2.1 All reports will be treated as a disclosure under the University’s Public Interest Disclosure (Whistleblowing) Code of Practice and will be brought to the attention of the Registrar and / or Proctor.
Subjecting people who have reported reasonably held concerns or suspicions to any detriment will be regarded as a disciplinary issue. Malicious or vexatious complaints may also result in disciplinary action.
2.2 Triage and immediate incident response
On receipt, all reports will be processed through the University’s triage process.
Depending on the topic, either the Head of Risk, Compliance and Assurance or the Senior Counter Fraud Lead and Financial Compliance Manager will be the first to review all reports received via email@example.com or firstname.lastname@example.org email accounts or from other relevant parties (detailed in Section 1).
They will consult with a limited group of stakeholders as needed in order to:
• assess the potential scale and impact of the report;
• identify and manage any relevant stakeholders;
• identify the necessary regulatory and law enforcement reporting requirements to be considered;
• where appropriate take initial steps to secure and review relevant evidence related to the report, which may include email communications and other documentation; and
• where appropriate, take steps to prevent further risk to or loss of financial or other assets.
The stakeholders consulted will vary case-by-case but would typically include one or more of Legal Services, relevant HAFs/HODs, the Proctors, Director of Purchasing, Deputy Chief Information Officer, Head of Financial Processes, Systems and Assurance, Head of HR Policy, Director of Technical Accounting and Reporting or Internal Audit.
For allegations of staff misconduct HR will be consulted (see “staff involvement and suspension” below). For allegations of student misconduct, or where students are involved, the Proctors will be consulted and, in line with policy, may then take over the review (see “student involvement” below).
An initial assessment will be performed to categorise the report as either low/medium risk cases or high risk cases.
The criteria used for this initial assessment is consistent with those used by the University for its fraud risk assessment, as detailed in Appendix 2 “Risk Assessment Criteria”.
Low/medium risk cases
1. Mobilisation and planning
Further investigation into reports classified as low/medium risk will be managed by the Head of Risk, Compliance and Assurance/Senior Counter Fraud Lead and Financial Compliance Manager, together with the relevant key stakeholders.
As part of the initial assessment, the University will determine the independence and objectivity of each stakeholder to identify any potential conflicts of interest. Where any actual or perceived conflicts of interest are identified from this assessment, the University will ensure sufficient safeguards are put in place to maintain the integrity of the investigation, including where necessary the appointment of independent persons to oversee the investigation.
For low/medium risk reports, the investigation team will undertake necessary investigative procedures, in line with the principles set out in Appendix 1. Such procedures may include:
- undertaking interviews with relevant stakeholders;
- securing and preserving evidence (i.e. electronic and hard copy data); and
- document review procedures.
3. Reporting and investigation response
On completion of the investigation:
- Relevant parties should be should be notified so as initiate or take appropriate action under appropriate procedures e.g. HR for staff and Proctoral for students ; and
- a written report will be provided to the Financial Misconduct Review Group on how the report was dealt with and any action taken.
This report would be included as part of the termly reporting process and included in the Financial Misconduct Register (see ‘Records’, below).
The Audit and Scrutiny Committee and the General Purposes Committee will be informed of the number of low/medium risk cases and any additional details as deemed necessary.
Where, the results of the investigation identify new information which indicates that the case should be escalated to a high risk investigation, a report will be provided to the Financial Misconduct Review Group for their assessment. Where the Financial Misconduct Review Group conclude that the case should be escalated to high risk, the investigation would follow the processes laid out in this policy.
See the “Final report” section of the principles in Appendix 1 for the content of the final report.
High risk cases
1. Mobilisation and planning
Where the Head of Risk, Compliance and Assurance/Senior Counter Fraud Lead and Financial Compliance Manager assess the report to represent a high risk (Where the report is assessed as being possible, likely or almost certain to have a ‘moderate’, ‘major’ or ‘critical’ impact this is a ‘high’ risk case for the purposes of this document (see Appendix 2 for criteria) they will request that the Registrar convene the Financial Misconduct Review Group.
The Registrar will review the evidence presented. If the Registrar determines the case is actually low/medium risk, the process for low/medium risk cases (as above) will be followed.
Where the Registrar determines that it is indeed a high risk case, the Financial Misconduct Review Group (FMRG) will be convened. The FMRG comprises:
● the Registrar;
● the CFO;
● the Director of Assurance;
● the Director of Legal Services and General Counsel;
● the Internal Auditor; and
● representatives from the relevant division/department and HR as applicable.
With the agreement of all other members of the Group, the officers named may send nominated delegates on those occasions when they are unavailable to participate. Meetings may take place either remotely or in person.
As part of the initial assessment, the University will determine the independence and objectivity of each stakeholder to identify any potential conflicts of interest. Where any actual or perceived conflicts of interest are identified from this assessment, the University will ensure sufficient safeguards are put in place to maintain the integrity of the investigation. See Appendix 1 for further details of the policies to be applied in this instance.
The FMRG will determine the necessary actions to be taken to initiate and execute the investigation; including:
● who the investigation lead/support team should be and appropriate timeframes for reporting back to the FMRG;
● notifying relevant authorities (i.e. regulatory bodies or law enforcement), in particular considering:
o whether there are issues that should be referred to the appropriate funding body under the terms of any grant to which the allegations relate;
o whether the incident should be reported to the OfS as a breach of the University’s conditions of registration; and
o whether the matter should be reported to HMRC, SFO or other regulatory body.
● establishing and securing evidence necessary for criminal and disciplinary action based on recommendations from the investigation team;
● taking any steps necessary to prevent further financial loss or other detriment based on recommendations from the investigation team.
Investigations will normally be carried out by the Internal Auditor or an alternative agreed by the FMRG, taking account of appropriate professional practice, and any relevant guidance issued from time to time by OfS, the Charity Commission or any other relevant regulatory body. The FMRG may call upon the advice of any other person with specialist, technical or professional knowledge that may be relevant to the case under consideration.
The process undertaken by the Investigation team will follow the principles set out in Appendix 1.
3. Reporting and investigation response
The FMRG will notify the Vice-Chancellor and the Chair of the Audit and Scrutiny Committee that a matter has been referred to it for investigation under this procedure and will provide such further confidential interim reports as are deemed necessary.
The investigator will prepare a written report of their investigation for submission to the FMRG.
The FMRG will be responsible for considering the findings, and notifying relevant parties so as initiate or take appropriate action under appropriate procedures e.g. HR for staff and Proctoral for students, and making recommendations to the Vice-Chancellor. The final report will be provided in strict confidence to the Vice-Chancellor and to the Chair of the Audit and Scrutiny Committee. The Chair of the Audit and Scrutiny Committee may, at their discretion, share the final report in strict confidence with the Audit and Scrutiny Committee.
See the “Final report” section of the principles in Appendix 1 for the content of the final report. The outcome of the review will be reported to the Registrar and included in the Register (see “Records”, below).
The additional principles on how any investigation must be conducted (whether for high risk reports or medium/low risk reports) are included in Appendix 1.