Fraud & Corruption Control Procedure

Policy code: OG912
Policy owner: Chief Financial Officer
Approval authority: Vice-Chancellor and President
Approval date: 14 November 2023
Next review date: 13 May 2025

Purpose

Federation University is actively committed to preventing fraud and corrupt conduct throughout the organisation as well as improving staff awareness of fraud and corruption risks.

This procedure supports the Fraud and Corruption Control Policy. It sets out the Fraud and Corruption Control Systems to be followed in dealing with allegations of fraud and corrupt conduct and the elements that underpin the University’s fraud and corruption prevention, detection and response.

Scope

This Procedure applies across the University and its controlled entities, to all people who are part of the University community, including Council members, staff, students, consultants and contractors, honorary/visiting and adjunct fellows, research associates, volunteers and visitors.  For purposes of this Procedure, all of the above categories will be referred to as “staff” below.

The University’s Fraud and Corruption Control System (FCCS) was developed to align with the core elements of the Australian Standard on Fraud and Corruption Control: AS 8001-2021.

Special procedures and protections apply to any person making a public interest disclosure under the Public Interest Disclosures Act 2012 (Vic). Disclosures under the Protected Disclosure Act 2012 are to be dealt with according to the University’s Protected Disclosures Procedure.

For the purposes of the Standing Directions (2018), this Fraud and Corruption Control Procedure acts as the University’s Fraud, Corruption and Other Losses prevention and management policy.

Legislative Context

  • AS/NZS ISO 31000:2009 Risk Management
  • Australian Standard on Fraud and Corruption Control (AS8001:2021)
  • Federation University Australia Act 2010
  • Financial Management Act 1994
  • Protected Disclosure Act 2012
  • Public Records Act 1973
  • Standing Directions of the Minister for Finance 2016
  • Victorian Government Purchasing Board (VGPB) policies
  • Victorian Government Risk Management Framework

Fraud and Corruption Control System (FCCS)

The FCCS is an integral part of the University’s overall risk management plan on the premise that fraud and corruption are business risks that are controlled by the application of risk management principles.

The FCCS comprises a number of components, including:

  1. FCCS components - procedures and resourcing.
  2. Prevention - initiatives to deter and minimise the opportunities for fraud.
  3. Detection - initiatives to detect fraud as soon as possible after it occurs.
  4. Response - initiatives to deal with detected or suspected fraud.

Fraud and Corruption Control Governance Model

To minimise the risk of fraud and corruption, the University’s governance model incorporates:

  • Clear lines of delegation with the Fraud and Corruption Control Officer central to responding to fraud and corruption claims;
  • A strong culture, as supported by the integrity framework (built around the Staff Code of Conduct Policy) and assurance framework (independent attestation on the control effectiveness and management of risk); and
  • Elements of the FCCS as detailed below.

1. Key FCCS Components

The FCCS is a comprehensive framework for addressing fraud and corruption risks.  It takes into account the University’s size, staffing, geographic footprint, risk profile and other factors such as industry risks, the economy and applicable laws and regulations.

Integral to the FCCS is clarity regarding roles and responsibilities, as detailed in the Policy. Other key foundations of the University’s FCCS include:

