Introduction
The Accounting Officer for the NHSCFA is our Chief Executive Officer, Alex Rothwell. The governance arrangements summarised in this Statement describe how the Board and Accounting Officer gain assurance. It includes information relating to the effectiveness of:
The Accounting Officer confirms the assurances provided in this Governance Statement are in line with the HM Treasury guidance. As explained in the Directors' report, details of the legislation which established the organisation are available via the Corporate publications | About | NHSCFA.
Sponsor oversight
The DHSC Anti-Fraud Unit (AFU) is the departmental sponsor for the NHSCFA, and a framework agreement between the DHSC and the NHSCFA details the governance arrangements between the two. During the year the framework agreement was updated to reflect intentions for the new strategic period. Framework agreement between DHSC and NHS Counter Fraud Authority 2026 to 2029 - GOV.UK
Finance, performance and accountability meetings are held regularly under the agreement, and these provide opportunities throughout the year to discuss and inform:
- financial and budgetary status and resourcing
- performance in respect of financial and non-financial targets
- high level strategic decision making and planning
Regular working level meetings enable comprehensive and accurate planning at an operational level, through exchanges of information, horizon scanning and problem solving. The DHSC Sponsor attends Board meetings to ensure members of the Board, understand the key stakeholder's views.
NHSCFA Board
This year the Board's principal focus was responding to the government's review of arm's length bodies (ALBs), developing the NHSCFA Strategy for 2026 to 2029 and the 2026 to 2027 Business Plan, and overseeing NHSCFA's transformational programme of work aligned to its longer-term aspirations. Against a backdrop of unexpected NED vacancies and changing spending priorities, the Board maintained effective governance and continued to provide strategic challenge and assurance throughout the year.
Key decisions and areas of oversight during 2025 to 2026 included:
- agreeing terms of reference for a new Finance and Performance Committee (F&P) and for the committee to commence in shadow form
- overseeing performance metrics, the Operational Performance Report and Proceeds of Crime Act figures, and risk mitigation approaches where identified fraud is not prosecuted by stakeholders
- oversight of the Digital Strategy, Estates Strategy, health and safety arrangements, crisis planning, and procurement pipeline - with enhanced reporting introduced to improve transparency of planned procurements, and learning from contract renewals
- agreeing updated risk appetite and tolerance statements for countering internal fraud, bribery and corruption
- agreeing a culture statement on hybrid working and strengthening the integrity focus within our People Strategy
Two Board development and briefing days were held during the year, which focused on the development and review of the NHSCFA Strategy for 2026 to 2029. These prompted useful reflection on whether Board reporting adequately captured the extent and range of NHSCFA influence on realisable counter fraud outcomes - an area that will inform how performance is reported going forward.
At each meeting, the Board received an operational performance report and quarterly updates on progress against strategic goals and targets. Other supporting reports are provided on an annual cycle, covering key compliance and governance topics. Committee reporting kept the Board informed of risks identified and actions taken. The Board provided feedback on the quality of papers and presentations throughout the year and remained satisfied with their standard, balance and accuracy.
This year the Board agreed terms of reference for the establishment of a Finance and Performance Committee (F&P) to review integrated business and financial planning and the ongoing delivery of the published Strategy and Business Plan, provide assurance to the Board regarding the management of risks, internal controls and governance in respect of these, and review programme, project and capital investment programmes against any mandatory standards. It was agreed that the Committee will commence in shadow form until board recruitment was finalised. The Board further considered proposed changes to our corporate governance framework to align assurance reporting to the F&P from Associate Director meetings and proposed Executive Assurance Panels.
Board composition and skills
The year presented challenges to Board resilience. The unexpectedly short tenure of the incoming Chair appointed on 01 August 2025 and a reduction in NED numbers tested quoracy, though this was maintained throughout. This year the Board prioritised in-person meetings with four out of seven taking place in person.
The incoming Chair brought timely and valuable skills, particularly experience of ministerial-level engagement, which proved significant during the ALB review. This reinforced the importance of a broad and relevant skills base at Board level. Recruitment re-commenced promptly and the Interim Chair was actively involved in that process. Future Board appointments and the skills matrix will now include digital, data and AI capabilities to ensure the Board can effectively oversee risks to our strategic objectives. This will be a priority following the appointment of our new Chair of the Board, which was competed on 1 May 2026. All Board members' performance continues to be appraised annually.
