Executive summary

An overview of the report, providing NHSCFA’s opinion of NHS organisations’ financial governance, assurance and fraud risk management for the periods examined as part of the Covid-19 post event assurance exercise.


NHS organisations demonstrated prudent application of governance and financial risk management during the Covid-19 pandemic.

Good

Our classification system is defined in appendix 3 of this report.


The vision of the NHS Counter Fraud Authority (NHSCFA) is to lead and proactively support the NHS to understand, find, prevent, and respond to fraud.

The Covid-19 pandemic placed the NHS and UK government under extreme operational and financial pressures. In line with the government programme of work to scrutinise centralised spending, the Health Sector Counter Fraud Board (CFB) tasked NHSCFA to lead a Post Event Assurance (PEA) exercise on local NHS healthcare spend during the pandemic response. This work would be unlike anything NHSCFA had previously undertaken.

The Counter Fraud Board is chaired by the Department of Health and Social Care and draws together key national organisations, including NHSCFA, NHS Business Services Authority and NHS England and NHS Improvement, with representation from Cabinet Office for strategic oversight of all NHS counter fraud activity.

NHSCFA set out to understand the true nature and potential value of procurement fraud risks associated with Covid-19. The unique nature of the pandemic and the subsequent need for an immediate response put extreme pressure on procurement practices. It was therefore important to capture behaviours locally during the emergency management response.

It would not have been possible for NHSCFA to undertake this work without the assistance and participation of NHS provider organisations and their Local Counter Fraud Specialists (LCFSs). NHSCFA is grateful to all those organisations and their staff for their work in this assurance exercise.


It is our opinion that despite the mounting operational pressures, the vast majority of NHS organisations maintained good levels of financial governance, assurance, transparency, and fraud risk management for the periods examined as part of the Covid-19 PEA.

There were a small number of instances within a small number of NHS organisations where performance could be improved. This opinion is based on our assessment of NHS organisations’ performance in response to instructions on financial activity during Covid-19. The Cabinet Office issues guidance in the form of Procurement Policy Notes (PPNs), which bring together best practice on public sector procurement. Our exercise looked to test NHS organisations against three PPNs issued in the early stages of the pandemic. Our focus was on the areas of direct award of contracts and supplier relief payments (SRPs).

We also identified proactive activity at a local NHS organisational level that was taken to avoid identified risks when taking on new suppliers. The impact was evaluated where supplier contracts (either in the process of being onboarded, or under active consideration) were cancelled and/or payments clawed back due to an identified risk, following information/intelligence received, or due diligence undertaken. In this respect, NHSCFA identified £10m savings.

Notable areas of good practice

It is acknowledged that risk appetite and control frameworks will shift during an emergency management situation. Our assurance exercise demonstrated that the vast majority of the NHS organisations maintained good record keeping as stipulated within the direct award and supplier relief payments guidance.

Where this PEA exercise identified failures of internal controls, they were mostly attributed to a small number of NHS organisations with unique circumstantial contexts. NHSCFA will be providing individualised feedback to all participating NHS organisations in 2022-2023 and will work in collaboration to address the identified issues. This should not however distract from the prudent application of fraud risk management protocols largely applied throughout the NHS provider sector.

Notable areas of improvement

Two key themes were identified to have shifted the ability to mitigate fraud risk in procurement activity locally: routes to market and management of contracts. The urgency posed by the pandemic forced NHS organisations to accept new additional risks in the form of new overseas procurement routes, use of multiple intermediaries and inflated prices. The PEA also exposed a lack of centralised support and coordination for NHS organisations in sourcing and procuring ventilators and medical clothing.

Whilst the proportion of supplier contracts both in receipt of SRPs and directly awarded – which demonstrated no evidence of records of decisions / agreements made – was low, there is an opportunity for all NHS organisations to ensure that there are adequate provisions to undertake such activity, and a suitable platform to record such decisions. This is likely to derive from standard operating procedures (SOPs), and a contract management software platform.

Equally, it is important for organisations to provide the capability to their staff to record risk assessments relating to contractual activity (more specifically, advance payments relating to SRPs). Again, this is likely to derive from a contract management software platform.

The low level of due diligence undertaken on new suppliers is concerning. When entering a contract with an unknown entity, it is paramount to understand what risks lie within the contractual relationship. When no due diligence is undertaken on a new supplier, a contracting authority is accepting a high level of risk by entering into the unknown. It is important for NHS organisations to build a capacity of commercial due diligence – a function that NHSCFA has previously raised concern over. It is however acknowledged that in an emergency management situation, it may be necessary to accept higher levels of risks.

There were common trends of contracting authorities not undertaking adequate due diligence on SRPs, as well as failing to manage internal records on key decisions and the suppliers failing to use SRPs in the manner intended. These outcomes highlight the importance of contracting authorities applying basic principles of risk management (as set out in PPN 02/20), even during an emergency management situation. Effective management of internal controls under normal circumstances will impact an organisation’s ability to apply basic risk management protocols in an emergency management scenario, such as the Covid-19 pandemic. It is therefore recommended that NHS organisations continue to implement and review the appropriateness of their fraud risk management regime. Again, NHSCFA will work collaboratively with NHS organisations to achieve this.
