Fraud Prevention and Response Policy, Standard Operating Procedure and Fraud Control Plan

Section
Corporate
To be read in conjunction with

Standard Operating Procedures, Fraud Control Plan and, Appendices A, B, C, D and E.

Approval Date
1 June 2020
Approved By
Executive Leadership Team
Next Review
30 November 2022
Responsibility
Otago Polytechnic Board
Baldrige Criteria
Leadership
PURPOSE

This policy seeks to ensure that the assets and reputation of Otago Polytechnic Limited, its Board, and its staff are protected from fraudulent misconduct.

It also seeks to ensure responsibility and awareness amongst staff and the Board by establishing an environment in which fraud concerns can be identified and readily addressed, and enable compliance with internal control systems that are designed to minimise the opportunity for fraudulent behaviour and provide guidance on how to effectively progress an allegation of fraud.

Whilst it is not possible to eliminate fraud, it is possible to significantly reduce opportunities for fraud through adoption of multiple aligned strategies and policies that address different aspects of the control environment where potential fraud risk exposure exists.

COMPLIANCE

Protected Disclosures Act 2000 and subsequent amendments - provides protection for the facilitation of disclosure and investigation of serious wrongdoing in or by an organisation and protects the individual who reports allegations of serious wrongdoing. Persons who make disclosure under the Act are protected from dismissal or punishment, legal action, or disclosure of their own private information.

 

Refer to the Protected Disclosure and Serious Wrongdoing (Whistleblowers) Policy.

POLICY

Otago Polytechnic Limited’s Deputy Chief Executive: Corporate Services is the appointed Fraud Control Officer and is responsible for overseeing investigations of fraudrelated allegations. The Fraud Control Officer is also the central point of contact for reporting alleged fraud.

 

Fraud is defined as an act of dishonesty to gain an advantage. It includes theft, misuse of assets, and the alteration of financial or other records or any unauthorised act which results directly or indirectly in financial gain to the perpetrator or to a third party.

Fraud may involve, but is not limited to, the intentional:

  • manipulation, falsification, or alteration of data, records, or documents;
  • suppression or omission of the effects of transactions from records or documents;
  • recording of transactions without substance;
  • misapplication of accounting policies;
  • misrepresentation in a financial report;
  • misappropriation (theft) of assets;
  • accepting or offering of bribes or inducements;
  • disclosing of confidential information to third parties with a view to personal gain or gain for another person;
  • presenting of false credentials or qualifications;
  • knowingly submitting false timesheets, leave applications, or expense claims;
  • theft of time e.g., by not entering leave in the leave management system or not working for the agreed length of time
  • dishonest use of the Polytechnic’s computers, vehicles, telephones, credit cards, taxi vouchers, and other property or services;
  • dishonest use of Polytechnic intellectual property;
  • deception resulting in a loss to the Polytechnic from dishonesty, or avoiding or creating a liability for the Polytechnic;
  • falsifying of invoices for goods and services;
  • use of purchase orders to gain a personal benefit;
  • unlawful, or unauthorised transfer, use, or allocation of Polytechnic property and assets including moneys and/or funds held by or on trust for the Polytechnic;
  • dishonest use of grant or research funds, or scholarships;
  • improper disposal of assets;
  • hacking into or interfering with the Polytechnic’s computer system

 

  1. This policy and associated Fraud Control Plan (Fraud Prevention and Response – SOP - Fraud Control Plan) applies to all Otago Polytechnic Limited Board members, staff, contractors, learners, onsite personnel, and people or third parties in a business relationship with Otago Polytechnic Limited.
    1. Otago Polytechnic Limited will bring this policy to the attention of all staff at time of induction via People, Culture and Safety and will ensure a copy of the policy is on the Otago Polytechnic Limited website.
  2. Otago Polytechnic Limited is committed to the development and maintenance of best practices, processes, and procedures to prevent and detect fraud, which demonstrates appropriate stewardship of
  3. Otago Polytechnic Limited will not tolerate fraudulent activity, regards it as totally unacceptable, and will apply a principle of ‘zero
  4. Otago Polytechnic Limited requires any allegation of theft or fraud to be subject to due process, equity, and
  5. All disclosures of dishonest or fraudulent practices will be treated seriously and investigated. All reported incidents of alleged fraud will be investigated fully and pursued through every means available. Appropriate restitution will be sought to ensure full recovery wherever possible and practicable. Appropriate disciplinary action will be taken and the appropriate authorities, including the police, advised under authorisation by the Chief
  6. Otago Polytechnic Limited will have regard for the law and its insurance arrangements noting that its insurance parties will often seek recovery and may have differing criteria for
  7. Each Formal Leader has responsibility for ensuring that appropriate controls are in place at all levels to ensure safeguards against fraudulent activity and must take action to implement and maintain these
  8. Staff must be scrupulously fair and honest in their dealings with their employer, learners, suppliers, contractors, other tertiary service providers and their fellow employees. They must take reasonable steps to safeguard Otago Polytechnic Limited funds and assets against, fraud, waste, loss, unauthorised use, and misappropriation.
  9. Staff who may consider there are grounds for enquiry into fraudulent activity must advise their Formal Leader, or the Deputy Chief Executive: Corporate Services, (Fraud Control Officer), immediately.
  10. Otago Polytechnic Limited recognises that alleged or actual instances of theft or fraud can affect the rights and reputation of the person or persons implicated. All matters related to the case shall remain strictly confidential with all written information kept secure. Should any person improperly disclose such confidential information that person will be in breach of this policy and may become the subject of disciplinary action as a
  11. The Audit and RIsk Committee of the Board will be advised of all instances of fraud or alleged fraud on a monthly basis or sooner if

