Fraud Prevention and Response - Otago Polytechnic

PURPOSE

This policy seeks to ensure that the assets and reputation of Otago Polytechnic Limited, its Board, and its staff are protected from fraudulent misconduct.

It also seeks to ensure responsibility and awareness amongst staff and the Otago Polytechnic Limited Board (Board) by establishing an environment in which fraud concerns can be identified and readily addressed, and enable compliance with internal control systems that are designed to minimise the opportunity for fraudulent behaviour and provide guidance on how to effectively progress an allegation of fraud.

Whilst it is not possible to eliminate fraud, it is possible to significantly reduce opportunities for fraud through the adoption of multiple aligned strategies and policies that address different aspects of the control environment where potential fraud risk exposure exists.

COMPLIANCE

Protected Disclosures Act 2000 and subsequent amendments - provide protection for the facilitation of disclosure and investigation of serious wrongdoing in or by an organisation and protect the person(s) who reports allegations of serious wrongdoing. Persons who make disclosure under the Act are protected from dismissal or punishment, legal action, or disclosure of their private information.

Refer to Otago Polytechnic Limited policy Protected Disclosure of Serious Wrongdoing (Whistleblowing) Policy for advice on how a Protected Disclosure can be made.

POLICY

Otago Polytechnic Limited’s Deputy Chief Executive: Corporate Services is the appointed Fraud Control Officer and is responsible for overseeing investigations of fraud-related allegations. The Fraud Control Officer is also the central point of contact for reporting alleged fraud.

Fraud is defined as an act of dishonesty to gain an advantage. It includes theft, misuse of assets, and the alteration of financial or other records or any unauthorised act which results directly or indirectly in financial gain to the perpetrator or a third party.

Fraud may involve, but is not limited to, the intentional:

manipulation, falsification, or alteration of data, records, or documents;
suppression or omission of the effects of transactions from records or documents;
recording of transactions without substance;
misapplication of accounting policies;
misrepresentation in a financial report;
misappropriation (theft) of assets;
accepting or offering of bribes or inducements;
disclosing of confidential information to third parties with a view to personal gain or gain for another person;
presenting of false credentials or qualifications;
knowingly submitting false timesheets, leave applications or expense claims;
theft of time e.g., by not entering leave in the leave management system or not working for the agreed length of time
dishonest use of Otago Polytechnic Limited’s computers, vehicles, telephones, credit cards, taxi vouchers, and other property or services;
dishonest use of Otago Polytechnic Limited’s intellectual property;
deception resulting in a loss to Otago Polytechnic Limited from dishonesty, or avoiding or creating a liability for Otago Polytechnic Limited;
falsifying of invoices for goods and services;
use of purchase orders to gain a personal benefit;
unlawful or unauthorised transfer, use, or allocation of Otago Polytechnic Limited property and assets including moneys and/or funds held by or on trust for Otago Polytechnic Limited;
dishonest use of grant or research funds, or scholarships;
improper disposal of assets;
hacking into or interfering with Otago Polytechnic Limited’s computer system.

