
CONTENTS
Background
National Counter Fraud Strategy
Fraud Risk Assessment
Development and Work Plans
Policy Framework Review
Appendix A: Fraud risk assessment
Appendix B: Counter Fraud Development Plan
Appendix C: Counter Fraud Work Plan

BACKGROUND
1 Fraud continues to be a significant and growing risk to the public sector. Fraud offences account for 41% of all crime reported in the UK[1]. The National Audit Office estimates that fraud and error cost the taxpayer between £55 and £81 billion in 2023/24 and that only a fraction was detected and recovered[2]. These losses directly reduce councils’ ability to fund essential public services and can cause reputational damage.
2 When fraud is committed against the public sector, money is diverted from vital public services into the hands of criminals. Local authorities must ensure that they have the right policies and procedures in place to prevent it from happening. It is important to promote a strong anti-fraud culture at all levels of the organisation as well as amongst the public.
3 Criminals are constantly improving their techniques and using new tools to defraud local authorities and other public sector bodies. To respond effectively, councils need to monitor the fraud landscape to ensure that their counter fraud measures offer protection from these evolving threats.
4 This report sets out the council’s approach to addressing fraud, reviews its counter fraud policy framework, updates the annual fraud risk assessment, details new and ongoing developmental activity, and sets out how counter fraud resources will be used in 2026/27.
NATIONAL COUNTER FRAUD STRATEGY
5 CIPFA sets out the responsibilities of Local Authority leaders to counter fraud and corruption within their organisations in its code of practice on managing the risk of fraud and corruption[3]. The code says that organisations should:
· acknowledge their responsibility for countering fraud and corruption
· identify the fraud and corruption risks
· develop an appropriate counter fraud and corruption strategy
· provide resources to implement the strategy
· take action in response to cases of fraud and corruption.
6 More recently Fighting Fraud and Corruption Locally (FFCL) published the most current counter fraud and corruption strategy for local government[4]. City of York Council follows the principles set out by CIPFA and FFCL to guide and develop its response to fraud.
7 The FFCL strategy recommends that councils consider the effectiveness of their counter fraud framework by considering performance against the five key themes set out below.
· Govern – Having robust arrangements and executive support to ensure anti-fraud, bribery and corruption measures are embedded throughout the organisation. Having a holistic approach to tackling fraud is part of good governance.
The council maintains a robust and regularly reviewed anti‑fraud policy framework, supported by ongoing communication and reminders to staff. Counter‑fraud activity is reported to both members and senior officers throughout the year. City of York Council has an employee code of conduct that sets clear expectations of honesty and integrity for all officers. The council maintains an up to date whistleblowing policy. Veritau provides whistleblowing support to employees and managers, logs all referrals, operates a whistleblowing hotline, publicises the policy, and delivers training. The counter fraud policy and counter fraud prosecution policy guide how fraud is investigated at the council and how cases are concluded when fraud is proven to have occurred.
· Acknowledge – Acknowledging and understanding fraud risks and committing support and resources to tackling fraud in order to maintain a robust anti-fraud response.
City of York Council is aware that it is regularly targeted by fraudsters across different service areas. An annual fraud risk assessment is produced and presented to members. The assessment draws on national fraud trends, intelligence from cases reported to and investigated by the counter fraud team, and the insights of senior officers who understand the risks within their service areas. Each year, targeted development activity is planned in response to the assessed risks, emerging issues, and ongoing evaluation of the council’s arrangements against recognised good practice guidance.
· Prevent – Preventing and detecting more fraud by making better use of information and technology, enhancing fraud controls and processes and developing a more effective anti-fraud culture.
Fraud prevention is embedded in the work of both the counter fraud and internal audit teams. When investigations highlight opportunities to strengthen controls, these findings are shared with senior officers, and follow‑up checks ensure that agreed improvements are implemented. Ongoing investment in specialist training helps counter fraud officers stay current with emerging technologies and techniques. In addition, collaboration with the Communications Team supports the development of a proactive anti‑fraud culture across the organisation and within the wider community the council serves.
· Pursue – Punishing fraudsters and recovering losses by prioritising the use of civil sanctions, developing capability and capacity to investigate fraudsters and developing a more collaborative and supportive local enforcement response.
