1:016 Preventing and Reporting Fraud, Waste, or Abuse

 

Austin Peay State University Preventing and Reporting Fraud, Waste, or Abuse


POLICIES

Issued:  May 19, 2017
Responsible Official:  Director of Internal Audit
Responsible Office:  Office of Internal Audit
 

 


Policy Statement


It is the policy of Austin Peay State University that university officers, members of management, and all other employees have a responsibility to help prevent fraud, waste, or abuse of university resources. In particular, management at all levels is responsible for designing and implementing internal controls for the purpose of preventing irregularities of all kinds, including fraud, waste, or abuse. University officers, managers, employees, contractors, vendors, students, and others are responsible for behaving in an ethical and honest manner. University officers and members of management are also responsible for maintaining a work environment that generally promotes ethical and honest behavior. Management at all levels should be aware of the risks and exposures inherent in their areas of responsibility, and should establish and maintain proper internal controls to provide for the security and accountability of all resources entrusted to them.


Purpose


To describe the role of officers, managers, and all other employees in helping to prevent fraud, waste, or abuse of university resources.


Contents


Definitions
-Fraud
-Waste
-Abuse
-Resources

Procedures
-Preventing Fraud, Waste, or Abuse
-Reporting Fraud, Waste, or Abuse
-Investigations/Actions
-Reporting and Resolution of Institutional Losses
-Reporting and Resolution Process
-Requirements Regarding Losses and Shortages
-Property Claim Process
-Actions

Links
-APSU Policy 1:013
-APSU Policy 5:011
-APSU Policy 5:020
-Exhibit 1 – Notification of Loss Report
-Exhibit 2 – Quarterly Property Loss Report
-Exhibit 3 – Case Resolution Report
-Exhibit 4 – Reporting Matrix


Definitions


Fraud – An intentional act to deceive or cheat, ordinarily for the purpose or result of causing a detriment to another and/or bringing about some benefit to oneself or others. Fraudulent activities may include, but are not limited to, the following:
  • Theft, misappropriation, misapplication, destruction, removal, or concealment of any university assets or resources, including but not limited to funds, securities, supplies, equipment, real property, intellectual property or data.
  • Improper use or assignment of any university assets or resources, including but not limited to personnel, services or property.
  • Improper handling or reporting of financial transactions, including use, acquisitions and divestiture of state property, both real and personal.
  • Authorization or receipt of compensation for hours not worked.
  • Inappropriate or unauthorized use, alteration or manipulation of data, computer files, equipment, software, networks, or systems, including personal or private business use, hacking and software piracy.
  • Forgery or unauthorized alteration of documents.
  • Falsification of reports to management or external agencies.
  • Pursuit of a personal benefit or advantage in violation of the university’s Conflict of Interest Policy.
  • Concealment or misrepresentation of events or data.
  • Acceptance of bribes, kickbacks or any gift, rebate, money or anything of value whatsoever, or any promise, obligation or contract for future reward, compensation, property or item of value, including intellectual property.

Waste – Waste involves behavior that is deficient or improper when compared with behavior that a prudent person would consider a reasonable and necessary business practice given the facts and circumstances. Waste is a thoughtless or careless act, resulting in the expenditure, consumption, mismanagement, use, or squandering of university assets or resources to the detriment or potential detriment of the university. Waste may also result from incurring unnecessary expenses due to inefficient or ineffective practices, systems, or controls. Waste does not necessarily involve fraud, violation of laws, regulations, or provisions of a contract or grant agreement.

Abuse – Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider a reasonable and necessary business practice given the facts and circumstances. Abuse also includes misuse of authority or position for personal financial interest or those of an immediate or close family member or business associate. Abuse does not necessarily involve fraud, violation of laws, regulations, or provisions of a contract or grant agreement. (U.S. Government Accountability Office, Government Auditing Standards, July 2007.)

Resources – As used herein, shall refer to assets such as cash or other financial resources, supplies, inventories, equipment and other fixed assets, real property, intellectual property, or data.


