Risk area #1

Social care fraud

Inherent risk

High

Residual risk

High

Risk description

Adult social care customers complete a financial assessment with the Council to determine any financial contribution they must make towards their care. Losses can occur through deprivation or non-declaration of capital which can involve the transfer or disguise of property during the financial assessment process. Residential homes could also continue to claim for customers who are no longer in residence (eg after they pass away). In both adult and children’s social care, fraud can occur through the misuse of the Direct Payment scheme. For example, where monies allocated to meet a customer’s assessed needs are not used to procure support services. Losses in social care fraud cases can be substantial, especially if they are not detected at an early stage.

Risk controls

Applications for care funding are carefully assessed to ensure that recipients meet the eligibility criteria and that any financial contribution for care by the customer is correctly calculated. A range of monitoring and verification controls are operated by the Council. This includes requiring customers in receipt of Direct Payments to have a separate bank account for managing these funds and complying with monitoring procedures to verify spending. In instances of misused Direct Payments, customers are moved to a commissioned service. The residual risk of adult and children’s social care fraud is still considered to be high. This is due to the level of spend in this area, the scale of losses, and the speed at which they can be accrued. It is also a reflection of the difficulty all councils have in detecting assets when people are determined to keep them hidden.

Priorities for internal audit / counter fraud

Veritau works with senior management and officers responsible for the provision of social care; concerns of fraud are regularly reported to the counter fraud team (CFT) for investigation. Internal audit (IA) periodically conducts audits into financial assessments and direct payments processes. The CFT delivers a rolling programme of fraud awareness training to employees with responsibilities for assessment and payments. Investigation of fraud in this area provides a deterrent to those considering committing it and can assist the Council to recover losses through the court system. Legislative change in 2025 now allows the National Fraud Initiative to reintroduce adult social care data matches. These will highlight Direct Payment and residential care packages in payment where external records register customers as deceased. The matches will be reviewed by council officers – with support from Veritau – to identify incorrect payments and potentially fraudulent activity.

Risk area #2

Creditor fraud

Inherent risk

High

Residual risk

High

Risk description

Attempts to commit fraud against the creditor payment systems of public and private sector organisations has increased in terms of volume and sophistication in recent years. The mandatory publication of payment data makes councils particularly vulnerable to attack. Attacks are often the work of organised criminal groups who may operate within the UK or from abroad. Individual losses due to fraud can be extremely large (in excess of £1 million) and the likelihood of recovery is low once a fraud has been successfully committed. The most common issue is mandate fraud (payment diversion fraud) where fraudsters impersonate legitimate suppliers and attempt to divert payments by requesting changes in bank details. Other types of fraud include whaling, where senior members of the Council are targeted and impersonated in order to obtain fraudulent payments. There have been increased instances nationally of hackers gaining direct access to email accounts of suppliers and using these to attempt to commit mandate fraud. These attempts can be much more difficult to detect and prevent.

Risk controls

The Council has strong controls in place to identify fraudulent attempts to divert payments from genuine suppliers and an anti-fraud procedure to validate any requests to change supplier details. There is a robust payment run process which requires appropriate checks and authorisation. Segregation of duties exist between the ordering, invoicing and payments processes. The residual risk of creditor fraud is still considered to be high due to potentially high levels of loss and the frequency of attacks. The Council's reliance on its own employees, and those of its suppliers, to follow processes, and the potential of human error, are factors in many successful mandate fraud attacks.

Priorities for internal audit / counter fraud

The IA work programme routinely includes audits of key financial systems and processes. This includes main accounting, systems, creditor payments, and use of purchase cards. IA work has provided review and assurance for new systems implement at North Yorkshire Council following local government reorganisation. The biennial National Fraud Initiative exercise includes reports relating to potential duplicate payments and multiple creditor records for individual suppliers. The CFT delivers fraud awareness training to relevant officers. Increased awareness provides a greater chance to stop fraudulent attempts before losses occur. Finance officers who have concerns about supplier payments can contact the CFT and IA for support and advice. All instances of attempted creditor related fraud are reported to the CFT who then report to relevant agencies, such as the National Cyber Security Centre, as well as directly to the email provider from which false emails originated. The CFT regularly shares intelligence alerts relating to attempted fraud occurring nationally with relevant council officers to help prevent losses. As part of any investigation of attempted fraud in this area, the CFT will work with IA to provide advice on improvements that will strengthen controls.