This policy and associated Fraud Control Plan (refer below) applies to all Otago Polytechnic Limited Board members, staff, contractors, learners, onsite personnel, and people or third parties in a business relationship with Otago Polytechnic Limited.
1. Otago Polytechnic Limited will bring this policy to the attention of all staff at the time of induction via People and Culture and will ensure a copy of the policy is on the Otago Polytechnic Limited website.
Otago Polytechnic Limited is committed to the development and maintenance of best practices, processes, and procedures to prevent and detect fraud, which demonstrates appropriate stewardship of assets.
Otago Polytechnic Limited will not tolerate fraudulent activity, regards it as totally unacceptable, and will apply a principle of ‘zero tolerance.
Otago Polytechnic Limited requires any allegation of theft or fraud to be subject to due process, equity, and fairness.
All disclosures of dishonest or fraudulent practices will be treated seriously and investigated. All reported incidents of alleged fraud will be investigated fully and pursued through every means available. Appropriate restitution will be sought to ensure full recovery wherever possible and practicable. Appropriate disciplinary action will be taken and the appropriate authorities, including the police, advised under authorisation by the Chief Executive.
Otago Polytechnic Limited will have regard for the law and its insurance arrangements noting that its insurance parties will often seek recovery and may have differing criteria for recovery.
Each Formal Leader has the responsibility for ensuring that appropriate controls are in place at all levels to ensure safeguards against fraudulent activity and must take action to implement and maintain these controls.
Staff must be scrupulously fair and honest in their dealings with Otago Polytechnic Limited, learners, suppliers, contractors, other tertiary service providers, and their fellow staff. They must take reasonable steps to safeguard Otago Polytechnic Limited funds and assets against, fraud, waste, loss, unauthorised use, and misappropriation.
Staff who may consider there are grounds for enquiry into fraudulent activity must advise their Formal Leader, or the Deputy Chief Executive: Corporate Services (Fraud Control Officer), immediately.
Otago Polytechnic Limited recognises that alleged or actual instances of theft or fraud can affect the rights and reputation of the person or persons implicated. All matters related to the case shall remain strictly confidential with all written information kept secure. Should any person(s) improperly disclose such confidential information that person(s) will be in breach of this policy and may become the subject of disciplinary action as a consequence.
The Audit and Risk Committee of the Board will be advised of all instances of fraud or alleged fraud on a monthly basis or sooner if appropriate
Key risk areas are as defined in the Otago Polytechnic Limited’s risk matrix and are informed by regular fraud risk assessment every three (3) years.
Otago Polytechnic Limited will have an annual internal audit plan, considered, and approved by the Audit and Risk Committee that is informed by the fraud risk asessment. Internal audits will be performed by a mix of staff and external contractors. Outcomes from the internal audits will be reported to the Audit and Risk Committee.
Fraud risks are to be assessed regularly to ensure internal control procedures are reviewed as any business practice changes. To assist with fraud prevention and detection, Otago Polytechnic Limited:
1. has an electronic hierarchy approvals system
2. uses data mining for irregular and suspicious transactions via contracted audit biennially
3. maintains a centralised contracts database
4. has segregation of duties
5. checks high-level vendor expenditure
6. has vendor creation approval processes
7. undertakes fraud risk assessment
8. maintains fraud awareness training
As a public entity, Otago Polytechnic Limited will be transparent in dealing with external entities, including the police, and will conduct the investigation in a fair, objective manner. Where legally able, Otago Polytechnic Limited will disclose instances of proven fraud on inquiry.
Otago Polytechnic Limited has an employment policy that seeks voluntary disclosure of past offences. Due consideration will be given to any potential employee who discloses past offences. Pre-employment screening is an effective means of preventing particular types of fraud, such as falsifying qualifications or employment history. It can also identify previous criminal convictions for offences of dishonesty. The Deputy Chief Executive: People, Culture and Safety and Formal Leaders or equivalent should consider all appropriate checks to conduct (including police and credit checks) having regard for the proposed appointment and the work area.

REFERENCES

Policies

Resolving Performance Problems Policy
Intellectual Property Policy - Mātauranga Māori
Learner Rights and Responsibilities (as published on the Otago Polytechnic Limited website)

Reference Documents

Guidelines and Fraud Control Plan (below)

Signature

Approved by:

Adam La Hood

Chair, Otago Polytechnic Board

Date: 26th May 2022

Adam La Hood Signature

STANDARD OPERATING PROCEDURE

Procedural Guidelines

In the event of an allegation of theft or fraud the Formal Leader concerned shall advise the Deputy Chief Executive: Corporate Services, (Fraud Control Officer), or Chief Executive immediately. Appendix C within the Fraud Control Plan states the full reporting channels matrix.

2. The Fraud Control Officer (FCO) will:

Decide to either immediately report the matter to the New Zealand Police, Audit New Zealand, or other relevant parties under authorisation from the Chief Executive and/or proceed as outlined below.

Fully document any investigation.
Within twenty-four (24) hours:
1. Record the details of the allegation, the person or persons allegedly involved, and the quantity and/or value or nature of the theft or fraud.
2. Request a written statement from the person(s) who has informed the Formal Leader, with details as to the nature of the theft or fraud, the time, and circumstances in which this occurred, how the person(s) became aware of the matter and the quantity and/or value or nature of the theft.
On the basis of advice received, and after consultation, decide whether or not a prima facie case of theft or fraud exists and, if not, to document this decision and record that no further action is to be taken.
If a case is considered to exist, unless another course of action is more appropriate:
1. Inform the person(s) in writing of the allegation that has been received and request a meeting with them at which their representative or representatives are invited to be
2. Meet with the person(s) who is the subject of the allegation of theft or fraud and their representatives to explain the complaint against them.
3. Obtain a verbal or preferably a written response (all verbal responses must be recorded as minutes of that meeting, and the accuracy of those minutes should be attested by all persons present).
4. Advise the person(s) in writing of the processes to be involved from this point on.,

Maintaining confidentiality is particularly important as the person(s) allegedly involved will not normally be alerted to the process of gathering and assessing evidential information. This is also to protect the rights of the person(s) involved.
All instances of fraud are to be recorded in the Fraud Register held at Financial Services and disclosed to the Audit and Risk Committee.

FRAUD CONTROL PLAN

In relation to policy Fraud Prevention and Response Policy the following plan should be followed.

Statement of Principle

Otago Polytechnic Limited is entrusted by the community and government to protect our facilities, assets, revenues, and expenditure.

Otago Polytechnic Limited have a responsibility to guard against attempts by any person(s) to gain – by deceit – money, assets, information or other inappropriate benefit or advantage. We believe that a Fraud Control Plan is a building block to an ethical and successful organisation.

