Anti-Fraud Policy

Expand All

The University is committed to conducting its activities fairly, honestly and openly, in accordance with relevant legislation, and to the highest standards of integrity.  Further, the University believes that action against fraud is in the broader interests of society. As a charity deriving a significant proportion of its income from public funds, benefactions and charitable organisations, the University is concerned to protect its operations and reputation and its funders, donors, staff and students from the detriment associated with fraud and other corrupt activity.

The University has zero tolerance of fraud committed by staff or associated persons and aims to reduce instances of fraud perpetrated against the University to the absolute practical minimum. The University will take appropriate action to prevent fraud in respect of its activities. Fraud by University employees or student members acting on behalf of the University will be treated as a serious disciplinary offence.

The purpose of this policy is to set out the responsibilities of the University and those acting on its behalf (described under ‘Scope’ below) in observing and upholding its position on preventing fraud. The University will review this policy and supporting procedures regularly (at least every three years).

All staff and associated persons of the University of Oxford who act on behalf of or provide services to the University are expected to act at all times in a manner that is fair, honest, and open. In order to conduct the activities of the University to the highest standards of integrity, in accordance with relevant legislation, and to ensure that there can be no suspicion or appearance of fraud or corruption, they are expected to:

●    not commit any form of fraud;
●    understand their responsibilities under this policy and related policies and comply with these at all times;
●    guard against the commission of fraud by or on behalf of anyone associated with the University;
●    if applicable to their role, undertake their responsibilities with respect to the University’s internal controls in a manner that is diligent and timely;
●    ensure that the University’s Information Security Policy and other relevant guidance is followed at all times, in order to reduce the risk of fraud from unauthorised access to systems and data;
●    have due regard to the steps taken by the University to prevent fraud (section 5); and
●    report any suspicion of fraud or irregularity immediately through the channels set out in this policy (section 7).

For further advice, contact: Senior Counter Fraud Lead and Financial Compliance Manager: counterfraud@admin.ox.ac.uk  

2.1    Definitions

Fraud is a dishonest act or omission that is made with the intent of making a gain or causing a loss (or the risk of a loss). Under the UK’s Fraud Act 2006 there are three specific offences:

i.    fraud by false representation;
ii.    fraud by failing to disclose information;
iii.    fraud by abuse of position.

Corruption is dishonest or fraudulent conduct, typically involving bribery.

Bribery is the offering, promising, giving, requesting, or accepting of a financial or other advantage with the intention to induce or reward improper performance. (See the University’s Anti-Bribery Policy.)

Additional information about these definitions is provided on the University website 

 

2.2    When might fraud occur in a University context?

Examples of fraud in higher education institutions include, but are not limited to:

●    Fraud involving cash or physical assets
●    Fraud involving confidential information
●    Procurement and payment fraud
●    Payroll fraud
●    Fraudulent expense claims
●    Fraudulent financial reporting (i.e. revenue recognition, asset valuation etc)
●    Fraudulent regulatory and non-financial reporting
●    Facilitation of tax evasion
●    Academic fraud including admissions, examinations, awards and research
●    Reference and qualification fraud 
●    Immigration fraud
●    Recruitment, appointment and employment fraud
●    Bribery and corruption fraud
●    Anti-competitive behaviour
●    Accommodation-related fraud, including preference and payment

 

Breach of this policy may amount to a disciplinary offence for staff and students and will be subject to investigation under the University’s disciplinary procedures (See Procedures for reporting and investigating suspected instances of fraud and financial misconduct). In the most severe cases this could result in termination of employment or expulsion from the University. It may also lead to civil recovery proceedings, and/or reference to professional bodies and/or the police or other criminal investigation agency and may result in prosecution.

For other associated persons (see Definition in Section 4, below), breach of this policy may result in other contractual or legal or other sanctions.

Individuals found guilty of an offence under the Fraud Act can face an unlimited fine and/or a prison sentence of up to 10 years.

Individuals who refuse to take part in fraud, or who report concerns under this policy in good faith, will be protected from detrimental treatment or retaliation. Detrimental treatment includes dismissal, disciplinary action, threats or other unfavourable treatment connected with raising a concern. (See also the provisions of the Public Interest Disclosure (Whistleblowing) Code of Practice).

Malicious or vexatious complaints may result in disciplinary action.

