we have not matched it since. It will not be part of the 2024-25 exercise, either.

So, that is because of the Home Office.

Tim Bridle

Yes.

Will the Home Office just not share the information?

Tim Bridle

Yes. I do not know the ins and outs of the discussion, but I understand that that happened following Windrush.

Graham Simpson

Audit Scotland has commented previously that immigration data could, for example, help to identify students who are getting funding from the Student Awards Agency for Scotland when they are not entitled to it. That is quite important, is it not?

John Cornett

It is, but we are only able to work with the data that we are provided with and it requires participating bodies, particularly central Government bodies, to submit that sort of data.

Has anyone pushed the Home Office on this?

John Cornett

We certainly have not. I do not know whether—

You have not?

John Cornett

No. I do not know whether the Cabinet Office has.

Graham Simpson

Right. It seems to be really important to have that information. Just to accept the situation—just to accept what the Home Office is saying—is maybe not the right approach. Maybe somebody should be going back to the Home Office to say, “This information is almost vital to this exercise, so could you provide it?” Can you test it again?

Tim Bridle

I am sure that there would have been a long and extensive discussion around the issue. The legislation in England is a little bit different, as well. The central Government departments, as I understand it, participate on a voluntary basis because of historical reasons around the legislative framework, so I do not think that the Cabinet Office is able to mandate Home Office involvement or submission of data. I guess that that is a policy issue at a higher level.

At the least, it could ask.

Tim Bridle

We can find out whether the Cabinet Office has asked. The Home Office was always a very rich source of data matching. I am sure that it would not have been given up lightly.

Graham Simpson

Okay. I will ask you about something else—the council tax reduction scheme. Before I ask you a specific question about that, do councils generally share information? Do they talk to each other? In Scotland, we now have a large number of councils that charge double council tax on a second home. That relies on people being honest about having a second home. It seems to me that it would be easier to discover that from councils speaking to one another—actually, across the UK. Does that happen?

John Cornett

It does. I know that councils speak to each other and share data. I do not think that the framework is so all-encompassing as to enable that to happen routinely across all councils, but it happens to a certain extent.

It happens to a certain extent, but would second-home ownership be picked up in this exercise?

John Cornett

The data matches would pick that up—yes.

Graham Simpson

They would. Okay.

On the council tax reduction scheme—this is quite interesting—case numbers have reduced since 2020-21, but the savings have gone up. Do you know why that would be the case?

10:00  

Tim Bridle

No. It would come down to the incidence of individual cases, I guess, and how long those cases have been going on for. In essence, the numbers are driven by the council tax reduction that has been withdrawn, relative to those cases. It may well be that, during Covid, for example, there was not as much activity in that area and that cases could have been going on for longer.

Graham Simpson

I will ask about blue badges and concessionary travel, which I think are linked. The blue badge outcomes and case numbers have continued to rise. When we looked at that in 2022, it was suggested to us that that could have been a blip, due to the Covid-19 pandemic. Do you have any idea why the case numbers and the outcomes have continued to rise? We are talking about people who use blue badges when they should not.

Tim Bridle

The day-to-day administration of blue badges would ordinarily involve cancelling badges as information is picked up by the registrars via tell us once and other schemes. I do not think that you can extrapolate from the numbers of badges that are cancelled anything that relates to mortality rates, for example. The situation could just reflect the fact that some councils might be relying more heavily on the NFI to mop up and do their data cleansing, as it were. The day-to-day and week-to-week activity might have suffered during a period of great strain in the public sector—for example, during Covid. That is my take on it.

One or two more councils have recorded their outcomes on the web-based application for NFI. I do not think that we previously had 100 per cent compliance with regard to recording outcomes, and it is not 100 per cent this time around. We might be missing one or two councils that have simply not recorded the results of their activity on the system.

It has always gone on—there have always been people who use blue badges when they really ought not to. Do the figures suggest that it is rather too easy to get away with that?

