Anti-Fraud Policy and Procedures

The University's Anti-Fraud Policy and Procedures, approved by University Court in October 2025, are provided below.

Anti-Fraud Policy

The University is committed to conducting its activities fairly, honestly and openly, in accordance with relevant legislation, and to the highest standards of integrity. As a charity deriving a significant proportion of its income from public funds, donations and charitable organisations, the University is concerned to protect itself and its funders, donors, staff and students from the detriment associated with fraud and other corrupt activities.

The University has a zero-tolerance attitude to fraud committed by staff or associated persons either against the University, or committed against third parties with the intention of benefitting the University. The University will investigate actual, attempted and suspected fraud by its staff, students, subsidiaries, suppliers and other external organisations. Fraud by University employees or student members acting on behalf of the University will be treated as a serious disciplinary offence. 

The University is committed to the prevention of fraud and the promotion of an anti-fraud culture through systems, controls, policies and procedures which deter acts of fraud. 


This Policy applies to all University staff, students, research partners, suppliers and other associated persons. 


The term Fraud means the use of deception with the intent to gain financially or cause loss to another person or organisation. Fraud may include acts such as theft (physical or cyber), deception, bribery, forgery, extortion, corruption, conspiracy, embezzlement, misappropriation of funds and collusion.

Examples of fraud in a University context could include:

  • forging or altering University financial documents
  • theft or misuse of University property, facilities or services
  • falsely claiming travel or subsistence expenses
  • research misrepresentation
  • academic consultancy fraud

Fraud may also include the acts of a third party outside the University:

  • fraudulent invoices submitted by a supplier
  • suppliers offering bribes or inducements to University staff
  • cyber enabled crime, for example sending phishing emails or user impersonation which can lead to theft of financial resources and/or personal data

     

It's important to note that the University may also be a beneficiary of fraud, for example:

  • A member of University staff deliberately falsifies research data to successfully secure government grants for the next phase of their research.

University Court and Senior Staff Responsibilities

The University Court and University Executive team endorse and promote the University's Fraud Prevention Framework: policies on Anti-Fraud, Conflicts of Interest and Receipt and Provision of Gifts, Hospitality and Other Benefits, Anti Bribery and Anti Money Laundering. 

The University Court, advised and assisted by the Chief Financial Officer, is responsible for ensuring that the University Executive establishes and maintains an effective internal control system. These internal controls help to counter the risks faced by the University.

Staff Responsibilities

All University staff and associated persons must:

  • report details of any suspected fraud to fraud-awareness@ed.ac.uk
  • assist in the investigation of suspected fraud
  • comply with internal controls and agreed policies and procedures 

Staff should not attempt to investigate any fraud themselves. 

The Public Interest Disclosure Act 1998 protects employees who raise concerns about certain matters of public interest in good faith. If staff feel unable to follow the standard fraud reporting processes they can follow the University's Public Interest Disclosure (Whistleblowing) Policy and Procedures.


All staff are expected to be aware of the Anti-Fraud Policy and Procedures, which are located on the Finance Department webpages and in the University Policy Repository.

All staff should complete regular University training on fraud awareness every 2 years. The eLearning is located on People and Money Learning at the course linked below: 

Fraud Awareness in the University.


This policy interacts and overlaps with a number of other University policies:

Public Disclosure Act (Whistleblowing) Policy (link to follow)

Anti-Bribery and Corruption Policy

Conflict of Interest Policy 

Receipt and Provision of Gifts, Hospitality and Other Benefits Policy

Anti-Money Laundering Policy 


Approval and Review

Date Policy and Procedures approved: 6th October 2025

Final approval by: University Court

Consultations held:

Internal Control and Fraud Mitigation Group

Legal Services 

Chief Information Security Officer

Disability Information Team

HR Policy Consultation Forum 

 


Fraud Procedures

Who might identify a fraud?

Suspicions of fraud may be identified through many different routes. This includes routine controls, concerns raised by staff, students or external stakeholders, and internal and external audit activity. 

It is the duty of all staff to report any actual or suspected incidents of fraud or irregularity immediately. 