Fraud prevention and control must be the responsibility of all staff and all levels of management, and not just selected people or departments within Otago Polytechnic Limited.

Staff and Community Awareness and Involvement

It is important that Otago Polytechnic Limited staff, learners, external service providers and the community generally is not only aware of our initiatives to address fraud risk but also are able to play a part in the fraud management process.

This Otago Polytechnic Limited Fraud Control Plan has been written to guide our staff and management in the education, prevention, detection, and response to fraud. In addition, Otago Polytechnic Limited seek to promote a culture of honesty and integrity.

Otago Polytechnic Limited believe that the Fraud Control Plan has a potentially broader readership than staff and management alone and by making this document available publicly Otago Polytechnic Limited aim to demonstrate to the general community our commitment to addressing fraud.

While the Fraud Control Plan encourages staff and management to report fraud, and provides options, Otago Polytechnic Limited also invite members of the public, including learners and external service providers, to do the same.

If you are not employed by Otago Polytechnic Limited, but you suspect fraud that involves Otago Polytechnic Limited in some way, please report your suspicions in accordance with section 3.5 of this document.

1.0 Introduction

1.1. Commitment to Fraud Control

Otago Polytechnic Limited ("the Polytechnic") recognises that it has a responsibility to develop, encourage and implement sound financial, legal, and ethical decision-making and organisational practices. This Fraud Control Plan (Fraud Prevention and Response Policy Fraud Control Plan) represents the Polytechnic's commitment to effective fraud risk management and prevention. The desired outcome of this commitment is to minimise the potential for fraud against the Polytechnic whether by staff, learners, or persons external to the Polytechnic.

To maintain better practice in its fraud risk management practices, the Polytechnic is committed to the following:

Ensuring a consistent approach across all Departments - the plan is to be applied uniformly. All Directors, Heads of College, Formal Leaders, or equivalents are to have an understanding of the Fraud Control Plan content and the responsibilities allocated under the Fraud Control Plan.
Communication of Executive Leadership Team’s strong commitment - to ensure there is regular communication to all staff promoting compliance with the Fraud Control Plan and adherence to the Fraud Prevention and Response Policy.
Accessibility to the Fraud Control Plan - the Fraud Control Plan will be made accessible to all staff and will be available through the Polytechnic's website;
Regular review of the Fraud Control Plan - the Polytechnic is committed to reviewing its Fraud Control Plan every two (2) years to ensure that it remains up-to-date and relevant. Each review will entail:
- consideration of the findings of the most recent Risk Assessments;
- reviewing changes in the Polytechnic's operations and environment since the last review; and
- developing a further two (2) year programme for fraud control that will identify residual shortcomings in existing procedures.

1.2. Application of Fraud Control Plan

This Fraud Control Plan represents the Polytechnic's commitment to the management and prevention of fraud. It aims to draw together its fraud prevention and detection initiatives into one document. It forms part of the Polytechnic's Risk Management Framework and has three major components:

Prevention - initiatives including education for awareness and promoting a culture of honesty and integrity to deter and minimise the opportunities for fraud;
Detection - initiatives to detect fraud as soon as possible after it occurs; and
Response - initiatives to deal with detected or suspected fraud.

For the purpose of this document the term "staff" refers to all Board DIrectors, management, employees, consultants, and contractors. The term "Polytechnic" includes teaching, learning, research, enabling and support activities. The desired outcome of this commitment is the elimination of fraud against the Polytechnic.

1.3. Definition of Fraud

Fraud is defined as an act of dishonesty to gain an advantage. It includes theft, misuse of assets, the alteration or manipulation of financial or other records or any unauthorised act which results directly or indirectly in financial gain to the perpetrator or to a third party.

1.4. Examples of Fraud

Fraud may involve, but is not limited to, the intentional:

manipulation, falsification or alteration of data, records, or documents;
suppression or omission of the effects of transactions from records or documents;
recording of transactions without substance;
manipulation of accounting policies;
misrepresentation in a financial report;
misappropriation (theft) of assets;
accepting or offering of bribes or inducements;
disclosing of confidential information to third parties with a view to personal gain or gain for another person(s);
presenting of false credentials or qualifications;
submitting of false time-sheets, leave applications or expense claims;
theft of time e.g., by not entering leave in the leave management system or not working for the agreed length of time;
dishonest use of the Polytechnic’s computers, vehicles, telephones, credit cards, taxi vouchers and other property or services;
dishonest use of the Polytechnic intellectual property;
deception resulting in a loss to the Polytechnic that is dishonest, or avoiding or creating a liability for the Polytechnic;
falsifying of invoices for goods and services;
use of purchase orders to gain a personal benefit;
unlawful or unauthorised transfer, use or allocation of Polytechnic property and assets including moneys and/or funds held by or on trust for the Polytechnic;
dishonest use of grant or research funds, or scholarships;
improper disposal of assets;
hacking into or interfering with the Polytechnic’s computer system.