Strategy Description
Training:
  • Induction fraud and corruption awareness training for select staff, contractors and volunteers.
  • For select staff, annual refresher training.
  • Developing an Academic Integrity online course module.
  • Attendance records are maintained and any failure to attend training is reported to the relevant manager for follow-up.
Fraud and Corruption Risk Assessments:
  • Every two years, a formal Fraud and Corruption Risk Assessment is conducted, applying the principles set out in the University’s Risk Management Policy, Risk Management Procedure and the Risk Assessment Guidelines.
  • Annually, an external environment scan, covering political, economic, social, technological, legal and environmental factors, is conducted.
  • The results of the risk assessments are provided to the Audit & Risk Management Committee (A&RMC) for review and, if relevant, to Council for approval.
  • The Fraud and Corruption Control Officer regularly reports to the A&RMC on the progress of the implementation of recommendations arising from the risk assessments.
  • Annually, the Fraud and Corruption Control Officer presents a report to the A&RMC summarising the key fraud risks from the fraud and corruption risk assessment as well as a summary of the reports of suspected fraud, investigation reports and their status and outcomes.
Management Accounts:
  • Monthly, management accounts are provided to the Resources Committee, reporting on a suite of organisational data, which could identify unusual transactions or trends.
Fraud and Corruption Incident Register:
  • The Fraud and Corruption Control Officer maintains a register of all reported fraud and corruption incidents. The register records the details of all reports, results of any investigation and recommendations to enhance the fraud and corruption control framework.
  • The Fraud and Corruption Control Officer provides a summary report to the A&RMC on an annual basis of reported suspected fraud and corruption and the results of investigations.
  • The University’s website may be used to communicate reported suspicions of fraud or corruption.
Internal Audit:
  • Internal Audit is an integral aspect of the control of fraud and corruption. The University has focused its Internal Audit function to provide a value-added service based on the following elements:
    • Enterprise-wide focus on risk.
    • Risk based Internal Audit plan.
    • Appropriate mix of core compliance and risk based operational reviews.
    • The integration of the Internal Audit plan with the Risk Management plan.
Information Security Management System (ISMS):
  • The University has implemented its ISMS in accordance with the principles of AS ISO/IEC 27001. Specific fraud and corruption risk measures include:
    • Policies and procedures.
    • Change Management Advisory Board.
    • User access controls.
    • Cyber security framework.
    • Penetration testing.
    • Regular version and patching updates.
    • Vulnerability risk assessments.
    • Cyber security training for University staff, including Privacy and Data Protection awareness training.

FCCS resourcing is a critical element of the University’s fraud and corruption control system.  The University’s Council and the Vice-Chancellor’s Senior Team (VCST) are committed to ensuring that the elements of the FCCS are appropriately resourced to manage the assessed risks.

The FCCS will be reviewed every two years and amended as appropriate. Factors to be considered in reviewing the fraud and corruption control system include:

  • Whether it is meeting its objectives.
  • Significant changes in the University’s business conditions.
  • Recently detected fraud or corruption control events.
  • Results of any recent Fraud and Corruption Risk Assessment.
  • Changes in fraud and corruption control better practices, locally or internationally.
  • The changing nature of fraud and corruption within the university sector and/or technology.

2. Fraud and Corruption Prevention

Prevention strategies are proactive measures designed to prevent fraud and corruption insofar as practicable, and reduce the risk of incidents occurring. The University’s key prevention measures include:

Strategy Description
Culture:
  • The desired culture at the University is one where people are aware of fraud and corruption risks, comfortable to ask for guidance, and report reasonable suspicions of misconduct.
  • Culture is set through the Integrity Framework which is supported by associated relevant policies such as the Conflict of Interest Policy and Conflict of Interest Procedure; Staff Code of Conduct Policy; the Gifts, Benefits, Hospitality, Food and Beverages Policy; Research Integrity Policy and the Procurement of Goods and Services Policy and Procurement of Goods and Services Procedure.
  • The Staff Code of Conduct Policy sets out the expected standard for the behaviour and conduct for all staff.
  • Management commitment and line manager accountability - all levels of the University carry the responsibility for the prevention and detection of fraud and corruption.
  • Whilst not specific, fraud and corruption controls are incorporated into the performance management system via the “Living Values”.  In the future, fraud and corruption will be specified in either the position description of line managers or performance management plans.
Internal Controls:
  • At the University, internal controls are risk focused, documented, regularly reviewed, effectively communicated, embedded by staff, tested through audit and include:
    • Comprehensive policy and procedure frameworks.
    • Management reviews of organisational processes and structures.
    • Segregation of duties.
    • Approvals within delegated authority.
    • Account and bank reconciliations.
    • Budget monitoring.
    • Performance assessment.
    • Defined procurement practices.
    • Data governance and security.
    • Gifts and benefit register.
    • Conflicts of interest and related party disclosures management.
  • Annually, the CFO and COO complete the External Auditor’s Fraud Risk Assessment survey, which attests to their oversight of risk and fraud and that suitable internal controls have been put in place to reduce the risk.
Risk Assessments:
  • Fraud risk assessments will generally be performed every two years (or sooner if there are significant changes in the University’s operating processes or risk environment).
  • Fraud risk assessments will be conducted in accordance with the Risk Management Policy, Risk Management Procedure and the Risk Assessment Guidelines.
  • For a list of possible examples of Fraud, refer to Appendix 1: Examples of Activities that may Constitute Fraud/Corrupt Conduct.
Awareness Training:
  • The University provides fraud awareness training to assist in raising the general level of awareness of the University's FCCS among relevant staff and external parties, including:
    • Induction training program (subject to the role and requirements).
    • Periodic training provided to staff in roles where there are significant fraud and corruption risks.
    • Internal communications to all staff reminding them of the FCCS as well as the types of behaviours that would constitute fraud and corruption and how they should report any suspicions of fraud and corruption.
    • Informal communications conducted by managers to remind staff of the Fraud and Corruption Control Procedure e.g., at team meetings or following an incident within the sector.
  • Managers are responsible for ensuring their staff receive appropriate fraud and corruption awareness training.
  • Records of attendance at training will be maintained by the University’s staff learning management system (ELMO).
Pre-employment screening:
  • The University undertakes pre-employment screening on all potential staff in accordance with the Recruitment and Merit Selection Procedure. The types of checks undertaken are specific to the position. Pre-employment screening may include the following, subject to position requirements and all legal requirements and with informed and express consent:
    • Eligibility to work in Australia.
    • Qualifications check or equivalency assessment.
    • Fit and Proper Person Requirements Declaration and Statutory Declaration.
    • Disallowed persons check.
    • Police check.
    • Working with Children Check.
    • Professional registration.
    • Licenses, trades and other certificates.
    • Reference checks.
  • At the time of screening, and throughout the period of employment, any inappropriate or improper relationships should be disclosed to People and Culture (via Employee Self Service) as soon as known.
Supplier and Contractor Vetting:
  • Due diligence on potential contractors or business associates is periodically performed as a precursor to entering into a contract of significant value or an important business relationship as appropriate to the risk profile. The scope of the due diligence, including financial, compliance and reputational considerations, will depend on the nature of the matter and the entity involved, with guidance provided by Legal Services. This includes consideration of the entity’s fraud and corruption risks.
  • Review activities may include validating ABNs, director details, bankruptcy search, credit ratings, legal proceedings, trading address, politically exposed persons, etc. Where heightened risks are identified, the University may implement controls or reconsider a relationship.
  • Records of due diligence performed are to be maintained by the University.
Leave Management:
  • Staff are expected to take and report their annual leave in the year it is accumulated, and annual leave balances are to be reviewed on a quarterly basis by managers and supervisors based on information provided by People and Culture.
  • Job rotation may be implemented in high-risk positions for fraud or corruption.
Physical Asset Security:
  • The University has significant tangible assets (including a number of campuses, plant and machinery, other equipment, vehicles and IT infrastructure) that may be subject to theft. To combat theft, the University has conducted a risk assessment of its physical security environment and put in place appropriate measures to protect against their theft.
  • Measures include perimeter security, access controls, passwords, locks, gates, fences, alarms and video surveillance.

3. Detecting Fraud and Corruption

The University has proactive systems in place aimed at detecting fraud and corruption as soon as possible after it has occurred.

Channels for Reporting Suspicions of Fraud or Corruption

All staff have a responsibility to prevent fraud and corruption. Almost half of identified fraudulent activities are reported by staff or external parties. To encourage all staff to report suspected cases of fraud, the University has implemented a formal reporting system through which staff can report suspected fraud and corruption.