 

  1. Key risk areas are as defined in the Otago Polytechnic Limited’s risk matrix and are informed by regular fraud risk assessment every three
  2. Otago Polytechnic Limited will have an annual internal audit plan, considered, and approved by the Audit and Risk Committee that is informed by the fraud risk Internal audit will be performed by a mix of staff and external contractors. Outcomes from internal audit will be reported to the Audit and RIsk Committee.
  3. Fraud risks are to be assessed regularly to ensure internal control procedures are reviewed as any business practice changes. To assist with fraud prevention and detection, Otago Polytechnic Limited:
    1. has an electronic hierarchy approvals system
    2. uses data mining for irregular and suspicious transactions via contracted audit biennially
    3. maintains a centralised contracts database
    4. has segregation of duties
    5. checks highlevel vendor expenditure
    6. has vendor creation approval processes
    7. undertakes fraud risk assessment
    8. maintains fraud awareness training
  4. As a public entity, Otago Polytechnic Limited will be transparent in dealing with external entities, including the police, and will conduct the investigation in a fair, objective manner. Where legally able, Otago Polytechnic Limited will disclose instances of proven fraud on
  5. Otago Polytechnic Limited has an employment policy that seeks voluntary disclosure of past offences. Due consideration will be given to any potential employee who discloses past Pre-employment screening is an effective means of preventing particular types of fraud, such as falsifying qualifications or employment history. It can also identify previous criminal convictions for offences of dishonesty. The Deputy Chief Executive: People, Culture and Safety and Formal Leaders or equivalent should consider all appropriate checks to conduct (including police and credit checks) having regard for the proposed appointment and the work area.
REFERENCES

Fraud Prevention and Response – SOP - Procedural guidelines

Fraud Prevention and Response – SOP - Fraud Control Plan

 

Policies

STANDARD OPERATING PROCEDURE

Procedural Guidelines

 

  1. In the event of an allegation of theft or fraud the manager concerned shall advise the Deputy Chief Executive: Corporate Services, Director: Business Services (Fraud Control Officer), or Chief Executive immediately. Appendix C within the Fraud Control Plan states the full reporting channels

 

  1. The Fraud Control Officer will:

         Decide to either immediately report the matter to the New Zealand Police, Audit NZ, or other relevant parties under authorisation from the Chief Executive and/or proceed as outlined below.

  1. Fully document any
  2. Within 24 hours:
    1. Record the details of the allegation, the person or persons allegedly involved, and the quantity and/or value or nature of the theft or
    2. Request a written statement from the person who has informed the manager, with details as to the nature of the theft or fraud, the time, and circumstances in which this occurred, how the individual became aware of the matter and the quantity and/or value or nature of the
  3. On the basis of advice received, and after consultation, decide whether or not a prima facie case of theft or fraud exists and, if not, to document this decision and record that no further action is to be
  4. If a case is considered to exist, unless another course of action is more appropriate:
    1. Inform the person in writing of the allegation that has been received and request a meeting with them at which their representative or representatives are invited to be
    2. Meet with the person who is the subject of the allegation of theft or fraud and their representatives to explain the complaint against
  • Obtain a verbal or preferably a written response (all verbal responses must be recorded as minutes of that meeting, and the accuracy of those minutes should be attested by all persons present).
  1. Advise the person in writing of the processes to be involved from this point on.
  1. Maintaining confidentiality is particularly important as the individual(s) allegedly involved will not normally be alerted to the process of gathering and assessing evidential information. This is also to protect the rights of the individual(s)
  2. All instances of fraud are to be recorded in the Fraud Register held at Business Services and disclosed to the Finance and Audit Committee.

 

 

 

 

FRAUD CONTROL PLAN
(November 2018)

 

In relation to policy Fraud Prevention and Response the following plan should be followed.

 

Statement of Principle

Otago Polytechnic Limited is entrusted by the community and government to protect our facilities, assets, revenues, and expenditure.

We have a responsibility to guard against attempts by any person to gain – by deceit – money, assets, information or other inappropriate benefit or advantage. We believe that a Fraud Control Plan is a building block to an ethical and successful organisation.

Fraud prevention and control must be the responsibility of all staff and all levels of management, and not just selected people or departments within the Polytechnic.

 

 

Staff and Community Awareness and Involvement

It is important that Otago Polytechnic Limited staff, learners, external service providers and the community generally is not only aware of our initiatives to address fraud risk but also are able to play a part in the fraud management process.