1.5. Statement of Attitude to Fraud

Fraud has the potential to damage the reputation of the Polytechnic and have a detrimental effect on the resources available to promote the Polytechnic's objectives. Accordingly, the Polytechnic has adopted a zero tolerance to fraud and will investigate all reported incidents of alleged fraud and appropriate restitution will be sought. The Polytechnic is committed to minimising the incidence of fraud through the development, implementation and regular review of fraud prevention, detection, and response strategies.

Each strategy contributes to an environment where risk is managed, through sound internal controls, and ethical practices.

To achieve its fraud prevention objectives the Polytechnic will:

identify fraud risks and review and update the Fraud Control Plan every two (2) years;
provide fraud awareness training to those staff who are considered to be in positions that require fraud awareness training;
provide fraud awareness training to all new staff as part of the induction process;
ensure all staff are aware of the Polytechnic's Fraud Control Plan;
encourage and promote professional and ethical business practice;
aim to identify fraud through regular review of the Polytechnic's operations;
clearly communicate how suspected instances of fraud may be reported;
through the channels authorised in this Fraud Control Plan, investigate alleged or suspected instances of fraud using qualified personnel and professionals with experience in investigation techniques;
take appropriate action to deal with instances of actual, suspected, or alleged fraud, including by recommending prosecution of person(s) and/or organisation(s) for fraud offences where and when appropriate; and
use all available avenues to recover money or property lost through fraudulent activity.

2.0 Prevention

2.1 Integrity Framework

A fundamental strategy in controlling the risk of fraud is the development and maintenance of a sound ethical culture, underpinned by effective and continuous communication and example-setting by management.

The Polytechnic's attitude to ethical conduct is outlined in its Values which describe the obligation for staff to act with integrity and be guided by:

Caring/Manaakitaka: we value people, communities and the environment.
Courage/Māia: We are fold in shaping a better future.
Accountability/Takohaka: We are responsible and act with integrity.
Emplowerment/Whakamahataka: We inspire and enable others to succeed.

Otago Polytechnic Limited Formal Leaders are expected to create and promote an ethical workplace culture. They can best do this by ensuring that they themselves always act ethically and follow correct procedures. Management and staff need to work together to establish an ethical and effective workplace which can identify and implement fraud prevention and control measures.

2.2 Fraud Control Responsibilities

The Polytechnic’s Deputy Chief Executive: Corporate Services is the appointed Fraud Control Officer and is responsible for overseeing investigations of fraud related allegations. The Fraud Control Officer is also the central point of contact for reporting alleged fraud.

This Fraud Control Plan allocates the following groups with fraud control responsibilities:

Audit and Risk Committee
Fraud Control Officer (currently Deputy Chief Executive: Corporate Services)
Deputy Chief Executive: People, Culture and Safety

All Directors and Formal Leaders
All

The specific responsibilities allocated within the Polytechnic, to the above groups, for fraud-related matters are summarised at Appendix B.

The Polytechnic has the following expectation of its staff with regard to fraud:

Staff are expected to act in a professional and ethical manner, follow legal requirements, care for property, maintain and enhance the reputation of the Polytechnic.
Staff are expected to remain vigilant to any suspected fraudulent behaviour that may be occurring around them and are expected to fully cooperate with any investigations and the implementation of fraud control strategies.
Staff who become aware of suspected fraudulent conduct must report the matter in accordance with this Fraud Control Plan.
Staff must retain strict confidentiality on any Polytechnic fraud incidents of which they have knowledge.
Formal Leaders must uphold and monitor fraud control strategies within their area of responsibility.
Any failure by staff to comply with this Fraud Control Plan may result in disciplinary action against them.

2.3 Fraud Awareness Training

Generally, a significant proportion of fraud goes undetected because of the inability to recognise the early warning signs of fraudulent activity or because person(s) are unsure how and when and to whom they should report their suspicions. Accordingly, the Polytechnic has incorporated fraud awareness training to assist in raising the general level of awareness amongst staff.

An awareness of the risk of fraud and fraud control techniques will be fostered by:

ensuring all staff receive notification of the Fraud Control Plan at the time of induction;
ensuring all new staff receive fraud awareness training at induction;
ensuring all staff that are considered to be in positions requiring training attend fraud awareness training;
ensuring updates and changes to fraud related policies and procedures and other ethical pronouncements are effectively communicated to all staff;
ensuring staff are aware of the ways in which they can report allegations or concerns regarding alleged fraud or alleged unethical conduct; and
encouraging staff to report any suspected incidents of fraud.

2.4 Assessing Fraud Risk

A Fraud Risk Assessment measures the vulnerability of an organisation to fraud and is essential for fraud prevention and control. The purpose of Fraud Risk Assessments conducted at a functional level are to:

define the fraud risk profile;
determine the effectiveness of existing control measures and;
enable judgements to be made on any required fraud counter-measures.