Board effectiveness review
The Board and Committees routinely consider effectiveness at the end of each meeting. A Board effectiveness self-evaluation was completed during 2025 to 2026, complemented by an independent advisory review conducted by internal audit in quarter 4. The advisory review was designed to provide objective observations on current effectiveness and recommendations for improvement, covering:
- leadership and culture
- Board composition
- Board decision making
- Board committees
- risk management
- partnership working and stakeholder engagement
The findings were discussed at the Board meeting on 31 March 2026 and shared with our DHSC Sponsor. The review confirmed that the Board had remained effective during a period when its resilience was challenged by unexpected vacancies and noted that consultation with the Board had increased during NED recruitment. However, work to review the skills profile of the Board will be completed once the Board is at full complement, including the use of the Insights Discovery psychometric tool to support team dynamics.
Actions to be taken following full Board recruitment include:
- reviewing KPIs to ensure they are clearly aligned to strategic objectives, enabling the Board to track progress against the 2026 to 2029 Strategy more directly
- focusing Board-level risk oversight on strategic risks, with clearer ownership and linkage to performance reporting
- developing and implementing a stakeholder management plan
- completing a formal Board skills matrix, development plan and succession plan
The full programme of follow-up actions will be overseen by PREMCO during 2026 to 2027, with findings from the effectiveness review also considered in NED and Chair appraisals.
Workforce engagement
Board members engaged with staff throughout the year through written updates shared via an internal virtual platform following each Board meeting, and through periodic workplace visits. The Board Apprentice was unable to actively participate during the year, and the programme concluded on 31 December 2025, with no current plans to renew this. The Board will consider future arrangements for engagement when it returns to full strength.
Internal Audits
The Board received updates during the year on the progress of the internal audit plan, and implementation of follow-up recommendations. The Board noted the observations of the ARAC concerning a number of internal audit reports and in particular had discussion on the areas listed below.
| Audit title | Assurance rating | Number and priority of actions | Nature of discussion and improvements agreed |
|---|---|---|---|
| Data security and protection toolkit | Moderate | 2 low | The overall risk was identified as low with some improvements suggested to strengthen the overall governance and risk framework |
| Financial Performance | Moderate | 3 medium | Inclusion of additional financial metrics to provide deeper insights into financial performance and aid in strategic decision-making |
| Insider Risk | Moderate | 1 medium, 2 low | Improvements in specific areas to enhance overall data protection and risk management |
| Project Athena review – (advisory) | Advisory | 11 suggestions intended to benefit quality Assurance, documentation processes, and continuing to explore more advanced techniques to increase their effectiveness | |
| Fraud Hub | Substantial | 3 low | Minor improvements to strengthen control and enhance communication of strategy and objectives, the management of operating procedures and the measurement of internal productivity and efficiency |
| Board Effectiveness | Advisory | 5 suggestions for areas of improvement which have been accepted | |
The ARAC formally received the following audit reports on 4 June 2026
- Effectiveness of risk management - limited assurance
- Workforce Planning - moderate assurance
A range of suggested improvements will be introduced next year as a result of the insight provided from audits, these can be found in the respective areas under internal controls and risk management and are summarised in the overall statement of effectiveness of internal controls in the Accountability Report.
Annual Internal Audit opinion
Internal Audit services are provided Government Internal Audit Agency (GIAA). The progress of the internal audit programme and implementation status of Internal audit recommendations made are tracked throughout the year and reported to the ARAC. The ARAC received the following Head of Internal Audit opinion:
In accordance with the requirements of the Global Internal Audit Standards in the UK Public Sector, I provide the Accounting Officer (AO) and the Audit and Risk Committee with my annual opinion on the adequacy and effectiveness of the organisation's risk management, control and governance arrangements. My opinion supports the AO's Governance Statement. However, the AO retains personal responsibility for risk management, governance and control processes.
Basis for opinion
The 2023 revised ‘Orange Book: Management of risks - Principles and Concepts’ introduced the Risk Control Framework (RCF) as a basis for AOs to navigate and gain assurance on the design and application of controls to mitigate risks to tolerance. It is also referenced in the Financial Reporting Manual (the FReM) guidance on Governance Statements. To support the AO, my annual opinion report is now presented in accordance with the areas and sub-areas of the RCF based on an analysis of our work.