Risk area #3

Cybercrime

Inherent risk

High

Residual risk

High

Risk description

Cybercrime is a continually evolving area where criminals are constantly refining their techniques in order to overcome controls, obtain unauthorised access and information, and frustrate systems. In 2025, the government reported that approximate 612,000 UK business and 61,000 charities identified cyber breaches or attacks over a 12 month period. The potential for cybercrime is heightened by the availability of online tools and AI-driven attacks. As cybercrime can be perpetrated remotely, attacks can come from within the UK or overseas. Some cybercrime is motivated by profit, however some is designed purely to disrupt services. Types of cybercrime experienced by local authorities include ransomware, phishing, whaling, hacking, and denial of service attacks. Attacks can lead to loss of funds or systems access/data which could impact service delivery. There have been a number of high-profile cyber-attacks on public and private sector organisations in recent years. Attacks stemming from the hacking of software or ICT service providers have become more prevalent. These are known as supply chain attacks and are used by hackers to target the end users of the software created by the organisations targeted.

Risk controls

The Council has skilled ICT employees whose expertise is used to help mitigate the threat of cybercrime. The ICT department has processes to review threat levels and controls (eg password requirements for employees). The ICT department uses filters to block communications from known fraudulent servers and will encourage employees to raise concerns about any communications they do receive that may be part of an attempt to circumvent cybersecurity controls. The Council also maintains a disaster recovery plan that complies with relevant ISO standards to manage any potential incident. Despite strong controls being in place, cybercrime remains a high residual risk for the Council. Council systems could be exposed by as yet unknown weaknesses in software. Suppliers of software or IT services could also be compromised which may allow criminals access to council systems believed to be secure. The residual risk of cybercrime also remains high due to the constantly evolving methods employed by fraudsters which requires regular review of controls.

Priorities for internal audit / counter fraud

IA routinely include ICT audits in the annual work programme. Cybersecurity is an ongoing priority for IA work, with IT asset management and disaster recovery being the recent focus of audit work. Raising awareness with employees can be crucial in helping to prevent successful cyberattacks. The CFT works with ICT to support activities on raising awareness amongst employees. A campaign to mark cybersecurity awareness month is undertaken annually. ICT can access free resources from the National Cyber Security Centre to help develop and maintain their cyber defence strategy.

Risk area #4

Council tax and business rate frauds

Inherent risk

High

Residual risk

Medium

Risk description

Fraud in this area often involves individuals providing incorrect information about residence or occupation of homes and commercial properties. In some cases, false documents such as tenancy agreements or leases may be created and submitted to the Council. As the largest source of the Council’s income, appropriate billing for liabilities is essential to funding services. Council tax discount fraud is a common occurrence with a CIFAS survey in 2022 finding that 10% of UK adults said they knew someone who had recently committed single person discount fraud. In addition, 8% of people thought falsely claiming a single person discount was a reasonable thing to do. The 2025 National Anti Fraud Network Counter Fraud Survey noted an increase in the volume of medium to low value fraud cases. The cumulative effect of fraud in this area can represent a large loss to the Council. Business rates fraud can involve falsely claiming discounts that a business is not entitled to, eg small business rate relief. Reports of business rate fraud are less prevalent than Council Tax fraud but can lead to higher losses in individual cases.

Risk controls

The Council reviews all applications for discounts and exemptions to help ensure that only valid applications are accepted. This includes requiring relevant information be provided on application forms, and visits to properties are undertaken where needed, to verify information. Reviews are undertaken of single person discounts to ensure that those receiving a discount remain eligible to do so. The Council also routinely takes part in the National Fraud Initiative (NFI). The exercise allows councils to cross check records that may highlight households with occupants not declared for council tax purposes (ie people registered to vote at properties where they are not registered for council tax).