This Otago Polytechnic Limited Fraud Control Plan has been written to guide our staff and management in the education, prevention, detection, and response to fraud. In addition, we seek to promote a culture of honesty and integrity.

We believe that the Plan has a potentially broader readership than staff and management alone and by making this document available publicly we aim to demonstrate to the general community our commitment to addressing fraud.

While the Plan encourages staff and management to report fraud, and provides options, we also invite members of the public, including our learners and external service providers, to do the same.

If you are not employed by Otago Polytechnic Limited, but you suspect fraud that involves Otago Polytechnic Limited in some way, please report your suspicions in accordance with section 3.5 of this document.

 

1.0   Introduction

1.1.        Commitment to fraud control

Otago Polytechnic Limited ("the Polytechnic") recognises that it has a responsibility to develop, encourage and implement sound financial, legal, and ethical decision-making and organisational practices. This Fraud Control Plan (CP0010a_Fraud Prevention and Response_SOP001_Fraud Control Plan) represents the Polytechnic's commitment to effective fraud risk management and prevention. The desired outcome of this commitment is to minimise the potential for fraud against the Polytechnic whether by staff, learners, or persons external to the Polytechnic.

 

To maintain better practice in its fraud risk management practices, the Polytechnic is committed to the following:

  • Ensuring a consistent approach across all Departments - the plan is to be applied uniformly. All Directors, Heads of College, Formal Leaders, or equivalents are to have an understanding of the Fraud Control Plan content and the responsibilities allocated under the Plan;
  • Communication of Executive Leadership Team’s strong commitment - to ensure there is regular communication to all staff promoting compliance with the Fraud Control Plan and adherence to the Fraud Prevention Policy;
  • Accessibility to the Fraud Control Plan - the Fraud Control Plan will be made accessible to all staff and will be available through the Polytechnic's website;
  • Regular review of the Fraud Control Plan - the Polytechnic is committed to reviewing its Fraud Control Plan every two years to ensure that it remains up-to-date and relevant. Each review will entail:
    • consideration of the findings of the most recent Risk Assessments;
    • reviewing changes in the Polytechnic's operations and environment since the last review; and
    • developing a further two-year programme for fraud control that will identify residual shortcomings in existing procedures.

 

1.2.        Application of Fraud Control Plan

This Fraud Control Plan represents the Polytechnic's commitment to the management and prevention of fraud. It aims to draw together its fraud prevention and detection initiatives into one document. It forms part of the Polytechnic's Risk Management Framework and has three major components:

  • Prevention - initiatives including education for awareness and promoting a culture of honesty and integrity to deter and minimise the opportunities for fraud;
  • Detection - initiatives to detect fraud as soon as possible after it occurs; and
  • Response - initiatives to deal with detected or suspected

 

For the purpose of this document the term "staff" refers to all board members, management, employees, consultants, and contractors. The term "Polytechnic" includes teaching, learning, research, enabling and support activities. The desired outcome of this commitment is the elimination of fraud against the Polytechnic.

 

1.3.        Definition of fraud

            Fraud is defined as an act of dishonesty to gain an advantage. It includes theft, misuse of assets, the alteration or manipulation of financial or other records or any unauthorised act which results directly or indirectly in financial gain to the perpetrator or to a third party.

 

1.4.        Examples of fraud

Fraud may involve, but is not limited to, the intentional:

  • manipulation, falsification or alteration of data, records, or documents;
  • suppression or omission of the effects of transactions from records or documents;
  • recording of transactions without substance;
  • manipulation of accounting policies;
  • misrepresentation in a financial report;
  • misappropriation (theft) of assets;
  • accepting or offering of bribes or inducements;
  • disclosing of confidential information to third parties with a view to personal gain or gain for another person;
  • presenting of false credentials or qualifications;
  • submitting of false timesheets, leave applications or expense claims;
  • theft of time e.g., by not entering leave in the leave management system or not working for the agreed length of time
  • dishonest use of the Polytechnic’s computers, vehicles, telephones, credit cards, taxi vouchers and other property or services;
  • dishonest use of Polytechnic intellectual property;
  • deception resulting in a loss to the Polytechnic that is dishonest, or avoiding or creating a liability for the Polytechnic;
  • falsifying of invoices for goods and services;
  • use of purchase orders to gain a personal benefit;
  • unlawful or unauthorised transfer, use or allocation of Polytechnic property and assets including moneys and/or funds held by or on trust for the Polytechnic;
  • dishonest use of grant or research funds, or scholarships;
  • improper disposal of assets;
  • hacking into or interfering with the Polytechnic’s computer

 

1.5.        Statement of attitude to fraud

Fraud has the potential to damage the reputation of the Polytechnic and have a detrimental effect on the resources available to promote the Polytechnic's objectives. Accordingly, the Polytechnic has adopted a zero tolerance to fraud and will investigate all reported incidents of alleged fraud and appropriate restitution will be sought. The Polytechnic is committed to minimising the incidence of fraud through the development, implementation and regular review of fraud prevention, detection, and response strategies.

 

Each strategy contributes to an environment where risk is managed, through sound internal controls, and ethical practices.

