Annex A: University fraud response plan


The purpose of this plan is to define processes, responsibility and authority levels, responsibilities for action, and reporting lines in the event of a suspected fraud or irregularity. The use of the plan should enable the institution to:

  • prevent further loss
  • establish and secure evidence necessary for criminal and disciplinary action
  • notify OfS if the circumstances are covered by the Regulatory advice 16: Reportable events
  • comply with OfS condition of registration, D4 - Having the necessary financial resources to comply with all conditions of its registration
  • recover losses
  • punish the culprits
  • deal with requests for references for employees disciplined or prosecuted for fraud
  • review the reasons for the incident, the measures taken to prevent a recurrence, and any action needed to strengthen future responses to fraud
  • keep all personnel with a need to know suitably informed about the incident and the institution's response
  • inform the police and establish lines of communication with the police if required
  • assign responsibility for investigating the incident
  • establish circumstances in which external specialists should be involved.

These matters are dealt with below.

Initiating action

2. There are a number of ways fraud may be detected or suspicion of fraud reported. Within the University all such instances are required to be reported directly to both the Chief Financial Officer (CFO) or Director of Finance by email, unless either is suspected of involvement, when the Registrar and Chief Operation Officer (R&COO) should be informed. Suspected Fraud Event reporting form.

The CFO/R&COO as appropriate will then form a working group which should comprise:

  • CFO or Director of Finance
  • Chief People Officer (if staff member suspected);
  • Director of Academic and Student Administration (if student suspected);
  • Director of Legal Services
  • Pro-Vice Chancellor and Dean or Director of affected area;
  • The internal audit manager if required

3. The group will decide on the actions to be taken. The group might not actually meet but may be consulted individually to ensure speed of response and the CFO/R&COO’s summation of the group's consensus will be taken to represent the decision of the group.

The action taken may include:

  • To require the internal auditor to carry out an investigation (usually where financial loss to the University has occurred or may have occurred if the fraud had been successful) and where criminal prosecution may be a possibility;
  • To require the Chief People Officer to carry out an investigation where a member of staff may have breached the University's policies and procedures but where this does not lead to direct loss to the University;
  • To require the appropriate Director(s) or PVC Dean(s) to carry out an investigation where a student is suspected
  • Immediate action required to prevent further loss.

Prevention of further loss

4. Where initial investigation, or even the initial detection, provides reasonable grounds for suspecting a member or members of staff of fraud, the working group will decide how to prevent further loss. This may require the suspension of the suspects. It may be necessary to plan the timing of suspension to prevent the suspects from destroying or removing evidence that may be needed to support disciplinary or criminal action.

In these circumstances, the suspect(s) should be:

  • approached unannounced;
  • supervised at all times before leaving the premises;
  • only allowed to collect personal property under supervision, but should not be able to remove any property or records belonging to the University;
  • required to hand over security passes and keys to premises, laptop, university mobile, computer or other equipment in their possession.

The Director of ECS or Deputy Director of ECS should be informed and advised on any action needed to deny the suspect access to the University, while they remain suspended.

The Chief Information Officer should be instructed to withdraw without notice all access to all IT systems.

The internal auditor shall consider whether it is necessary to investigate systems other than that which has given rise to suspicion, through which the suspect may have had opportunities to misappropriate the University’s assets.

Establishing and securing evidence

5. A major objective in any fraud investigation will be the punishment of the perpetrators, to act as a deterrent to other personnel. The University will follow disciplinary procedures against any member of staff who has committed fraud. The University will normally report any cases of fraud to the police and provide full co-operation in the prosecution of the individuals.

6. The internal auditor will:

  • maintain familiarity with the University's disciplinary procedures, to ensure that evidence requirements will be met during any fraud investigation;
  • establish and maintain contact with the police (subject to agreement of the working group);
  • ensure that staff involved in fraud investigations are familiar with and follow rules on the admissibility of documentary and other evidence in criminal proceedings.

Significant fraud

7. The OfS takes a risk based approach to regulation and will examine the context surrounding each case. OfS provides guidance for registered providers on reportable events.

Factors for reporting to OfS

  • Involvement of any member of the governing body, the accountable officer, or any other senior officer
  • The fraud exposes a systemic weakness in the provider’s internal control arrangements that suggest other, as yet unidentified, cases could be taking place
  • The fraud involves public funding
  • The fraud is one of a repeating pattern of even small-scale frauds.

Examples of reporting include:

  • An investigation into a possible low value fraud involving one of the Universities senior officers would be likely to constitute a reportable event, whereas an investigation into a fraud of a similar value involving a junior member of staff, would not.
  • Submitting an additional 10 humanities students in the HESES return would not be likely to constitute a reportable event, but submitting an additional 10 clinical stage medicine students would.

8. In these circumstances the CFO/R&COO will:

  • provide the Vice Chancellor with a draft letter to the OfS setting out the details of the fraud;
  • Inform the Chair of Governors and Chair of Audit Committee;
  • Inform the Audit Committee if the police are not informed, and the reasons for the decision.

Factors for not reporting to OfS

  • The monetary scale of the fraud is below £25,000 or two per cent of the provider’s total income (whichever is smaller).

Recovery of losses

9. Recovering losses is a major objective of any fraud investigation. The CFO/R&COO should ensure that in all fraud investigations the amount of any loss will be quantified. Repayment of losses should be sought in all cases.

10. Where the loss is substantial, legal advice should be obtained without delay concerning the steps needed to secure the suspect's assets through court proceedings.

References for employees disciplined or prosecuted for fraud

11. Any request for a reference for a member of staff who has been disciplined or prosecuted for fraud shall be referred to the Chief People Officer. The Chief People Officer shall prepare any answer to a request for a reference having regard to employment law. 

Reports to governors

12. Any variation from the approved fraud response plan, together with reasons for the variation, shall be reported promptly to the Chair of the Audit Committee.

13. On completion of an investigation, a written report shall be submitted to the Audit Committee containing:

  • a description of the incident, including the value of any loss, the people involved, and the means of perpetrating the fraud;
  • the measures taken to prevent a recurrence;
  • any action needed to strengthen future responses to fraud, with a follow-up report on whether the actions have been taken.

14. This report will normally be prepared by the internal auditor or the CFO.

Reporting lines

15. The CFO/R&COO shall provide on behalf of the working group a confidential report to the Chair of Audit Committee, the Vice-Chancellor, and the external audit partner at least monthly, unless the report recipients request a lesser frequency. The scope of the report shall include:

  • quantification of losses;
  • progress with recovery action;
  • progress with disciplinary action;
  • progress with criminal action;
  • estimate of resources required to conclude the investigation;
  • actions taken to prevent and detect similar incidents.

Review and approval of fraud response plan

16. This plan will be reviewed at least every three years.

17. This policy and procedure was reviewed and approved by the Chief Financial Officer, August 2022.

Next review due: August 2025

Cathy Burleigh
Chief Financial Officer
August 2022