Procedures



Preventing Fraud, Waste or Abuse
  1. Maintaining an Ethical Work Environment
    1. Management is responsible for maintaining a work environment that promotes ethical and honest behavior on the part of all employees, students, contractors, vendors and others.
    2. To do so, management at all levels must behave ethically and communicate to employees and others that they are expected to behave ethically.
    3. Management must demonstrate through words and actions that unethical behavior will not be tolerated.
  2. Implementing Effective Internal Control Systems
    1. Management of the university has the responsibility to establish and implement internal control systems and procedures to prevent and detect irregularities, including fraud, waste and abuse.
    2. Internal controls are processes performed by management and employees to provide reasonable assurance of:
      1. Safeguards over university assets and resources, including but not limited to cash, securities, supplies, equipment, property, records, data or electronic systems;
      2. Effective and efficient operations;
      3. Reliable financial and other types of reports; and
      4. Compliance with laws, regulations, contracts, grants and policies.
    3. To determine whether internal controls are effective, management should perform periodic risk and control assessments, which should include the following activities:
      1. Review the operational processes of the unit under consideration.
      2. Determine the potential risk of fraud, waste, or abuse inherent in each process.
      3. Identify the controls included in the process (or controls that could be included) that result in a reduction in the inherent risk.
      4. Assess whether there are internal controls that need to be improved or added to the process under consideration.
      5. Implement controls or improve existing controls that are determined to be the most efficient and effective for decreasing the risk of fraud, waste or abuse.
    4. Most managers will find that processes already include a number of internal controls, but these controls should be monitored or reviewed for adequacy and effectiveness on a regular basis and improved as needed. Typical examples of internal controls may include, but are not limited to:
      1. Adequate separation of duties among employees.
      2. Sufficient physical safeguards over cash, supplies, equipment and other resources.
      3. Appropriate documentation of transactions.
      4. Independent validation of transactions for accuracy and completeness.
      5. Documented supervisory review and approval of transactions or other activities.
      6. Proper supervision of employees, processes, projects or other operational functions.
  3. Reviews of Internal Control Systems
    1. Audits or other independent reviews may be performed on various components of the internal control systems.
  4. Internal Audit
    1. Internal Audit is responsible for assessing the adequacy and effectiveness of internal controls that are implemented by management and will often recommend control improvements as a result of this assessment.
    2. During an audit of a department or process, Internal Audit will also perform tests designed to detect fraud, waste or abuse that may have occurred.
  5. External Audits
    1. The Tennessee Comptroller of the Treasury, Department of Audit, Division of State Audit, performs periodic financial audits of the university.
    2. One purpose of this type of audit is to evaluate the university’s internal controls, which will often result in recommendations for control improvements.
    3. State Audit will also perform tests designed to detect fraud, waste or abuse that may have occurred.
  6. Other Reviews
    1. Various programs may be subject to audits or reviews by federal, state or other outside agencies based on the type of program, function or funding.
    2. Although audits and reviews may include assessments of internal controls, the primary responsibility for prevention and detection of fraud, waste or abuse belongs to management.
    3. Therefore, management should take steps to review internal controls whether or not audits are to be performed.

