
Audit finds significant fraud risks in HSE payroll system

The confidential report warned of the 'potential for fraud risks' being overlooked by the HSE (Stock image)

There are significant risks of fraud in the Health Service Executive's payroll systems, which oversee multi-billion euro payments annually, due to weaknesses in oversight, risk assessment and staff training, according to an internal audit report.

The confidential report, released under Freedom of Information legislation, concluded that the adequacy and effectiveness of measures used by the HSE to detect and quantify fraud risk in its payroll operations is "limited."

It warned that there is "potential for fraud risks being overlooked" by the HSE due to the absence of a structured way of identifying and mapping the main risks in its payroll systems.

The report said the payroll systems as currently structured could also allow unapproved salary rates to be paid over an extended period of time.

Auditors noted that 3.2 million payments to 190,000 staff and pensioners totalling €8.5 billion in 2023 made the HSE's payroll services a significant target for theft and fraud.

Although many controls are appropriate, the report said some specific assessment of fraud risk is "reactive", while many mitigation controls were "implicit rather than explicit."

The audit said improvement was required and needed "a holistic approach" as many controls cross various operations of the HSE including HR, finance, line management and ICT.

"The HSE does not incorporate a fraud risk assessment in its approach to fraud risk management. This needs to be a live process, not just a statement, to ensure that it is useful," the report noted.

Auditors also recommended that the testing of plans for an IT system failure needs to be a routine process within the HSE in case of future cyber attacks.

They warned that the risk of service interruption and criminal exploitation is increased if there is an over-reliance on untested business continuity plans.

The audit report also identified that there is no training programme to help payroll staff recognise and report suspected irregularities.

Auditors identified the main risks as mostly relating to the integrity and security of information on which payroll is based as well as the security of manual and electronic processes for transferring money.

A separate report also addressed the issue of payroll overpayments, with new overpayments increasing annually from €2 million in 2016 to €12.7 million in 2023.

While auditors said losses from overpayments were not as a result of fraud "per se", they said the upward trend was a concern.

"It is an area of risk that may weaken the control environment and may reduce the probability of a full recovery in cases of irregularity," they added.

They said overpayments posed a risk of both financial loss and reputational damage.

The report acknowledged that over €8 million of overpayments was recovered in 2023 - an annual increase of over 50%.

The audit noted there were new overpayments of €5.5 million up to May 2024, of which €3 million related to employees, €1 million to pensioners and €1.1 million to deceased recipients.

Details of many specific areas identified by HSE auditors as needing improvement were redacted on security grounds.

In response to the audit report, the HSE said its recommendations would be addressed through a formal project which would be implemented by June 2026.

All three recommendations were classified as "medium" and "potentially systemic."