Annual opinion
Internal audit annual opinion and risk control framework pillars Opinion Moderate Some improvements are required to enhance the adequacy and effectiveness of the framework of governance, risk management and control. By risk control framework pillar Governance and management framework Roles and Accountabilities Strategy, Planning and Reporting Standards, Policies and Procedures I am providing an overall ‘Moderate’ opinion on the framework of governance, risk management and control within the NHSCFA for the financial year ended 31 March 2026 that reflects the audit plan agreed and is not limited in scope, to the extent that the assurance provided by internal audit can never be absolute.
NHSCFA Board and Committee Member Appointments and attendance records 2025 to 2026
| Board Member Appointment Date |
Title | 29/05 2025 |
27/06 2025 |
30/07 2025 |
29/09 2025 |
27/11 2025 |
19/02 2026 |
31/03 2026 |
|---|---|---|---|---|---|---|---|---|
| Alex Rothwell 01/11/2021 |
Chief Executive Officer | Y | Y | Y | Y | Y | Y | Y |
| Alyson Coates 01/04/2021 |
PREMCO Chair Non-Executive Director |
Y | N | Y | Y | Y | Y | Y |
| Andrew Flanagan 01/04/2021 to 17/11/2025 |
ARAC Chair Non-Executive Director |
Y | Y | Y | Y | |||
| Angela Dragone 01/01/2025 |
Non-Executive Director | Y | Y | Y | Y | Y | Y | Y |
| Gaon Hart* 01/04/2021 |
Interim Board Chair Non-Executive Director |
Y | Y | Y | Y | Y | Y | Y |
| Jon Hayes 01/02/2025 |
ARAC Chair Non-Executive Director |
Y | Y | Y | Y | Y | Y | Y |
| Dame Linda Pollard 01/08/2025 to 27/11/2025 |
Board Chair Non-Executive Director |
Y | ||||||
| Matthew Jordan-Boyd 30/01/2018 |
Executive Director of Finance and Corporate Resources | Y | Y | Y | Y | Y | Y | Y |
| Tricia Morrison 15/06/2020 |
Executive Director, Strategy, Operations and Data Analytics | N | Y | Y | Y | N | Y | Y |
*Gaon Hart served as Interim Chair from 01/04/2025 to 31/07/2025, and from 27/11/2025 onwards. Empty cells indicate not in post at material time.
NHSCFA Audit and Risk Assurance Committee (ARAC)
The ARAC is comprised of three Non-Executive Board members. Between 01 April 2025 to 30 October 2025 it was chaired by Andrew Flanagan and from 31 October 2025 it was chaired by Jon Hayes. Both of whom who had recent and relevant financial experience. The ARAC reviews our internal control arrangements and the adequacy of all aspects of our risk management, governance and assurance and audit mechanisms. This includes the review and appraisal of:
- financial management
- the annual internal audit plan
- reports made by our external and internal auditors
- the implementation of audit recommendations
- our assurance maps and Board Assurance Reports
- the maintenance of our risk register
- the Annual Report and Accounts
This year detailed areas of oversight and scrutiny noted by the ARAC included:
- development of our Board Assurance Framework (BAF) strategic risk reporting
- progress against our mandatory training requirements
- declarations of interests and guidance to our people on our Standards of Business Conduct policy
- Government Functional Standards adoption report
- cyber security reports
The ARAC has regularly scrutinised corporate risks and issues, including ratings and the adequacy of mitigating actions and control measures. The ARAC continued to receive enhanced summary strategic risk reporting with the provision of detailed supplementary risk appendix reports. The Committee reviewed the NHSCFA risk appetite statement in the context of the wider environment and risk landscape and further considered the NHSCFA fraud risk appetite and internal counter fraud arrangements.
This year the ARAC completed a self-assessment effectiveness review using the National Audit Office (NAO) effectiveness tool, with no significant concerns raised, but some minor improvement points to be taken forwards.
The ARAC considered in detail the findings of all internal audit reports, noting the assurance levels. The ARAC considered the management response to these and plans to implement recommended improvements. The ARAC received reports on the final internal audit engagements of the year in respect of Board Effectiveness and Effectiveness of Risk Management reports and discussions in 2026 to 2027 The ARAC presented an annual report to the Board on 31 March 2026.