If you are aware or suspect fraud or corruption, you have the following reporting options:

  1. Your local management, including manager, director or Vice-Chancellor
  2. People and Culture
  3. Fraud and Corruption Control Officer
  4. Protected Disclosure Coordinator
  5. Independent Broad-based Anti-corruption Commission

Any reports of suspected fraud or corruption that are made to local management or People and Culture (whether to a supervisor, manager, director, Deputy Vice-Chancellor or the Vice-Chancellor) are to be referred to the Fraud and Corruption Control Officer prior to any investigation of such allegations being undertaken. This is irrespective of whether the matter has also been reported to the police for action or not.

The Fraud and Corruption Control Officer is available for individuals to make reports or raise concerns, with the assurance of confidentiality. If these reports raise matters that could form the subject of a public interest disclosure, the Fraud and Corruption Control Officer will invoke the Protected Disclosures Procedure.

Staff wanting to make a public interest disclosure should refer to the Protected Disclosures Procedure (previously the Whistleblower Procedure) and may consult with the Protected Disclosure Coordinator or make their report direct to IBAC.

Ultimately, all formally reported claims will be managed by the independent Fraud and Corruption Control Officer.  Below are the reporting details.

Reports of fraud, corruption or suspected fraud and corruption can be made as follows:

An individual who reports suspected fraud should provide as much information as possible, including details of any person they believe to be involved and the actions or activities they believe to be fraudulent, including how, when and where those actions or activities occurred. However, they should not investigate the matter themselves, as this may compromise a subsequent investigation.

It is noted that the University does not tolerate vexatious and frivolous reports and may initiate disciplinary proceedings where reports of this nature are found.

In addition to the above channels for reporting suspicions, the University leverages the following systems:

Strategy Description
Internal Audit:
  • The Director, Governance and Strategy (Fraud and Corruption Control Officer) is responsible for overseeing the Internal Audit program and working with line management and Internal Audit to identify risks and control weaknesses that could flag suspicious activity.
  • The internal auditors must operate under the requirements of the Institute of Internal Auditors in Australia’s International Standards Practice of Internal Auditing Standards.
External Audit:
  • The External Audit function has a role to play in the detection of fraud given the responsibilities of auditors under Australian Audit Standards ASA240 'The Auditors' Responsibility to Consider Fraud in an Audit of a Financial Report'.
  • The external auditor of the University is the Victorian Auditor-General’s Office (VAGO). The Fraud and Corruption Control Officer and Chief Finance Officer will undertake discussions with VAGO in terms of the audit procedures that will be carried out during the audit that are aimed at detecting material misstatements in the University’s financial statements due to fraud or error.
Analysis of Management Accounting Reports:
  • To identify trends, anomalies and differences against budget, Management prepares monthly management accounting reports. These reports are also a tool to identify unusual transactions and can provide early warning signs.
  • For example, analysis may identify repeated invoice numbers, duplicate payments, or uncover a 'ghost employee' payroll fraud.

4. Responding to Fraud and Corruption Events

All reports of suspected fraud, corruption or improper conduct will be evaluated by the Fraud and Corruption Control Officer to establish whether a basis exists for further investigation.  The following process will be followed:

Fraud and Corruption Incident Register

In accordance with the Standing Direction 3.5 2018 under the Financial Management Act 1994 (Vic), the Fraud and Corruption Control Officer Accountable Officer will ensure all instances of fraud and corruption are recorded on a central register, including details such as:

  1. Date and time the incident was detected.
  2. Names of the parties involved.
  3. Names of witnesses or potential witnesses.
  4. How the incident came to the attention of the individual.
  5. The nature of the incident.
  6. The value of the loss, if any, to the University.
  7. The action taken following discovery of the incident (if any).

