Counter Fraud Policy

The University is committed to conducting its activities fairly, honestly and openly, in accordance with relevant legislation, and to the highest standards of integrity. Further, the University believes that action against fraud is in the broader interests of society. As a charity deriving a significant proportion of its income from public funds, benefactions and charitable organisations, the University is concerned to protect its operations and reputation and its funders, donors, staff and students from the detriment associated with fraud and other corrupt activity.

The University has zero tolerance of fraud committed by staff or associated persons and aims to reduce instances of fraud perpetrated against or to benefit the University to the absolute practical minimum. The University will take appropriate action to prevent fraud in respect of its activities. Fraud by University employees, or student members or other associated persons acting on behalf of the University will be treated as a serious disciplinary offence and may also lead to criminal prosecution.

The purpose of this policy is to set out the responsibilities of the University and those acting on its behalf (described under ‘Scope’ below) in observing and upholding its position on preventing fraud. The University will review this policy and supporting procedures regularly (at least every three years).

All staff and associated persons of the University of Oxford who act on behalf of or provide services to the University are expected to act at all times in a manner that is fair, honest, and open. In order to conduct the activities of the University to the highest standards of integrity, in accordance with relevant legislation, and to ensure that there can be no suspicion or appearance of fraud or corruption, they are expected to:
●    not commit any form of fraud;
●    understand their responsibilities under this policy and related policies and comply with these at all times;
●    guard against the commission of fraud by or on behalf of anyone associated with the University;
●    if applicable to their role, undertake their responsibilities with respect to the University’s internal controls in a manner that is diligent and timely;
●    ensure that the University’s Information Security Policy and other relevant guidance is followed at all times, in order to reduce the risk of fraud from unauthorised access to systems and data;
●    have due regard to the steps taken by the University to prevent fraud (section 5); and
●    report any suspicion of fraud or irregularity immediately through the channels set out in this policy (section 7).

For further advice, contact: the Counter Fraud Team at counterfraud@admin.ox.ac.uk.

2.1. Definitions
Fraud is a dishonest act or omission that is made with the intent of making a gain or causing a loss (or the risk of a loss). Under the UK’s Fraud Act 2006 there are three specific offences: 
i.    fraud by false representation; 
ii.    fraud by failing to disclose information; 
iii.    fraud by abuse of position.

Under the Economic Crime and Corporate Transparency Act 2023, the following offences are also included: 
•    Participation in a fraudulent business (section 9, Fraud Act 2006)
•    Obtaining services dishonestly (section 11 Fraud Act 2006)
•    Cheating the public revenue (common law) 
•    False accounting (section 17 Theft Act 1968)
•    False statements by company directors (section 19 Theft Act 1968)
•    Fraudulent trading (section 993 Companies Act 2006)

Failure to prevent fraud offence - The Economic Crime and Corporate Transparency Act 2023 (ECCTA) includes an offence of failure to prevent fraud by persons associated with a business. The University now faces a potentially unlimited fine where:
• an associate of the University (see section 4) commits a specified fraud offence; and
• the fraud is intended to benefit the University, directly or indirectly, or a person to whom services are provided on behalf of the organisation. 

The failure to prevent fraud offence is a strict liability offence where the organisation will be liable. A statutory defence is available if the University has in place reasonable procedures to prevent fraud.

Individuals involved may also be personally liable and may be prosecuted for their role in any offence.

These examples include both statutory fraud-related offences and the common-law offences.

Corruption is dishonest or fraudulent conduct, typically involving bribery.

Bribery is the offering, promising, giving, requesting, or accepting of a financial or other advantage with the intention to induce or reward improper performance. (See the University’s Anti-Bribery Policy.) 

Additional information about these definitions is provided on the University website.

