'Potential fraud risks being overlooked' in HSE payroll system
The audit found that the HSE does not incorporate a fraud risk assessment in its approach to fraud risk management while there is no 'risk and controls matrix' of the payroll process.
Unapproved salary rates could be paid to HSE staff over an “extended period of time”, while potential “irregularities” in the wider organisation may not be identified and acted upon, a new audit has found.
Released to the under the Freedom of Information Act, an internal audit of fraud risk assurance within HSE payroll — which issued payments worth €8.5bn in 2023 — from last November warned of the risk of financial loss and reputational damage to the organisation arising from “potentially systemic” issues.
It also identified that, while not a fraudulent loss per se, overpayments to staff totalling €12.7m in 2023 were an “upward trend of concern” and may mean the full recovery of monies is not possible.
“Many of the controls are appropriate, however some specific fraud assessment is reactive, and many mitigation controls are implicit rather than explicit,” the audit found.
“This requires improvement, however much of this crosses organisational boundaries between HR, Finance, Line Management and ICT, and needs a holistic approach to be effective.
“Fraud risk within payroll processes is heightened and inherently a high risk, as the large sums involved make it a significant target for theft and fraud.”
It found that the HSE does not incorporate a fraud risk assessment in its approach to fraud risk management while there is no “risk and controls matrix” of the payroll process.
It said such a matrix ensures someone is always responsible for mitigating risk in an organisation and, in the absence of clear accountability and ownership of controls, there is the “potential for fraud risks being overlooked”.
The audit also recommended that the testing of plans for an IT systems failure needs to be a routine process. It said an over-reliance on untested plans heightens the risk of service interruption and criminal exploitation.
“There is no programme within HSE payroll tailored to the fraud risk response expected from staff and aligned to HR and other procedures,” it said.
The audit concluded that the level of assurance that may be given to management on the adequacy and effectiveness of the governance, risk management and internal control system in this area was “limited”.
In response to the audit, the HSE said payroll is one of the largest and most complex payment systems in the State, and it is "proactively responding to the highlighted risks".