ARAC Membership and attendance table 2025 to 2026
| Name | 23/06/2025 | 16/09/2025 | 17/12/2025 | 18/03/2026 |
|---|---|---|---|---|
| Andrew Flanagan Committee Chair up to 16/9/2025 |
Y | Y | N | N |
| Angela Dragone, Non-Executive Director |
Y | Y | Y | Y |
| Jon Hayes* Non-Executive Director, Chair from 17/12/2025 |
Y | Y | Y | Y |
| Alex Rothwell** Chief Executive Officer |
Y | Y | Y | Y |
| Matthew Jordan-Boyd** Executive Director of Finance and Corporate Resources |
Y | N | Y | Y |
*Jon Hayes was appointed as Chair of the ARAC from September 2025. **indicates attendee.
The Committee is committed to continuing to develop its function and effectiveness and intends seeking further assurance in 2026 to 2027 in respect of its annual cycle of business, and review and development of its strategic risks aligned with the 2026 to 2029 NHSCFA Strategy.
NHSCFA People, Remuneration and Nominations Committee (PREMCO)
The PREMCO is comprised of three Non-Executive Board members and it is chaired by Alyson Coates. The PREMCO oversees contractual and remuneration issues concerning the CEO and Executive Directors and provides assurance to the Board on NHSCFA people and workforce development arrangements. During the year 2025 to 2026, the PREMCO received assurances on the monitoring of the CEO's personal objectives, those of the Executive Director of Finance and Corporate Resources and Executive Director of Strategy, Operations & Data Analytics, as well as those of the Interim Board Chair and NEDs. The committee has also discussed and challenged reports in the following important areas of our work, including:
- progress of the People and Workforce Development (PWD) Strategy
- our equality, diversity and inclusion aspirations
- significant findings from the workforce Spotlight survey and follow-up action
- hybrid/homeworking arrangements review
- areas to note from people workforce data and analysis,
The committee provided valuable feedback on:
- the workforce data report dashboard
- ·the Freedom to Speak Up initiative and plans for Freedom to Speak Up Guardian recruitment
- analysis of workforce leavers by category
- detailed breakdown of statutory and mandatory training
- recruitment policies and plans, and arrangement for skills development planning for business critical posts
- Board development programme and arrangements for assessment of values and behaviours at board level
The Committee regularly reviews risks linked to the workforce where members consider each risk via a ‘people focused lens’. Key issues considered included workforce wellbeing, succession planning and recruitment challenges, hybrid working arrangements and consideration of the cultural diagnostic exercise.
The Committee provided advice and feedback on the recruitment, skills and experience of the Board and NEDs, however, the Committee was unable to progress skills mapping and NED composition advice in the absence of a substantive Chair of the Board.
The PREMCO undertook a self-assessment of committee effectiveness during the period and provided assurance on matters within its remit via the PREMCO Annual Report, which was presented to Board on 19 February 2026. The Committee is committed to continuing to develop its function and effectiveness and intends seeking further assurance in 2026 to 2027, particularly in respect of the new operating model.
PREMCO Membership and attendance table 2025 to 2026
| Name | 28/04/2025 | 11/07/2025 | 10/10/2025 | 27/01/2026 |
|---|---|---|---|---|
| Alyson Coates Committee Chair |
Y | Y | Y | Y |
| Angela Dragone Non-Executive Director |
Y | Y | Y | Y |
| Jon Hayes* Non-Executive Director |
Y | Y | Y | N |
| Alex Rothwell** Chief Executive Officer |
Y | Y | Y | Y |
| Matthew Jordan-Boyd** Executive Director of Finance and Corporate Resources |
N | Y | Y | N |
*Jon Hayes was appointed as Chair of the ARAC and ceased to be a Member of the PREMCO in October 2025. **indicates attendee.
Internal controls
Together these underpin our organisational culture and integrity, support the meeting of objectives and inform our leaders and managers on strategic and operational risks.
A description of risks that have or will affect meeting of objectives is set out in the performance report. Our response to these challenges during the year, the effect on service delivery, and how we will approach mitigating these risks are discussed in the Performance Analysis section.