 

To achieve its fraud prevention objectives the Polytechnic will:

  • identify fraud risks and review and update the Fraud Control Plan every two years;
  • provide fraud awareness training to those staff who are considered to be in positions that require fraud awareness training;
  • provide fraud awareness training to all new staff as part of the induction process;
  • ensure all staff are aware of the Polytechnic's Fraud Control Plan;
  • encourage and promote professional and ethical business practice;
  • aim to identify fraud through regular review of the Polytechnic's operations;
  • clearly communicate how suspected instances of fraud may be reported;
  • through the channels authorised in this plan, investigate alleged or suspected instances of fraud using qualified personnel and professionals with experience in investigation techniques;
  • take appropriate action to deal with instances of actual, suspected, or alleged fraud, including by recommending prosecution of persons and/or organisations for fraud offences where and when appropriate; and
  • use all available avenues to recover money or property lost through fraudulent

 

2.0    Prevention

2.1         Integrity framework

A fundamental strategy in controlling the risk of fraud is the development and maintenance of a sound ethical culture, underpinned by effective and continuous communication and example-setting by management.

 

The Polytechnic's attitude to ethical conduct is outlined in its Values which describe the obligation for staff to act with integrity and be guided by:

  • Caring: we are respectful, generous, welcoming, and inclusive
  • Responsibility: we do the right thing, acting in the best interests of those we serve
  • Partnerships: we work and learn collaboratively, contributing to one another’s success
  • Learning: we are continually learning, developing, and innovating
  • Excellence: we set and achieve high standards, always doing our best
  • Sustainability: we practice sustainably for the best of our communities and the environment

 

Otago Polytechnic Limited managers are expected to create and promote an ethical workplace culture. They can best do this by ensuring that they themselves always act ethically and follow correct procedures. Management and staff need to work together to establish an ethical and effective workplace which can identify and implement fraud prevention and control measures.

 

2.2         Fraud control responsibilities

The Polytechnic’s Director: Business Services is the appointed Fraud Control Officer and is responsible for overseeing investigations of fraud related allegations. The Fraud Control Officer is also the central point of contact for reporting alleged fraud.

This Fraud Control Plan allocates the following groups with fraud control responsibilities:

  • Finance and Audit Committee
  • Fraud Control Officer (currently Director: Business Services)

 

  • Deputy Chief Executive: Corporate Services
  • Deputy Chief Executive: People and Performance
  • All Directors and Formal Leaders
  • All staff

 

The specific responsibilities allocated within the Polytechnic, to the above groups, for fraud-related matters are summarised at Appendix B.

 

The Polytechnic has the following expectation of its staff with regard to fraud:

  • Staff are expected to act in a professional and ethical manner, follow legal requirements, care for property, maintain and enhance the reputation of the
  • Staff are expected to remain vigilant to any suspected fraudulent behaviour that may be occurring around them and are expected to fully cooperate with any investigations and the implementation of fraud control
  • Staff who become aware of suspected fraudulent conduct must report the matter in accordance with this
  • Staff must retain strict confidentiality on any Polytechnic fraud incidents of which they have knowledge.
  • Managers must uphold and monitor fraud control strategies within their area of
  • Any failure by staff to comply with this plan may result in disciplinary action against

 

2.3         Fraud awareness training

Generally, a significant proportion of fraud goes undetected because of the inability to recognise the early warning signs of fraudulent activity or because individuals are unsure how and when and to whom they should report their suspicions. Accordingly, the Polytechnic has incorporated fraud awareness training to assist in raising the general level of awareness amongst staff.

 

An awareness of the risk of fraud and fraud control techniques will be fostered by:

  • ensuring all staff receive notification of the Fraud Control Plan at the time of induction;
  • ensuring all new staff receive fraud awareness training at induction
  • ensuring all staff that are considered to be in positions requiring training attend fraud awareness training;
  • ensuring updates and changes to fraud related policies and procedures and other ethical pronouncements are effectively communicated to all staff;
  • ensuring staff are aware of the ways in which they can report allegations or concerns regarding alleged fraud or alleged unethical conduct; and
  • encouraging staff to report any suspected incidents of

 

2.4         Assessing fraud risk

A Fraud Risk Assessment measures the vulnerability of an organisation to fraud and is essential for fraud prevention and control. The purpose of Fraud Risk Assessments conducted at a Functional level are to:

  • define the fraud risk profile;
  • determine the effectiveness of existing control measures and;
  • enable judgements to be made on any required fraud countermeasures.

The Fraud Control Officer will be responsible for monitoring the implementation of the Fraud Risk Assessment programs and reporting progress to the Finance & Audit Committee (“FAC”) and ensure that all timetabled strategies are implemented accordingly.

To maximise the effectiveness of the Fraud Risk Assessment process, the assessment should:

  • be completed by a prioritised sample (with notations of Low, Moderate and High-risk areas) of the functional areas, such as payables, payroll, reimbursements, credit cards, tendering purchasing and contract management processes, outsourced functions etc on a rotational basis;
  • be relevant and comprehensive covering as far as possible, all potential risks;
  • comply with AS 8001:2008- Fraud and Corruption Prevention;
  • separately consider inherent risk and internal control risk; and
  • achieve a prioritisation of fraud risks identified through a risk

 

Where fraud risk ratings are assessed as high for particular controls, strategies need to be put in place to address the risk.