The Fraud Control Officer will be responsible for monitoring the implementation of the Fraud Risk Assessment programmes and reporting progress to the Audit and Risk Committee (“ARC”) and ensure that all timetabled strategies are implemented accordingly.

To maximise the effectiveness of the Fraud Risk Assessment process, the assessment should:

be completed by a prioritised sample (with notations of Low, Moderate and High-risk areas) of the functional areas, such as payables, payroll, reimbursements, credit cards, tendering, purchasing and contract management processes, outsourced functions etc on a rotational basis;
be relevant and comprehensive covering as far as possible, all potential risks;
comply with AS 8001:2008- Fraud and Corruption Prevention;
separately consider inherent risk and internal control risk; and
achieve a prioritisation of fraud risks identified through a risk register.

Where fraud risk ratings are assessed as high for particular controls, strategies need to be put in place to address the risk.

The fraud risk assessment process does not replace existing manuals or procedures but is additional and complementary.

All departments will ensure that the strategies developed during the course of the most recent Fraud Risk Assessment are reviewed for effectiveness and amended where necessary. The frequency of such reviews is to be no less than three (3) yearly with exact timing to be determined by the Fraud Control Officer.

It is the responsibility of the Fraud Control Officer in consultation with the relevant Departmental Formal Leaders to ensure that the proposed actions are implemented.

2.5 Internal Control

Internal controls are often the first line of defence against fraud. The Polytechnic will ensure the maintenance of a strong internal control system (refer to Section 3.8) and the promotion and monitoring of a robust internal control culture. The Polytechnic will continue to review internal controls and ensure all key internal controls and policies (refer to Section 5) are robust, regularly reviewed and are documented in a standardised format every two (2) years.

The Polytechnic will promote an internal control culture through a process of:

example-setting by management;
regular communication of the importance of internal controls; and
including adherence to internal controls as part of the performance management framework;
implementing an approved internal audit plan with Audit and Risk Committee.

2.6 Employment Screening

Otago Polytechnic Limited has an employment policy which seeks voluntary disclosure of past offences. Due consideration will be given to any potential employee who discloses past offences. Pre-employment screening is an effective means of preventing particular types of fraud, such as falsifying qualifications or employment history. It can also identify previous criminal convictions for offences of dishonesty. The Deputy Chief Executive:: People, Culture and Safety, and Formal Leaders or equivalent should consider all appropriate checks to conduct (including police and credit checks) having regard for the proposed appointment and the work area.

2.7 Supplier Vetting

The Polytechnic will take steps to ensure the bona fide of new suppliers and periodically confirm the bona fide of continuing suppliers.

Prior to new supplier details (including bank account details) being loaded into the accounts payable system a suitable combination of the enquiries listed below will be undertaken:

Companies Office search;

Verification of the personal details of Directors;
Telephone listing verification;
Trading address verification; and
Internet

2.8 Segregation of Duties

This is a control plan whereby no person should be given responsibility for more than one related function. The person who approves invoices for payment should not be responsible for arranging the payment. An auditor should note situations where one person's responsibility extends improperly over related areas, i.e., the person maintaining inventory records has physical possession of the merchandise. Segregation of duties assists in detecting errors and deterring improper activities. The smaller the organisation, the more difficult this practice becomes.

3.0 Detection

The Polytechnic recognises that a comprehensive Fraud Control Plan remains one part of fraud control and that additional elements further mitigate or minimise the prevention of fraud. Accordingly, the Polytechnic has adopted a programme aimed at detecting fraud as soon as possible after it has occurred.

The key elements of this plan include:

Management accounting report review;
Data analysis programmes;
Post transaction review;
Identification of early warning signs; and
Internal audit.

Otago Polytechnic Limited’s staffs play an important role in detecting fraud because of their detailed knowledge of work practices and accountabilities. The alertness and participation of staff prevents and detects a significant amount of fraud and is an effective means of preventing particular types of activity.

3.1 Management Accounting Reporting Review

Using relatively straightforward techniques in analysing the Polytechnic's management accounting reports, trends can be examined and investigated which may be indicative of fraudulent conduct. Some examples of the types of management accounting reports that can be utilised on a compare and contrast basis are:

Financial reports detailing monthly performance against prior periods and budget;
Key performance indicator reports and;
Reports comparing expenditure against industry

3.2 Data Analysis

Data analysis is a powerful means of detecting fraud and other improper behaviours. It is a process of uncovering patterns and relationships in datasets that on face value appear unrelated, highlighting activity of fraud and irregular behaviour, or to explain what lies behind previously identified discrepancies. For example, this might include such tests as searching accounts payable data for repeated invoice numbers to identify duplicate payments or analysing payroll data for duplicate bank account numbers to uncover a 'ghost employee' payroll fraud.

