Investigation Protocol - Fraud & Financial Misconduct

Individuals who reasonably suspect the occurrence of fraud or financial misconduct in the context of the University’s activities should report their concerns as soon as possible through the following channels:

●    via email to counterfraud@admin.ox.ac.uk  

Where the individual wishing to make a report is a member of the University’s staff or an associated person, they may also discuss their concerns with the following personnel:

●    their line manager; 
●    their relevant local leadership including but not limited to Head of Administration and Finance, Head of Department, HR Business Partner, Finance Manager, Divisional Financial Controller etc.);
●    the Senior Counter Fraud Lead and Financial Compliance Manager;
●    the Head of Risk, Compliance and Assurance;
●    Financial Assurance Team; or
●    the Registrar.

Following discussions with the above personnel, where the suspicion of fraud or financial misconduct remains it should then be reported directly to the Senior Counter Fraud Lead and Financial Compliance Manager, via an email to counterfraud@admin.ox.ac.uk

Details on the protection and confidentiality available to any reports made through the University’s whistleblowing process are included in the University’s Public Interest Disclosure (Whistleblowing) Code of Practice. 

Reports may be made anonymously but this may limit the ability of the University to undertake investigations and provide feedback effectively. Further, where there is no documentary evidence linking an anonymous person to the disclosure, any staff or associated persons, who submit a report anonymously, may not qualify for the protections received as a whistleblower.

Reports submitted should include, to the extent known, the following information:

●    a brief description of the alleged irregularity (including any detail available about the potential monetary or reputational impacts);
●    any evidence that supports the allegations;
●    the identity of the individual(s) responsible; and
●    a description of the risks around potential further damage / loss and timescales for this – including potential impacts on third parties as applicable.

In the case of complaints concerning a student or students, these reports will be reviewed by the Proctor, instead of the Registrar.

Reference to the Registrar shall be taken to mean a Pro-Vice-Chancellor where the disclosure involves the Registrar.

Any concerns regarding the financial or business decisions taken by the University, where these don’t involve instances of suspected misconduct, should not be reported using the University’s whistleblowing procedures, as described. Additional procedures have been determined by the University to address these concerns and there is advice on how to raise an issue of concern on the Council website. 
 

2.1 All reports will be treated as a disclosure under the University’s Public Interest Disclosure (Whistleblowing) Code of Practice and will be brought to the attention of the Registrar and / or Proctor. 

Subjecting people who have reported reasonably held concerns or suspicions to any detriment will be regarded as a disciplinary issue. Malicious or vexatious complaints may also result in disciplinary action.

2.2 Triage and immediate incident response

On receipt, all reports will be processed through the University’s triage process.

Depending on the topic, either the Head of Risk, Compliance and Assurance or the Senior Counter Fraud Lead and Financial Compliance Manager will be the first to review all reports received via counterfraud@admin.ox.ac.uk  or compliance@admin.ox.ac.uk email accounts or from other relevant parties (detailed in Section 1).

They will consult with a limited group of stakeholders as needed in order to: 

•    assess the potential scale and impact of the report; 
•    identify and manage any relevant stakeholders;
•    identify the necessary regulatory and law enforcement reporting requirements to be considered; 
•    where appropriate take initial steps to secure and review relevant evidence related to the report, which may include email communications and other documentation; and
•    where appropriate, take steps to prevent further risk to or loss of financial or other assets.

The stakeholders consulted will vary case-by-case but would typically include one or more of Legal Services, relevant HAFs/HODs, the Proctors, Director of Purchasing, Deputy Chief Information Officer, Head of Financial Processes, Systems and Assurance, Head of HR Policy, Director of Technical Accounting and Reporting or Internal Audit.

For allegations of staff misconduct HR will be consulted (see “staff involvement and suspension” below). For allegations of student misconduct, or where students are involved, the Proctors will be consulted and, in line with policy, may then take over the review (see “student involvement” below).

An initial assessment will be performed to categorise the report as either low/medium risk cases or high risk cases. 

The criteria used for this initial assessment is consistent with those used by the University for its fraud risk assessment, as detailed in Appendix 2 “Risk Assessment Criteria”.

2.3 Investigation

Low/medium risk cases

1.    Mobilisation and planning

Further investigation into reports classified as low/medium risk will be managed by the Head of Risk, Compliance and Assurance/Senior Counter Fraud Lead and Financial Compliance Manager, together with the relevant key stakeholders. 

As part of the initial assessment, the University will determine the independence and objectivity of each stakeholder to identify any potential conflicts of interest. Where any actual or perceived conflicts of interest are identified from this assessment, the University will ensure sufficient safeguards are put in place to maintain the integrity of the investigation, including where necessary the appointment of independent persons to oversee the investigation.

2.    Investigation

For low/medium risk reports, the investigation team will undertake necessary investigative procedures, in line with the principles set out in Appendix 1. Such procedures may include: 

• undertaking interviews with relevant stakeholders;
• securing and preserving evidence (i.e. electronic and hard copy data); and
• document review procedures. 