 

The fraud risk assessment process does not replace existing manuals or procedures but is additional and complementary.

 

All Departments will ensure that the strategies developed during the course of the most recent Fraud Risk Assessment are reviewed for effectiveness and amended where necessary. The frequency of such reviews is to be no less than three yearly with exact timing to be determined by the Fraud Control Officer.

It is the responsibility of the Fraud Control Officer in consultation with the relevant Departmental Managers to ensure that the proposed actions are implemented.

 

2.5         Internal Control

Internal controls are often the first line of defence against fraud. The Polytechnic will ensure the maintenance of a strong internal control system (refer 3.8) and the promotion and monitoring of a robust internal control culture. The Polytechnic will continue to review internal controls and ensure all key internal controls and policies (refer 5) are robust, regularly reviewed and are documented in a standardised format every two years.

The Polytechnic will promote an internal control culture through a process of:

  • example-setting by management;
  • regular communication of the importance of internal controls; and
  • including adherence to internal controls as part of the performance management framework,
  • implementing an approved internal audit plan with FAC

 

2.6         Employment screening

Otago Polytechnic Limited has an employment policy which seeks voluntary disclosure of past offences. Due consideration will be given to any potential employee who discloses past offences. Pre-employment screening is an effective means of preventing particular types of fraud, such as falsifying qualifications or employment history. It can also identify previous criminal convictions for offences of dishonesty. The Director: People and Culture and Formal Leaders or equivalent should consider all appropriate checks to conduct (including police and credit checks) having regard for the proposed appointment and the work area.

 

2.7         Supplier vetting

The Polytechnic will take steps to ensure the bona fides of new suppliers and periodically confirm the bona fides of continuing suppliers.

 

Prior to a new supplier details (including bank account details) being loaded into the accounts payable system a suitable combination of the enquiries listed below will be undertaken:

  • Companies Office search;
  • Verification of the personal details of directors;
  • Telephone listing verification;
  • Trading address verification; and
  • Internet

 

2.8         Segregation of duties

This is a control plan whereby no person should be given responsibility for more than one related function. The person who approves invoices for payment should not be responsible for arranging the payment. An auditor should note situations where one individual's responsibility extends improperly over related areas, i.e., the person maintaining inventory records has physical possession of the merchandise. Segregation of duties assists in detecting errors and deterring improper activities. The smaller the organization, the more difficult this practice becomes.

 

 

3.0     Detection

The Polytechnic recognises that a comprehensive fraud control plan remains one part of fraud control and that additional elements further mitigate or minimise the prevention of fraud. Accordingly the Polytechnic has adopted a program aimed at detecting fraud as soon as possible after it has occurred.

 

The key elements of this plan include:

  • Management accounting report review;
  • Data analysis programmes;
  • Post transaction review;
  • Identification of early warning signs; and
  • Internal audit.

 

Otago Polytechnic Limited’s employees play an important role in detecting fraud because of their detailed knowledge of work practices and accountabilities. The alertness and participation of staff prevents and detects a significant amount of fraud and is an effective means of preventing particular types of activity.

 

3.1         Management accounting reporting review

Using relatively straightforward techniques in analysing the Polytechnic's management accounting reports, trends can be examined and investigated which may be indicative of fraudulent conduct. Some examples of the types of management accounting reports that can be utilised on a compare and contrast basis are:

  • Financial reports detailing monthly performance against prior periods and budget;
  • Key performance indicator reports and;
  • Reports comparing expenditure against industry

 

3.2         Data analysis

Data analysis is a powerful means of detecting fraud and other improper behaviours. It is a process of uncovering patterns and relationships in datasets that on face value appear unrelated, highlighting activity of fraud and irregular behaviour, or to explain what lies behind previously identified discrepancies. For example, this might include such tests as searching accounts payable data for repeated invoice numbers to identify duplicate payments, or analysing payroll data for duplicate bank account numbers to uncover a 'ghost employee' payroll fraud.

 

The Fraud Control Officer is responsible for an annual review of the possible need for a data analysis program. A data analysis program is aimed at strategic use of computer systems in the identification of fraud indicators.

 

3.3         Post transaction review

A review of transactions after they have been processed can be effective in identifying fraudulent activity. Such a review may uncover altered or missing documentation, falsified, or altered authorisation or inadequate documentary support. In addition to the possibility of detecting fraudulent transactions, such a strategy can also have a significant fraud prevention effect as the threat of detection may be enough to deter a person who might otherwise be motivated to engage in fraud.

 

In light of this, the Polytechnic has implemented a programme of post-transaction reviews with particular emphasis on data mining. This strategy will identify a targeted sample of transactions for review with a particular focus on authorisation, adherence to guidelines on expenditure, receipting, and missing documentation. This process will be conducted with direct reference to the findings of past internal control reviews and fraud risk assessments.