The Fraud Control Officer is responsible for an annual review of the possible need for a data analysis programme. A data analysis programme is aimed at strategic use of computer systems in the identification of fraud indicators.

3.3 Post Transaction Review

A review of transactions after they have been processed can be effective in identifying fraudulent activity. Such a review may uncover altered or missing documentation, falsified, or altered authorisation or inadequate documentary support. In addition to the possibility of detecting fraudulent transactions, such a strategy can also have a significant fraud prevention effect as the threat of detection may be enough to deter a person who might otherwise be motivated to engage in fraud.

In light of this, the Polytechnic has implemented a programme of post-transaction reviews with particular emphasis on data mining. This strategy will identify a targeted sample of transactions for review with a particular focus on authorisation, adherence to guidelines on expenditure, receipting, and missing documentation. This process will be conducted with direct reference to the findings of past internal control reviews and fraud risk assessments.

3.4 Identification of Early Warnings Signs

Identification and acting on early warning signs of fraudulent activity is an important part of early fraud detection. The key to achieving an early warning capability is awareness. The fraud awareness training programme, (refer to Section 2.3) will therefore include the identification of early warning signs or "red flags" for suspected fraud and how to respond if they are identified.

All staff and all Formal Leaders in particular, should be aware of their responsibility to remain vigilant to identify and report any suspected fraudulent activity.

Formal Leaders and staff should be alert to the common signs of fraud. Signals for potential fraud include:

illogical excuses and reasons for unusual events or action;
senior staff inappropriately involved in routine processes;
staff evidently living beyond their means, who have access to funds or control or influence over service providers;
excessive staff turnover;
staff who do not take holidays for extended periods;
potential conflicts of interest not declared;
insufficient separation of duties (e.g. both processing and approving the same transaction) residing with one person;

undue secrecy, or excluding people from available information;
evidence of failure to conduct reference checks on staff prior to employment;
unauthorised changes to systems or work practices;
“blind approval,” where the person signing does not sight supporting documentation;
duplicates only of invoices;
theft of time.

3.5 Avenues for Reporting Suspected Incidents

3.5.1 By Staff

Staff who become aware of suspected fraudulent conduct are required to report the matter in accordance with this procedure. Staff are also required to maintain strict confidentiality on any suspected fraud matter of which they have knowledge.

In the first instance, report the matter to their relevant Formal Leader.
If, for any reason, the staff member feels that reporting the incident through this channel would be inappropriate, they may report the matter directly to the Fraud Control Officer. Such reports may be made confidentially, if desired.

Any relevant Formal Leader receiving a report of alleged fraud must advise the Fraud Control Officer immediately (refer to Appendix C).

The contact details for the Fraud Control Officer, Deputy Chief Executive: Corporate Services.

The Polytechnic will ensure all staff are aware of the fraud reporting procedures and actively encourage all staff to report suspected cases of fraud through the appropriate channels.

Attached to Appendix C is a table that displays the appropriate reporting channels that should be adopted in the event of a person(s) wanting to report any alleged fraud.

3.6 By External Parties

Members of the public are to report any suspicions of fraud direct to the Fraud Control Officer.

3.7 Whistle-blower Protection

Staff who report suspected corrupt conduct through the appropriate channels, as set out above, will be protected from detrimental action by the Protected Disclosures Act 2000. This Act provides the framework for the protection of staff who report corrupt conduct.

Information received as a protected disclosure is strictly confidential, and includes the:

identity of the person(s) making the disclosure
nature of the disclosure
identity of the person(s) against whom the disclosure has been made
The Polytechnic’s Protected Disclosure of Serious Wrongdoing (Whistleblowing) Policy

provides guidance on the procedure to be followed in making, receiving, dealing with, and investigating information about serious wrongdoing in or by the Polytechnic.

The Polytechnic strives to meet or exceed best practice standards on whistle-blower protection and will do the following:

Require staff to act in good faith and reasonably in making reports under whistle-blower protection.
Recognise and respect the confidentiality of the identity of a bona fide informant.
Ensure support and protection is provided to an informant against any form of recrimination or reprisal or any threat of detriment.

3.8 Role of the External Auditor in the Detection of Fraud

The Polytechnic recognises that the external audit function has a role to play in the detection of fraud given the responsibilities of auditors under ISA (NZ) 240: The Auditors' Responsibility relating to Fraud in an Audit of Financial Statements.

3.9 Role of Internal Audit in the Detection of Fraud

Although Otago Polytechnic Limited has no dedicated internal audit service, it will have an annual internal audit plan, considered, and approved by the Audit and Risk Committee that is informed by the fraud risk assessment. Internal audit will be performed by a mix of finance staff and external contractors. Outcomes from the internal audit will be reported to the Audit and Risk Committee.