Reporting Fraud, Waste or Abuse
  1. Responsibility for Reporting Fraud, Waste or Abuse
    1. Any official of the university having knowledge that a theft, forgery, credit card fraud, or any other act of unlawful or unauthorized taking, or abuse of, public money, property, or services, or other shortages of public funds has occurred shall report the information immediately to the office of the Comptroller of the Treasury (T.C.A. § 8-19-501(a)). To ensure compliance with this statute, the university provides a means for employees and others to report such matters, which are subsequently reported to the Comptroller's Office.
      1. University administration with knowledge of fraud, waste or abuse will report such incidents immediately.
      2. Others, including university management, faculty and staff with a reasonable basis for believing that fraud, waste or abuse has occurred are strongly encouraged to immediately report such incidents (T.C.A. § 8-50-116).
      3. Students, citizens and others are also encouraged to report known or suspected acts of fraud, waste or abuse.
      4. Although proof of an improper activity is not required at the time the incident is reported, anyone reporting such actions must have reasonable grounds for doing so.
      5. Employees with knowledge of matters constituting fraud, waste or abuse who fail to report it, or employees who knowingly make false accusations, may be subject to disciplinary action.
  2. Protection from Retaliation
    1. State law (T.C.A. § 8-50-116) prohibits discrimination or retaliation against employees for reporting allegations of dishonest acts or cooperating with auditors conducting an investigation.
    2. The Higher Education Accountability Act of 2004 directs that a person who knowingly and willingly retaliates or takes adverse action of any kind against any person for reporting alleged wrongdoing pursuant to the provisions of this part commits a Class A misdemeanor.
  3. Confidentiality of Reported Information
    1. According to T.C.A. § 49-14-103, detailed information received pursuant to a report of fraud, waste or abuse or any on-going investigation thereof shall be considered working papers of the internal auditor and shall be confidential.
    2. Although every attempt will be made to keep information confidential, circumstances such as an order of a court or subpoena may result in disclosure.
    3. Also, if the university has a separate legal obligation to investigate the complaint (e.g. complaints of illegal harassment or discrimination), the university cannot ensure anonymity or complete confidentiality.
  4. Methods for Reporting Fraud, Waste or Abuse
    1. Any employee who becomes aware of known or suspected fraud, waste or abuse should immediately report the incident to an appropriate departmental official. Incidents should be reported to one of the following officials or offices:
      1. A supervisor or department head;
      2. A university official;
      3. The university internal auditor; or
      4. The Tennessee Comptroller of the Treasury’s Hotline for fraud, waste and abuse at 1-800-232-5454.
    2. If the incident involves their immediate supervisor, the employee should report the incident to the next highest-level supervisor or one of the officials or offices listed above. Employees should not confront the suspected individual or initiate an investigation on their own since such actions could compromise the investigation.
    3. A department official or other supervisor who receives notice of known or suspected fraud, waste or abuse must immediately report the incident to the following:
      1. President/Vice President for Finance and Administration
      2. Internal Audit Department
      3. Campus Police/Public Safety (when appropriate)
    4. The President/Vice President or designee receiving such notice will immediately notify the Director of Internal Audit regarding the acknowledged or suspected fraud or misconduct.
    5. The Director of Internal Audit will notify the Comptroller of the Treasury of instances of fraud, waste or abuse.

Investigations/Actions
  1. Cooperation of Employees
    1. Individuals involved with suspected fraud, waste or abuse should assist with and cooperate in any authorized investigation, including providing complete, factual responses to questions and either providing access to or turning over relevant documentation immediately upon request by any authorized person.
    2. The refusal by an employee to provide such assistance may result in disciplinary action.
  2. Remedies Available
    1. The university will evaluate the information provided and make a determination concerning external reporting obligations, if any, and the feasibility of pursuing available legal remedies against persons or entities involved in fraud, waste or abuse against the university.
    2. Remedies include, but are not limited to:
      1. terminating employment,
      2. requiring restitution, and
      3. forwarding information regarding the suspected fraud to appropriate external authorities for criminal prosecution.
    3. In those cases where disciplinary action is warranted, the Office of Human Resources, University Attorney, and other appropriate offices shall be consulted prior to taking such action, and the university’s policies related to imposition of employee discipline shall be observed.
  3. Resignation of Suspected Employee
    1. An employee suspected of gross misconduct may not resign as an alternative to discharge after the investigation has been completed.
    2. Exceptions to this requirement can only be made by the President.
    3. If the employee resigns during the investigation, the employment records must reflect the situation as of the date of the resignation and the outcome of the investigation (Personnel Policy, 5:011).
  4. Effect on Annual Leave
    1. An employee who is dismissed for gross misconduct or who resigns or retires to avoid dismissal for gross misconduct shall not be entitled to any payment for accrued but unused annual leave at the time of dismissal (Leave Policy, 5:020; T.C.A. § 8-50-807).
  5. Student Involvement
    1. Students found to have participated in fraud, waste or abuse as defined by this guideline will be subject to disciplinary action pursuant to the APSU Policy 1:013, Student Code of Conduct. The Dean of Students/Vice President of Student Affairs will be responsible for adhering to applicable due process procedures and administering appropriate disciplinary action.
  6. Confidentiality during Investigation
    1. All investigations will be conducted in as strict confidence as possible, with information sharing limited to persons on a “need to know” basis.
    2. The identities of persons communicating information or otherwise involved in an investigation or allegation of fraud, waste or abuse will not be revealed beyond the university unless necessary to comply with federal or state law, or if legal action is taken.
  7. Management’s Follow-up Responsibility
    1. Administrators at all levels of management must implement, maintain, and evaluate an effective compliance program to prevent and detect fraud, waste and abuse.
    2. Once such activities have been identified and reported, the overall resolution should include an assessment of how it occurred, an evaluation of what could prevent recurrences of the same or similar conduct, and implementation of appropriate controls, if needed.