The council takes strong action to hold offenders to account and to recover public funds lost to fraud. All allegations are investigated to criminal standards, and prosecution is considered where appropriate, alongside a range of alternative sanctions. The council has a constructive partnership with North Yorkshire Police and raises concerns with them where appropriate. The counter fraud team also works closely with the Department for Work and Pensions (DWP) on council tax support fraud, with joint investigations often providing a more efficient and effective response to cases involving both agencies. The council explores every available avenue for financial recovery, including the use of civil remedies. Counter fraud activity has resulted in £202k in savings in 2025/26 (up to the end of January), demonstrating the impact of this work.
· Protect – Protecting against serious and organised crime, protecting individuals from becoming victims of crime and protecting against the harm that fraud can do to the community.
Fraud affects communities across Yorkshire, and residents are just as likely to be targeted as the council itself. The council regularly issues alerts to warn residents about emerging scams and fraudulent activity. The counter fraud team shares intelligence on fraud trends with council colleagues, such as cases identified through national data matching that may indicate residents have been victims of identity theft. Collaboration with neighbouring councils helps identify cross‑boundary fraud and strengthens regional intelligence.
FRAUD RISK ASSESSMENT
8 Fraud risks are assessed annually to identify priorities for counter fraud work. The 2026/27 fraud risk assessment, included in appendix A, draws on national and regional intelligence affecting local authorities, as well as cases reported directly to the counter fraud team. Each area is assigned an inherent risk rating, reflecting the level of exposure to fraud if no controls existed, and the residual risk rating indicates the remaining risk when current controls are considered.
The results of the assessment are used to:
· develop or strengthen existing fraud prevention and detection measures
· update the counter fraud policy framework
· focus future audit and counter fraud work.
9 By their nature, fraud risks are hard to quantify. There are no established methodologies for determining estimated losses due to fraud in most areas. The terms high, medium, and low are therefore used in the risk assessment to provide a general indication of both the likelihood and impact of fraud in each area.
10 The risk assessment has been carried out by Veritau, based on our understanding of fraud risks in the sector and our knowledge of controls in place within the council to prevent, identify and deter fraud. It is used to inform priorities for counter fraud and internal audit work by Veritau. It is separate from the wider council risk management framework; however, the views of senior officers within affected service areas are sought.
11 The updated assessment includes additional work planned by the internal audit and counter fraud teams, eg introduction and revision of e-learning modules providing training on social care fraud and whistleblowing, support to the council to prevent fraud within the new Crisis and Resilience Fund and help protecting the council from fraud associated with the new Failure to Prevent Fraud offence.
12 The fraud risk assessment will be kept under review so that any significant new or emerging risks are addressed.
COUNTER FRAUD DEVELOPMENT AND WORK PLANS
13 The 2026/27 counter fraud development plan is included in appendix B. It sets out development activity for the council and the counter fraud team for the year. These priorities are informed by the fraud risk assessment and policy framework review, and seek to develop counter fraud work in each of the five themes set out in the FFCL national counter fraud strategy.
14 The counter fraud work plan is included in appendix C. The plan sets out the areas of counter fraud work to be undertaken in 2026/27. The time allocation for each area is not defined because it will depend on the levels of suspected fraud reported to the counter fraud team. Reactive investigations (determined by allegations of fraud received) will however account for the largest proportion of work. Priorities for work in the remaining areas will be determined in accordance with the counter fraud development plan and fraud risk assessment. A total of 983 days has been allocated to counter fraud work in the new financial year.
POLICY FRAMEWORK REVIEW
15 The council’s counter fraud policy framework is reviewed annually. The review considers counter fraud related policies (including the counter fraud and corruption, prosecution, anti-bribery, and whistleblowing policies).
16 The review identified that the council’s whistleblowing policy requires updating to reflect upcoming changes to whistleblowing legislation due to the Employment Rights Act 2025 as well as a recent employment tribunal decision. No other changes or updates to policies are required currently.
APPENDIX A: 2025/26 FRAUD RISK ASSESSMENT
Risk area #1: Social care fraud
Inherent risk: High
Residual risk: High