 

3.4         Identification of early warnings signs

Identification and acting on early warning signs of fraudulent activity is an important part of early fraud detection. The key to achieving an early warning capability is awareness. The fraud awareness training programme, referred to in Section 2.3 will therefore include the identification of early warning signs or "red flags" for suspected fraud and how to respond if they are identified.

 

All staff and all Formal Leaders in particular, should be aware of their responsibility to remain vigilant to identify and report any suspected fraudulent activity.

Managers and staff should be alert to the common signs of fraud. Signals for potential fraud include:

  • illogical excuses and reasons for unusual events or actions;
  • senior staff inappropriately involved in routine processes;
  • staff evidently living beyond their means, who have access to funds or control or influence over service providers;
  • excessive staff turnover;
  • staff who do not take holidays for extended periods;
  • potential conflicts of interest not declared;
  • insufficient separation of duties (e.g. both processing and approving the same transaction)
  • residing with one person;
  • undue secrecy, or excluding people from available information;
  • evidence of failure to conduct reference checks on staff prior to employment;
  • unauthorised changes to systems or work practices;
  • “blind approval,” where the person signing does not sight supporting documentation;
  • duplicates only of invoices;
  • theft of time.

 

3.5         Avenues for reporting suspected incidents

3.5.1     By staff

Staff who become aware of suspected fraudulent conduct are required to report the matter in accordance with this procedure. Staff are also required to maintain strict confidentiality on any suspected fraud matter of which they have knowledge.

  • In the first instance, report the matter to their relevant line
  • If, for any reason, the staff member feels that reporting the incident through this channel would be inappropriate, he or she may report the matter directly to the Fraud Control Officer. Such reports may be made confidentially, if

 

Any relevant line manager receiving a report of alleged fraud must advise the Fraud Control Officer immediately (subject to Appendix C).

The contact details for the Fraud Control Officer are as follows:

Email: louisa.homersham@op.ac.nz  Phone: 021 941476

 

The Polytechnic will ensure all staff are aware of the fraud reporting procedures and actively encourage all staff to report suspected cases of fraud through the appropriate channels.

Attached at Appendix C is a table that displays the appropriate reporting channels that should be adopted in the event of a person wanting to report any alleged fraud.

 

3.6         By external parties

Members of the public are to report any suspicions of fraud direct to the Fraud Control Officer via the above contact details.

 

3.7         Whistle-blower protection

Staff who report suspected corrupt conduct through the appropriate channels, as set out above, will be protected from detrimental action by the Protected Disclosures Act 2000. This Act provides the framework for the protection of employees who report corrupt conduct.

Information received as a protected disclosure is strictly confidential, and includes the:

  • identity of the person making the disclosure
  • nature of the disclosure
  • identity of the person or persons against whom the disclosure has been

 

The Polytechnic’s policy Protected Disclosure of Serious Wrongdoing (Whistleblowing) provides guidance on the procedure to be followed in making, receiving, dealing with, and investigating information about serious wrongdoing in or by the Polytechnic.

The Polytechnic strives to meet or exceed best practice standards on whistle-blower protection and will do the following:

  • Require staff to act in good faith and reasonably in making reports under whistle-blower protection;
  • Recognise and respect the confidentiality of the identity of a bona fide informant;
  • Ensure support and protection is provided to an informant against any form of recrimination or reprisal or any threat of

 

3.8         Role of the external auditor in the detection of fraud

The Polytechnic recognises that the external audit function has a role to play in the detection of fraud given the responsibilities of auditors under ISA (NZ) 240: The Auditors' Responsibility relating to Fraud in an Audit of Financial Statements.

 

3.9         Role of internal audit in the detection of fraud

Although Otago Polytechnic Limited has no dedicated internal audit service, it will have an annual internal audit plan, considered, and approved by the FAC that is informed by the fraud risk assessment. Internal audit will be performed by a mix of finance staff and external contractors. Outcomes from the internal audit will be reported to the FAC.

 

4.0     Response

4.1         Investigation procedures

All instances of alleged fraud must be reported to the Fraud Control Officer, whether by the person making the allegation or by the Head of Department or relevant line manager receiving the initial complaint. The Fraud Control Officer will then be responsible for overseeing and managing the investigation process, in consultation with other members of an investigation team which shall comprise as a minimum those individuals holding the following positions:

  • Deputy Chief Executive: Corporate Services/Chief Operating Officer
  • Director: People and Culture and;
  • Other relevant senior executive managers e.g. Chief Executive / Deputy Chief Executive.

The team will follow the procedures as outlined in the policy CP0010 Fraud Prevention Policy this Fraud Control Plan and other related Polytechnic policies.

 

4.2         Reviewing systems and procedures (post fraud)

In each instance where fraud is detected, the Polytechnic will reassess the adequacy of the internal control environment (particularly those controls relating to the fraud incident and potentially allowing it to occur) and actively plan and implement improvements where required. Where improvements are required, they will be implemented as soon as practicable.

 

4.3         Recovery of money or property lost through fraud

The Polytechnic will actively pursue the recovery of any money or property lost through fraud after considering all relevant issues.