John Cornett

It requires a degree of honesty on the part of the family of the deceased individual. There is an element that relates to local authorities using tell us once. Basically, you inform tell us once that someone is deceased and it relays that information to the relevant services to stop the various systems and prevent that sort of thing from happening. That is reliant on people using tell us once. To be candid, there is an extent to which the deceased person’s family’s first priority is not necessarily dealing with the blue badge, so we need to apply a degree of sensitivity. However, there is an option to encourage use of tell us once but also to remind people of their responsibilities with regard to the blue badge scheme. It is a sensitive area.

You have highlighted the growth in that area. It is also important to remember that the outcomes are notional. In simplistic terms, outcomes will increase if car parking charges increase, because the value associated with the use of the blue badge will also increase. A number of factors play into the area, but, fundamentally, the system relies on the honesty of individuals to make the declaration.

Graham Simpson

That brings me to adult concessionary bus travel, which has the same issue. You are right that, when somebody dies, people have a lot to deal with, and dealing with a blue badge or a bus pass is probably quite far down their list of priorities. However, the report says that 1,075 bus passes have been used after somebody died. That means that someone is using a dead person’s bus pass. That is not the same as just forgetting to tell somebody.

John Cornett

Yes, I agree.

I presume that that figure has been picked up in this exercise.

John Cornett

Yes.

Are there things that Transport Scotland could be doing to crack down on that, so that we do not have that level of fraud? It is fraud.

John Cornett

That goes back to the conversation that we had about the value of the exercise. Such things highlight where organisations—whether that is Transport Scotland or a local authority—need to take further action to prevent misuse of concessionary travel passes.

Again, it is incredibly difficult, in that the process relies on the honesty of individuals. To a certain extent, it involves relying on a bus driver to identify that the photograph on the pass does not necessarily match the individual who swiped it. A number of factors play into the situation.

The key point is that you are probably never going to eradicate that fraud. The best that you can do is to ensure that the controls and processes that are in place—and the use of the data that you have access to—are the best possible. In that way, if someone continues to use the concessionary travel pass, it can be stopped immediately or as soon as possible. Again, that relies on the ability to use different systems of accessing the data and the honesty of the individuals concerned. The short answer is, yes, there is always an opportunity to improve controls.

James Dornan wants to come in on the blue badge issue.

James Dornan

May I clarify that the blue badge issue is not really about fraud—because you have not proven any fraud—but more about the fact that passes have not been cancelled after someone’s death? There is no evidence to suggest that the badges continue to be used.

John Cornett

Yes, that is absolutely the issue. There have been some cases in which authorities have proven that the badges have continued to be used, but that would not necessarily be captured through the data-matching exercise. That is more about the cancellation of blue badges. Tim, have I got that right?

Tim Bridle

Yes, in essence, that is the methodology. At some stage, the multiplier that the Cabinet Office uses to put against the cancellation would have included an incidence-of-fraud-type element, so it is a proxy, ultimately. That would have been based on all sorts of things, such as levels of income, as John Cornett mentioned. Some evidence around incidence of fraud would also have been factored in.

I now ask the deputy convener to ask some questions.

Jamie Greene (West Scotland) (Con)

Thank you, convener, and good morning, gentlemen. I want to follow up a couple of areas in your report that are of interest to me, but I have an overarching question first, because I want to get my head around the process. Audit Scotland undertakes the work of the NFI in Scotland. Is that on behalf of the Public Sector Fraud Authority or are you contracted by the authority? What is your relationship to the body that oversees the UK-wide NFI?

Tim Bridle

The exercise is undertaken using Audit Scotland’s statutory powers, so, ultimately, it would not happen if it were not for Audit Scotland. However, the infrastructure and an element of the support arrangements are provided by the NFI team, which is the Cabinet Office/Public Sector Fraud Authority. I guess that we are a partner in the UK-wide exercise, but we are a key player and it would not happen without Audit Scotland’s statutory powers.

Does Audit Scotland charge fees for that work?

