Examination of Witnesses (Questions 420-439)|
WEDNESDAY 13 FEBRUARY 2002
420. That seems to be different from what you
were saying earlier.
(Mr Pilling) I do not think it does. I think the point
is that a number of changes were made in the scheme during the
life of the scheme.
421. The point is that you keep saying that
you were partners with the Department and you are very experienced
people and what we are quite horrified about is now you are telling
us that you could see this great big problem because the accredited
providers were not really accredited at all, but they just got
on just by filling in their forms, so the whole system was open
to abuse from the very beginning, yet no one in Capita said, "This
is going to have real repercussions of potential fraud".
(Mr Pilling) Certainly I have said on previous occasions
that we had still to sit down with the DfES and discuss together
422. Can we just back-track then. You have spent
a lot of the first half of this session saying that you were paid
£50 million to implement and administer a scheme which was
devised by the Government which seems to imply that there was
no quality assurance, as the government officials more or less
told us a few weeks ago, there was no quality assurance because
they wanted to expand it to other training providers, new areas
and all the rest of it, so you accepted that there were no quality
controls in the Government scheme, but that was not in your contract
to do; you were just there to administer the contract they gave
you. You are now saying to us that you set up a scheme which you
were responsible for administering which was so open to abuse
because there were no quality controls on the learning providers
in the first place.
(Mr Pilling) I think it is the terminology of "scheme"
and "system". There is the overall scheme which has
been abused. We are talking, I think, about a system, which is
the most recent incident of actually being abused based on the
IT system itself. That particular abuse is the most recent item
and that was picked up and identified by the DfES and alerted
to us very quickly. We would have picked that information up in
the management reports which we were giving to the DfES at the
end of November and we would have been able to identify with them
which of the learning providers were abusing the system in that
way and have been able to track them.
423. You are saying that it could be abused
in that way whether it was 21 November that it was picked up or
whether it was the spring of that year or whatever. It could be
abused that way and you did not have safeguards against it because
you assumed the training providers would be accredited, legitimate
people and yet you have spent the first half of this meeting saying
that the fact that training providers did not have to be accredited
or quality controlled in any way was not your responsibility,
but the Government drew that up, you accepted it and we have already
had debates about why, when you have got experience in administering
the benefit system which is open to fraud, you did not say right
at the start, "Hang on a minute, this is wide open to abuse".
(Mr Doyle) Denyse did mention earlier as well that
in the original specification there was the opportunity to make
use of an existing database of accredited learners. When we started
to build the scheme, the opportunity was still there and that
was what we hoped was going to be used. Later, as Denyse explained,
we were unable to use that partly because the two systems did
not fit together and we could not merge the two databases and,
secondly, because it was a tiny proportion of what was now becoming
a large population.
424. So your company with a wide experience
of running things like the benefit scheme did not say to the Government
at that point, "We can go ahead in this way, but it is going
to be wide open to abuse"?
(Mr Doyle) Well, no, not at that point in time.
425. Is it ever on the record that you said
(Mr Doyle) I would have to go back and check the records.
426. Why did you not at that time? If it was
going to be so obvious, were you not negligent in not saying that?
(Mr Doyle) It was not completely open to abuse. To
my knowledge and from the evidence we have been presented with
so far, we have not seen any abuse of the IT system in the early
days yet. Now, someone may come back and tell me that at some
point, but at this point in time we have no evidence of it and
we have not been advised of anything. There were checks in there
around the management reports at the end of the month in terms
of being able to see trends and to see if people were blatantly
abusing the system and indeed the event that Simon refers to would
have been picked up through those audits and major management
reports. I did make the point earlier when you asked me where
did I think we were at fault, one of the things that I said was
that I did not believe that we acted quick enough in terms of
the system in the light of the abuse that came out in November,
but we could have gone back and returned to the systems and started
to make them more robust. We did not do that. The only evidence
that we have so far, and this is talking about the IT system and
abuse of the IT system as opposed to the other things we were
talking about earlier, the only evidence that we have so far and,
as the Committee is aware, there is a report being prepared by
Cap Gemini at the moment and the Department of their investigations,
(Mr Doyle) Cap Gemini. I believe in a previous Committee
you were told about that. We were hoping we would have that last
week, but unfortunately it has not appeared, so we do not know
what that is going to say yet, but in terms of our own investigations,
the only abuse of the IT system
428. Are Cap Gemini not the same people who
are your accountants?
(Mr Doyle) No.
429. Are they not part of Ernst & Young?
(Mr Doyle) No. A part of Ernst & Young went over
and joined Cap Gemini to become Cap Gemini Ernst & Young
Chairman: I am just checking on any Enron parallels
430. Just to recap then, the Government set
up a scheme which had no quality assurance on the learning provider.
All the learning provider had to do was send in the name and address
basically. There was no check even to check whether they had one
computer or 100 computers in that training station. There were
no checks at all. You, with all your experience of working in
these areas, including housing benefit where there is a lot of
benefit fraud, did not say to them clearly right at the start,
"Well, yes, we will administer this scheme, but it is going
to be wide open to abuse". Secondly, you did not build in
safeguards so that a rogue learning provider would be stopped
from just working out whole strings of ILA account numbers once
they had got access to one number. So did you not fall down twice?