Risk description
Adult social care customers complete a financial assessment with the council to determine any financial contribution they must make towards their care. Losses can occur through deprivation or non-declaration of capital which can involve the transfer or disguise of property to avoid paying for residential or domestic care provision. Residential homes could also continue to claim for customers who are no longer in residence (eg after they pass away). In both adult and children’s social care, fraud can occur through the misuse of the Direct Payment scheme, for example where monies allocated to meet a customer’s assessed needs are not used to procure support services. Losses in social care fraud cases can be substantial, especially if they are not detected at an early stage.

Risk controls
Applications for care funding are carefully assessed to ensure that recipients meet the eligibility criteria and that any financial contribution for care by the customer is correctly calculated. A range of monitoring and verification controls are operated by the council. This includes requiring customers in receipt of Direct Payments to have a separate bank account for managing these funds and complying with monitoring procedures to verify spending. In instances of misused Direct Payments, customers are moved to a commissioned service. If concerns are raised about the wellbeing of customers, then the council has a multi-agency safeguarding process which can highlight fraud. The residual risk of adult and children’s social care fraud is still considered to be high. This is due to the level of spend in this area, the scale of losses, and the speed at which they can be accrued. It is also a reflection of the difficulty all councils have in detecting assets when people are determined to keep them hidden.

Priorities for internal audit / counter fraud
Veritau has established relationships with senior management and officers responsible for the provision of social care; concerns of fraud are regularly reported to the counter fraud team (CFT) for investigation. Internal audit (IA) periodically conducts audits into the Direct Payment process, financial assessments, commissioning, and contract management. The CFT regularly provides fraud awareness to council employees with responsibilities for assessment and payments. Veritau will make an e-learning module on Adult Social Care fraud available for council employees in 2026/27.

Creditor fraud
Inherent risk: High
Residual risk: High

Risk description
Over the course of several years, attempts to commit fraud against the creditor payment systems of public and private sector organisations have increased in terms of volume and sophistication. The mandatory publication of payment data makes councils particularly vulnerable to attack. Attacks are often the work of organised criminal groups who operate from abroad. Individual losses due to fraud can be extremely large (more than £1 million). The likelihood of recovery is low once a fraud has been successfully committed. The most common issue is mandate fraud (payment diversion fraud) where fraudsters impersonate legitimate suppliers and attempt to divert payments by requesting changes in bank details. Other types of fraud include whaling, where senior members of the council are targeted and impersonated to obtain fraudulent payments. There have been increased instances nationally and regionally of hackers gaining direct access to the email accounts of suppliers and using them to attempt to commit mandate fraud. These attempts can be very difficult to detect and prevent.

Risk controls
The council has strong controls in place to identify fraudulent attempts to divert payments from genuine suppliers and to validate any requests to change supplier details. Segregation of duties exists between the ordering, invoicing and payments processes. The residual risk of creditor fraud is still considered to be high due to potentially high levels of loss and the frequency of attacks. The council relies on its own employees, and those of its suppliers, to follow processes which prevent this type of fraud from occurring. However, good processes can be undermined by human error, which is a factor in many successful mandate fraud attacks.

Priorities for internal audit / counter fraud
Veritau provide support and advice to finance officers responsible for the payment of suppliers. IA regularly perform audits of ordering and creditor payment processes, eg segregation of duties and controls to prevent mandate fraud. An audit is planned for 2026/27 that will evaluate controls designed to prevent mandate fraud. Increased awareness provides a greater chance to stop fraudulent attempts before losses occur. All instances of attempted creditor related fraud are reported to the CFT who then report to relevant agencies, such as the National Cyber Security Centre. The CFT regularly shares intelligence alerts relating to attempted fraud occurring nationally with relevant council officers to help prevent losses. As part of any investigation of fraud in this area, the CFT will advise on improvements that can help strengthen controls. Training to officers involved in the management of payments to creditors regularly takes place.

