• Section 1 - Summary
• Section 2 - HESF/ASQA/ESOS Alignment
• Section 3 - Scope
• Section 4 - Definitions
• Section 5 - Policy/Regulation
• Section 6 - Procedures
• Part A - Summary of Roles and Responsibilities
• Part B - Fraud and Corruption Control Framework
• Planning and Resourcing
• Prevention
• Risk Assessment
• Detection
• Response

Section 1 - Summary

(1) This Procedure supports the Fraud and Corruption Control Policy of Victoria University (“the University”) by providing the core structural, operational and maintenance elements that make up the necessary infrastructure to underpin fraud and corruption prevention, detection and response.

Section 2 - HESF/ASQA/ESOS Alignment

(2) HESF: 6 Governance and Accountability: 7.1 Representation; 7.3 Information Management

(3) Standards for RTOs: Standard 6, Standard 7, Standard 8

Section 3 - Scope

(4) This Procedure applies across the University, to all people who are part of the University community, including:

1. Staff;
2. Students;
3. Consultants and contractors;
4. Council members;
5. Honorary, visiting and adjunct fellows;
6. Research associates;
7. Volunteers;
8. For purposes of this Procedure, all of the above categories will be referred to as “staff” below.

(5) Any research and academic misconduct by staff and students will be dealt with under the Research Integrity - Guide to the Management of Potential Breaches of the Australian Code Procedure, Research Integrity Policy and Procedures, and the Student Misconduct Procedure. Special procedures and protections apply to any person making a public interest disclosure under the Public Interest Disclosures Act 2012 (Vic), as detailed in the Public Interest Disclosures Policy.

Section 4 - Definitions

(6) Fraud

(7) Corrupt Conduct or Corruption

(8) Misconduct in Public Office

(9) Improper Conduct

Section 5 - Policy/Regulation

(10) Fraud and Corruption Control Policy

Section 6 - Procedures

Part A - Summary of Roles and Responsibilities

Part B - Fraud and Corruption Control Framework

(11) The Fraud and Corruption Control Procedure comprises a number of strategies under the following best practice elements:

1. Planning and Resourcing;
2. Prevention;
3. Detection; and
4. Response.

Planning and Resourcing

(12) The Fraud and Corruption Control Officer will be responsible for monitoring the operation of the Fraud and Corruption Control Procedure and ensuring it is appropriately communicated. The Fraud and Corruption Control Officer will review the Fraud and Corruption Control Procedure every three years, or more often as required in response to specific incidents of fraud and corruption or changes in risk profile.

(13) Appendix A - Fraud and Corruption Control Plan outlines the actions the University will undertake to prevent, detect and respond to the risk of fraud and corruption.

(14) The Fraud and Corruption Control Officer has responsibility for the University’s Fraud and Corruption Control Procedure and Fraud and Corruption Control Policy. This includes all the prevention, detection and response to fraud and corruption including coordinating the fraud and corruption risk assessment, recording all fraud and corruption reports and overseeing investigations into allegations of fraud and corruption. The Fraud and Corruption Control Officer may delegate responsibility for performing some or all of these tasks but maintains overall responsibility for ensuring that they are performed.

(15) The Fraud and Corruption Control Officer will report on the effectiveness of the Fraud and Corruption Control Procedure to the ARC and to the University Council.

Internal Audit

(16) Internal Audit is an integral aspect of the control of fraud and corruption. Victoria University has focused its Internal Audit function to provide a value added service based on the following elements:

1. Enterprise-wide focus on risk;
2. Risk based Internal Audit plan;
3. Appropriate mix of core compliance and risk based operational reviews; and
4. The integration of the Internal Audit plan with the Risk Management plan.

(17) Internal Audit activity is planned with reference to fraud and corruption risks (i.e. business processes or units likely to be vulnerable to fraud, corruption and other losses). Internal Audit will liaise with the Fraud and Corruption Control Officer on suspected fraud or corruption detected as part of the internal audit program.