Investigation

The Fraud and Corruption Control Officer is responsible for coordinating and overseeing the University’s investigation response and will assess the incident to determine the appropriate manner of investigation. Although every suspected incident will be different, consideration will be given to, among other things:

  1. The nature and complexity of the alleged fraud or corruption incident.
  2. The seniority of the staff member and/or external parties suspected to be involved.
  3. The value of the alleged incident.
  4. The potential damage to the integrity or reputation of the University.
  5. The likely cost of taking action, including the cost of recovering financial losses or property.
  6. The likely benefit of taking action, including the deterrent value.
  7. Whether it is likely that the fraud is systemic or targeted, rather than an isolated or opportunistic incident.
  8. The likelihood that the fraud was committed by an external party with internal assistance (collusion); and
  9. Any possible ongoing risks arising from the fraudulent or corrupt conduct, including any security implications.

Choosing An Investigator

Where the Fraud and Corruption Control Officer determines that an investigation is required, the investigation should be carried out by appropriately skilled, relevantly qualified and experienced personnel who are independent of the business unit in which the alleged fraudulent or corrupt conduct occurred. The Fraud and Corruption Control Officer will appoint the investigator taking into account:

  1. Perceived required qualifications, experience and investigation skills.
  2. Transparency, confidentiality and independence to treat all persons fairly and consistent with the principles of procedural fairness.
  3. Physical, emotional or psychological issues/impacts.

An investigation may be conducted by personnel including Governance and Strategy, Internal Audit, Procurement, ITS, People and Culture and other appropriate and trained staff.

The investigators, whether internal or external, will be overseen by the Fraud and Corruption Control Officer, and will determine the appropriate form of investigation and ensure it is appropriately documented, including an investigation plan and investigation report, which will also be provided to the A&RMC. 

An investigation will potentially involve the following investigative activities:

  1. Interviewing relevant witnesses, both internal and external to the entity, including obtaining statements where appropriate.
  2. Reviewing and collating documentary evidence.
  3. Forensic examination of computer systems/digital evidence.
  4. Examination of telephone records.
  5. Enquiries with banks and other financial institutions (subject to being able to obtain appropriate Court orders).
  6. Enquiries with other third parties.
  7. Data search and seizure.
  8. Search of the office or premises for documentary and physical evidence.
  9. Expert witness and specialist testimony.
  10. Tracing funds/assets/goods.
  11. Preparing briefs of evidence.
  12. Liaison with the police or other law enforcement or regulatory agencies.
  13. Interviewing persons suspected of involvement in fraud and corruption.
  14. Report preparation.

Investigation Outcomes

On reaching a finding that there is evidence of fraud or corruption, the Fraud and Corruption Control Officer will make a recommendation (in consultation with the Vice-Chancellor, Director or Manager and any other stakeholders as appropriate) as to what action should occur.

The following should be considered if the matter:

  1. Is determined unlikely to be a possible criminal offence, and not to materially impact the University or its reputation, refer the matter to a divisional representative to resolve, fix the control weakness and/or proceed with administrative remedies.
  2. Relates to alleged criminal conduct by a department employee, or is a potentially serious or complex fraud offence, report the matter to Victoria Police and manage the University’s involvement in any subsequent criminal investigation.
  3. Meets the mandatory reporting threshold under the Independent Broad-based Anti-Corruption Commission Act 2011, or involves a senior officer of the University, or is significant in terms of value or complexity, refer the report to the Vice-Chancellor and the Chair of the A&RMC immediately, and report the matter to IBAC.
  4. Is ‘significant or systemic’ (an incident, or a pattern or recurrence of incidents, that a reasonable person would consider has a significant impact on the Agency or the State's reputation, financial position or financial management), in accordance with the Standing Direction 3.5 2018 under the Financial Management Act 1994 (Vic), as soon as is practicable, notify the Minister of Tertiary Education, the Department of Education, the A&RMC and the Auditor-General.
  5. Is considered prosecutable based on legal advice, refer the matter to the Legal Office for legal pursuit.

The thresholds for being “significant” to the University are:

  1. $1,000 for incidents involving purchasing and prepaid debit cards.
  2. $5,000 in money.
  3. $50,000 in other property.

