University Fraud Policy

Transcription

1 Section 1 University Fraud Policy 1. Introductory Statement The University is committed to the application of the Seven Principles of Public Life commended by the Committee for Standards in Public Life, namely: Selflessness; Integrity; Objectivity; Accountability; Openness; Honesty; Leadership. The policy of the University in relation to the prevention and detection of fraud follows this commitment, and takes into account HEFCE advice note Fighting fraud in higher education 99/65. All members of the Higher Education Corporation, staff and where appropriate students, are required to comply with the policy. 2. Prevention of Fraud The major emphasis of the University s policy is on prevention, and on measures put in place for this purpose, which include denial of opportunity, effective leadership, auditing and employee screening. To this end, the University is committed to incorporating within its management procedures and processes, measures for denying opportunities for fraud, and the training of staff in operating systems to ensure that proper process is followed. In particular, special attention is paid to the avoidance of fraud in the University s financial procedures by the segregation of duties, especially in relation to payments, income and assets, and operational procedures of the University's financial system provides specifically for this. Senior management staff are expected to consider the use of staff rotation between posts carrying financial responsibilities as a means of minimising risk of fraud. The identification of areas vulnerable to fraud are considered as an issue warranting particular management attention at all levels. In relation to possible misuse of IT, the Information Services and Learning Resources Departments have joint central oversight of the management of physical access to terminals, and the electronic and other protection measures to be adopted by the University in relation to access. Security responsibility for particular IT systems may also be shared with other central departments (e.g. access to the Finance System is controlled by the Finance Department): division of responsibility for access must be clearly specified and published within the University. All managers in the University are expected to work within the overall policy framework in applying precautionary measures locally. 3. Leadership The Board of Governors and University Executive, in relation to their own conduct and that of the University have adopted the Seven Principles of Public Life. In implementing this commitment, the University has approved and disseminated policies on Registration and Declaration of Interests for the Board; Registration of Interests for Heads of Department/ School and above; Acceptance of Hospitality and Gifts; and Staff Management Procedures for Disciplinary Offences. The University considers fraudulent acts by employees as gross misconduct warranting summary dismissal, and will normally refer issues of fraud for prosecution under criminal law. A decision on the reference for prosecution will be made by the Vice-Chancellor or Deputy Vice-Chancellors or the University Secretary, as appropriate, after consideration of the matter

2 within the University Fraud Response procedures (see paragraph 12 below). The reasons for this decision will be recorded and reported as those procedures provide. 4. Internal Auditors Within an approach clearly identifying management responsibility for systems of control to prevent and detect fraud, the University is also committed to the involvement of its auditors (and other expert advisers where audit experience does not adequately cover particular specialist areas of knowledge or practice) in systems design and modification to build in fraud prevention and detection mechanisms and procedures. The Joint Internal Audit Service Annual Plans incorporates cyclical risk-based review process to ensure that University systems have appropriate checks and controls to prevent and detect fraud. 5. External Auditors The External Auditors plan and perform their audit so as to obtain all the information and explanations which they consider necessary in order to provide them with sufficient evidence to give reasonable reassurance that the Financial Statements are free from material misstatements, whether caused by fraud or other irregularity or error. 6. Employee Screening The University s recruitment and appointments procedures incorporate screening of candidates through the use of pre-defined post descriptions, person specifications for each job, and structured assessment of applicants at each level of the process, including a compulsory check with previous/current employers for all new appointees. The University s Human Resources policies and procedures will be regularly reviewed to ensure that appropriate measures are in place to protect the University from fraud amongst applicants for appointment to the staff of the institution. A review of Recruitment and Selection procedures is to be carried out by the University s Human Resources Service, and will consider whether any further screening is necessary, including declarations of relationships with staff and governors. 7. Detection of Fraud The University s Financial Regulations approved by the Board of Governors in October 1999 includes statements on the responsibilities of Budget Holders, Director of Finance and other staff, and Internal Auditors, with procedures to be followed in respect of financial irregularities. A Fraud Response Plan was approved by the Audit Committee of the Board of Governors in January 2002 (see paragraph 12 below). 8. Public Interest Disclosure The University s Public Interest Disclosure Policy and Procedure of 2 September 1999 incorporates procedures for the disclosure and investigation of disclosures, including those of alleged fraud. 9. Role of Internal Audit in Detection The role of Joint Internal Auditor Service in the detection of fraud is clearly specified in the Financial Regulations and the Public Interest Disclosure Policy. However, the University recognises that the first responsibility is that of University management, and that internal audit is, and must remain, a long stop. The University undertakes to keep the Head of the Internal Audit Service informed, and to take advice as necessary in relation to any incidence of alleged fraud