4.1.     Scope

This policy applies to all staff and associated persons (anyone acting on behalf of the University), including (but not limited to):

●    employees and workers (whether casual, temporary, fixed-term, permanent or on open-ended contracts), agency workers, seconded workers, volunteers or interns; and
●    associated persons, including (but not limited to):
       ○    agents, contractors, associates, consultants, third-party representatives and business partners, suppliers, donors, sponsors, or any other person associated with the University wherever located;
       ○    external members of Council and University committees, panels or boards if they perform services for or on behalf of the University;
       ○    researchers and academic visitors whether self-funded or employed by other entities (such as other funders, universities or Oxford colleges), and retired members of staff, if they perform services for or on behalf of the University;
       ○    University subsidiary companies and joint venture entities where the University wholly owns or controls the entity unless separate policies have been formally approved and adopted by the Boards of those companies and endorsed by Council’s General Purposes Committee. This covers the joint venture partners and, where applicable, those companies conducting services on behalf of the joint venture;
       ○    Kellogg, St Cross and Reuben Colleges, which are societies of the University of Oxford, but not to other colleges, which have their own policies; and.
       ○    students (i.e. anyone who has a contract for study with the University) when employed by or otherwise acting on behalf of the University, e.g. as members of committees or when representing the University in sports or other competitions. 

This policy has been adopted by the Council and applies throughout the University apart from Oxford University Press, which has its own policy and procedures for the prevention and detection of fraud. This policy applies in full to majority and wholly owned subsidiary companies unless separate policies have been formally approved and adopted by the Boards of those companies and endorsed by Council’s General Purposes Committee.

4.2    Responsibilities

Every member of staff and associated persons who act on behalf of, or provide services to, the University is responsible for ensuring that they comply at all times with the Anti-Fraud Policy. This involves maintaining and monitoring compliance with internal controls and agreed policies and procedures; immediately reporting details of any suspected fraud, whether by an employee or an external organisation, and assisting in the investigation of suspected fraud.

Responsibilities for the effective management of fraud risk within the University are organised along a three lines of defence model, as follows:

4.2.1    First line of defence

The Council is responsible for the administration of the University and for the management of its finances and assets and for setting the University policy to prevent and detect fraud. It is also responsible to the Office for Students for meeting its conditions of registration, which include operating comprehensive corporate risk management and control arrangements. 

The Registrar is responsible for ensuring that the strategic responsibility for fraud is assigned, that the Anti-Fraud Policy is implemented and maintained, and that appropriate explanatory guidance is provided. The Registrar also convenes and chairs the Financial Misconduct Review Group (FMRG; see below).

Relevant Directors are responsible for managing risks of fraud within their respective functional areas (Finance, HR, Research Services, Estates, etc.)

The Chief Finance Officer is responsible for developing, implementing and maintaining adequate systems of financial management and internal control to mitigate/minimize the risk of financial fraud and to detect financial fraud. 

Heads of Division, Heads of Department (including Faculty Board Chairs), and Heads of University Services (UAS and GLAM) are responsible for ensuring that adequate systems of financial management and internal control to mitigate/minimize the risk of fraud and detect fraud are operating in their divisions, departments or sections (as appropriate) and that staff, affected students, and other associated persons are made aware of the Anti-Fraud Policy and associated explanatory guidance. Heads of Department (HoDs) also have specific responsibilities for ensuring their staff comply with the relevant policies and for supporting appropriate reporting and investigations of instances of fraud and near misses. (See Financial Regulations which set out the responsibility to operate systems of internal control).

The Boards of Directors of majority and wholly owned subsidiary companies of the University are responsible for ensuring that the Anti-Fraud Policy, or an alternate policy that is approved by Council’s General Purposes Committee, is implemented and maintained within those companies, and that staff and other associated persons are made aware of the policy and associated explanatory guidance.

 

4.2.2 Second line of defence

The Senior Counter Fraud Lead and Financial Compliance Manager is responsible for developing and delivering strategy to ensure that effective Anti-Fraud arrangements are in place. They are responsible for embedding Anti-Fraud activities, ensuring that arrangements are regularly reviewed, and providing reporting and assurance over them. They also support and/or undertake bribery, fraud and review investigations, in particular those overseen by the FMRG.

The Audit and Scrutiny Committee is responsible for overseeing the adequacy of the University's arrangements to prevent and detect irregularities, fraud and corruption, to include being notified of any action taken under the University's policy.

The Financial Misconduct Review Group (FMRG) oversees the investigations into alleged fraud and bribery.

The Head of Internal Audit is responsible for assisting with/undertaking investigations into suspected cases of bribery and fraud, as directed by the FMRG, and also is responsible for providing reports on serious incidents and fraud to the Audit and Scrutiny Committee. 

Prior to undertaking an internal audit review of the investigations process, the University will assess whether or not there are any perceived and/or actual conflicts of interest, as a result of the Head of Internal Audit’s role in supporting investigations into fraud or financial misconduct. Where potential conflicts are determined, other independent parties will be appointed to undertake and / or oversee this audit.

 

4.2.3 Third line of defence

The Director of Assurance is responsible for coordinating reporting on financial and non-financial fraud to the Audit and Scrutiny Committee.

The University expects Third Parties acting for or providing services to the University not to commit fraud and will take appropriate measures and action should it discover that third parties are engaging in fraud.  Third parties are advised, therefore, to make themselves fully aware of the provisions of this policy and, in particular, the Standards relating to fraud. Where appropriate, the University will include contractual obligations in respect of adherence to this policy in its agreements with third parties.
 