A description of the organisation's process for review and the main features which support regular monitoring are described under each feature below. Planned enhancement to our internal control arrangements are described throughout this section and summarised in our overall review of effectiveness of controls.
Risk Management
The NHSCFA's approach to risk management complies with HM Government's Orange Book – Management of Risk – Principles and Concepts, and with the five principles set out therein. This section describes our risk management framework, and the improvements made to our approach during the year.
Framework and structures
Responsibility for risk management is embedded across the organisation. Managers identify, evaluate and manage operational, principal and emerging risks within their areas and escalate these to Performance and Assurance Panels (PAPs), where performance trajectories against targets and emerging risks were formally reviewed on a quarterly basis. Time-critical decisions are escalated to senior or executive management as required.
The Risk Register Review Group (RRRG) provided active oversight of corporate and emerging risks throughout the year. It draws on discussions from PAPs, gap analysis, and intelligence from the horizon scanning working group and strategic stakeholder engagement to take decisions on whether risks should be monitored, escalated to the Audit and Risk Assurance Committee (ARAC) or Board, or referred to DHSC. This integrated approach supports timely and informed risk management across the organisation.
The overall risk profile informs the annual review of our risk appetite statement, which was monitored and updated throughout the year to reflect changes in the operating environment, including geopolitical events and shifting political priorities that may affect our strategic objectives.
Improvements made during 2025 to 2026
During the year we supported our risk management framework through the following actions:
- mandatory risk awareness training was released for all staff, improving risk literacy across the organisation
- direct monthly engagement with risk owners and managers was introduced, ensuring risks are actively owned and regularly reviewed rather than passively recorded
- oversight of risk management was incorporated into the Executive Assurance Panels, providing an additional layer of assurance.
- formal reporting to the ARAC was strengthened through the introduction of the RRRG Chair’s Assurance Report
- reporting of strategic risks was developed and extended through the Board Assurance Framework (BAF, these are reflected in the performance section
- enhancements were made to the reporting format for strategic, corporate and emerging risks to ensure relevant data is effectively captured and communicated to the ARAC
An internal audit reviewed the effectiveness of our risk management and internal control systems during the year. Improvements agreed for implementation will centre on improving the application of our risk management policy and guidance. This will include greater overview of risks managed across projects and in response to International Organization for Standardization (ISO) accreditations.
New risks identified during the reporting period are summarised in the Performance Report. This section also sets out the links between these risks and the strategic pillars against which we are accountable for delivery, the mitigations in place, and the overall direction of travel.
No relevant ministerial directions have been given during the period and there have been no significant lapses of protective security.
We continue to assess the potential impact of climate change on our organisation. Currently, neither our operating model nor the threat of economic crime against the NHS is location or climate dependent. As such, climate change is not considered a principal risk to our core objectives and deliverables. Nonetheless, we remain committed to monitoring climate-related impacts through our business continuity planning and to taking action to reduce our environmental footprint.
Assurance mapping
The NHSCFA operates an assurance mapping approach, following the three lines of defence model set out in HM Government’s The Orange Book; Management of Risk, Principles and Concepts.
Our assurance mapping and governance and management frameworks are aligned to our organisation structure and provide for ongoing alignment to the government functional standards and continuous improvement approach. Detailed ratings guidance issued to our leadership team, and peer review, supports the consistent application, moderation and challenge of assurance ratings.
We have reviewed our assurance mapping arrangements given the increased maturity in our governance approaches across all areas of operation. During the year we reviewed plans for a phased redesign of the map and supporting processes, taking account of effective practice seen across the wider public sector and a proportionate response given the scale of our organisation, and we consolidated our assurance mapping into our strategic risk reporting to reflect this maturity.
Periodic review of assurance mapping, as well as internal audit findings, are used to identify any assurance gaps, informing conversations around our annual internal audit plan.
Corporate performance assurance, project management, integrated planning
Operation of our performance management arrangements with oversight by the Board continued in 2025 to 2026. Managers met regularly to review performance trajectories against targets and emerging risks and formally reported quarterly to the Performance and Assurance Panels (PAPs), where clear pathways existed for the escalation of risk. During the year we piloted changes to enhance the quality of management assurance and challenge, with the introduction of associate director meetings and Executive Assurance Panels, intended to align to our risk framework to provide clear escalation pathways.