3 10. Warning Signs The University s staff management policy encourages the early identification of staff problems and their solution prior to the invoking of disciplinary procedures. The University recognises the need to provide, within its staff development and training programme, awareness training for managers in relation to the identification of potential fraud. 11. Investigation All matters of fraud or financial irregularity are dealt with under the Regulations indicated in paragraphs 6 and 7 above. The University recognises the need to address incidents with appropriate action, including the notification of the Vice-Chancellor as Chief Executive, as a matter of first priority. 12. Fraud Response Plan The University s Fraud Response Plan, devised taking HEFCE advice into account, was approved by the Audit Committee of the Board of Governors on 25 January Process of Investigation The process for investigation of alleged fraud is described in the Financial Regulations, Public Interest Disclosure Policy, and HEFCE Audit Code of Practice, and the Fraud Response Plan. 14. The Role of HEFCE Audit Service The HEFCE Audit Code of Practice incorporates the requirement for reporting of suspected or actual fraud; the University undertakes to comply with these requirements, and to take advice from time to time on best practice as identified by HEFCE Audit Service. 15. Insurance Provision The University undertakes to provide such insurance cover against the losses arising from misconduct of members of the corporation, staff and students as it prudently may. 16. Commercial Ethics The University s commercial ethics approach is contained in various documentation,from the Financial Regulations to staff management procedures, and processes. There is no single document at present, but the University undertakes to explore the advantages of, and need for, a consolidated approach and to make proposals to the Board of Governors on this matter. Section 2 University Fraud Response Plan Purpose 1. The purpose of this plan is to define authority levels, responsibilities for action, and reporting lines in the event of a suspected fraud or irregularity. The use of the plan should enable the University to: Prevent further loss

4 Establish and secure evidence necessary for criminal and disciplinary action Notify the HEFCE, if the circumstances are covered by the mandatory requirements of the Audit Code of Practice Recover losses Punish the culprits Deal with requests for references for employees disciplined or prosecuted for fraud Review the reasons for the incident, the measures taken to prevent a recurrence, and any action needed to strengthen future responses to fraud Keep all personnel with a need to know suitably informed about the incident and the University's response Inform the police Assign responsibility for investigating the incident Establish circumstances in which external specialists should be involved Establish lines of communication with the police 2. These matters are dealt with below. Initiating action 3. Suspicion of fraud or irregularity may be captured through a number of means, including the following: The requirement placed on staff under the Financial Regulations to report fraud or irregularity to Director of Finance The University's Policy and Procedure for Public Interest Disclosures to the University Secretary ('whistle-blower's charter') Planned audit work Operation of University procedures generally 4. Responsibility for dealing with actual or suspected incidents is the University management's, and should be reported without delay to the University Secretary, who shall involve the Joint Internal Audit Service. Wherever possible, within 24 hours, the University Secretary shall inform the Vice-Chancellor and Deputy Vice-Chancellors, and shall convene meeting of the Fraud Response Group to decide on the initial response: University Secretary (chair) Head of Joint Internal Audit Service Director of Human Resources Director of Finance University Legal Adviser The Fraud Response Group will determine the action to be taken. This will normally be an investigation, which shall include the Joint Internal Audit Service, and such other officers as are appropriate. The University Secretary, advised by the Group, and after consultation with the Vice- Chancellor and Deputy Vice-Chancellor (Resources), shall give authority to the internal auditor to use time provided in the internal audit plan for special investigations, or contingency time, or to switch internal audit resources from planned audits. If a meeting is not feasible, the University Secretary shall consult members of the Fraud Response Group before determining action. Prevention of further loss