Tim Bridle

No, we actually get charged fees. The Cabinet Office is the main contractor with our data-matching provider, and we are charged for each of the bodies that participate in Scotland. That comes out of the Audit Scotland budget. I think that, historically, we were voted an allocation to cover the cost of the exercise. It is a little bit different from what happens down south, where the individual bodies that participate and benefit pay the fee direct. It is just a little bit more straightforward to meet the cost centrally.

I am trying to get my head around the flow. If you are, say, a Scottish local council, do you pay a fee to participate in the exercise?

Tim Bridle

No.

Jamie Greene

I will come on to an example in a second, particularly with regard to housing benefit, but what about any benefits that are recouped? Perhaps I should call them “savings”, given that that is what you are calling them—although I have to say that what you identify as savings seem to be what I would identify as the value of fraud. Nevertheless, we will call them savings for now. The potential upside of councils participating in the initiative is the identification of these so-called savings, but there is no cost or charge to them. Is that correct?

John Cornett

There is no cost in terms of a fee. There is a cost in terms of the resource and the time that it takes to follow up and investigate something, but no price is charged for participation.

Do any local authorities in Scotland not participate in the NFI?

John Cornett

No.

They all do.

John Cornett

They all do.

Jamie Greene

I presume, then, that the media article that I came across in my research ahead of today’s meeting was erroneous in claiming that Perth and Kinross Council is

“one of ... two UK local authorities which does not share ... electoral roll”

data

“with the National Fraud Initiative”.

Is that true, or is the article incorrect?

Tim Bridle

No, that is correct. It participates in the exercise, but it has a separate arrangement for council tax single-person discounts. It does not use the NFI in that respect. I think that that is true for the two councils that you mentioned.

Okay. Would there be any reason why it would not? I am not picking on it—it is just that it has been flagged as the only council in Scotland that does not participate.

Tim Bridle

In the case of those two councils, their legal teams, after interpreting the legislation, concluded that they did not think it appropriate or legal to submit electoral register data. It is a long-running conversation that we revisit every time. Essentially, the situation is peculiar to those two councils, and it is not in line with our interpretation of the legislation.

Okay. Perhaps that is something that we can follow up with the Convention of Scottish Local Authorities, for example, as the body that assists and represents a number of local authorities in Scotland.

Tim Bridle

There would be a separate arrangement with a separate provider. For example, Perth and Kinross uses a third-party provider to do the canvass and follow-up work, and it chooses not to use the NFI.

Jamie Greene

I was particularly struck by the second of the key messages on page 3 of your report. Perhaps I can draw your attention to the last sentence of that and ask you to explain or clarify a little bit what it means and why you have said it. In summary, you say:

“Overall, it is not clear whether underlying levels of fraud have increased since 2020/21.”

That flags up a point of concern for me, but I will give you an opportunity to clarify what you mean by that.

John Cornett

This is predominantly a data-matching exercise. Simply because there has been a data match, that does not mean that there has been fraud. For example, if you identify that one individual is on two different payrolls for two different organisations, that can be entirely legitimate, because somebody can have two jobs. However, you then have a data match that is flagged to the exercise.

Another element of this is that different organisations will take a different view as to whether a particular event or data match is fraud, depending on the evidence available to them and depending on the work that they have undertaken to investigate the matter. The same event might well happen in two different organisations, but one might have sufficient evidence to meet the threshold of fraud, while the other might not. That does not mean that it was not fraud; it is just that you do not have the evidence to prove it.

This might sound a bit odd, but you end up in a situation in which determining whether something is fraud can become subjective and judgmental. Consequently, we are reluctant to label any increase in data matches as simply an increase in fraud. It could just be an increase in error, an improvement in the quality of the data or an increase in the number of data sets that are submitted. It is difficult to prove causality between an increase in data matches and an increase in the level of fraud.

10:15  

Jamie Greene

In that same paragraph, you say that savings—to use that term—have increased from around £15 million to more than £21 million in a short space of time. By default, there is an increase in the value of the activity, but that does not necessarily mean that there is an increase in fraudulent activity. It is just about the value.