Priorities for internal audit / counter fraud

The CFT delivers fraud awareness training to employees in the revenues team about frauds affecting Council Tax and Business Rates. IA regularly review the administration of Council Tax and Business Rates as one of the Council’s key financial systems. The counter fraud team provides a deterrent to fraud in this area through the investigation of potential offences which can, in serious cases, lead to prosecution. CFT will also provide support through compliance work that encourages occupiers to provide details of relevant changes to the Council.

Risk area #5

Council tax reduction fraud

Inherent risk

High

Residual risk

Medium

Risk description

Council Tax Reduction (CTR) is a council funded reduction in liability for Council Tax. It is resourced through council funds. Fraud and error in this area is of relatively low value on a case-by-case basis but cumulatively fraud in this area could amount to a substantial loss. CTR fraud can involve applicants failing to declare their total assets or income, or that other people – such as a partner – live with them. Those receiving support are also required to notify the Council when they have a change in circumstances that may affect their entitlement to support. Many CTR claims are linked to state benefits (eg Universal Credit) which are administered by the Department for Work and Pensions (DWP).

Risk controls

The Council undertakes eligibility checks on those who apply for support. Officers manage the assessment of new and ongoing claims for CTR to identify potential issues and request additional information and documentation from applicants where necessary. The Council will routinely take part in the National Fraud Initiative (NFI) which combines internal records with other local authority and government department data to highlight potentially fraudulent claims. Where DWP benefits are also in payment, the DWP use data on claimants’ incomes from HMRC which is then passed through to Council systems. This helps mitigate the risk of claimants not updating the Council with income details.

Priorities for internal audit / counter fraud

Concerns of fraud can be reported to the CFT by officers. The CFT provide a deterrent to fraud in this area through the investigation of potential fraud which can, in serious cases, lead to prosecution. The CFT will also seek opportunities to raise awareness with the public about the mechanisms for reporting fraud. If fraud cannot be addressed by the Council directly it will be reported to the DWP or relevant agency. CFT will continue to jointly work with the DWP to address cases affecting both parties.

Risk area #6

Housing related fraud

Inherent risk

High

Residual risk

Medium

Risk description

Those who provide incorrect information to obtain council housing, and tenants who sublet council properties remove a property from a person or family in true need of housing. This can negatively affect the Council financially when people are in temporary accommodation and are waiting for a suitable property to become available. Those who unlawfully sublet may do so to make a financial gain for themselves by charging subtenants more than the true rent. Council properties represent a significant asset to the Council. Fraudulent applications for Right to Buy deprive the Council of these assets and reduce affordable housing.

Risk controls

The Council has strong controls in place to prevent false applications for housing. The housing department engages with tenants regularly which can help identify potential misuse of properties. The CFT provide a deterrent to fraud in this area through the investigation of any suspected subletting of council properties using powers under the Prevention of Social Housing Fraud Act. Offenders face criminal prosecution and repossession of their council properties.

Priorities for internal audit / counter fraud

The CFT will continue to raise awareness of fraud with teams involved in applications for council housing and the management of housing stock. The investigation of reports of the subletting of council properties are treated as a high priority. The team will also support the Council in seeking Unlawful Profit Orders where council properties have been sublet for financial gain. If a tenant profits from subletting, the law allows the Council to apply to court for an unlawful profit order to recover monies. The CTF will support the Council in seeking unlawful profit orders by gathering and presenting relevant evidence. In 2026/27, the team will explore opportunities to support verification of Right to Buy applications.

Risk area #7

Procurement fraud

Inherent risk

High

Residual risk

Medium

Risk description

Procurement fraud, by its nature, is difficult to detect but can result in large scale loss of public funds over long periods of time. Businesses that collude to stifle competition, market-share, and fix or inflate prices are referred to as a cartel. The Competition and Markets Authority (CMA) estimates that having a cartel within a supply chain can raise prices by 30% or more. Procurement fraud can also take the form of mischarging, delivery of substandard work, and diverting goods or services. In 2020 CIPFA reported losses of £1.5m for local authorities, due to procurement fraud. It found that 8% of fraud detected in this area involved ‘insider fraud’.