When a matter has been referred to the relevant authority or law enforcement bodies, the University will provide assistance as requested throughout the investigation process.

Record Keeping

The investigator will maintain complete, accurate records of all investigations conducted into a fraud or corruption event. Given the private, sensitive or controversial nature of the records, they should be held securely, and access to them should be limited to those who “need to know”, having regard to privacy, confidentiality, legal professional privilege and the requirements of natural justice.

Investigation Privacy

Individuals involved in or who become aware of a theft, fraud, or corrupt conduct investigation, must keep the details and results of the investigation confidential, subject to the needs of the University, and/or the police during their investigation. Staff must not discuss or report any suspected or proven instance of theft, fraud or corrupt conduct to the media, except with the prior written approval of the Vice-Chancellor.

Fraud Incident Reporting

For all reported fraud or corruption incidents, an incident report must be prepared.  The incident report should address:

  1. Investigation findings and recommendations.
  2. Whether any weaknesses in internal controls and systems have been identified and have been or will be rectified. Where recommendations for controls improvement have been made, a Controls Improvement Plan will be developed and presented to the A&RMC, with the improvements implemented as soon as practicable.
  3. The status of any proceedings, investigations or disciplinary actions.
  4. What has been recovered, whether by way of money, stores, other property or insurance.

The Fraud and Corruption Control Officer will have responsibility to determine if an incident report is provided to the Office of the Vice-Chancellor, A&RMC, Council, relevant line manager or complainant. Determination will be based on impact to the University’s brand, seriousness of the actions, losses incurred and nature of the incident.

On an annual basis, the Fraud and Corruption Control Officer will report to the A&RMC on fraud and corruption, with a summary of the key fraud risks from the fraud and corruption risk assessment, a copy of the Fraud Incident Register, as well as a summary of all incident reports of suspected fraud and their status and outcomes and remedial actions taken.

Sanctions & Civil Recovery Action

Following an investigation, the University may pursue disciplinary proceedings with respect to all staff against whom violations of the Fraud and Corruption Control Policy or other relevant University policies have been established.

This may include dismissal in accordance with the University's disciplinary procedures and subject to the relevant enterprise agreements and workplace laws. Line management, People and Culture and Governance and Strategy will consult to determine the appropriate course of action.

Other actions may include possible termination of the relationship with the University or associate entities or civil action for the recovery of losses. Where it is determined that it is in the best interest of the University to undertake legal proceedings, action to recover any money or property lost through fraud will be vigorously pursued.

Employee Support

Confidential and independent counselling and other services are available to all staff of the University through the Employee Assistance Program (EAP). EAP services are private and confidential. Staff can contact the EAP officer.

Insurance

The University will maintain appropriate insurance cover against losses from fraud, including cyber fraud, after considering the required level of cover, inclusions/exclusions and deductibles, and level of risk.  For losses, the Fraud and Corruption Control Officer will determine if recovery can be obtained via the insurance policy.

Responsibility

•  Council (as the Approval Authority) is responsible for monitoring the implementation, outcomes and scheduled review of this procedure.

•  The COO/CFO (as the Policy Sponsor) is responsible for maintaining the content of this procedure as delegated by Council.

Promulgation

This Procedure will be communicated throughout the University community in the form of:

  • An Announcement Notice via FedNews website and on the ‘Recently Approved Documents’ page on the Policy Central Portal to alert the University-wide community of the approved Procedure.
  • Notification to Council.

Implementation

This Procedure will be implemented throughout the University via:

  • An Announcement Notice via FedNews website and on the ‘Recently Approved Documents’ page on the Policy Central Portal to alert the University-wide community of the approved Procedure.
  • Policy/Procedure Training Sessions.
  • Staff Induction Sessions.

Forms/Record Keeping

Title: Records of fraud or corrupt conduct.
Location: Finance Portfolio
Responsible Officer: Fraud and Corruption Control Officer
Minimum Retention Period: Permanent