The organisation operates bespoke governance frameworks for corporate projects, with simplified arrangements for smaller projects. During the year we assessed our arrangements aligned to Government Functional Standard GovS02: Project Delivery, to benchmark our aspirations and improvements. Corporate project boards, established project management roles, consistent but flexible project management practices, tools and resources, and the development of our programme framework and project assurance charter, assure the health of all project boards.
Our integrated business planning process initiates corporate projects, using a prioritisation scoring matrix for project proposals, which are then governed by a combination of project boards, highlight reports and strategic updates during the performance cycle and accountability process. Accountability and visibility are ensured via the organisation's performance, programmes, and portfolio management system.
Our Operational Infrastructure Programme Board was implemented to provide structured oversight of operational systems commissioning.
Bespoke governance arrangements have been implemented to oversee the organisation's transformational portfolio of work, with a Sponsor Group, Programme Boards, and a Transformation Governance and Risk Group (TGRG), ensuring the effective oversight and management of risk arising from NHSCFA Transformation Programme Boards where there is a cross organisational effect on core strategic aims, operational or support functions. The TGRG and RRRG consider, evaluate and escalate governance and risk issues ensuring they are highlighted via the Summary Strategic Risk Report to the ARAC.
A self assessment review of performance against the suite of government functional standards was competed.
Integrated data assurance framework
Our integrated data assurance and control framework aligns our Data Strategy and data quality management arrangements. Robust methodologies ensure the integrity of our performance and operational management data. Our expert reference forum, the Data Strategy Group (DSG), reviews procedures and escalates issues and risks around access to data and approves submitted technical appendices to ensure the robustness of all formal metrics within the NHSCFA. Where appropriate, the Board receives progress reports on the operation of the DSG, including data acquisition and data related opportunities for joint-working and engagement across government and between arm's length bodies and insights from the Control Strategy and Strategic Tasking and Co-ordination Group (CSSTCG). Each year a self-review forms part of the DSG scheduled activities, and during 2025 to 2026 this included preparation to incorporate the Government Functional Standard GovS10: Analysis, to ensure analytical best practice will be embedded across all our activities.
Financial control framework
Our financial control framework supports the organisation in meeting its commitments in a sustainable manner while ensuring value for money across all areas of expenditure. This framework encompasses a comprehensive set of policies, procedures and internal controls designed to safeguard assets, mitigate risks, and promote transparency and accountability in our financial operations. The main elements of the framework are:
- internal control environment: including clear delineation of roles and responsibilities, segregation of duties and a range of policies, procedures and practices designed to ensure the accuracy, completeness and reliability of financial reporting
- Standing Financial Instructions, Standing Orders, and Scheme of Delegation, which form part of our control environment
- opportunities to secure additional funding are identified to achieve best financial outcomes
- financial balance is achieved by aligning financial and workforce planning
- monitoring and review: we continuously monitor and review our financial control environment and financial position to assess its effectiveness and identify opportunities for improvement. This includes monthly finance assurance meetings to review and assess the risk of the financial position with accountable budget holders
- service line reporting, aligned to the delivery of our business functions via our new operating model and corporate projects, support planning, effective cost analysis, and control
- communication: we maintain effective channels of communication to ensure timely dissemination of financial information to relevant stakeholders, including management, the Board, ARAC and external auditors
- risk assessment: we conduct regular risk assessments to identify and evaluate potential risks that may impact our financial objectives. These assessments inform our control activities and help us prioritise funding allocation to mitigate the most significant risks effectively and are reported to ARAC
During the year, we continued to perform strongly, supported by robust financial controls and a high level of assurance across our processes. The introduction of the new monthly Executive Assurance Panel meetings provides an additional layer of reporting, scrutiny, and accountability, further strengthening our oversight.
We continued to review the effectiveness of our financial control framework through internal audits, finance assurance meetings, and regular engagement with external auditors. This work has enabled us to enhance the clarity and usefulness of our reporting dashboards, supporting more informed and timely decision making.
The budget holder training programme is now embedded as an annual cycle designed to strengthen financial capability and support consistent compliance with our control framework. This ongoing approach ensures that staff remain equipped to make value conscious decisions and maintain strong financial stewardship.