Prevention

(18) Prevention strategies are proactive measures designed to prevent fraud and corruption insofar as practicable, and reduce the risk of incidents occurring. These include a robust culture in which fraud and corruption awareness are promoted, as are ethical values of integrity and honesty. This culture is instilled through management commitment from the top down, and reinforced through regular, role-specific training and communication in relation to fraud and corruption issues. Every employee, student and volunteer of the University should be aware of fraud and corruption risks, and know how to respond if they suspect an incident has occurred.

Culture

(19) The University Council, Vice-Chancellor and management are responsible to instil the values of integrity, honesty, and fraud and corruption awareness. Ethical behaviour is modelled in all circumstances.

(20) The desired culture at Victoria University is one where people are aware of fraud and corruption risks, comfortable to ask for guidance, and report reasonable suspicions of misconduct. The culture reinforces that all individuals associated with the University must act in the best interests of the University and embody a positive risk culture, where risk informs all operational activities.

(21) The desired culture is one of transparency and accountability, where sound corporate governance practices are followed, and decisions/approvals/payments are accurately recorded.

(22) The Appropriate Workplace Behaviour Policy sets out the minimum standards for the behaviour and conduct for all staff, establishes the core professional and behavioural expectations and outlines the consequences of engaging in behaviour that is not acceptable. The Appropriate Workplace Behaviour Policy states that where conduct or behaviour falls below the standards outlined, disciplinary action may be commenced under the relevant industrial/employment agreement. Sanctions may also be applied in accordance with appropriate University policy.

(23) The University, through the Fraud and Corruption Control Policy and Procedure and associated relevant policies such as the Appropriate Workplace Behaviour Policy; Financial Code of Conduct Policy; Gifts, Benefits and Hospitality Policy; Research Integrity Policy and Purchasing Policy will ensure the risk of fraud and corruption is minimised, and the University community is aware of their responsibilities.

Management Commitment and Line Manager Accountability

(24) Senior management commitment to fraud and corruption control is an important aspect of Victoria University's fraud and corruption prevention strategies. The University ensures its senior management has an observably-high level of commitment to controlling the risks of fraud and corruption by ensuring they receive appropriate training in fraud and corruption control and by having a high level of risk consciousness in accordance with the Risk Management Policy.

(25) All levels of Victoria University carry the responsibility for the prevention and detection of fraud and corruption, in particular, line managers are accountable for fraud prevention and detection within their area of responsibility. Line managers are made aware of these responsibilities in training in fraud and corruption control.

(26) Good corporate governance within an embedded ethical culture reduces the risk of corrupt and fraudulent behaviour. The University ensures oversight of risk mitigation activities through the ARC; Finance and Investment Committee; Research and Research Training Committee; Academic Board and Council.

Internal Controls

(27) At Victoria University, internal controls are established through the following mechanisms:

1. Comprehensive policy and procedure frameworks.
2. Development of comprehensive business rules.
3. Management reviews of organisational processes and structures.
4. Segregation of duties.
5. Approvals within delegated authority.
6. Account reconciliations.
7. Budget monitoring.
8. Performance assessment.
9. Defined procurement practices.
10. Information security.
11. Gifts and conflicts of interest management.

Risk Assessment

(28) The University will conduct comprehensive fraud and corruption risks assessments on a periodic basis. Risk assessments will be conducted in accordance with the Risk Management Policy, Risk Management Procedure and the Risk Management Framework Guidelines. Risk assessments will be conducted across the University as part of the development and maintenance of the operational risk registers by each College and Division, with support and oversight from the Fraud and Corruption Control Officer who will use the information to inform and update the Fraud and Corruption Control Framework.

(29) Risks assessments will generally be performed every two years (or sooner if there are significant changes in their operating processes or risk environment). Consideration will be given to both internal and external risks, emerging risks and the University’s operating environment. Colleges, school and divisional directors will perform the risk assessments to identify risks within their areas of responsibility, and develop controls to mitigate the risks to an acceptable level, in consultation with the Fraud and Corruption Control Officer.

(30) Each risk is assessed with regards to consequence and likelihood, relative to other operational risks. Treatment plans are monitored for implementation and effectiveness.

(31) Risk assessment will be performed in accordance with the risk management standard ISO 31000:018 and includes:

1. Risk identification.
2. Risk analysis.
3. Risk evaluation.
4. Risk treatment.
5. Recording and reporting.
6. Communication and consultation.
7. Monitoring and reviewing.

