1. Introduction

Crossrail is the largest infrastructure project in Europe. Costing £14.8bn it connects 40 stations running from Reading in the west, to Shenfield and Abbey Wood in the east through 42kms of newly construction tunnels underneath central and south east London.
The Elizabeth line, as the new line will be called, will, for the first time, connect Europe’s busiest airport, Heathrow, with the key employment hubs – the West End, the City of London and Canary Wharf on one rail line. It provides 10 new stations, nine of which are in central London. Within the central section 24 trains per hour will operate in both directions enabling 200m journeys per year providing a 10% increase in London’s rail capacity
A project of this scale attracts attention in many ways, including people attempting to commit fraud. Crossrail Limited therefore took action from the outset to prevent and mitigate the risk of fraud occurring on the programme.

2. The Fraud Risk

According to Grant Thornton[1], fraud and corruption remains commonplace in the UK construction industry. The Chartered Institute of Loss Adjusters produced a report in 2011 stating that fraud in construction in the UK was estimated at 10% of the total revenue of £6.5bn, or an average of £40,000 per company per year.
Krolls’s 2013/2014 Global Fraud Report[2] concurred with the above conclusions, citing the construction industry as having the highest incidence of management conflict of interest at 34%. The sector was also quoted as having the second highest rate of corruption at 18%, and market collusion at 13%.
Fraud was therefore identified as a strategic risk for the Crossrail Project; a risk that is owned by the Crossrail Finance Director.

What was the Risk to Crossrail?

A funding envelope of £14.8bn was agreed to deliver the Crossrail Project in October 2010. Therefore, due to the size of the project, it is a potential target for attempted fraud. Attempted fraud from external threats has been a regular occurrence at Crossrail as it is in all large organisations.
For Crossrail, the most common form of attempted fraud has been ‘bank mandate’ fraud. This can occur when someone tries to get a member of staff of a targeted organisation to change a direct debit, standing order or bank transfer mandate, by purporting to be an organisation to which regular payments are already made. For example, this could be a subscription or membership organisation, or one of the many regular business suppliers such as a Tier 1 contractor.
Examples of how this type of fraud have manifested on Crossrail have included the following;

• Crossrail is contacted by someone pretending to be an existing supplier and told they have changed their bank and request the direct debit be amended to reflect this.
• Employees, usually in the finance team, are contacted by an external fraudster claiming to be from the Crossrail Chief Executive or Chairman. They are requested to make a payment that day, often to an overseas account.
• Employees are contacted by external fraudsters by phishing emails. The purpose is social engineering, i.e. just to elicit a response from an employee. These emails take many forms, but any response from a Crossrail employee helps the fraudster make contact, from which the employee is ‘groomed’ for more information about the project.

Fraud Risk Mitigation

In order to mitigate the risk of fraud, processes were put in place from the beginning of the works to detect and manage these threats. A key element of this was implementing a system whereby Crossrail always checks with the organisation involved if there really are any changes being made to its bank account details. A change can only be effected after approval by the Finance Director.
It has not, however, been possible to eliminate all fraud attempts and, as such, the risk remains that the project could be subject to fraud which could result in additional costs being incurred.

The mitigation measures identified and implemented include the following:

• Setting up the Crossrail Fraud Risk Assurance Group (FRAG) with a remit of raising fraud awareness across the project and its contractors
• Incorporating FRAG into the formal governance structure of the project
• Maintaining an up-to-date financial controls environment
• Promoting the whistle-blower facility ‘SafeLine’ to staff and contractors throughout the life of the project.
• An active cost verification function that oversees contractor payments which makes contractors aware that cost verification will take place
• Seconding a police officer into Crossrail to assist with security and fraud issues
• Include fraud risk aspects when auditing finance and other functions
  Many of these activities are co-ordinated by FRAG.