2.2. When might fraud occur in a University context? 
Examples of fraud in higher education institutions include, but are not limited to:
●    Fraud involving cash or physical assets 
●    Fraud involving confidential information
●    Procurement and payment fraud
●    Payroll fraud
●    Fraudulent expense claims
●    Fraudulent financial reporting (e.g. revenue recognition, asset valuation, etc.)
●    Fraudulent regulatory and non-financial reporting
●    Facilitation of tax evasion
●    Academic fraud including admissions, examinations, awards and research
●    Reference and qualification fraud 
●    Immigration fraud
●    Recruitment, appointment and employment fraud
●    Bribery and corruption fraud
●    Anti-competitive behaviour
●    Accommodation-related fraud, including preference and payment

 

●    Breach of this policy may amount to a disciplinary offence for staff and students and will be subject to investigation under the University’s disciplinary procedures (See Procedures for reporting and investigating suspected instances of fraud and financial misconduct). In the most severe cases this could result in termination of employment or expulsion from the University. It may also lead to civil recovery proceedings, and/or reference to professional bodies and/or the police or other criminal investigation agency and may result in prosecution. 
●    For other associated persons (see Definition in Section 4, below), breach of this policy may result in other contractual or legal or other sanctions.
●    Individuals found guilty of an offence under the Fraud Act can face an unlimited fine and/or a prison sentence of up to 10 years.
●    Individuals who refuse to take part in fraud, or who report concerns under this policy in good faith, will be protected from detrimental treatment or retaliation. Detrimental treatment includes dismissal, disciplinary action, threats or other unfavourable treatment connected with raising a concern. (See also the provisions of the Public Interest Disclosure (Whistleblowing) Code of Practice).
●    Malicious or vexatious complaints may result in disciplinary action.

4.1 Scope
This policy applies to all staff and associated persons (anyone acting on behalf of the University), including (but not limited to):
●    employees and workers (whether casual, temporary, fixed-term, permanent or on open-ended contracts), agency workers, seconded workers, volunteers or interns; and
●    associated persons, including (but not limited to):

          ○ agents, contractors, associates, consultants, third-party representatives and business partners, suppliers, donors, sponsors, or any other person associated with the University wherever located;
          ○ external members of Council and University committees, panels or boards if they perform services for or on behalf of the University;
          ○ researchers and academic visitors  whether self-funded or employed by other entities (such as other funders, universities or Oxford colleges), and retired members of staff, if they perform services for or on behalf of the University;
          ○ University subsidiary companies and joint venture entities where the University wholly owns or controls the entity unless separate policies have been formally approved and adopted by the Boards of those companies and endorsed by Council’s General Purposes Committee. This covers the joint venture partners and, where applicable, those companies conducting services on behalf of the joint venture;
          ○ Kellogg, St Cross and Reuben Colleges, which are societies of the University of Oxford, but not to other colleges, which have their own policies; and
          ○ students (i.e. anyone who has a contract for study with the University) when employed by or otherwise acting on behalf of the University, e.g. as members of committees or when representing the University in sports or other competitions. 

This policy has been adopted by the Council and applies throughout the University apart from Oxford University Press, which has its own policy and procedures for the prevention and detection of fraud. This policy applies in full to majority and wholly owned subsidiary companies unless separate policies have been formally approved and adopted by the Boards of those companies and endorsed by Council’s General Purposes Committee.

The University expects Third Parties acting for or providing services to the University not to commit fraud and will take appropriate measures and action should it discover that third parties are engaging in fraud.  Third parties are advised, therefore, to make themselves fully aware of the provisions of this policy and, in particular, the standards relating to fraud. Where appropriate, the University will include contractual obligations in respect of adherence to this policy in its agreements with third parties.

4.2 Responsibilities
Every member of staff and associated persons who act on behalf of, or provide services to, the University is responsible for ensuring that they comply at all times with the Counter Fraud Policy. This involves maintaining and monitoring compliance with internal controls and agreed policies and procedures; immediately reporting details of any suspected fraud, whether by an employee or an external organisation, and assisting in the investigation of suspected fraud.