3.    Reporting and investigation response

On completion of the investigation:

• Relevant parties should be should be notified so as initiate or take appropriate action under appropriate procedures e.g. HR for staff and Proctoral for students ; and
• a written report will be provided to the Financial Misconduct Review Group on how the report was dealt with and any action taken. 

This report would be included as part of the termly reporting process and included in the Financial Misconduct Register (see ‘Records’, below).

The Audit and Scrutiny Committee and the General Purposes Committee will be informed of the number of low/medium risk cases and any additional details as deemed necessary.

Where, the results of the investigation identify new information which indicates that the case should be escalated to a high risk investigation, a report will be provided to the Financial Misconduct Review Group for their assessment. Where the Financial Misconduct Review Group conclude that the case should be escalated to high risk, the investigation would follow the processes laid out in this policy.

See the “Final report” section of the principles in Appendix 1 for the content of the final report.

High risk cases

1.    Mobilisation and planning

Where the Head of Risk, Compliance and Assurance/Senior Counter Fraud Lead and Financial Compliance Manager assess the report to represent a high risk (Where the report is assessed as being possible, likely or almost certain to have a ‘moderate’, ‘major’ or ‘critical’ impact this is a ‘high’ risk case for the purposes of this document (see Appendix 2 for criteria) they will request that the Registrar convene the Financial Misconduct Review Group.  

The Registrar will review the evidence presented. If the Registrar determines the case is actually low/medium risk, the process for low/medium risk cases (as above) will be followed.

Where the Registrar determines that it is indeed a high risk case, the Financial Misconduct Review Group (FMRG) will be convened. The FMRG comprises:

●    the Registrar;
●    the CFO;
●    the Director of Assurance;
●    the Director of Legal Services and General Counsel;
●    the Internal Auditor; and
●    representatives from the relevant division/department and HR as applicable.

With the agreement of all other members of the Group, the officers named may send nominated delegates on those occasions when they are unavailable to participate. Meetings may take place either remotely or in person. 

As part of the initial assessment, the University will determine the independence and objectivity of each stakeholder to identify any potential conflicts of interest. Where any actual or perceived conflicts of interest are identified from this assessment, the University will ensure sufficient safeguards are put in place to maintain the integrity of the investigation. See Appendix 1 for further details of the policies to be applied in this instance.

The FMRG will determine the necessary actions to be taken to initiate and execute the investigation; including: 

●    who the investigation lead/support team should be and appropriate timeframes for reporting back to the FMRG;
●    notifying relevant authorities (i.e. regulatory bodies or law enforcement),  in particular considering:
       o    whether there are issues that should be referred to the appropriate funding body under the terms of any grant to which the allegations relate;
       o    whether the incident should be reported to the OfS as a breach of the University’s conditions of registration; and
       o    whether the matter should be reported to HMRC, SFO or other regulatory body.
●    establishing and securing evidence necessary for criminal and disciplinary action based on recommendations from the investigation team;
●    taking any steps necessary to prevent further financial loss or other detriment based on recommendations from the investigation team.

2.    Investigation

Investigations will normally be carried out by the Internal Auditor or an alternative agreed by the FMRG, taking account of appropriate professional practice, and any relevant guidance issued from time to time by OfS, the Charity Commission or any other relevant regulatory body. The FMRG may call upon the advice of any other person with specialist, technical or professional knowledge that may be relevant to the case under consideration. 

The process undertaken by the Investigation team will follow the principles set out in Appendix 1. 

3.    Reporting and investigation response

The FMRG will notify the Vice-Chancellor and the Chair of the Audit and Scrutiny Committee that a matter has been referred to it for investigation under this procedure and will provide such further confidential interim reports as are deemed necessary. 

The investigator will prepare a written report of their investigation for submission to the FMRG.

The FMRG will be responsible for considering the findings, and notifying relevant parties so as initiate or take appropriate action under appropriate procedures e.g. HR for staff and Proctoral for students, and making recommendations to the Vice-Chancellor. The final report will be provided in strict confidence to the Vice-Chancellor and to the Chair of the Audit and Scrutiny Committee. The Chair of the Audit and Scrutiny Committee may, at their discretion, share the final report in strict confidence with the Audit and Scrutiny Committee.

See the “Final report” section of the principles in Appendix 1 for the content of the final report. The outcome of the review will be reported to the Registrar and included in the Register (see “Records”, below). 

The additional principles on how any investigation must be conducted (whether for high risk reports or medium/low risk reports) are included in Appendix 1.

Non-involvement in the investigation by those against whom allegations are made 

Any person who is the subject of a report of financial misconduct must not be involved in the corresponding investigation. If that person is the Head of Risk, Compliance and Assurance/Senior Counter Fraud Lead and Financial Compliance Manager the Director of Assurance/CFO will propose alternates. If that person is the Registrar the Vice Chancellor will propose an alternate to fulfil the relevant role. If that person is any other member of the FMRG, the Registrar will propose an alternate.

Timings

Reports should be investigated, reporters responded to, and any remedial action required taken, as quickly as is reasonably practical to do so.