Risk controls

The Council has established Contract Procedure Rules. The rules are reviewed regularly and have been updated to reflect new provisions in the Procurement Act 2023 that took effect in 2025. The Council maintains guidance for officers taking part in procurement exercises. This includes information on quotations, tendering, selecting providers, and considering best value. A team of procurement professionals provide guidance and advice to ensure procurement processes are carried out correctly. Contract monitoring arrangements help to detect and deter potential fraud.

Priorities for internal audit / counter fraud

Continued vigilance by relevant employees is key to identifying and tackling procurement fraud. CFT have delivered training to procurement officers highlighting the impact of the new Procurement Act provisions and countering fraud. IA and the CFT monitor and share guidance on fraud detection issued by the Competition and Markets Authority and other relevant bodies. Regional and national fraud alerts are also shared so that the Council can consider potential issues with suppliers and procurement arrangements.  IA regularly undertake procurement related work to help ensure processes are effective and being followed correctly.

Risk area #8

Theft of assets

Inherent risk

High

Residual risk

Medium

Risk description

The Council owns a large amount of portable, desirable physical assets such as ICT equipment, vehicles, and tools that are at higher risk of theft. The theft of assets can cause financial loss, impact service delivery, and erode public confidence in the Council. It can also negatively impact on employee morale.

Risk controls

The Council maintains asset registers to support accountability and audit trails for equipment. Asset tagging methods are also used to deter theft and aid recovery. The Council operates CCTV systems covering key premises and locations where high value items are stored. Access to council buildings is regulated and controlled via different access methods. The Council's whistleblowing arrangements provide an outlet for officers and contractors to report concerns of theft or misuse of equipment.

Priorities for internal audit / counter fraud

Thefts are reported to the police and Veritau. Instances of theft are investigated by CFT where appropriate. IA work includes review of potential control weakness relating to security of assets. This includes conducting sweeps of Council premises.

Risk area #9

Internal fraud

Inherent risk

Medium

Residual risk

Medium

Risk description

Fraud committed by employees is a risk to all organisations. Internal fraud within councils usually results in low levels of loss. However, if fraud or corruption occurred at a senior level there is the potential for a greater level of financial loss and reputational damage to the council. There are a range of potential employee frauds including theft, corruption, falsifying timesheets and expense claims, abusing flexitime or annual leave systems, undertaking alternative work while sick, or working for a third party on council time. Some employees have access to equipment and material that may be misused for private purposes. Payroll related fraud can involve the setting up of 'ghost' employees in order to obtain salary payments. A new criminal offence came into force in 2025, Failure to Prevent Fraud, which holds large organisations like the Council accountable for fraud committed by employees, contractors, suppliers that is designed to benefit the authority.

Risk controls

The Council has checks and balances to prevent individual employees being able to circumvent financial controls, eg deviation reports to identify issues, and segregation of duties are applied in Council processes. Controls are in place surrounding flexitime, annual leave and sickness absence. The Council has up to date whistleblowing and an anti-fraud, bribery and corruption policies, and an employee code of conduct. Veritau promote these policies and to remind employees how to report any concerns through awareness campaigns. CFT provide e-learning training on whistleblowing for employees and managers. The Council regularly participates in the National Fraud Initiative. Data matches include checks on payroll records for potential issues.

Priorities for internal audit / counter fraud

Veritau liaises with senior management on internal fraud issues. Where internal fraud arises, IA and the CFT will review the circumstances to determine if there are underlying control weaknesses that can be addressed. CFT provide training to, and work closely with, HR officers on internal fraud and whistleblowing issues. CFT investigate any suspicions of fraud or corruption. Serious cases of fraud will be reported to the police. In some instances, it may be necessary to report individuals to their professional bodies. CFT can support any disciplinary action taken by the Council relating to internal fraud issues. Veritau will continue to raise awareness of Failure to Prevent Fraud responsibilities.

Risk area #10

Recruitment fraud

Inherent risk

Medium

Residual risk

Medium

Risk description

Applicants can provide false or misleading information in order to gain employment. This may include providing a fictitious employment history and qualifications or providing false identification documents. Inappropriate appointments could lead to the wrong people occupying positions of trust and responsibility, officers not having the appropriate professional accreditation for their post, safeguarding risks, and service failures. There have been a rising number of reports nationally of ‘polygamous working’ fraud, where an employee, usually in a temporary position, works for a number of different organisations at the same time.

