Below is the speech I made in the May 2013 States’ meeting setting out the findings of the Public Accounts Committee’s review into the financial controls of the States of Guernsey in relation to Fraud.
When it was announced in July 2012 that the States of Guernsey had been defrauded of £2.6 million of taxpayers’ money, there was understandable shock and anger throughout the community. That such a fraud did occur only highlights the fact that we must have the necessary frameworks in place, to defend against this type of threat.
Whilst the public clearly have an interest in the details of the specific incident of fraud, (which is currently the subject of a police investigation), it was as important to find out whether there was an underlying problem that led to the States of Guernsey being exposed to this unacceptable risk of fraudulent activity. Ernst and Young were commissioned by the Public Accounts Committee to undertake that piece of work.
Ernst & Young review covered the following areas;
The appropriateness of the anti-fraud governance framework pre-May 2012
The reasonableness of Internal Audit Reports which were issued in May 2012, before the fraud, and August 2012, after the incident took place
The appropriateness of the anti-fraud governance framework subsequent to those recommendations and actions
Their own recommendations
The key findings of their report are;
First, that prior to May 2012, the anti-fraud governance framework was inappropriate.
As Ernst & Young state, ‘while there were elements of an anti-fraud governance framework, they were unco-ordinated, inconsistent and not embedded culturally.’
Second, that the Internal Audit Reports issued in May and August 2012 were not unreasonable.
Third, that at 17 December 2012, the date they completed their fieldwork, the anti-fraud governance framework remained inappropriate. This was due to a number of factors, including;
Some planned actions were dependent on the identification of a corporate fraud lead. Indeed a permanent Corporate Fraud lead is still to be appointed.
Some planned actions were dependent on the new SAP system going live on 1 January 2013; and
Other competing priorities, such as the Financial Transformation Programme
Fourth, that the work then in progress should improve the anti-fraud governance framework; and
Finally, additional actions were required to meet their baseline expectations.
A number of reports, spanning more than a decade, into the States’ financial controls and risk management regime (of which an effective anti-fraud governance framework is a vital part) have highlighted numerous inadequacies . This, despite the fact that Guernsey has one of the most regulated and highly respected financial services industries in the world.
One of those reports was published by the previous Public Accounts Committee in May 2012, just before the specific incident took place. The findings of the Committee’s report were confirmed by the States Internal Audit Unit report the same month, which stated, and I quote;
‘The States of Guernsey is in the bottom 5-10% of UK organisations in terms of counter-fraud maturity.’
There has been a persistent failure to develop a States-wide approach to risk and it has not been appropriately prioritised.
However, the incident of fraud in July 2012 has been a catalyst for change. It should be acknowledged that a significant amount of work has been undertaken in the months following the incident and credit should be given to the States’ Head of Assurance who is leading the implementation of the improvements.
Political ownership has also been evidenced in the creation of a temporary Risk Steering Group comprising the Chief Minister and Ministers of Treasury & Resources and Public Services.
There are also significant workstreams in progress, including;
the appointment of a supplier to develop and implement a Risk Framework and Policy;
the drafting of a Corporate Risk Register by the Head of Assurance in conjunction with the Executive Leadership Team;
the drafting of a Fraud Rule, Directive and Response Plan, which has been circulated for consultation; and
the development of a comprehensive authorisation policy which is currently being reviewed for feasibility and appropriateness
However, a permanent corporate fraud lead, a key recommendation of both Ernst & Young and the Internal Audit Unit, has yet to be appointed and, whilst a lot of positive moves have been made, they do not fulfil all of the recommendations in the Ernst & Young report.
The Public Accounts Committee fully concurs with the conclusion of Ernst & Young that; ‘the climate is right to ensure that there is a robust and fully embedded anti-fraud governance framework across the States. Anti-fraud must be owned by staff at all levels, but the change must be driven by the right tone from the top.
Throughout this review, it has become evident to the Committee that the ownership and accountability of risk management within the States of Guernsey is not entirely transparent.
In future there needs to be clarity of where responsibility and accountability rests for successfully implementing both the States’ Fraud Risk Management Improvement Plan and the recommendations made by Ernst & Young – at both a political and operational level.
Political ownership has been evidenced in the creation of a temporary Risk Steering Group but this momentum needs to continue.
The Treasury & Resources Department and the Policy Council (working via the Executive Leadership team and Risk Steering Group) must ensure that future planned actions are completed in a timely manner and that those charged with taking forward the workstreams have the necessary authority, resources and support to do so.
Currently, the responsibility lies with the Treasury and Resources Department and the Committee would like to be satisfied that this is a logical place for this to sit, or whether it should become the responsibility of Policy Council.
The Head of Assurance has taken the lead in managing the Corporate Risk Management improvement activity, including acting as the temporary Corporate Fraud Lead, whilst also in the role of Head of Internal Audit, responsible for reviewing the adequacy of the risk management regime. The Committee needs to be assured that any potential conflicts between the roles of Head of Internal Audit and Head of Assurance are managed appropriately.
In conclusion, the report from Ernst & Young confirms that, prior to May 2012, the States of Guernsey had an inadequate risk management framework in place. However, improvements have been made and progress is ongoing, but it is clear that, at this time, further work is required.
The Committee believes the States of Guernsey has taken some important steps in improving the States’ anti-fraud governance framework, but it is crucial that the States does not falter, as it has done historically, and delivers a consistent, formal, comprehensive and truly corporate approach to risk management.
There is a vital role for the Committee to play in monitoring the progress being made in the development of an appropriate risk management framework. In addition, it is well aware that the recent implementation of SAP and the Shared Transaction Service Centre (STSC) has had a major effect on the financial control environment within the States of Guernsey. The Committee is concerned that such a significant change has occurred prior to the development of an appropriate risk management framework and accordingly it has approved the commencement of Stage 2 of its Review of Financial Controls, focussing on those controls now in place.
Finally, as Members will be aware, the Committee has previously been advised that it would be inappropriate to undertake a review of the specific incident of fraud due to concerns that this might compromise the ongoing criminal investigation. I wish to advise that discussions are currently in place with the law officers and police authorities involved with the investigation with a view to commencing Stage 3 of its review into the specific incident of fraud as soon as possible