Cybercrime
Inherent risk: High
Residual risk: High

Risk description
Cybercrime is a continually evolving area where criminals refine their techniques in order to overcome controls, obtain unauthorised access and information, and frustrate systems. In 2025, the government reported that approximately 612,000 UK businesses and 61,000 charities identified cyber breaches or attacks over a 12-month period. The potential for cybercrime is heightened by the availability of online tools and AI-driven attacks. As cybercrime can be perpetrated remotely, attacks can come from within the UK or overseas. Some cybercrime is motivated by profit; however, some is designed purely to disrupt services. Types of cybercrime experienced by local authorities include ransomware, phishing, whaling, hacking, and denial of service attacks. Attacks can lead to loss of funds or systems access/data which could impact service delivery. There have been several high-profile cyber-attacks on public and private sector organisations in recent years. Attacks stemming from the hacking of software or ICT service providers have become more prevalent. These are known as supply chain attacks and are used by hackers to target the end users of the software created by the organisations targeted.

Risk controls
The council employs highly skilled ICT employees whose expertise is used to help mitigate the threat of cybercrime. The ICT department has processes to review threat levels and controls (eg password requirements for employees) on a routine basis. It carries out weekly automated vulnerability scanning, as well as annual penetration testing performed by an accredited third-party organisation. The ICT department also uses filters to block communications from known fraudulent servers and will encourage employees to raise concerns about any communications they do receive that may be part of an attempt to circumvent cybersecurity controls. Despite strong controls being in place, cybercrime remains a high residual risk for the council. The potential for cybercrime is heightened by the availability of online tools. Council systems could be exposed by yet unknown weaknesses in software. Suppliers of software or IT services could also be compromised which might allow criminals access to council systems believed to be secure. The residual risk of cybercrime remains high due to the constantly evolving methods employed by fraudsters which requires regular review of controls.

Priorities for internal audit / counter fraud
Cybersecurity is an ongoing priority for IA work and is overseen and delivered by CISA (Certified Information Systems Auditor) accredited auditors. Planned audits in 2026/27 cover cloud based and 3rd party security, cybersecurity, user awareness, and database & application security. Raising awareness with employees can be crucial in helping to prevent successful cyberattacks. The CFT work with ICT to support activities that raise awareness amongst employees. A campaign to mark cybersecurity awareness month is undertaken annually.

Council tax and business rate frauds
Inherent risk: High
Residual risk: Medium

Risk description
Council tax discount fraud can be a common occurrence. CIFAS conducted a survey in 2022 in which 10% of UK adults said they knew someone who had recently committed single person discount fraud. In addition, 8% of people thought falsely claiming a single person discount was a reasonable thing to do. Individual cases of fraud in this area are of relatively low value but cumulatively can represent a large loss to the council. Business rates fraud involves people falsely claiming discounts that a business is not entitled to, eg small business rate relief. Reports of business rate fraud are less common than council tax fraud but can lead to higher losses in individual cases.

Risk controls
The council employs a number of methods to help ensure only valid applications are accepted. This includes requiring relevant information be provided on application forms and undertaking visits to properties where needed to verify information. The council routinely takes part in the National Fraud Initiative (NFI). The exercise allows councils to cross check for potential instances of fraud in multiple locations (eg multiple claims for single person discount by one individual). The council regularly undertakes additional data matching exercises designed to identify where multiple people are living in a property, but a single person discount is being claimed. The CFT provide a deterrent to fraud in this area through the investigation of potential offences which can, in serious cases, lead to prosecution.

Priorities for internal audit / counter fraud
Council tax and business rates are one of the council’s key financial systems and as such are routinely examined by IA – an audit is planned in 2026/27. The CFT operate a compliance scheme which ensures that low-value fraud in this area that would not normally warrant a criminal investigation is addressed through contact with the public.