What should I do if I see something suspicious?

Note down as much information as you possibly can which is available to you without investigating.

What exactly did you notice? – Dates, times, witnesses 

Why do you think it is fraud? What happened?

Report your concerns to fraud-awareness@ed.ac.uk

Alternatively, you can discuss your concerns with your line manager or management team. Following discussions, if there are still concerns, these should be reported to fraud-awareness@ed.ac.uk

The FIRST team will follow the next stages in the reporting procedure to make sure that what you have noticed is captured and investigated. Where appropriate they will escalate to the Chief Financial Officer to initiate a Fraud Investigation – following the procedure below.  

If you have these concerns, you should expect:

  • To be heard and taken seriously by the person you report this to
  • That everything you say will be treated as confidential and only shared with appropriately authorized individuals

Under no circumstances should you:

  • Confront anybody you suspect yourself
  • Start your own investigation or attempt to gather any additional evidence yourself
  • Discuss your suspicions and concerns with anyone other than through the steps in this procedure
  • Do nothing

What should I do if I’m concerned about an incident involving someone identified in this reporting procedure?

If the actual or suspected incident involves or implicates the senior management in this reporting line (for example the Chief Financial Officer), it should be reported without delay to the Principal, the University Secretary, or the Convener of the Audit & Risk Committee.

If you feel unable to follow the standard fraud reporting procedure you should follow the steps outlined in the University's Public Disclosure (Whistleblowing) Policy and Procedures.


The Chief Financial Officer (CFO)

The Chief Financial Officer is responsible for:

  • developing, implementing and maintaining adequate systems of financial management and internal control to mitigate/minimize the risk of financial fraud and to detect financial fraud. 

Examples of internal controls

  • segregation of duties (between the person preparing the transaction and the person approving it),
  • authorization and approval controls
  • access controls – limiting access to systems
  • physical controls (e.g. safeguarding of assets)
  • reconciliation procedures, random checking of transactions
  • monitoring and review of management accounting information
  • Human Resources controls for hiring and training staff 
  • Internal Audit reporting and review

     

 

The University Executive Team

The University Executive are responsible for promoting the University’s fraud prevention framework through:

  • Reviewing fraud risk as part of the wider annual risk management assessment
  • Ensuring staff and other associated persons are made aware of the Anti-Fraud Policy and Procedures and complete mandatory fraud awareness training

 

The Director of Human Resources 

The Director of Human Resources will be responsible for:

 

  • Providing confidential advice to staff who suspect a member of staff of fraud.
  • Instigating appropriate disciplinary action in relation to fraud and civil action against the perpetrators of fraud.

Line Managers

Line managers should be alert to the possibility that unusual events may be symptoms of fraud or attempted fraud. Line managers are responsible for:

  • ensuring that adequate internal controls are operated within their area of responsibility, and those controls are complied with. This includes ensuring there is segregation of duties between initiating and approving financial tasks, reviewing financial reports
  • reviewing and testing control systems within their area of responsibility to satisfy themselves the systems and procedures continue to operate effectively
  • screening potential new members of staff before appointment and obtaining references from previous employer
  • reporting any potential suspicions of fraudulent activity, impropriety or dishonest conduct, either internally or from external organisations to fraud-awareness@ed.ac.uk


Financial Information Reporting and Strategy Team (FIRST) 

The FIRST Team is responsible for managing the Anti-Fraud mailbox fraud-awareness@ed.ac.uk. The Fraud Log is managed by the Senior Financial Accountant in the Financial Information Reporting and Strategy Team (FIRST).

Internal Controls & Fraud Mitigation Group (IC&FMG)

The IC&FMG:

  • supports the ongoing improvement of University internal controls, including prevention, detection and mitigation of fraud risks
  • provides a forum for discussion, awareness and communication of such matters
  • regularly reviews a summary fraud log documenting all instances of fraud and ‘near misses’
  • collaborates with the Information Security team on cyber fraud cases where appropriate
  • is responsible for reviewing and updating fraud procedures and reports regularly to the Finance Leadership Team and Audit & Risk Committee.