 

4.4         Communication protocol

Should fraud against the Polytechnic be detected the following protocols must be applied -

  • The Fraud Control Officer, Chief Executive and Chairperson will make all decisions on the appropriate communications protocol to be adopted
  • The Chief Executive or Chairperson or their nominee will be the authorised spokesperson for any

 

5.0      Relationship with other Otago Polytechnic Limited Policies

The Polytechnic has a number of policies which should be read in conjunction with this Fraud Control Plan. These policies include:

  • Fraud Prevention and Response
  • Protected Disclosure of Serious Wrongdoing (Whistleblowing)
  • Conflict of Interest
  • Resolving Employment Problems
  • Authorities and Delegations from the Chief Executive
  • Employment Delegations
  • Specific Financial Authorities and Delegations
  • Otago Polytechnic Limited Credit Cards
  • Travel on Otago Polytechnic Limited Business
  • Sensitive Expenditure
  • Learner Discipline
  • Asset Management (Operational – Acquisition and Disposal)
  • Procurement and Purchasing Policy
Appendix A: Otago Polytechnic Limited Fraud Control Plan – Overview Diagram

1.        Introduction

  • Commitment to fraud control
  • Application of Fraud Control Plan
  • Definition of fraud
  • Examples of fraud
  • Statement of attitude to fraud
  • Relationship with other Otago Polytechnic Limited policies
  • 2.    Prevention
    • Integrity framework
    • Fraud control responsibilities
    • Fraud awareness training
    • Assessing fraud risk
    • Internal control
    • Employment screening
    • Supplier vetting
    • Segregation of duties
  • 3.   Detection
    • Management accounting reporting review
    • Data analysis
    • Post transaction review
    • Identification or early warning signs
    • Avenues for reporting suspected incidents
    • Whistle-blower protection
    • Role of the external auditor
    • Role of Internal Audit

4.     Response

  • Investigation procedures
  • Reviewing systems and procedures (post fraud)
  • Recovery of money or property lost through fraud
  • Communication protocol

Appendices

A       Fraud Control Plan – Overview diagram

B       Fraud responsibilities

C       Fraud Reporting Channels

D       Fraud Register

E        Receiving Allegations Form

 

 

Appendix B: Otago Polytechnic Fraud Control Responsibilities

Role

Fraud Control Responsibilities

Finance and Audit Committee

·     The Finance and Audit Committee (FAC) is responsible for overseeing the process of developing and implementing the Fraud Control Plan. The FAC is required to assure itself, on behalf of the Board the action proposed by the Polytechnic appropriately addresses the fraud risks identified during the fraud risk assessments. In doing so it will consider the nature and timing of a program of internal audits (refer 3.8) to monitor key controls. The FAC will also review the reporting of the progress of reviews to determine whether appropriate fraud prevention and monitoring measures are in place.

 

Role

Fraud Control Responsibilities

Fraud Control Officer

The Fraud Control Officer has principal responsibility for fraud control within the Polytechnic: This includes:

·     Developing an overall fraud control strategy for the Polytechnic, including operational arrangement for dealing with fraud;

·     Building a programme of internal audit;

·     Overseeing fraud awareness and control training;

·     Overseeing the Polytechnic’s fraud risk assessment process every two years;

·     Overseeing the follow-up of the fraud risk assessment by ensuring that all timetabled mitigation strategies are implemented in accordance with the Fraud Control Plan;

·     Facilitating a review of the Polytechnic’s Fraud Control Plan every two years, or following any significant structural change to the Polytechnic;

·     Reporting to the Finance and Audit Committee on fraud control initiatives undertaken by the Polytechnic;

·     Ensuring that all fraud related policies and procedures are communicated and available to staff via the Polytechnic Intranet;

·     Developing systems to prevent, detect and respond to fraud;

·     Acting as a central referral point for allegations of incidents of fraud to be reported, including ensuring that all instances of suspected fraud are appropriately recorded, investigated, and reported to the FAC and satisfactorily resolved;

·     Ensuring that the Chief Executive and the Finance and Audit Committee are briefed on allegations of suspected fraud;

·     Investigating minor instances of fraud against the Polytechnic in consultation with the Deputy Chief Executive People, Performance and Development  and Chief Operating Officer.

 

Role

Fraud Control Responsibilities

Deputy Chief

·     Designing, implementing, and overseeing a fraud detection program incorporating data analysis, management accounting reviews and post

Executive Corporate Services/Chief Operating Officer

transition reviews;

·     Designing and overseeing Fraud Risk Assessments;

·     Reviewing the internal control environment after each detected occurrence of fraud;

Reviewing annually the need for data analysis programs and consult with the Fraud Control Officer on proposed recommendations and timetables

 

for same;

·     Overseeing appropriate management accounting reporting and post transaction reviews.

  

Role

Fraud Control Responsibilities

Director: People and Culture

·     Ensuring the Fraud Control Plan and Policy are incorporated in the Polytechnic’s induction program;

·     Ensuring fraud awareness training is available to all relevant staff.