5 5. Where initial investigation provides reasonable grounds for suspecting a member or members of staff of fraud, the Response Group will decide how to prevent further loss. This may require the suspension, with or without pay, of the suspects. It may be necessary to plan the timing of suspension to prevent the suspects from destroying or removing evidence that may be needed to support disciplinary or criminal action. 6. In these circumstances, the suspect(s) shall be approached unannounced. They should be supervised at all times before leaving the University's premises. They should be allowed to collect personal property under supervision, but should not be able to remove any property belonging to the University. Any security passes and keys to premises, offices and furniture should be returned. 7. The head of University Security shall be required to advise on the best means of denying access to the University, while suspects remain suspended (for example by changing locks and informing security staff not to admit the individuals to any part of the premises). Similarly, the Head of IT Services shall be instructed to withdraw without delay access permissions to the University's computer systems. 8. The authorised investigator/s shall consider whether it is necessary to investigate systems other than that which has given rise to suspicion, through which the suspect may have had opportunities to misappropriate the University's assets. Establishing and securing evidence 9. A major objective in any fraud investigation will be the punishment of the perpetrators, to act as a deterrent to other personnel. The University will follow disciplinary procedures against any member of staff who has committed fraud. The University will normally refer the matter to the police for a criminal investigation. 10. In order to assist in fraud investigations, the Head of the Joint Internal Audit Service will: Maintain familiarity with the University's disciplinary procedures, to ensure that evidence requirements will be met during any fraud investigation Recommend the establishment and maintenance of contact with the police Advise, with the University's Legal Adviser, whether there is a need for audit and other staff to be trained in the evidence rules for interviews under the Police and Criminal Evidence Act Ensure, by reference to the University's Legal Adviser, that JIAS staff involved in fraud investigations are familiar with and follow rules on the admissibility of documentary and other evidence in criminal proceedings. Notifying the HEFCE 11. The circumstances in which the University must inform the HEFCE about actual or suspected frauds are detailed in the HEFCE Audit Code of Practice (HEFCE 98/28 paragraphs 14-15). The Vice-Chancellor of the University is responsible for informing the HEFCE of any such incidents, and the University Secretary shall ensure that the Vice-Chancellor is kept informed of matters potentially involving report to HEFCE. Recovery of losses 12. Recovering losses is a major objective of any fraud investigation. The University Secretary shall ensure that in all fraud investigations, the amount of any loss will be quantified. Restitution of misappropriated assets shall be sought in all cases. 13. Where the loss is substantial, legal advice shall be obtained without delay about the need to freeze the suspect's assets through the court, pending conclusion of the