4.0 Response

4.1 Investigation Procedures

All instances of alleged fraud must be reported to the Fraud Control Officer, whether by the person(s) making the allegation or by the Head College/Service Area or relevant Formal Leader receiving the initial complaint. The Fraud Control Officer will then be responsible for overseeing and managing the investigation process, in consultation with other members of an investigation team which shall comprise as a minimum those individuals holding the following positions:

Deputy Chief Executive: Corporate Services
Director: People Culture and Safety and;
Other relevant Executive Leadership Team members e.g., Chief Executive / Deputy Chief Executive.

The team will follow the procedures as outlined in the Fraud Prevention and Response Policy this Fraud Control Plan and other related Polytechnic policies.

4.2 Reviewing Systems and Procedures (Post-Fraud)

In each instance where fraud is detected, the Polytechnic will reassess the adequacy of the internal control environment (particularly those controls relating to the fraud incident and potentially allowing it to occur) and actively plan and implement improvements where required. Where improvements are required, they will be implemented as soon as practicable.

4.3 Recovery of Money or Property Lost Through Fraud

The Polytechnic will actively pursue the recovery of any money or property lost through fraud after considering all relevant issues.

4.4 Communication Protocol

Should fraud against the Polytechnic be detected the following protocols must be applied:

The Fraud Control Officer, Chief Executive and Chairperson will make all decisions on the appropriate communications protocol to be adopted
The Chief Executive or Chairperson or their nominee will be the authorised spokesperson for any matter.

5.0 Relationship with Other Otago Polytechnic Limited Policies

The Polytechnic has a number of policies which should be read in conjunction with this Fraud Control Plan. These policies include:

Appendix A: Otago Polytechnic Limited Fraud Control Plan – Overview Diagram

1. Introduction

Commitment to fraud control
Application of Fraud Control Plan
Definition of fraud
Examples of fraud
Statement of attitude to fraud
Relationship with other Otago Polytechnic Limited policies
2. Prevention
- Integrity framework
- Fraud control responsibilities
- Fraud awareness training
- Assessing fraud risk
- Internal control
- Employment screening
- Supplier vetting
- Segregation of duties
3. Detection
- Management accounting reporting review
- Data analysis
- Post transaction review
- Identification or early warning signs
- Avenues for reporting suspected incidents
- Whistle-blower protection
- Role of the external auditor
- Role of Internal Audit

4. Response

Investigation procedures
Reviewing systems and procedures (post fraud)
Recovery of money or property lost through fraud
Communication protocol

Appendices

A Fraud Control Plan – Overview diagram

B Fraud responsibilities

C Fraud Reporting Channels

D Fraud Register

E Receiving Allegations Form

Appendix B: Otago Polytechnic Fraud Control Responsibilities

Role

Fraud Control Responsibilities

Finance and Audit Committee

· The Finance and Audit Committee (FAC) is responsible for overseeing the process of developing and implementing the Fraud Control Plan. The FAC is required to assure itself, on behalf of the Board the action proposed by the Polytechnic appropriately addresses the fraud risks identified during the fraud risk assessments. In doing so it will consider the nature and timing of a program of internal audits (refer 3.8) to monitor key controls. The FAC will also review the reporting of the progress of reviews to determine whether appropriate fraud prevention and monitoring measures are in place.

Role

Fraud Control Responsibilities

Fraud Control Officer

The Fraud Control Officer has principal responsibility for fraud control within the Polytechnic: This includes:

· Developing an overall fraud control strategy for the Polytechnic, including operational arrangement for dealing with fraud;

· Building a programme of internal audit;

· Overseeing fraud awareness and control training;

· Overseeing the Polytechnic’s fraud risk assessment process every two years;

· Overseeing the follow-up of the fraud risk assessment by ensuring that all timetabled mitigation strategies are implemented in accordance with the Fraud Control Plan;

· Facilitating a review of the Polytechnic’s Fraud Control Plan every two years, or following any significant structural change to the Polytechnic;

· Reporting to the Finance and Audit Committee on fraud control initiatives undertaken by the Polytechnic;

· Ensuring that all fraud related policies and procedures are communicated and available to staff via the Polytechnic Intranet;

· Developing systems to prevent, detect and respond to fraud;

· Acting as a central referral point for allegations of incidents of fraud to be reported, including ensuring that all instances of suspected fraud are appropriately recorded, investigated, and reported to the FAC and satisfactorily resolved;

· Ensuring that the Chief Executive and the Finance and Audit Committee are briefed on allegations of suspected fraud;

· Investigating minor instances of fraud against the Polytechnic in consultation with the Deputy Chief Executive People, Performance and Development and Chief Operating Officer.

Role	Fraud Control Responsibilities
Deputy Chief	· Designing, implementing, and overseeing a fraud detection program incorporating data analysis, management accounting reviews and post
Executive Corporate Services/Chief Operating Officer	transition reviews; · Designing and overseeing Fraud Risk Assessments; · Reviewing the internal control environment after each detected occurrence of fraud; Reviewing annually the need for data analysis programs and consult with the Fraud Control Officer on proposed recommendations and timetables
	for same; · Overseeing appropriate management accounting reporting and post transaction reviews.