Training and Awareness: staff, clients and stakeholders

(32) The University's Fraud and Corruption Control Framework will be communicated to all staff and external parties by:

1. Inclusion in the induction training program.
2. Inclusion in periodic training provided to staff on a risk basis (i.e. staff in roles where are there are significant fraud and corruption risks should attend training more frequently).
3. Internal communications to all staff reminding them of the Fraud and Corruption Control Framework as well as the types of behaviours that would constitute fraud and corruption and how they should report any suspicions of fraud and corruption.
4. Informal communications conducted by managers to remind staff of the Fraud and Corruption Control Procedure e.g. at team meetings or following an incident within the sector.

(33) Records of attendance at training will be maintained by Victoria University.

(34) Managers are responsible to ensure their staff receive appropriate fraud and corruption awareness training and communications and should contact the Fraud and Corruption Control Officer should any deficiencies in the training program be identified.

Due Diligence and Employee Screening

(35) Victoria University undertakes pre-employment screening on all potential staff in accordance with the Recruitment and Selection Procedure. The types of checks undertaken are specific to the position. Pre-employment screening may include the following, subject to all legal requirements and with informed and express consent:

1. Eligibility to work in Australia.
2. Qualifications check or equivalency assessment.
3. Pre-existing injury declaration.
4. Police Check.
5. Working with Children Check.
6. Professional Registration.
7. Licenses, Trades and other Certificates.
8. Fit and Proper Person Check.

(36) The Recruitment and Selection Procedure also notes that it is important that the currency of certain occupational requirements, such as professional registration, is checked on a regular and ongoing basis. Although processes are in place to prompt such regular checks through the People and Culture information system there is a joint responsibility of managers (to ensure their staff have up to date registrations and other checks at all times) and staff themselves to ensure they satisfy such checks at all times during their employment with the University.

(37) Due diligence on potential contractors or partners is performed as a precursor to entering into a contract of significant value or an important business relationship. The scope of the due diligence, including financial, compliance and reputational considerations, will depend on the nature of the matter and the entity involved, with guidance provided by Legal Services. This includes consideration of the entity’s fraud and corruption risk. Due diligence may be performed regularly thereafter, as appropriate to the risk profile. Where heightened risks are identified, Victoria University may implement controls or reconsider a relationship. Records of due diligence performed are to be maintained by Victoria University.

(38) Contract clauses are included as appropriate to require suppliers to attest to compliance and enable Victoria University to exit relationships where incidents in relation to fraud or corruption have occurred. Contracts may include provision where appropriate to enable Victoria University to request information or perform audits on suppliers or customers.

Leave Management

(39) Staff are expected to take their annual leave in the year it is accumulated and that annual leave balances are to be reviewed on a quarterly basis by managers and supervisors based on information provided by People and Culture.

(40) Job rotation may be implemented in high-risk positions for fraud or corruption.

Controlling the Risk of Corruption

(41) The University has specific measures for countering the risk of corruption including:

1. Additional training for staff operating in high risk jurisdictions at risk of corruption.
2. Performing vendor and partner audits of potentially high risk providers.
3. Enhanced probity and contracting procedures.
4. Communication to providers and partners and other third parties of reporting channels for suspicions of corruption.

Detection

(42) The Fraud and Corruption Control Officer is responsible for overseeing the detection program and working with line management and Internal Audit to apply the findings from the fraud and corruption risk assessment process to develop effective fraud and corruption detection systems and procedures.

(43) The external auditor of Victoria University is the Victorian Auditor-General’s Office (VAGO). The Fraud and Corruption Control Officer will undertake discussions with VAGO in terms of the audit procedures that will be carried out during the audit that are aimed at detecting material misstatements in the University’s financial statements due to fraud or error.

Reporting Suspicions of Fraud or Corruption

(44) Victoria University has implemented a formal internal reporting system through which staff can report suspected fraud and corruption.

(45) The reporting system establishes the arrangements for dealing with allegations that are not public interest disclosures. Staff wanting to make a public interest disclosure should refer to the Public Interest Disclosures Policy and may consult with the Public Interest Disclosure Coordinator to make their report direct to IBAC.