John Cornett

Yes. That is absolutely right.

Jamie Greene

It is not always fraudulent activity that you flag up. For example, I presume that bodies that participate in the NFI submit data sets and your analysis flag up issues such as duplicate payments. The report says that around £750,000-worth of duplicate creditor payments were identified. Do you know how much of that was erroneous, or what number of payments were identified as duplicate matches of data but were actually valid? For example, as you say, you could buy a £2,000 laptop from a creditor and the next day do exactly the same thing again. That would perhaps be flagged as an erroneous payment and potential fraud, but it could be a valid payment made by a body. What work do you do thereafter to match or marry up the value in that data identification with what happened next or the follow-up activity?

John Cornett

We do not pursue it to that level of detail. There is a distinction between roles and responsibilities, and between accountability for the individual body and for the auditor. Fundamentally, it is for the individual body to pursue such issues and to identify whether something was a mistake or error, or fraud. That would be reported through the individual body’s processes and systems, and it is never flagged back through the NFI process.

Jamie Greene

I guess that where I am heading with all this is that what strikes me about the whole conversation this morning is that perhaps that is where there is a failing in the process. Dealing with that might help you to deal with the issue that you mention in your key messages and to move from saying that it is not clear whether fraud has increased to a position where you can take a more definitive view. Having done the work that identifies the savings and fed all that back to the bodies involved, you could let them do their thing in identifying what is fraud, what is valid and what is erroneous and where there are systems issues or manual issues, and then they could feed that back to you. You could then insert another section in future reports that says, “Having identified the savings, this is what we think the outcomes were.”

I appreciate that that would be an extra piece of work for you and that it might even be outside your statutory requirements, but would that extra piece of analysis give people more confidence in the value of the work that you do? Do you see where I am going?

John Cornett

Yes—I understand exactly where you are going. We would have to take that away and look at it to understand how the process might work and how burdensome it might be on individual bodies to provide that data back. However, we can certainly take that away and look at it.

Jamie Greene

That would be good—thank you.

I have two quick questions. Housing benefits and pensions are quite big pieces of work as part of the initiative. I perhaps did not understand some of the terminology, as there is a lot of jargon in the report. Talk me through what it means when we are told that the average individual value of overpayments for housing benefit rose from just over £2,000 to £6,500 in a short period. Is that to do with the value of payments or with the level of potential fraud?

I appreciate that, since 2018, there has been a marked shift from a bespoke housing benefit payment, for example, to universal credit, which has perhaps mopped up some of the more individual benefits. However, I could not quite get my head around the situation with housing benefit fraud, such as whether you have identified a rise or decline.

Tim Bridle

I do not think that we are able to identify an average value largely because we do not have the data from the Department for Work and Pensions. Most of the council benefits investigation staff transferred to the DWP eight or nine years ago, and they are now responsible for following up fraud cases. When councils get their housing benefit match reports back from the exercise, they identify whether they think that there is fraud. They refer that to the DWP, which follows it up and investigates. We include the savings, but they are not identified down to a council-by-council basis. We just get a total savings figure, and we do not get a case count figure. That is why we have not included an average value for housing benefit cases that were identified as error or fraud.

If fraudulent housing benefit claims are picked up through the work that you do, do you tell the DWP or the local authority about that?

Tim Bridle

The council is responsible for following up the matches, so it will receive a number of reports for housing benefits that are matched to various things. They tend to be classed as fraud, claimant error or local authority error. If there seems to be a fundamental issue and cases are classed as fraud, the council refers those to the DWP, which investigates and follows up. The DWP identifies an overpayment amount, which is then attributed to the Scottish pot of outcomes, but not to the council pot of outcomes. Ultimately, it is a saving for the DWP, which funds housing benefits.

To be clear, is it your understanding that there is no clawback from local authorities or, indeed, any payments to local authorities from the DWP?