In any case of high risk where immediate action is required, the Registrar or Director of Assurance may take reasonable steps, within their power, as they deem necessary. Where such action is taken, the Registrar or Director of Assurance as appropriate shall report their actions and reasoning to the FMRG as soon as possible thereafter.

Confidentiality

The principle of the minimum number of people being informed of the case and investigation should always be followed for confidentiality purposes and also to allow as efficient an investigation as possible. All persons involved with the investigation must treat all information shared with them in strict confidence. Where necessary, information will be transmitted in confidence to relevant regulatory bodies. An unwarranted breach of confidence may be the subject of disciplinary action.

Suspicion of unlawful conduct

If at any point there is a suspicion that the conduct complained of includes unlawful conduct, the appropriate professional advice will be secured immediately regarding the steps required to be taken before proceeding further.

Police involvement 

In all cases where the police are involved, the University reserves the right, where it would be reasonable to do so, to proceed with its own disciplinary procedures and/or with civil proceedings.

Student involvement

In cases which involve or may involve students, the Proctors will be informed at the outset of the investigation. If a student is the subject of an allegation of financial misconduct, this will be dealt with by the Proctors under the disciplinary procedures applicable to students.

Staff involvement and suspension

Where an allegation of financial misconduct concerns a member of staff, University HR must be consulted.

Subject to advice from HR, any member of staff suspected of financial misconduct may be suspended (without deduction of pay) pending a full investigation. No one person, acting on his or her own volition, may move to suspend a member of staff in such circumstances. The suspension of a member of staff does not constitute a finding of misconduct against them. Any member of staff suspended as a result of suspected financial misconduct will be informed of the reason for the suspension.

Individuals suspended for suspected financial misconduct, and individuals suspended to enable a proper investigation to be carried out, will normally be required to leave University premises immediately and will be denied access to the University’s IT facilities. During the period of any suspension they will not be permitted to return to the premises, to make contact with staff or witnesses, or to act on behalf of the University, unless given express permission to do so by the relevant University authorities. Any infringement of this requirement may be treated as a disciplinary offence. Suspended individuals will be signposted to appropriate sources of support.

Involvement of associated persons

Allegations of financial misconduct by third parties acting on behalf of the University will be investigated under these procedures.

Data protection

Data collected during the course of the investigation (including personal and special category data) will be treated in line with Data Protection regulations.

Duty to notify OfS or other regulatory bodies of serious incidents

The University will notify OfS of any serious incidents of fraud, impropriety or financial misconduct  as required by the terms of OfS’s Conditions of Registration, and will likewise notify other relevant regulatory bodies as required. Such reports are required to be made to all of the following: 
-    the chair of the University’s audit committee
-    the chair of the University’s governing body
-    the University’s head of internal audit
-    the external auditor
-    the OfS at regulation@officeforstudents.org.uk

Records

The Registrar shall maintain a register (the ‘Register’) of all allegations of financial misconduct which are reported within the University (except Oxford University Press and the independent colleges, which maintain their own records), including those where there was found to be no case to answer or where the case was not referred to the FMRG for investigation.

The Register will be maintained and will be available for inspection, subject to the requirements of the UK General Data Protection Regulation and Data Protection Act 2018 and the Freedom of Information Act 2000.

The Register shall specify the following, in an anonymised form, in relation to each case of financial misconduct:

●    what the suspected or actual incident was;
●    whether the incident was suspected or actual;
●    when the suspected or actual incident occurred;
●    what the actual and/or potential impact of the incident on the University was/could have been;
●    what inquiries were made and/or action was taken, including any reports to regulators or the police;
●    how any decision to terminate the investigation of the incident was made, and why;
●    what policies and procedures were in place that applied to the incident, whether they were followed, and if not, why; 
●    whether policies and procedures need to be introduced or revised, and if so, how and by when;
●    for ‘high risk cases’ the date that the final report was provided to the Vice-Chancellor and Chair of the Audit and Scrutiny Committee and, if relevant, to the Audit and Scrutiny Committee; and
●    for ‘medium / low risk cases’ the date the final report was provided to the FMRG.

Final Reports
Final reports for both high risk cases and medium/low risk cases will contain:
●    a description of the allegations and the steps taken to investigate them;
●    a conclusion as to whether the allegations made had substance and if so the extent of any adverse impact on the University;
●    a description of any steps taken in relation to the individual or individuals concerned together with recommendations as to any disciplinary action;
●    the measures taken to minimise the risk of a recurrence; and
●    any action needed to improve the University’s ability to respond to future incidents of financial misconduct, which may include provision for a follow-up report within a specified time frame.

Communication with parties involved
Subject to the findings of the final report and agreement of recommended actions, the individual or individuals involved will be informed of the outcome as soon as possible after its presentation to the Vice-Chancellor and Chair of the Audit and Scrutiny Committee and, if relevant, to the Audit and Scrutiny Committee.

The complainant will be informed in broad terms of the outcome of the investigation, having due regard to the confidentiality of information relating to the individual or individuals accused and others identified in the report.