3. Fraud Risk Assurance Group (FRAG)

The Crossrail Fraud Risk Assurance Group is a working group established by the Crossrail Executive & Investment Committee and is chaired by the Finance and Analysis Director. Its role is to prevent, monitor and report fraud across the Crossrail Project under the following key fraud risk themes:

• Contract Fraud
• Contractor Fraud
• People Risks, e.g. Construction Skills Certification Scheme Card fraud
• Corruption / Conflicts of Interest
• Accounting / Financial Fraud
• ‘Any other areas of potential fraud that the Group considers appropriate’

FRAG consists of representatives from across the whole Crossrail Project that meet on a quarterly basis. The primary activity of FRAG has been to raise awareness of the risk of fraud. This has been implemented by:

• Developing an annual Fraud Risk Communications Plan
• Conducting Tool Box Talks on the topic of fraud risk – both personal and corporate fraud, for example, the ‘12 frauds of Christmas’, focused on person fraud risks for staff
• Organising lunch time ‘Listen and Learn’ sessions on fraud risk
• Developing a fraud risk quiz to help maintain awareness
• Promoting the whistle-blower ‘SafeLine’ through which Crossrail staff and Contractors can report potential fraudulent activity
• Running internal detailed fraud risk awareness workshops with staff from Finance, Commercial Management, and Human Resources to identify fraud risks and how to improve controls
• Running fraud risk awareness workshops with all Tier 1 contractors
• Instigating fraud risk awareness workshops with Tier 2 contractors. These were arranged through the Tier 1 contractors, and were aimed at raising awareness of how vulnerable Tier 2 contractors might be to attempted fraud
• Running Tier 1 Chief Finance Officer / Audit specialist risk management workshops
• Including fraud risk in the CEO Forum including the Chief Executive Officers of all Tier 1 Contractors; and
• Carrying out regular audits to identify fraud risks across the Project. This not only generates valuable audit evidence, it also raises awareness for fraud risk to those being audited.

4. Monitoring

FRAG has reviewed available benchmarking models to assess how well Crossrail is doing to manage the fraud risk. This has included the Association of Certified Fraud Examiners (ACFE) fraud checklist[3] and the Chartered Institute of Public Finance and Accountancy (CIPFA) Code of Practice[4].
FRAG refers potential fraud to the Fraud Investigations team at Transport for London. The results of any investigations are then reported direct to the Crossrail Executive and Investment Committee. In addition, a quarterly report is submitted to the Board via the Audit Committee, providing high level visibility of this activity.

5. Benefits of FRAG

Key benefits have resulted from raising the issues around fraud. We have found:
The benefit of the communications plan is that staff have become much more aware of the risk of fraud, both personally and to the project as a whole. This has helped Crossrail identify potential attempted fraud, and to investigate and manage the outcomes effectively. In addition, potential ‘insider’ fraudsters are alerted that Crossrail is serious about managing the fraud risk and are therefore less likely to attempt fraud.

The Tier 1 contractors, through the CFO workshops, have shared intelligence on fraud risks. This again increases the likelihood for Crossrail and its contractors to identify and manage potential frauds.

It is not possible to quantify the reduction in fraud risk as a result of FRAG activity. However, the level of detected fraud is extremely low despite continual cyber attempts.

It is important to remember that the effect of a successful fraud is not only financial. There are real effects on staff morale, on the time and effort taken to manage any subsequent investigation, and the increased controls that need to be put in place to stop re-occurrence. Any measures that can be put in place to reduce fraud have multiple benefits.

6. Lessons Learned

By far the biggest improvement has been the level of recognition given to the issue. The implementation of FRAG and the subsequent level of awareness have meant that, the number of instances where Crossrail has actually suffered loss as a result of fraud has been constrained to only minimal amounts, most of which has been able to be recovered.

7. Future Developments

There is a case to be made for developing a construction industry Fraud Risk Group to share experiences more widely. Crossrail, through FRAG, will be investigating if there is any appetite within the industry for a more open sharing of fraud risks.

8. References

[1] Grant Thornton (2013), Fighting Construction fraud in the UK; [online]available at: http://www.grantthornton.co.uk/globalassets/1.-member-firms/united-kingdom/pdf/publication/2013/fighting-construction-fraud-in-the-uk.pdf. Accessed 19 July 2017.

[2] Kroll, Global Fraud and Risk report 2013/14, “who’s got something to hide? Searching for insider fraud”; [online] available at:  http://www.kroll.com/en-us/fraud-report-confirmation. Accessed 19 July 2017

[3] Association of Certified fraud Examiners (2016); [online] available at:  http://www.acfe.com/fraud-prevention-checkup.aspx. Accessed 19 July 2017.

[4] Chartered Institute of Public Finance and Accountancy (CIPFA), code of practice on managing the risk of fraud and corruption (2014); [online] available at:  http://www.cipfa.org/policy-and-guidance/consultations-archive/code-of-practice-on-counter-fraud . Accessed 19 July 2017