Risk controls

The Council has controls in place to mitigate the risk of fraud in this area. It undertakes pre-employment checking, including DBS checks where necessary such as roles involving children and vulnerable adults. References are taken from previous employers, and the Council are able to review qualifications and professional accreditations. The National Fraud Initiative undertakes payroll data matches to identify employees who are working for multiple organisations at the same time.

Priorities for internal audit / counter fraud

Where there is a suspicion that someone has provided false information to gain employment, the CFT will be consulted on possible criminal action in tandem with any disciplinary action that may be taken. Applicants making false claims about their right to work in the UK or holding professional accreditations will be reported to the relevant agency or professional body, where appropriate. The CFT routinely share intelligence on identities found to be used in polygamous working with HR to prevent and detect potential issues.

Risk area #11

Treasury management

Inherent risk

Medium

Residual risk

Low

Risk description

Treasury Management involves the management and safeguarding of the Council’s cash flow, its banking, and money market and capital market transactions. Weaknesses in controls could result in fraud or error through unauthorised transactions. Financial losses could affect the Council’s ability to meet statutory obligations and cause reputational damage to the authority.

Risk controls

Treasury Management systems are subject to a range of internal controls, legislation, and codes of practice which protect Council funds. Only pre-approved employees can undertake transactions in this area and they work within pre-set limits. The Council has a process to prevent fraudulent diversion of payments.

Priorities for internal audit / counter fraud

IA conduct periodic work in this area to ensure controls are strong and fit for purpose, and that there is officer compliance with these controls. CFT can provide support through advice and investigation where fraud is suspected. Raising awareness of the Council’s whistleblowing arrangements routinely takes place to ensure that officers can raise concerns about potential internal issues.

Risk area #12

Grant schemes

Inherent risk

Medium

Residual risk

Low

Risk description

The Council takes on the responsibility for disbursing government funded grant schemes to local residents, businesses, and other organisations. Fraud in this area can include applicants supplying incorrect information to obtain grant payments or grant funded works (for example where grant funds are paid to a third-party supplier). Suppliers undertaking work may overcharge or not complete work to agreed standards. The Council can become liable for recovery of any incorrectly paid government funding. This can create a loss to the Council and may affect access to future grant schemes.

Risk controls

The Council will complete any required fraud management plan which will consider fraud risks, and mechanisms for preventing and detecting fraud. When awarding payments or agreeing works, the Council (or their contractor) will complete checks to confirm applicants’ eligibility. Contacts with suppliers may also include clauses on quality standard and clawback provisions.

Priorities for internal audit / counter fraud

The CFT and IA will support the development of fraud management plans, and associated controls, where required. CFT can undertake investigation in cases of suspected fraud.

Risk area #13

Blue badge fraud & parking fraud

Inherent risk

Low

Residual risk

Low

Risk description

Misuse of blue badges and parking permit schemes can affect effective management of parking facilities. Blue Badge fraud carries low financial risk to the authority but can have a significant negative impact on disabled residents and visitors. There is a risk of reputational damage to the Council if abuse of this scheme is not addressed. Other low level parking fraud includes misuse of residential permits to avoid commercial parking charges. The Council controls a number of car parks and chargeable on street parking spaces. Electronic payments by members of the public for use of council car parks can be diverted by criminals using false QR codes. This fraud targets the public and could lead to financial losses and cause reputational damage for the Council.

Risk controls

The Council also has a dedicated team that monitor blue badge and permit use, and enforce parking regulations. Measures are in place to control the issuing of blue badges, to ensure that only eligible applicants receive badges. The Council participates in the National Fraud Initiative which flags blue badges issued to deceased users, and badge holders who have obtained a blue badge from more than one authority, enabling their recovery to prevent misuse.

Priorities for internal audit / counter fraud

The CFT will continue to engage with the Council’s enforcement team and encourage participation on the 2026 national parking day of action. This will help raise awareness and act as a deterrent to blue badge misuse. Warnings can be issued to people who misuse parking permits and blue badges. Serious or repeated misuse cases will be considered for prosecution.