Internal Audit

Internal Audit provides assurance that the organisation's internal controls are designed effectively and operating efficiently, which helps deter fraud. 

This assurance is achieved through various audit activities, including reviewing existing controls, assessing their effectiveness, and identifying potential weaknesses.

Information Security Team

The Information Security Team, led by the University Chief Information Security Officer (CISO), is responsible for leading and owning the University information security risk strategy. The team provides advice on existing and emerging information and cyber security threats and support on information security attacks. In cases of suspected fraud involving University digital services, they can assist with ensuring ongoing access to those services is managed to protect both the services and potential evidence that may be required in subsequent investigations.


The purpose of this fraud response plan is to define authority levels, responsibilities for action and reporting lines in the event of suspected fraud or irregularity.

Fraud Investigation Group (FI Group)

When a suspected fraud has been reported, the Chief Financial Officer should, as soon as possible, convene and chair a meeting of the following people to decide on the initial response, using properly appointed nominees where necessary:

Chief Financial Officer 

University Secretary and/or Vice Principal Corporate Services

The Head of College or Director of Professional Services Group involved

University’s General Counsel and Director of Legal Services

Director of Human Resources

Where the Chief Financial Officer is suspected of fraud, the University Secretary will lead the Fraud Investigation Group. Should the incident concern or implicate any other member of this Group, the Chief Financial Officer will appoint a substitute.

The FI Group may invite additional members of staff to join the FI Group, for example, the University Chief Information Security Officer in the event of suspected cyber enabled fraud or the Data Protection Officer in the event of suspected theft of personal data.

For simple or straightforward cases, the Chief Financial Officer may choose to keep relevant colleagues informed by email or other means at his/her discretion.

Investigating Officer

The Investigating Officer must be suitably trained and experienced in undertaking fraud investigations. To ensure impartiality of reporting, investigations are usually undertaken by the Head of Internal Audit.

The appointed Investigating Officer will be responsible for investigating allegations of fraud including:

  • carrying out a thorough investigation if fraud is suspected;
  • gathering evidence, taking statements and writing reports on suspected frauds;
  • liaising with the Chief Financial Officer where investigations conclude that a fraud has taken place;
  • identifying any weaknesses which contributed to the fraud; and, if necessary,
  • making recommendations for remedial action.

The Investigating Officer will consult with Legal Services prior to commencing the investigation and will have unrestricted access to the Chief Financial Officer, the Director of Human Resources, the Audit & Risk Committee, the University's Internal and External Auditors, and its legal advisers.

Security Manager

The Security Manager should advise on the best means of denying physical access to the University while an employee suspected of fraud remains suspended, for example by changing locks and informing security staff not to admit the individual to any part of the premises.

Insurance Manager

Where appropriate, the Investigating Officer should consult with the University Insurance Manager as to whether any of the losses warrant a claim under any University insurance policy.

  • Considering the initial disclosure and available evidence, and in conjunction with the University Secretary decide the appropriate course of action. The decision taken should be documented.
  • Making arrangements for investigating allegations of fraud, including the appointment of a suitably qualified senior member of staff to lead the investigation known as the Investigating Officer.
  • Receiving the report of the Investigating Officer and responding appropriately.

The Fraud Investigation Group (FI Group) will decide on the action to be taken.

To ensure impartiality of reporting, investigations are usually undertaken by the Head of Internal Audit and their team, who combine independence, investigative techniques and local knowledge.

A decision by the FI Group to initiate an investigation will constitute authority to the Head of Internal Audit to use time provided in the internal audit plan for investigations, or contingency time, or to switch internal audit resources from planned audits.

Recording Information

The Investigating Officer should record all details of the facts and circumstances relating to the suspected irregularity including details of:

  • Telephone/email conversations;
  • Face to face/Teams discussions/interviews;
  • A record of documents/computer files reviewed;
  • Tests undertaken with results and conclusions drawn.

Files must be marked confidential and must be held securely at all times. Where details of allegations and any subsequent investigation are held digitally, they must be password protected and file name(s) must not identify either the suspect, or details of the suspected irregularity.