Council tax support fraud
Inherent risk: High
Residual risk: Medium

Risk description
Council Tax Support (CTS) is a council funded reduction in liability for council tax. It is resourced through council funds. Fraud and error in this area is of relatively low value on a case-by-case basis but cumulatively fraud in this area could amount to a substantial loss. CTS fraud can involve applicants failing to correctly declare their assets, income, or household composition. Those receiving support are also required to notify relevant authorities when they have a change in circumstances that may affect their entitlement to support. Most CTS claims are linked to state benefits (eg Universal Credit) which are administered by the Department for Work and Pensions (DWP).

Risk controls
The council undertakes eligibility checks on those who apply for support. Officers manage the assessment of new and ongoing claims for CTS to identify potential issues. The DWP use data from HMRC on claimants’ incomes, which is then passed through to council systems; this mitigates the risk of claimants not updating the council with income details. There are established lines of communication with the DWP where claims for support are linked to externally funded benefits. The council routinely takes part in the National Fraud Initiative (NFI) which highlights potentially fraudulent claims. The CFT provide a deterrent to fraud in this area through the investigation of potential offences which can, in serious cases, lead to prosecution. The CFT jointly works with the DWP to investigate fraud when it affects both organisations. This can help achieve better results for the council where state benefits are involved. If fraud cannot be addressed by the council directly it will be reported to the DWP.

Priorities for internal audit / counter fraud
The CFT will continue to raise awareness of fraud with teams involved in processing claims for CTS as well as seeking opportunities to raise awareness with the public about the mechanisms for reporting fraud. IA have a planned audit in this area for 2026/27.

Housing related fraud
Inherent risk: High
Residual risk: Medium

Risk description
Council properties represent a significant asset to the council. Housing fraud can deprive the council of these assets through false applications for Right to Buy. Tenants who sublet or falsely obtain council properties remove a property from a person or family in true need of housing and can negatively affect the council financially when people are in temporary accommodation and are waiting for a suitable property to become available.

Risk controls
The council has strong controls in place to prevent false applications for housing. The housing department engages with tenants regularly to ensure properties are not being misused. Eligibility checks are made before council owned properties are let. The CFT work with council colleagues to conduct checks, eg identity and money laundering, on all applications for Right to Buy. The CFT provide a deterrent to fraud in this area through the investigation of any suspected subletting of council properties using powers under the Prevention of Social Housing Fraud Act. Offenders face criminal prosecution and repossession of their council properties.

Priorities for internal audit / counter fraud
The CFT will continue to raise awareness of fraud with teams involved in applications for council housing and the management of housing stock. The investigation of reports of the subletting of council properties is treated as a priority.

Procurement fraud
Inherent risk: High
Residual risk: Medium

Risk description
Procurement fraud, by its nature, is difficult to detect but can result in large scale loss of public funds over long periods of time. Businesses that collude to stifle competition and fix or inflate prices are referred to as a cartel. The Competition and Markets Authority (CMA) estimates that having a cartel within a supply chain can raise prices by 30% or more. Procurement fraud can also take the form of mischarging, undertaking substandard work, and diverting goods or services. In 2020 CIPFA reported losses of £1.5m for local authorities, due to procurement fraud. It found that 8% of fraud detected in this area involved ‘insider fraud’.

Risk controls
The council has established Contract Procedure Rules. The rules are reviewed regularly and require a competitive process for significant procurements through an e-tender system. A team of procurement professionals provide guidance and advice to ensure procurement processes are carried out correctly. The Contract Procedure Rules also set out the requirements for declarations of interests to be made. Contract monitoring helps to detect and deter potential fraud.

Priorities for internal audit / counter fraud
Continued vigilance by relevant employees is key to identifying and tackling procurement fraud. IA and the CFT monitor and share guidance on fraud detection issued by the Competition and Markets Authority and other relevant bodies. In 2026/27 IA will audit the council’s compliance with new procurement legislation introduced last year as well as contract management processes. The CFT provides regular training to the procurement team.