Once was that you did not tell the Government clearly at the start,
"This could be open to abuse. I will do what you are telling
me, but it could be open to abuse", and, secondly, you did
not build safeguards into your system to stop it being abused
in the way that apparently it was on 21 November.
(Mr Doyle) I have got to come back on that again.
At the very start when the system was being built, we believed
that we were going to be hooking up to a database which was accredited.
By the time the decision was made that that was not possible and
it was not going to happen, the system was built.
431. So you did not feel at that point, "If
we cannot use these old authenticated learning providers, this
system can now be abused"?
(Mr Doyle) That is a fair criticism. At that time
we believed that the management reporting at the other end of
the system would pick up any major abuse of the system. Now, as
time has gone on that is obviously not appropriate and I have
already held my hands up to that and said, "This is the way
we should have done it". The other thing is I have to come
back and say that at the moment with the information that we have
available to us and with our investigations, we only have this
incident in November where the IT system has been abused. The
number of providers that we, through our analysis, reported to
the DfES are six. Of those six, two, we feel, could be bona
fide users of the system. There are four which we are particularly
432. You mention the 21 November incident where
a CD-rom was for sale, but your consultants who were doing some
checks on account holders, they said that in the early autumn
you gave them a load of numbers of people who had used their accounts.
They rang up a sample of them to see what they thought of the
system and clearly a large number said, "I've never used
my account", and your accounts of it were saying that it
was either down to dodgy information from you or it was fraud
that their accounts had been entered when they had not used them.
(Mr Doyle) That is something different. There is no
proof that that goes back to the IT system, and we have our own
people who were coming to us and saying, "I don't understand
this. I have got this account and someone has told me, but I've
not used it", or, "I never set this account up in the
first place", and that goes back to a number of these other
issues going on around people being signed up without them knowing
they were being signed up, accounts appearing without anybody
even knowing they had any account and then suddenly something
comes through their door to say that they have used it, so there
were a number of other issues going on and that does not necessarily
refer back to the IT system.
433. You have gallantly held your hands up,
Mr Doyle, to a number of questions, saying, "Yes, we got
things wrong with the benefit of hindsight and if we were starting
again, sitting down with our partners, the DfES, to devise a new
scheme," and indeed you may well be involved in a successor
scheme, "we would not have started where we are now, but
we would have learnt the lessons". That is fair enough to
some extent. I wonder what lessons did you take from information
that was already available perhaps with the DfES and indeed the
public and companies such as yours about IT fraud in setting up
the scheme. The Treasury publish every year their Fraud Report
and I wonder if you are aware of this. What lessons did you learn
before setting up the scheme?
(Mr Doyle) I think in terms of the level at which
people believed that security needed to be aimed at around this
scheme was at a reasonably low level because of the way the scheme
was designed. Looking back on it now, we can all say that that
was incorrect, but that was where it came from, so there was a
low level of security agreed and we were party to that, absolutely.
I am very aware of the report you have in front of you there and
we are an extremely open company and, in other contracts that
we have with the Government, we work very closely with the Government's
own specialists in this area. Indeed, whilst we would say that
we are specialists and we are professionals in this area, this
is a particular area where you can never know too much, there
is something going on somewhere else, somebody is inventing some
other way of hacking into an IT system which people who are working
with us will not see, so we are very happy to work with experts
and we do indeed work closely with the Government's experts and
with third-party experts to share in that information.
434. They did not need to know too much to hack
into your system, did they? The other thing is that as long ago
as 1998 the Audit Commission were saying that computer crime was
on the increase. Were you aware of that?
(Mr Doyle) Absolutely, yes. This system does not have
cash flowing around in it. To my knowledge, again I have to come
back because I have not seen the report from Cap Gemini, but to
our knowledge around the IT system the only evidence that we had
of abuse in the system was around that November incident. I have
already said that it was four providers. To my knowledge, no money
has been paid out to any of those providers.
435. To your knowledge, no money has been?
(Mr Doyle) Has been paid over to those providers as
a result of that incident, so we are not talking about masses
of money flying out of the system here and there being absolutely
no controls which cannot trap abuse of this type. What I am saying
is that it is after-the-event trapping at the moment, whereas
with what we know now, you would want a system that would trap
it at the time of the event or very close to the time of the event.
436. In your discussions with the Department
officials, did they ever say, "We think we have overspent
by £30 million"?
(Ms Metcalf) I do not think they used those words.
437. "Oh my God, we have overspent by £30
(Ms Metcalf) Because we had a close relationship with
them and because, as the Chairman pointed out, I have some knowledge
of government spending myself, I was aware that they had been
seeking supplementary estimates, but I was also aware that that
had been granted.
438. Certainly one official had been seeking
(Ms Metcalf) So we were aware that the scheme was
seen as a very successful scheme and engaged a lot of people in
learning. That was not seen as a negative at that point.
439. So you were aware of overspend. Last week
we heard from Mr Hall from the Learning and Skills Council and
he told the Committee that he advised the Department of the risk
of abuse in May 2000. Were you aware of that?
(Ms Metcalf) Not personally, no.