Prevention of further loss

Where initial investigation provides reasonable grounds for suspecting a member or members of staff or others of fraud, the FI Group will decide how to prevent further loss.

While the investigation takes place, this may require the suspension of the employee(s) suspected, under the appropriate disciplinary procedure. It may be necessary to plan the timing of suspension to prevent suspected employees from destroying or removing evidence that may be needed to support disciplinary or criminal action.

Approaching suspect

In order to prevent concealment of wrongdoing an employee suspected of fraud should be approached unannounced where practical / appropriate.

They should be supervised at all times before leaving the University's premises. They should be allowed to collect personal property under supervision but should not be able to remove any property belonging to the University.

Security

The Head of Security should be required to advise on the best means of denying access to the University while the employee(s) remain suspended, for example by changing locks and informing security staff not to admit the individuals to any part of the premises.

Similarly, the Head of Information Services should be instructed to withdraw without delay access permissions to the University's computer systems.

 

Investigation of systems

The FI Group will consider whether it is necessary to investigate systems other than that which has given rise to suspicion, through which the suspect may have had opportunities to misappropriate the University's assets, establishing and securing evidence.

Disciplinary procedures

The University will follow disciplinary procedures against any member of staff or student who is found to have committed fraud and will normally report any such individual to the criminal authorities.

Conduct of investigation

The FI Group will:

  • ensure that evidence requirements are met during any fraud investigation;
  • ensure that staff involved in fraud investigations are familiar with and follow rules on the admissibility of documentary and other evidence in criminal proceedings.

Communication with perpetrator

The final outcome of any investigation will be reported to the perpetrator. Any request for a reference for a member of staff or student who has been disciplined or prosecuted for fraud must be referred to the University Secretary for advice.

Review of fraud response plan

This plan will be reviewed annually by the Internal Controls & Fraud Mitigation Group to ensure its fitness for purpose. This review will take into account any audit findings or fraud investigations. Any recommended changes will be reported to the Audit & Risk Committee for consideration and to Court for approval.


The Fraud Investigation Group will provide regular, confidential reports to the Principal, the Convener of Court and Convener of the Audit & Risk Committee, which will include:

  • quantification of losses;
  • progress with recovery action;
  • progress with disciplinary action;
  • progress with criminal action;
  • estimate of resources required to conclude the investigation;
  • actions taken to prevent and detect similar incidents.

There will also be ongoing reports on the status of live and completed investigations.

Audit & Risk Committee

Audit & Risk Committee (ARC) will review progress reports on any fraud investigations as a standing item on the ARC agenda.

Notification to the Police

The Director of Legal Services is responsible for deciding when it is necessary to inform the police. Notifying the Police must be done by the Director of Legal Services or the Investigating Officer, who must be suitably trained and experienced in undertaking fraud investigations. This is vital because when findings are referred to the Police the evidence needs to be of criminal evidence standard. Allegations of any financial impropriety will be investigated by a qualified member of the Internal Audit team.

Report to Scottish Funding Council (SFC)

The Chief Financial Officer will, on behalf of the University, notify the SFC of any attempted, suspected or actual fraud or irregularity where:

  • the sums involved are significant;
  • the particulars of the fraud are novel, unusual or complex;
  • there is likely to be public interest because of the nature of the fraud or the people involved.

Recovery of losses

The Head of Internal Audit will endeavour to ensure that the amount of any loss is quantified. Repayment of losses will be sought in all cases. Where the loss is substantial, legal advice should be obtained about what processes may be available to preserve the suspect's assets, pending conclusion of the investigation.

Legal advice may be obtained about prospects for recovering losses through the civil court, where the perpetrator refuses repayment. The University will normally expect to recover costs in addition to losses.

Final report

On completion of a special investigation, a written report, normally prepared by the Head of Internal Audit, shall be submitted to the Audit & Risk Committee containing:

  • a description of the incident, including:
      • the value of any loss;
      • the people involved; and
      • the means of perpetrating the fraud.
  • the measures taken to prevent a recurrence;
  • action needed to strengthen future responses to fraud, with a follow-up report on whether the actions have been taken.