Responsibilities for the effective management of fraud risk within the University are organised along a three lines of defence model. The model aims to provide assurance to Council, which is responsible for the administration of the University and for the management of its finances and assets, that risks are being managed. Council is also responsible to the Office for Students for meeting its conditions of registration, which include operating comprehensive corporate risk management and control arrangements. 

The Audit and Scrutiny Committee is responsible for overseeing the adequacy of the University's arrangements to prevent and detect irregularities, fraud and corruption, to include being notified of any action taken under the University's policy.

The components of the three lines of defence model are as follows:
 

4.2.1 First line of defence
Relevant Service Heads are responsible for managing risks of fraud within their respective functional areas (Finance, People, Research Services, Estates, etc.), and for developing, implementing and maintaining adequate control frameworks.

Heads of Division, Heads of Department (including Faculty Board Chairs), and Heads of University Services (UAS and GLAM) are responsible for ensuring that adequate systems of financial management and internal control to mitigate/minimize the risk of fraud and detect fraud are operating in their divisions, departments or sections (as appropriate) and that staff, affected students, and other associated persons are made aware of the Counter Fraud Policy and associated explanatory guidance. Heads of Department (HoDs) also have specific responsibilities for ensuring their staff comply with the relevant policies and for supporting appropriate reporting, investigations of instances of fraud, and near misses. (See Financial Regulations which set out the responsibility to operate systems of internal control).

Relevant directors in majority and wholly owned subsidiary companies of the University are responsible for ensuring that the Counter Fraud Policy, or an alternate policy that is approved by Council’s General Purposes Committee, is implemented and maintained within those companies, and that staff and other associated persons are made aware of the policy and associated explanatory guidance.

4.2.2 Second line of defence
The Counter Fraud team is responsible for developing and delivering a strategy to ensure that effective fraud risk management arrangements are in place. They are responsible for supporting the University to identify and assess key fraud risks and controls, ensuring that arrangements are regularly reviewed, and providing reporting and assurance over them.

4.2.3 Third line of defence
Internal Audit is responsible for providing independent, objective assurance that arrangements for managing fraud risk are well designed and operating effectively.

Prior to undertaking an internal audit review of the investigations process, the University will assess whether or not there are any perceived and/or actual conflicts of interest, as a result of the Head of Internal Audit’s role in supporting investigations into fraud or financial misconduct. Where potential conflicts are determined, other independent parties will be appointed to undertake and / or oversee this audit.

This policy interacts and overlaps with a number of other University policies and procedures: 
•    Anti-Bribery Policy; 
•    Financial Regulations and supporting Financial Processes; 
•    Policy on Conflict of Interest;
•    Gifts and Hospitality Policy; 
•    Anti-Facilitation of Tax Evasion Policy; 
•    Information Security Policy and implementation guidance; 
•    Code of Practice on Academic Integrity in Research; 
•    Public Interest Disclosure (whistleblowing) Code of Practice; 
•    Student admissions policies and procedures; 
•    Staff recruitment policies and procedures; 
•    HR policies, including staff disciplinary procedures; and 
•    Student disciplinary procedures.

This policy also takes account of the University’s wider legislative obligations and provisions pertaining to fraud and associated behaviour as set out in but not limited to:
•    The Fraud Act, 2006;
•    The Bribery Act 2010; 
•    The Terrorism Act, 2006; 
•    The Proceeds of Crime Act, 2002; 
•    The Criminal Finances Act 2017; 
•    Public Interest Disclosure Act 1998; 
•    The Computer Misuse Act, 1990; 
•    U.S. Foreign Corrupt Practices Act 1977; 
•    The Economic Crime (Transparency and Enforcement) Act 2022;
•    Economic Crime and Corporate Transparency Act (ECCTA) 2023; and
•    EU Whistleblowing Directive 2021.

Procedures for reporting and investigating suspected instances of fraud are described in the University’s “Public Interest Disclosure (whistle-blowing) Code of Practice” and “Procedures for reporting and investigating suspected instances of fraud and financial misconduct”.