6 investigation. Legal advice shall also be obtained about prospects for recovering losses through the civil court, where the perpetrator refuses repayment. The University will normally expect to recover costs in addition to losses. References for employees disciplined or prosecuted for fraud 14. The University's Staff Management Procedures shall include a requirement that any request for a reference for a member of staff who has been disciplined or prosecuted for fraud shall in all cases be referred to the Director of Human Resources. The Director of Human Resources shall prepare any answer to a request for a reference having regard to employment law. Reporting to Governors 15. Any incident matching the criteria in the HEFCE Audit Code of Practice (as in paragraph 12 above) shall be reported without delay by the Vice-Chancellor, or on his behalf, to the chairmen of the Board of Governors and the Audit Committee. 16. Any variation from the approved fraud response plan, together with reasons for the variation, shall be reported promptly to the chairmen of both the Board of Governors and the Audit Committee. 17. On completion of a special investigation, a written report shall be submitted to the Audit Committee containing: A description of the incident, including the value of any loss, the people involved, and the means of perpetrating the fraud The measures taken to prevent a recurrence Any action needed to strengthen future responses to fraud, with a follow-up report on whether the actions have been taken. The University Secretary, assisted by the Head of the Joint Internal Audit Service shall normally prepare this report. Reporting lines 18. The Fraud Response Group shall provide a confidential report to the chairmen of the Board of Governors and the Audit Committee, the Vice-Chancellor, Deputy Vice- Chancellors and the external audit partner periodically on the progress of fraud cases. The scope of the report shall include: Quantification of losses Progress with recovery action Progress with disciplinary action Progress with criminal action Estimate of resources required to conclude the investigation Actions taken to prevent and detect similar incidents Responsibility for investigation 19. The Internal Audit Service shall be involved in the conduct of special investigations, within the arrangements in paragraph 4.above. University management shall cooperate with requests for assistance from the authorised investigator/s in the conduct of fraud investigations. 20. Some special investigations may require the use of technical expertise, which the authorised investigator/s does not possess. In these circumstances, the Fraud

7 Response Group may approve the appointment of external specialists to lead or contribute to the special investigation. Section 3 Review of fraud response plan This plan will be reviewed for fitness of purpose at least annually or after each use. Any need for change will be reported to the Audit Committee for approval. Cash There have been many frauds involving thefts from cash boxes, cash registers and takings at bars, residences, catering outlets, vending machines, and from social funds. Management of cash shall include the following: (a) Segregation of duties. Systems should prevent one person from receiving, recording and banking cash. Where there are many outlets, the system shall incorporate additional supervisory management, and unannounced checks. Segregation of duties shall continue during periods of leave or sickness absence. (b) Reconciliation procedures. An independent record of cash received and banked may deter and detect fraud. Documents used in reconciliation processes, (such as paying-in slips) shall not be available to the officer responsible for banking. (c) The issue of receipts in return for cash received, to provide an audit trail. (d) Physical security, such as keypad controlled cashiers' offices and safes. Keys and access codes shall also be kept secure. (e) Frequent banking. (f) Use of alternatives to cash (vending cards, credit cards, cheques, direct debits, and standing orders). Cheques Cheques are often completed in ways which facilitate opportunist fraud; and cheques are sometimes intercepted by organised criminals who falsify payee and value details using sophisticated techniques. Debtors may also be told to make cheques payable to a private account, possibly using an account name that is similar to the University's. Preventative measures include: (a) Physical security. Unused, completed and cancelled cheques should never be left unsecured. If cheques are destroyed, more than one officer should be present, and a record of the serial numbers should be maintained. (b) Frequent bank reconciliations. Some frauds have gone undetected for long periods because accounts have not been reconciled promptly, or because discrepancies have not been fully investigated. (c) Segregation of duties. (d) Use of bank account names that it is difficult to represent as personal names, to prevent the simple theft of cheques in the post and their conversion into cash.

8 (e) Clear instructions to debtors about correct payee details and the address to which cheques should be sent. The address should normally be the Finance Department, not the department, school, faculty or other unit that has provided the goods or services. (f) Central opening of all post by more than one person and recording of all cash and cheques received. (g) Rotation of staff responsibilities, including the regular rotation of counter-signatories in accounts departments, to reduce the risk of collusion. (h) Training in secure completion of cheques. (i) (j) Use of electronic funds transfer (EFT) as an alternative to cheques. Occasional checks with local banks of accounts including the University's name. Purchase Ledger Preventative measures include: (a) Minimising little used or unusual account codes. (b) Ensuring that line management effectively monitors all account codes. (c) Segregation of duties. (d) Secure management of the creditors' standing data file, including segregating the origination and approval of new or amended data. (e) Requiring purchase orders for the procurement of all services, as well as goods. (f) The University will exercise particular care and caution in making appointments to the purchasing area. All suppliers should be vetted to establish that they are genuine and reputable companies before being added to lists of authorised suppliers. June 2002