Tim Bridle

The only saving to individual councils is where there is a follow-up of a claimant error and they recover that money locally, because that accrues to the council. However, the amounts involved are not significant; they are a small proportion of the total HB outcomes that we identify in the report.

Jamie Greene

Do you add value to the work that in-house fraud teams do? I presume that the DWP has a massive fraud team, as does His Majesty’s Revenue and Customs and other big bodies across the UK that manage large sums of money for large numbers of people. I presume that they have many people who sit in an office and look at fraud. What value does your small team add to any of that?

Tim Bridle

A large part of my role is to support not only the auditors but the practitioners. It is a dual role.

Exhibit 5 in the report looks at the key determinants of effective delivery and shows a triangle of leadership, knowledge and resources. There is not much that we can do about resources. I can support key contacts from responsible bodies that are struggling a bit. If we have a new key contact, I can offer a higher level of support to bring them up to speed and improve local knowledge around what is an effective approach or a good use of time. In all honesty, I spend quite a bit of time doing that. We organise practitioner events as well. That is what we bring to the party—we supplement the support that the Cabinet Office provides. I like to say that we go a little further, because we organise focus groups, workshops and one-to-one support at a local level for key contacts and the practitioners who are following up certain match areas.

Jamie Greene

I have two slightly random questions. With the advancement of the ability to read and calculate data using artificial intelligence, have you seen much of a move towards AI over the past five years?

We have often talked about that side of audit and the potential benefits of using AI to speed up processes and improve the quality of analysis—of course, we have also talked about the potential for effectively putting nice, well-paid auditors out of work. Are there any potential advantages to the further use of AI in the work that you do with regard to identifying large amounts of data from nearly 120 public bodies, all of which submit data in different forms and formats, using different technologies?

John Cornett

I will give a typical auditor’s answer and say that it depends. There are a number of factors to consider. The system that we currently use is based on algorithms—it involves analysing data at high speed and making matches. The next step in relation to the use of AI is contingent on the basis that the system learns. If you are able to implement AI around that sort of data-matching exercise, theoretically the system should learn from the data matches that have been identified to re-target the analysis in a different way. We have not pursued that yet, and we are still investigating whether there is an added value from doing that, or whether the simple algorithm that is currently used provides the value that is needed. It is fair to say that the jury is still out, but the approach has not been discounted in terms of how the process might grow and evolve in the future.

To come back to some of the previous questions, the biggest issue involves the fact that AI would have the ability to fill data gaps with proxy data and therefore enable people to either think again about where they need to target their resources to investigate and follow up, or think again about the adequacy of controls and processes that are in place to target those areas that are most susceptible.

There is an area for development, but it is at an early stage at this point.

Do you think that the industry is a bit behind the curve in that respect? Other people are already making extensive use of AI in their business processes.

John Cornett

The challenge is that AI is moving on and developing at such a pace that, had we taken the decision to invest in AI in this area 12 months ago, for example, it would probably already be out of date. There is a question about when is the right time to invest, and, fundamentally, I do not think that we are there yet. The approach to AI has not fully developed in a way that allows us to invest in that technology now and future proof it for 12 months, 18 months or two years down the line.

Jamie Greene

I am sure that, when the Auditor General comes knocking on the Scottish Commission for Public Audit’s door for more money, that will be part of his pitch.

I have one final question. Are you doing anything in relation to Covid-related fraud? Obviously, there has been a lot of noise around the potential scale, volume and value of many different aspects of Covid spending, particularly around the work of HMRC in relation to loans, grants and so on, but there may be other bodies that you do work for that have been affected by Covid fraud, to use that phrase.

John Cornett

We have not done anything in that regard, and the NFI exercise does not include any specific element that is purely Covid-related. However, the issue is built into the existing data matches. For example, if organisations have paid out Covid-related grants, those will generally have gone through the accounts payable system—the creditor system—so the data would be included in that data set. Similarly, if there are issues around funding that was available to cover payroll costs during Covid, that would come through the data matches from payroll.