Where fraud is suspected, responsibilities for managing an investigation include:
The Counter Fraud Team will triage queries and reports received via the Counter Fraud inbox and Suspicious Activity Report. High risk reports will be referred to the Financial Misconduct Review Group (FMRG). Other incidents may be referred for further action under various policies such as staff and student disciplinary or academic misconduct policies.

The Financial Misconduct Review Group (FMRG), convened and chaired by the Registrar, oversees the investigations into high risk alleged fraud and bribery.

The Head of Internal Audit is responsible for assisting with/undertaking investigations into suspected cases of bribery and fraud, as directed by the FMRG.

Investigations commissioned by the FMRG may result in disciplinary action under People, Academic Misconduct or other relevant policies, referral to the Proctors, reporting to funders and/or referral to other bodies including the police as set out in section 3.

This policy will be reviewed at least every 3 years. 

This policy may also be reviewed and updated as required to incorporate learning from instances of fraud and near misses and changes to the organisation.

Risk assessment
The identification of key inherent fraud risks, both external and internal, is essential to the effective design of processes and controls to detect and prevent fraud.

The assessment will reflect the financial and non-financial impact of potential fraud risks across the University.

The University does not tolerate fraud within the business and aims to promote an environment that is hostile to the exploitation of the University through fraudulent activity. However, it acknowledges that the risk of fraud will be present as a result of its ongoing activities. This is reflected within the fraud risk assessment where it is acknowledged that a level of residual risk remains after controls are applied.

The risks of fraud will be reviewed on an annual basis, alongside the wider risk assessment undertaken by management within the various divisions, departments and committees. This process will be overseen by the Director of Finance Operations and Counter Fraud Team.

See Appendix 2 of the Procedures for reporting and investigating suspected instances of fraud and financial misconduct for the fraud risk assessment criteria used by the University as part of this assessment.

Fraud prevention and detection 
In order to promote an environment that reduces the risk of internal and external fraud, the University will maintain a proportionate control framework that protects the business, while supporting its purpose and goals.

This control framework includes a combination of preventative and detective controls, communications and training, and planned monitoring and oversight activities to ensure that the processes and controls in place are operating effectively. 

Communication and training
The University will provide all staff with mandatory induction on compliance with all policies, including the Counter Fraud policy. The Counter Fraud Team uses various methods to communicate the importance of understanding, managing and reporting fraud risks and issues, as well as highlighting legislative changes and emerging concerns through the Finance Community, Finance Bulletins, Process Oversight Groups and broader stakeholder engagement.

Monitoring and oversight
The University monitors the effectiveness of the controls and processes in place to manage fraud risk using the “three lines of defence” model as described in paragraph 4.2.

Management Reporting
The Audit and Scrutiny Committee (A&SC or Committee) will receive regular reports, at least termly, on the following:
•    Number of High and Low/Medium risk category reports received in the period; 
•    An overview of the investigation status for all ongoing investigations; 
•    For High risk reports, further detail may be provided in the report to the A&SC, including: 
          o A description of the actions taken to date; 
          o Details of the reports made to the University’s auditors, regulators and / or law enforcement; 
•    A summary of the findings and remediation activities taken for completed investigations. 

On at least an annual basis, a report on the University’s fraud risks, including the adequacy of the University's arrangements to prevent and detect irregularities, fraud and corruption, will be provided. The report will reflect the nature and type of fraud risks reported in the period, to allow an assessment of trends which may require updates to the underlying assessment and control environment, including targeted training and communication. The Committee will determine, in coordination with the Counter Fraud Team, if an interim report is required, including the contents and frequency of such a report. See the ‘Procedures for reporting and investigating suspected instances of fraud and financial misconduct’ for further information on the reporting of investigations.

Approved by Council on 15 December 2025

A downloadable PDF version of this policy is also available here: Counter Fraud Policy

Contact us


For further information contact the Risk, Compliance and Assurance Team.

Email: compliance@admin.ox.ac.uk