(46) The reporting system controls the risk of detrimental action against, or any victimisation of, those making disclosures. It will also ensure that any person named will be treated fairly and not disadvantaged if the results of the internal review show they were not implicated in improper behaviour.

(47) All persons to whom this Procedure applies must report suspected fraud, corruption or improper conduct, as required by the Appropriate Workplace Behaviour Policy.  Any external parties are also encouraged to report reasonable suspicions. If member of the University community has a suspicion of fraud or corruption, they must make a report via:

1. Immediate supervisor; or
2. The Fraud and Corruption Control Officer.

(48) An individual who reports suspected fraud should provide as much information as possible, including details of any person they believe to be involved and the actions or activities they believe to be fraudulent, including how, when and where those actions or activities occurred. However, they should not investigate the matter themselves, as this may compromise a subsequent investigation.

(49) Upon receiving a report of suspected fraud or corruption the recipient will record the time and date the report is made and details of all matters reported, such as:

1. Date and time the incident was detected;
2. Names of the parties involved;
3. Names of witnesses or potential witnesses;
4. How the incident came to the attention of the individual;
5. The nature of the incident;
6. The value of the loss, if any to the University; and
7. The action taken following discovery of the incident (if any).

(50) Reports received by a supervisor should be referred to the Fraud and Corruption Control Officer prior to any investigation of such allegations being undertaken.

(51) The Fraud and Corruption Control Officer is available for individuals to make reports or raise concerns with the assurance of confidentiality. If these reports raise matters that could form the subject of a public interest disclosure, the Fraud and Corruption Control Officer will involve the Public Interest Disclosure Coordinator to advise the staff member that they should make the disclosure to the IBAC.

(52) In accordance with the Standing Direction 3.5 2018 under the Financial Management Act 1994 (Vic), the Fraud and Corruption Control Officer will ensure all instances of fraud and corruption are recorded on a central register, including details of any remedial actions planned and taken.

(53) Subject at all time to the Independent Broad-based Anti-corruption Commission Act 2011 (Vic) and the Public Interest Disclosures Act 2012 (Vic), should the report of suspected fraud or corruption involve a senior officer of the University, or be significant in terms of value or complexity, the Fraud and Corruption Control Officer will refer the report to the Chancellor via the Chair of the ARC immediately. Otherwise the Fraud and Corruption Control Officer will report all suspected or actual fraud and corruption incidents to the ARC on a periodic basis.

(54) The Fraud and Corruption Control Officer will also provide a report to the ARC on an annual basis with a summary of the key fraud risks from the fraud and corruption risk assessment as well as a summary of the reports of suspected fraud and their status and outcomes and remedial actions taken.

(55) The University’s website will inform individuals who are not staff or students of the University how to submit a report of suspected fraud or corruption to the Fraud and Corruption Control Officer.

Response

(56) The University will ensure that all reasonable reports of fraud or corruption are thoroughly investigated, matters are appropriately escalated and externally reported as required and there are procedures for the recovery of losses and remediation.

Investigations

(57) All instances of suspected fraud, corruption or improper conduct will be promptly evaluated to establish whether a basis exists for further investigation. These evaluations will be undertaken by an appropriately qualified and independent party, using the principles of independence, objectivity and procedural fairness.

(58) The Fraud and Corruption Control Officer is responsible for coordinating and overseeing the University’s investigation response.

(59) The Fraud and Corruption Control Officer will assess the incident to determine the appropriate manner of investigation. Although every suspected incident will be different, consideration will be given to, among other things:

1. The nature and complexity of the alleged fraud or corruption incident.
2. The seniority of the staff member and/or external parties suspected to be involved.
3. The value of the alleged incident.
4. The potential damage to the integrity or reputation of the University;
5. The likely cost of taking action, including the cost of recovering financial losses or property;
6. The likely benefit of taking action, including the deterrent value;
7. Whether it is likely that the fraud is systemic or targeted, rather than an isolated or opportunistic incident;
8. The likelihood that the fraud was committed by an external party with internal assistance (collusion); and
9. Any possible ongoing risks arising from the fraudulent or corrupt conduct, including any security implications.