Internal fraud
Inherent risk: Medium
Residual risk: Medium

Risk description
Fraud committed by employees is a risk to all organisations. Internal fraud within councils occurs infrequently and usually results in low levels of loss. However, if fraud or corruption occurred at a senior level there is the potential for a greater level of financial loss and reputational damage to the council. There are a range of potential employee frauds including theft, corruption, falsifying timesheets and expense claims, abusing flexitime or annual leave systems, undertaking alternative work while sick, or working for a third party on council time. Some employees have access to equipment and material that may be misused for private purposes. Payroll related fraud can involve the setting up of 'ghost' employees to obtain salary payments. A new criminal offence came into force in 2025, Failure to Prevent Fraud, which holds large organisations like the council accountable for fraud committed by employees, contractors, or suppliers that is designed to benefit the council.

Risk controls
The council has up to date whistleblowing, counter fraud, and anti-bribery policies. Campaigns are held annually to promote the policies and to remind staff how to report any concerns. Veritau provide e-learning training on whistleblowing to council employees and managers. The council has checks and balances in place to prevent individual members of staff being able to circumvent financial controls, eg deviation reports are produced and checked for expense claims that can highlight potential issues with claims, and segregation of duties is applied in council processes. Management controls are also in place surrounding flexitime, annual leave and sickness absence.

Priorities for internal audit / counter fraud
Veritau regularly liaises with senior management on internal fraud issues. Instances of internal fraud are analysed by both IA and CFT to determine if control weaknesses exist and can be addressed. The CFT provides training to all staff on whistleblowing and how to report concerns. Any suspicion of fraud or corruption is treated as a priority investigation. Where appropriate IA and CFT work together to investigate suspected fraud. Serious cases of fraud will be reported to the police. Disciplinary action taken by the council relating to internal fraud issues is often supported by the CFT. IA undertake work to ensure that appropriate checks and balances are in place to help prevent and detect internal fraud and corruption. Veritau is raising awareness of Failure to Prevent Fraud and training is being provided to employees.

Recruitment fraud
Inherent risk: Medium
Residual risk: Medium

Risk description
Recruitment fraud can affect all organisations. Applicants can provide false or misleading information to gain employment such as bogus employment history and qualifications or providing false identification documents to demonstrate the right to work in the UK. There is danger for the council if recruitment fraud leads to the wrong people occupying positions of trust and responsibility or not having the appropriate professional accreditation for their post. In addition, there have been reports nationally of ‘polygamous working’ fraud, where an employee, usually in a temporary position, works for several different organisations at the same time.

Risk controls
The council has controls in place to mitigate the risk of fraud in this area. DBS checks are undertaken for certain roles as necessary. Additional checks are made on applications for roles involving children and vulnerable adults. References are taken from previous employers and there are processes to ensure qualifications provided are genuine. Right to work checks are completed in line with statutory guidance. The National Fraud Initiative undertakes payroll data matches to identify employees who are working for multiple organisations at the same time.

Priorities for internal audit / counter fraud
Where there is a suspicion that someone has provided false information to gain employment, CFT will be consulted on possible criminal action in tandem with any disciplinary action that may be taken. Applicants making false claims about their right to work in the UK or holding professional accreditations will be reported to the relevant agency or professional body, where appropriate. The CFT routinely share details of identities found to be used in polygamous working with HR to prevent and detect potential issues. IA reviewed council recruitment and selection processes in 2025/26 and gave them reasonable assurance.

Theft of assets
Inherent risk: Medium
Residual risk: Low

Risk description
The theft of assets can cause financial loss and reputational damage. It can also negatively impact on employee morale and disrupt the delivery of services. The council owns a large amount of portable, desirable physical assets such as ICT equipment, vehicles, and tools that are at higher risk of theft.

Risk controls
Specific registers of physical assets (eg capital items, property, and ICT equipment) are maintained. The council operates CCTV systems covering key premises and locations where high value items are stored. Entrances to council buildings are regulated and controlled via different access methods. The council employs a specialist security team to safeguard its premises, employees, and assets. The security team respond to incidents of theft through increased patrols and recommending improvements to processes. The council's whistleblowing arrangements provide an outlet for reporting concerns of theft. Thefts are reported to the police and Veritau.