Role

Fraud Control Responsibilities

Director: People and Culture

· Ensuring the Fraud Control Plan and Policy are incorporated in the Polytechnic’s induction program;

· Ensuring fraud awareness training is available to all relevant staff.

Role

Fraud Control Responsibilities

Formal Leaders

Formal Leaders must be vigilant to the possibility of fraudulent behaviour and to respond accordingly. Formal Leaders are required to ensure that:

· Internal reviews are undertaken of their business areas on a regular or at least annual basis and that any significant change s in responsibilities and inherent fraud risks are reported to the Fraud Control Officer;

· They inform new staff of the fraud prevention policies and procedures that are to be observed.

Role

Fraud Control Responsibilities

All Staff

All Polytechnic staff shall:

· Promote professional and ethical practice by setting an appropriate example and recognising the contributions of others;

· Not condone, or fail to take appropriate action in relation to, suspected fraudulent or improper conduct within the Polytechnic;

· Assist in the implementation of fraud risk management strategies and participate fully in activities relating to fraud control;

· Remain vigilant and report all instances of suspected fraud immediately to the Departmental Head, Line Manager or Fraud Control Officer where they hold any concern, suspicion, or information of any instance of fraudulent, corrupt, or improper conduct and encourage others to do the same;

· Not knowingly make a false or misleading report;

· Not act in a retaliatory, discriminatory, or otherwise adverse manner in regard to a person, on account of that person making a genuine report or providing assistance in a relevant inquiry; and

· Not hinder or impede an investigation and shall give every courtesy and assistance to any person authorised by management to conduct an investigation.

Appendix C: Otago Polytechnic Limited Fraud Reporting Channels Matrix

If a staff member suspects fraud by:	They should report it to:	The means by which the allegation is investigated:
Another Employee	Their line manager (who must inform the Fraud Control Officer “FCO” immediately) or directly to the FCO	The FCO
The CE	The FCO (the FCO must then notify the Chair of the FAC )	The Chair of the FAC
The FCO	The CE (the CE must then notify the Chair of the FAC)	The CE
Contractor	The FCO	The FCO
Councillors	The CE (the CEO must then notify the Chair of the FAC)	The CE, in conjunction with Chair/Deputy Chair and external parties, as required

If a Councillor suspects fraud by:	They should report it to:	The means by which the allegation is investigated:
Another Councillor	Chair (the Chair must then notify the CE)	The CE, in conjunction with Chair and external parties, as required
Chair	The Deputy Chair (the Deputy Chair must then notify the CE)	The CE, in conjunction with Deputy Chair and external parties, as required
All other parties	Chair (the Board Chair must then notify the CE)	The investigation will be the same as specified in the employee section above and vary according to whom the suspected party is

If a Contractor suspects fraud by:	They should report it to:	The means by which the allegation is investigated:
Staff, Board member, other contractors	The FCO, CE or Chair	Depending on the party, the investigation will be managed as above

Appendix D: Otago Polytechnic Limited Fraud Register (held at Finance)

Date of notification or identification	Nature of the Instance	Estimated or Actual Value	Details of Investigation Undertaken	Outcome of Investigation	Policy or Procedures Amended as a Result

Appendix E: Otago Polytechnic Limited Receiving Fraud or Corruption Allegations Form

please complete this form and return to the Fraud Control Officer, Level 3, Forth Street. All correspondence will be kept confidential. Employees should note that Otago Polytechnic Limited complies with the Protected Disclosures Act 2000.

Part A

Details of suspected fraud, corruption, or serious and substantial waste

Name and details of people involved (Includes people both within and external to the organisation):

...............................................................................................................................…….

Description of suspected fraud, corrupt conduct, or serious and substantial waste:

(Includes: What happened? Where did it happen? When did it happen? How did it happen?)

...............................................................................................................................…………………….

Completed by: .............................................................. Date: ......................................

Part B

Details about evidence:

(Includes what evidence exists? Where is the evidence? Does the caller have any evidence? Who else has any evidence?)

...................................................................................................................................................................

.........................................................................

Details of others who may have information:

...................................................................................................................................................................

...........................................................................................

Details of person making allegation (optional)

(If the person making the allegation would like to be contacted upon resolution of this matter, their contact details must be included in this section.)

Name: .............................................................................................................…...........................................

Position and Location: .......................................................................................…........................................

Address: ........................................................................…............................................................................

Telephone (home): ............................................. (work): .............................................................................

How did the person become aware of the reported conduct or incident?

.................................................................................................................................................................

Date and Time of Call: ...................................................................................…........................

Completed by: .............................................................. Date: .....................................................