(60) Where the Fraud and Corruption Control Officer determines that an investigation is required, the investigation may be carried out by appropriately qualified and experienced personnel within the University. Depending on the type of fraud or corruption being investigated the investigation may be conducted by personnel including Risk, Audit, Procurement, IT, People and Culture and other appropriate and trained staff. If external investigators are engaged, the University will ensure that they are also appropriately qualified so that all investigations will be undertaken skilfully and confidentiality maintained and all persons are treated fairly and consistent with the principles of procedural fairness applied.

(61) The investigators, whether internal or external, will be overseen by the Fraud and Corruption Control Officer, and will determine the appropriate form of investigation and ensure it is appropriately documented, including an investigation plan and investigation report, which will also be provided to the ARC.

(62) In cases where any doubt exists as to the appropriate course of action, advice is to be sought from the Public Interest Disclosure Coordinator.

Employee Support

(63) Confidential and independent counselling and other services are available to all staff of Victoria University through the Employee Assistance Program (EAP). EAP services are private and confidential. Staff can ring the EAP provider on 1300 EAP AT VU or 1300 327 288.

External Reporting

(64) On reaching a finding that there is evidence of fraud or corruption, the Fraud and Corruption Control Officer will make a recommendation (in consultation with the Head of Legal Services, Chief Human Resources Officer and any other stakeholders as appropriate) as to whether the matter is to be reported to the relevant authority including law enforcement.

(65) In accordance with section 57 of the Independent Broad-based Anti-corruption Commission Act 2011 (Vic) this includes the Office of the Vice-Chancellor notifying IBAC, as soon as practical, of any matter which they suspect on reasonable grounds that corrupt conduct has occurred or is occurring.

(66) In accordance with the Standing Direction 3.5 2018 under the Financial Management Act 1994 (Vic) this also includes notifying, as soon as is practicable, the Minister of Tertiary Education, the Department of Education, the ARC and the Auditor-General of all significant or systemic incidents and the remedial action to be taken. This also includes ensuring that the persons notified are kept informed about the incident, including the outcome of investigations and actions taken to mitigate against future fraud, corruption and other losses.

(67) The Standing Directions 2018 define ‘significant or systemic’ to means an incident, or a pattern or recurrence of incidences, that a reasonable person would consider has a significant impact on the Agency or the State's reputation, financial position or financial management. The thresholds relevant to Victoria University are:

1. $1,000 for incidents involving purchasing and prepaid debit cards.
2. $5,000 in money.
3. $50,000 in other property.

(68) The Fraud and Corruption Control Officer will have responsibility to make such reports through the Office of the Vice-Chancellor.

(69) The Fraud and Corruption Control Officer, on advice from the Head of Legal Services, will also refer instances of potential serious or complex fraud offences to the Police.

(70) When a matter has been referred to the relevant authority or law enforcement bodies, the University will provide assistance as requested in the investigation process.

Sanctions

(71) Following an investigation, the University may pursue disciplinary proceedings with respect to all staff against whom violations of the Fraud and Corruption Control Policy or other relevant University policies have been established. These may include disciplinary action, which may include dismissal, in accordance with the University's disciplinary procedures and subject to the limitations of relevant enterprise agreements and workplace laws. Line Management, People and Culture, Legal and Compliance will consult to determine the appropriate course of action.

(72) Other actions may include possible termination of relationship with the University or associate entities or civil action for the recovery of losses.

(73) All information received by the University in relation to suspected fraudulent or corrupt conduct will be collected, classified and handled appropriately having regard to privacy, confidentiality, legal professional privilege and the requirements of natural justice.

(74) Individuals involved in or who become aware of a theft, fraud, or corrupt conduct investigation must keep the details and results of the investigation confidential, subject to the needs of the University, and/or the police during their investigation.  Staff must not discuss or report any suspected or proven instance of theft, fraud or corrupt conduct to the media, except with the prior written approval of the Vice-Chancellor.

Insurance

(75) The University will maintain appropriate insurance cover against losses from fraud, including cyber fraud.

Review of Internal Controls

(76) Following an incident of fraud and corruption the Fraud and Corruption Control Officer and Line Management will reassess the adequacy of the internal control environment and consider whether improvements are required, reporting their findings to the ARC.