This policy interacts and overlaps with a number of other University policies and procedures:

●   Anti-Bribery Policy - https://compliance.web.ox.ac.uk/anti-bribery-policy;
●    Financial Regulations and supporting Financial Processes - https://finance.admin.ox.ac.uk/financial-processes;
●    Policy on Conflict of Interest - https://researchsupport.admin.ox.ac.uk/governance/integrity/conflict/pol...
●    Gifts and Hospitality Policy - https://compliance.admin.ox.ac.uk/gifts-and-hospitality;
●    Anti-Facilitation of Tax Evasion Policy - https://finance.admin.ox.ac.uk/criminal-finances-act-2017;
●    Information Security Policy and implementation guidance - https://www.infosec.ox.ac.uk/guidance-policy;
●    Code of Practice on Academic Integrity in Research - https://hr.admin.ox.ac.uk/academic-integrity-in-research;
●    Public Interest Disclosure (whistleblowing) Code of Practice - https://hr.admin.ox.ac.uk/public-interest-disclosure-whistle-blowing-cod...
●    Student admissions policies and procedures;
●    Staff recruitment policies and procedures;
●    HR policies, including staff disciplinary procedures; and
●    Student disciplinary procedures.

This policy also takes account of the University’s wider legislative obligations and provisions pertaining to fraud and associated behaviour as set out in but not limited to:

●    The Fraud Act, 2006; 
●    The Bribery Act 2010;
●    The Terrorism Act, 2006; 
●    The Proceeds of Crime Act, 2002;
●    The Criminal Finances Act 2017;
●    Public Interest Disclosure Act 1998;
●    The Computer Misuse Act, 1990;
●    U.S. Foreign Corrupt Practices Act 1977;
●    The Economic Crime (Transparency and Enforcement) Act 2022; and
●    EU Whistleblowing Directive 2021.
 

This policy will be reviewed 12 months after it comes into force and thereafter every 3 years.

This policy may also be reviewed and updated as required to incorporate learning from instances of fraud and near misses and changes to the organisation.
 

Risk assessment

The identification of key, inherent, external and internal, fraud risks is key to the effective design of processes and controls to detect and prevent fraud. 

The assessment will reflect the financial and non-financial impact of potential fraud risks across the University.

The University does not tolerate fraud within the business and aims to promote an environment that is hostile to the exploitation of the University through fraudulent activity.

However, it acknowledges that the risk of fraud will be present as a result of its ongoing activities. This is reflected within the fraud risk assessment where it is acknowledged that a level of residual risk remains after controls are applied.

The risks of fraud will be reviewed on an annual basis, alongside the wider risk assessment undertaken by management within the various divisions, departments and committees. This process will be overseen by the Registrar, with the support of the FMRG and Senior Counter Fraud Lead and Financial Compliance Manager. 

See Appendix 2 of the Procedures for reporting and investigating suspected instances of fraud and financial misconduct for the fraud risk assessment criteria used by the University as part of this assessment.

Fraud prevention and detection

In order to promote an environment that reduces the risk of internal and external fraud, the University will maintain a proportionate control framework that protects the business, while supporting its purpose and goals. 

This control framework includes a combination of preventative and detective controls, communications and training, and planned monitoring and oversight activities to ensure that the processes and controls in place are operating effectively.  

Communication and training

The University will provide all staff with induction on compliance with all policies, including the Anti-Fraud policy. 

Monitoring and oversight

The University monitors the effectiveness of the controls and processes in place to prevent fraud using the “three lines of defence” model as described in paragraph 4.2.

Reporting

The Audit and Scrutiny Committee (A&SC or Committee) will receive regular reports, at least termly, on the following: 

•    Number of High and Low/Medium risk category reports received in the period; 
•    An overview of the investigation status for all ongoing investigations;
•    For High risk reports, further detail may be provided in the report to the ASC, including: 
       - A description of the actions taken to date; 
       - Details of the reports made to the University’s auditors, regulators and / or law enforcement;
•    A summary of the findings and remediation activities taken for completed investigations.  

On at least an annual basis a report on the University’s fraud risks, including the adequacy of the University's arrangements to prevent and detect irregularities, fraud and corruption will be provided. The report will reflect the nature and type of fraud risks reported in the period, to allow an assessment of trends which may require updates to the underlying assessment and control environment, including targeted training and communication. 

The Committee will determine, in coordination with the Counter Fraud Lead, if an interim report is required, including the contents and frequency of such reports. See the ‘Procedures for reporting and investigating suspected instances of fraud and financial misconduct’ for further information on the reporting of investigations.
 

Approved by Council on 11 July 2022

A downloadable PDF version of this policy is also available here:

Contact us


For further information contact the Risk, Compliance and Assurance Team.

Email: compliance@admin.ox.ac.uk