Procurement governance
Our governance arrangements around procurement and contract management are an area where we have achieved greater maturity. Procedural guidance documents clearly link to our Standing Orders (SOs), Standing Financial Instructions (SFIs) and contract amounts requiring Board approval, which we have reviewed during the year.
We have continued to embed the strengthened procurement and contract management arrangements developed and introduced in the previous year. Updated procedural guidance, tools and templates are now fully operational, providing clearer expectations, approval routes and improved visibility of contracts requiring management oversight. Internal training has been delivered to improve organisational knowledge and competency around the procurement process.
The enhanced contract risk tiering methodology has been successfully implemented across all new procurements and retrospectively applied to existing contracts. This has enabled earlier identification of higher risk contracts and more proportionate allocation of commercial oversight.
Increased specialist commercial support has improved the robustness of our specifications, market engagement, and evaluation processes. This has contributed to stronger value for money assurance, reduced procurement cycle times, and improved contract handover into business areas.
Closer alignment to financial data and processes has been embedded supported by quarterly reporting, providing increased organisational confidence in meeting statutory, regulatory, and financial obligations while strengthening accountability for procurement and contract delivery outcomes.
Over the coming year we will continue to refine these processes, focusing on data quality, contract performance reporting, and strategic supplier management to further enhance the maturity of our procurement governance arrangements.
Managing conflicts of interests, gifts and hospitality
Integrity and impartiality are paramount to us. Declarations of interest, gifts, hospitality or outside engagements, including nil returns, are requested annually as detailed within the NHSCFA Standards of Business Conduct policy which applies across the organisation. Declarations made by members of the Board are published externally. Each Board and Committee meeting has a standard agenda item to note any changes.
During the year we maintained our control environment by requiring declarations of interests for prospective employees at offer stage and confirming them through our induction processes to ensure awareness and compliance by our people.
Declarations are reviewed to confirm there is no conflict of interest, and considered as part of our procurement procedures, including for procurements under £10K. Declarations of loyalty conflicts and recusal from decision making are integral to our arrangements, including operational decision making.
Data protection and freedom of information
As a special health authority, the NHSCFA is subject to the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018. Appropriate notifications have been filed with the ICO. This means that all Data Subject Access Requests are responded to within the requirements of UK Data Protection legislation, typically within a calendar month.
During 2025 to 2026 we dealt with
10 Data Subject Access Requests
all were responded to within the required timeframe, once the requestor had provided proof of their identity
The NHSCFA is also subject to the requirements of the Freedom of Information Act (FOI) 2000. This means that all requests for information are responded to within the provisions of the Act, typically within 20 working days.
During 2025 to 2026 we dealt with
35 Freedom of Information Requests
all were responded to within the required timeframe
There was no significant change in our performance in responding to requests this year compared to previous year, when all requests also met required timescales.
Information governance framework, including data breaches
The NHSCFA has maintained a robust Information Governance Framework, including established policies, to ensure effective processes and procedures are in place to protect both confidential personal data and sensitive business information. All data breaches are tracked and escalated if required.
Issues relating to information security within the NHSCFA are coordinated by the Information Security Forum which is attended by our Senior Information Risk Owner (SIRO). The remit of the SIRO is to take ownership of the NHSCFA's information risks, act as advocate for the management of information risk, and provide written advice to the Accounting Officer on the content of the Governance Statement with regard to information risk.
During 2025 to 2026 there were 15 information governance personal data related incidents reported and recorded. No incidents were reported to the Information Commissioner's Office (ICO).
Each year, the NHSCFA completes the NHS wide Data Security and Protection Toolkit (DSPT) review which is based on the National Data Guardian's 10 data security standards. Our return was submitted at the end of June 2025 and independently audited by Government Internal Audit Agency (GIAA). Compliance updates are provided to the ARAC and Board under our audit implementation arrangements.
Counter fraud and anti-bribery arrangements
Our internal policies and procedures explain how to report allegations of suspected fraud, bribery or corruption. We continue to develop and enhance our internal prevention controls using approved fraud risk assessment methodologies.
The NHSCFA has a counter fraud action plan that sets out risk based delivery of counter fraud activity for the year, in alignment with the GovS013 Counter Fraud Standard. We reported progress against our plan to the ARAC during the year.