 

Role

Fraud Control Responsibilities

Formal Leaders

Formal Leaders must be vigilant to the possibility of fraudulent behaviour and to respond accordingly. Formal Leaders are required to ensure that:

·     Internal reviews are undertaken of their business areas on a regular or at least annual basis and that any significant change s in responsibilities and inherent fraud risks are reported to the Fraud Control Officer;

·     They inform new staff of the fraud prevention policies and procedures that are to be observed.

 

Role

Fraud Control Responsibilities

All Staff

All Polytechnic staff shall:

·     Promote professional and ethical practice by setting an appropriate example and recognising the contributions of others;

·     Not condone, or fail to take appropriate action in relation to, suspected fraudulent or improper conduct within the Polytechnic;

·     Assist in the implementation of fraud risk management strategies and participate fully in activities relating to fraud control;

·     Remain vigilant and report all instances of suspected fraud immediately to the Departmental Head, Line Manager or Fraud Control Officer where they hold any concern, suspicion, or information of any instance of fraudulent, corrupt, or improper conduct and encourage others to do the same;

·     Not knowingly make a false or misleading report;

·     Not act in a retaliatory, discriminatory, or otherwise adverse manner in regard to a person, on account of that person making a genuine report or providing assistance in a relevant inquiry; and

·     Not hinder or impede an investigation and shall give every courtesy and assistance to any person authorised by management to conduct an investigation.

 

 

 

Appendix C: Otago Polytechnic Limited Fraud Reporting Channels Matrix

If a staff member suspects fraud by:

They should report it to:

The means by which the allegation is investigated:

Another Employee

Their line manager (who must inform the Fraud Control Officer “FCO” immediately) or directly to the FCO

The FCO

The CE

The FCO (the FCO must then notify the Chair of the FAC )

The Chair of the FAC

The FCO

The CE (the CE must then notify the Chair of the FAC)

The CE

Contractor

The FCO

The FCO

Councillors

The CE (the CEO must then notify the Chair of the FAC)

The CE, in conjunction with Chair/Deputy Chair and external parties, as required

 

If a Councillor suspects fraud by:

They should report it to:

The means by which the allegation is investigated:

Another Councillor

Chair (the Chair must then notify the CE)

The CE, in conjunction with Chair and external parties, as required

Chair

The Deputy Chair (the Deputy Chair must then notify the CE)

The CE, in conjunction with Deputy Chair and external parties, as required

All other parties

Chair (the Board Chair must then notify the CE)

The investigation will be the same as specified in the employee section above and vary according to whom the suspected party is

 

If a Contractor suspects fraud by:

They should report it to:

The means by which the allegation is investigated:

Staff, Board member, other contractors

The FCO, CE or Chair

Depending on the party, the investigation will be managed as above

 

 

 

 

 

Appendix D: Otago Polytechnic Limited Fraud Register (held at Finance)

 

Date of notification or identification

 

Nature of the Instance

Estimated or Actual Value

Details of Investigation Undertaken

Outcome of Investigation

Policy or Procedures Amended as a

Result

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Appendix E: Otago Polytechnic Limited Receiving Fraud or Corruption Allegations Form

please complete this form and return to the Fraud Control Officer, Level 3, Forth Street. All correspondence will be kept confidential. Employees should note that Otago Polytechnic Limited complies with the Protected Disclosures Act 2000.

 

Part A

 

Details of suspected fraud, corruption, or serious and substantial waste

Name and details of people involved (Includes people both within and external to the organisation):

 

 

...............................................................................................................................…….

...............................................................................................................................…….

...............................................................................................................................…….

...............................................................................................................................…….

...............................................................................................................................…….

...............................................................................................................................…….

  

Description of suspected fraud, corrupt conduct, or serious and substantial waste:

(Includes: What happened? Where did it happen? When did it happen? How did it happen?)

 

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

...............................................................................................................................…………………….

 

 

Completed by: .............................................................. Date: ......................................

 

Part B

 Details about evidence:

(Includes what evidence exists? Where is the evidence? Does the caller have any evidence? Who else has any evidence?)

...................................................................................................................................................................

...................................................................................................................................................................

...................................................................................................................................................................

...................................................................................................................................................................

...................................................................................................................................................................

...................................................................................................................................................................

...................................................................................................................................................................

...................................................................................................................................................................

...................................................................................................................................................................

.........................................................................

 
Details of others who may have information:

...................................................................................................................................................................

...................................................................................................................................................................

...................................................................................................................................................................

...................................................................................................................................................................

...................................................................................................................................................................

...................................................................................................................................................................

...................................................................................................................................................................

...........................................................................................

 

Details of person making allegation (optional)

(If the person making the allegation would like to be contacted upon resolution of this matter, their contact details must be included in this section.)

 

Name:        .............................................................................................................…...........................................

Position and Location: .......................................................................................…........................................

Address:        ........................................................................…............................................................................

Telephone (home): ............................................. (work): .............................................................................

 

How did the person become aware of the reported conduct or incident?

.................................................................................................................................................................

.................................................................................................................................................................

.................................................................................................................................................................

 

Date and Time of Call: ...................................................................................…........................

 

 

Completed by: .............................................................. Date: .....................................................