Priorities for internal audit / counter fraud
Instances of theft will be investigated by CFT where appropriate. IA have a planned audit looking into security arrangements at West Offices and Hazel Court.

|
Risk area #11 |
Treasury management |
|
Inherent risk |
Medium |
|
Residual risk |
Low |
|
|
Risk description |
Treasury Management involves the management and safeguarding of the council’s cash flow, its banking, and money market and capital market transactions. The impact of fraud in this area could be significant. |
|||||||
|
Risk controls |
Treasury Management systems are subject to a range of internal controls, legislation, and codes of practice which protect council funds. Only pre-approved employees can undertake transactions in this area and they work within pre-set limits. |
|||||||
|
Priorities for internal audit / counter fraud |
IA conduct periodic work in this area to ensure controls are strong and fit for purpose. |
|||||||
|
Risk area #12 |
Grant schemes |
|
Inherent risk |
Medium |
|
Residual risk |
Low |
|
|
Risk description |
The council takes on the responsibility for disbursing government funded grant schemes to residents, businesses, and other organisations. Fraud in this area can include applicants supplying incorrect information to obtain grant payments or grant funded works (for example where grant funds are paid to a third-party supplier). Suppliers undertaking work may overcharge or not complete work to agreed standards. The council can become liable for recovery of any incorrectly paid government funding. This can create a loss to the council and may affect access to future grant schemes. |
|||||||
|
Risk controls |
The council will complete any required fraud management plan which will consider fraud risks, and mechanisms for preventing and detecting fraud. When awarding payments or agreeing works, the council (or their contractor) will complete checks to confirm applicants’ eligibility. |
|||||||
|
Priorities for internal audit / counter fraud |
The CFT and IA support the development of fraud management plans, and associated controls, where required. CFT will undertake investigation in cases of suspected fraud. IA regularly undertake certification work on grant funded schemes. A new scheme, the Crisis and Resilience Fund, will be introduced in April 2026. Veritau will support the council to prevent fraud against the scheme and protect funds meant for vulnerable people. |
|||||||
|
Blue badge & parking fraud |
|
Inherent risk |
Low |
|
Residual risk |
Low |
|
|
|
Risk description |
Blue Badge fraud carries low financial risk to the authority but can affect the quality of life for disabled residents and visitors. There is a risk of reputational damage to the council if abuse of this scheme is not addressed. Other types of parking fraud also occur, including the misuse of residential parking permits by the owners of short-term holiday lets to avoid commercial parking charges. Electronic payments by members of the public for use of council car parks can be diverted by criminals using false QR codes. |
|||||||
|
Risk controls |
Measures are in place to control the issue of blue badges, to ensure that only eligible applicants receive badges. Checks are made to ensure that commercial businesses don’t inappropriately access residential parking permits. The council participates in the National Fraud Initiative which flags badges issued to deceased users, and badge holders who have obtained a blue badge from more than one authority, enabling their recovery to prevent misuse. The CFT and Parking Enforcement work closely together to identify, deter and investigate parking fraud. Proactive days of action are undertaken by both teams to raise awareness and act as a deterrent to blue badge misuse. Warnings are issued to people who misuse parking permits and blue badges. Serious cases of both types of fraud are considered for prosecution. Council car parks are monitored to detect and deter efforts to divert electronic payments. |
|||||||
|
Priorities for internal audit / counter fraud |
The CFT routinely investigate fraud in this area as well as undertaking days of action to combat blue badge fraud. The team will work with the parking department to investigate and stop the use of false QR codes in council car parks to divert payments. IA plan to audit the application process and consider eligibility policies in 2026/27. |
|||||||
APPENDIX B: COUNTER FRAUD DEVELOPMENT PLAN
Veritau is responsible for maintaining, reviewing, and strengthening counter fraud arrangements at the council. An annual review of priorities for the future development of counter fraud arrangements is therefore undertaken. Actions to be taken over the next year are set out below.
In addition to the specific areas set out in the table below, ongoing activity will continue in other areas that contribute to the council’s arrangements for countering the risk of fraud, including:
· a rolling programme of fraud awareness training for officers based on priorities identified through the fraud risk assessment and any other emerging issues
· regular reporting of internal audit and counter fraud activity to the Audit and Governance Committee.
|
Ref |
Action Required |
Theme |
Target Date |
Responsibility |
Notes / Further Action Required |
|
1 |
Update the council’s whistleblowing policy |
Governing |
May 2026 |
Veritau / Human Resources |
The council’s whistleblowing policy will be revised to reflect changes in the law. E-learning material will also be updated to reflect this. |
|
2 |
Review and maintain the council’s fraud risk assessment |
Acknowledging |
Ongoing |
Veritau |
Ensure the council is made aware of new threats and responds to emerging risks, such as the new Failure to Prevent Fraud offence. |
|
3 |
Raising awareness of adult social care fraud amongst employees |
Preventing |
Ongoing |
Veritau |
In 2026/27 Veritau will introduce an e-learning module on adult social care and make it available to employees working in the area. |
|
4 |
Support service areas in collation and submission of data for the 2026/27 National Fraud Initiative |
Pursuing |
November 2026 |
Veritau / Council Departments |
Veritau will receive data from a range of council departments, cleanse data to meet NFI specifications, and securely upload it. Privacy notices will also be reviewed to ensure compliance with data sharing regulations. |
|
5 |
Support the council to introduce the new Crisis and Resilience Fund |
Protect |
Ongoing |
Veritau |
Helping prevent fraud in this new scheme will protect funds meant to support the public in times of crisis. |
|
6 |
Continue active engagement with neighbouring bodies and local authorities. |
Protect |
Ongoing |
Veritau |
Fraud can occur across council boundaries. CFT chair and are active members of regional professional networks in Yorkshire and the North East. These forums bring together fraud officers, internal auditors, and housing associations. Identifying opportunities to share information and work jointly can help to detect and deter fraud. |
APPENDIX C: COUNTER FRAUD WORK PLAN
1 Veritau undertakes counter fraud work on behalf of City of York Council. This document summarises expected counter fraud activity for 2026/27.
2 A large part of the work of the team involves undertaking reactive investigations. The level of investigations is driven by referrals received from officers and the public about suspected fraud. Other work will be undertaken in accordance with priorities determined by the Fraud Risk Assessment and Counter Fraud Development Plan. A high-level summary of the areas of counter fraud work is shown in Table 1 below.
Table 1: Counter fraud work programme
|
Programme area |
Purpose |
|
|
|
Monitoring changes to regulations and guidance, reviewing counter fraud risks, and support to the council with maintenance of the counter fraud framework. Updates on significant fraud trends and counter fraud activities will be provided to the Audit and Governance Committee during the year. |
|
|
|
This includes: • raising awareness of counter fraud issues and procedures for reporting suspected fraud - for example through training and provision of updates on fraud related issues • targeted proactive counter fraud work - for example through local and regional data matching exercises • support and advice on cases which may be appropriate for investigation and advice on appropriate measures to deter and prevent fraud. |
|
|
|
Investigation of suspected fraud affecting the council. This includes feedback on any changes needed to procedures to prevent fraud reoccurring. |
|
|
|
Coordinating submission of data to the Public Sector Fraud Authority for the National Fraud Initiative (NFI) data matching programme and investigation of subsequent matches. |
|
|
|
Acting as a single point of contact for the Department for Work and Pensions, to provide data to support housing benefit investigations. |
|
3 The overall level of service is based on an indicative number of days for planning purposes (983 for 2025/26). Figure 1 below shows the proportion of time we expect to deliver across each area during the year.
Figure 1: Indicative split of counter fraud work
4 The split of activities shown in the figure above is not fixed. Actual work will depend on the level of suspected fraud referred to the team. We will also keep priorities for proactive and other counter fraud work under review, to ensure counter fraud resources continue to be used in the areas of greatest value to the council.
[1] Progress combatting fraud (Forty-Third Report of Session 2022-23), Public Accounts Committee, House of Commons
[2] An overview of the impact of fraud and error on public funds, National Audit Office
[4] A strategy for the 2020s, Fighting Fraud and Corruption Locally