We have not identified Covid-related payments specifically, but they are inherent in the data sets that we have.

The Convener

It is useful that we have finished up on that point this morning, because I was going to ask a broader question that relates to it. A lot of the emphasis in the discussion that we have had this morning has been on individual citizens defrauding the state, but there are also instances of corporations potentially defrauding the state, whether in relation to personal protective equipment or something else.

When we previously took evidence on the national fraud initiative, in September 2022, we were told of instances where people had passed away in care homes but the council was not notified, so it continued to pay fees for those people. Is that still being monitored?

10:30  

John Cornett

It is picked up through the data-matching exercise, and we are also aware that a lot of authorities have put stringent controls in place whereby they are notified of deceased individuals by care homes. We know that arrangements and controls have been strengthened, and the issue is inherent in the data set that we use.

Tim Bridle

That is true. We used to take a specific data set on care home and personal care payments, although we have not taken that for the past couple of exercises because of a technicality—shall we say?—as an unintended consequence of legislation. We hope to be able to reinstate that data set for matching purposes, but we are waiting for a legislative reform order. That is the route that has been taken at Westminster, which will amend the offending legislation to make it okay for us.

It is a technical thing, but it meant that we were unable to return the information to councils. The councils were submitting the data set and we could match it, but the legislation said that we could return it only to an NHS body and not to the councils. That was an oversight and an unintended consequence of the legislation. We hope to resume doing that as soon as the reform order goes through.

The Convener

I have a final question. When we discussed the adult concessionary bus travel arrangements earlier, Graham Simpson said that more than 1,000 people have used the bus passes of people who are deceased. For the record, it is fair to say that that was out of 99,600 people. In other words, 99 per cent of the population are entirely honest. Let us get some perspective on that.

However, I wonder about the extent to which you monitor the bus operators, because there are interesting considerations around whether the journeys that are charged for are the journeys that people have actually taken or whether there is a mismatch. For example, when you get off the bus, you are supposed to swipe your card to say, “This is the stop that I’m getting off at.” If you do not do that, what is the default position? Is it that the bus operator charges for a longer journey? I wonder whether that falls within the remit of the national fraud initiative or whether it is looked at somewhere else.

John Cornett

I do not think that it is included in the NFI. Tim, do you want to comment on that?

Tim Bridle

As I understand it, that analysis is undertaken by Transport Scotland. The work that we are discussing could dovetail with that in some way, depending on patterns of usage of passes, for example, but it is not part of the NFI matching. We simply do a sort of mortality screening, if you like, which matches live bus passes with records of deceased persons, and we flag up that data set. The follow-up investigation is then done by Transport Scotland.

I was going to say that we will draw proceedings to a close on that jolly note, but James Dornan has a final question to put to you.

James Dornan

It is based on something that Jamie Greene talked about. Please correct me if I am wrong—I might have got it wrong, because I did not think that you did this—but I think you said that, on housing benefit and in one or two other cases, you match the data sets and, where you identify fraud, you tell the DWP about the discrepancies.

John Cornett

No. It is the same process. We identify the data match, but the DWP provides the classification of whether there is fraud, claimant error or local authority error. We provide the data, but it is the DWP that provides the classification.

Depending on the classification of the data that you send, an investigation by the DWP will then be triggered.

John Cornett

Yes.

Okay—thank you.

The Convener

Thank you very much indeed for providing us with evidence this morning. It has been a very useful session. We are legislators, and at some points we strayed into areas where legislation might need to be amended, so there are certain things that we will need to consider—as well as, perhaps, things that you will consider as a result of this morning’s session.

I thank you both for your time and contributions this morning. You have given us a few things to think about, and your evidence allows us to compare the exercise with the previous one, two years ago, and consider whether we want to suggest some areas that could be covered that are currently not, or some bodies that really ought to be part of the initiative but are currently not.

I now move the committee into private session.

10:35 Meeting continued in private until 11:25.