New employees receive anti-fraud, bribery and corruption training during onboarding. This is reinforced with fraud awareness communications during the year, with activities based on identified risks and emerging threats, such as cyber enabled fraud.
During 2025 to 2026, two recruitment related referrals were received. Both were assessed on receipt and referred to human resources for review, as they fell within their remit. Arrangements were in place for escalation to LCFS if further issues were identified. Neither referral progressed to an LCFS investigation. Separately, two non-fraudulent salary related overpayments totalling £1,606.78 were identified as loss or error as detailed in the accounts.
Whistleblowing/Freedom to Speak Up
Following the establishment of the Freedom to Speak Up (FTSU) initiative, there has been regular communication within the organisation to maintain awareness and visibility. This awareness raising led to the successful recruitment of a new Freedom to Speak Up Guardian which has enabled continuation in offering this important service. Anonymous and confidential reporting mechanisms are in place for staff, not only for raising concerns but also when things are going well and could be even better. Staff and managers are supported in raising, listening to and following through when issues are raised.
During 2025 to 2026 no internal concerns were raised through our Freedom to Speak Up Guardian and associated reporting routes.
The FTSU service plays a key role alongside other employee engagement routes, such as through our employee resource groups where we encourage openness, provide safe spaces to listen and act to help staff fully contribute to the work of NHSCFA.
Complaints
Our NHSCFA Complaints Policy outlines our approach to handling and responding to complaints against our organisation, including routes for escalation. This policy can be found at Making a Complaint | Corporate and information governance | NHS Counter Fraud Authority
Complaints provide us with a valuable opportunity for the NHSCFA to identify areas for continuous improvement to enhance our service to the public and our stakeholders. During 2025 to 2026 we received 4 formal Stage 1 complaints. 3 complaints were concluded during the year and were resolved within an average of 18.3 working days, well within the policy standard of 25 working days. (An increase on the average of 14 working days in 2024 to 2025). One complaint remained open at year end. This complaint was subject to a wider review beyond the usual scope of the complaints process and as a result has been excluded from the year's timeliness calculations.
One complaint was escalated to Stage 2 of the complaints process and was resolved within three working days. There were no known referrals to the Parliamentary and Health Service Ombudsman (PHSO) during 2025 to 2026.
Additionally, 40 enquiries outside our complaints remit were received and managed, offering signposting and guidance to the public. This was an increase from 19 during 2024 to 2025.
We remain committed to learning from complaints and feedback, using insight gained to strengthen internal processes and support continual service improvement.
Public Interest Disclosure Act
The NHSCFA is classified as a ‘Prescribed Person’ under Public Interest Disclosure legislation. Our Annual Report, detailing relevant activity in respect of this responsibility can be accessed here on our website.
Overall review of effectiveness of controls
As Accounting Officer, I have responsibility for reviewing the effectiveness of our internal controls. I have examined the information provided to me regarding the scope of performance reporting, financial management, risk management and information governance and assurance reports. I have considered the opinion of our internal auditors. I have also discussed this with our Board, the ARAC and the executive management of the organisation.
We continue to embed robust and proportionate governance so that risks to delivery of our strategic counter fraud aspiration will continue to be well-managed through the next strategic period.
Areas of focus for the year ahead include but are not limited to:
- ongoing review and development of strategic risks aligned with the 2026 to 2029 NHSCFA's Strategy
- systematic evaluation of risks presented to the Board and committees to ensure alignment with the Strategy and longer term aims
- enhancing governance and defining the scope of our workforce planning activities, documented regular review of strategic workforce risks, critical role analysis and arrangements for digital and technical skills development planning
- enhanced financial performance measures including forecast accuracy, risks, operational efficiencies, and value-for-money metrics, especially for high-risk programs
- embedding the changes to our corporate governance framework and extending NED oversight, for example by aligned risk and assurance reporting from associate director meetings and Executive Assurance Panels to the F&P
- robust effectiveness reviews of our risk oversight groups and governance mechanisms
- introduction of efficiency and productivity metrics where proportionate
- continued focus on process improvement to support these areas
We will continue with horizon scanning, advanced analytical approaches, partnerships and engagement, and strategic planning which enable us to respond with agility to a changing threat landscape.
Alex Rothwell
Chief Executive Officer
Date: 1st July 2026