Reporting and Resolution of Institutional Losses
  1. Administrators at all levels of management should be aware of the risks and exposures inherent in their areas of responsibility, and should establish and maintain proper internal controls to provide for the security and accountability of all assets and other resources entrusted to them.
  2. It is the responsibility of the University to establish a process to identify, report and investigate losses of state or institutional funds, property or other resources, whether by malfeasance or misfeasance.
  3. This policy includes requirements for reporting suspected instances of fraud, waste or abuse to the Comptroller of the Treasury (T.C.A. § 8-19-501(a)).

Reporting and Resolution Process
  1. Reporting Losses – For each reportable incident, the institution must complete a “Notification of Loss Report” (Exhibit 1) or “Property Loss Report” (Exhibit 2).
    1. The Notification of Loss Report should be used to report single incidents of shortages or losses of any asset, resource or data immediately upon occurrence or discovery. This report should be used to report the loss or shortage of any amount which is the result of acknowledged or suspected fraud, waste or abuse by either an employee or a non-employee (for example, a vendor, contractor, or student).
    2. The Property Loss Report may be used to report property losses in any quarter in which losses occur and may include more than one incident or loss of property. However, see above if the property loss is a result of fraud, waste or abuse.
    3. The institution must also report covered property losses to the State of Tennessee, Department of Treasury, and Office of Risk Management.
  2. Reporting Resolution – The investigation unit identified on the notification report will file a “Case Resolution Report” (Exhibit 3) at the conclusion of the investigation. Depending upon the nature and extent of the investigation, an Internal Audit Report may be issued in lieu of a Case Resolution Report.
  3. Distribution of Reports – Each notification and resolution report should be submitted to the following officials or offices:
    1. President
    2. Vice President for Business and Finance
    3. Internal Audit Director
    4. Office of Campus Police (as appropriate)

Requirements Regarding Losses and Shortages
  1. Cash or Other Financial Resources – The University maintains cash, procurement cards, credit cards and other financial resources to facilitate its business needs. Cash shortages or losses equal to or greater than $500 should be reported immediately.
    1. Some cash shortages result from human error and are the cost associated with doing business. However, objective reviews must be completed to eliminate misconduct and provide assurance that controls are effective.
    2. Regardless of amount, management should routinely perform objective reviews of shortages or other losses to identify any unusual items, recurring issues or a pattern of financial shortages.
  2. Property – The University maintains inventory records for capitalized property and sensitive minor equipment, as required by APSU Policy 4:035, Fixed Assets and Sensitive Minor Equipment.
    1. Losses of physical property due to inventory shrinkage, vandalism, unexplained events, natural disasters, or acts of God should be reported on a quarterly basis on the Property Loss Report (Exhibit 2). A Case Resolution Report (Exhibit 3) is not required to be submitted for such losses.
    2. However, unexplained losses and those due to shrinkage or vandalism should be objectively reviewed by management to identify any unusual items, recurring issues or a pattern of losses.
    3. Occurrences that are potentially serious situations that would create public concern regardless of amount (e.g., the loss of certain chemicals) must be reported to the Office of Risk Management immediately, followed by a written report.

Property Claim Process
Property Claims – Individual occurrences exceeding $25,000 must be reported to Physical Plant and the Office of Risk Management immediately, followed by a written report.
  1. The Office of Risk Management website at http://treasury.tn.gov/risk/ contains contact information under the “Contact Us” link and details of the insurance claim process under the “Claims Process” link.
  2. Each report of damage for a claim should include a detailed description of the loss and the estimated cost. In addition to the reporting requirements noted above, the department where the loss occurred should also receive a copy of this report.


Actions

  1. Management will evaluate the information provided and make a determination concerning external reporting obligations, if any, and the feasibility of pursuing available legal remedies in cases of misconduct, including fraud, waste or abuse.

Links


APSU Policy 1:013

https://www.apsu.edu/policy/student-code-conduct-1013

APSU Policy 5:011

https://www.apsu.edu/policy/personnel-policy-5011

APSU Policy 5:020

https://www.apsu.edu/policy/leave-policies-5020

Exhibit 1 – Notification of Loss Report

Exhibit 2 – Quarterly Property Loss Report

Exhibit 3 – Case Resolution Report

Exhibit 4 – Reporting Matrix


Revision Dates


APSU Policy 4:003 – Issued: March 28, 2017


Subject Areas:

Academic   Finance   General   Human Resources   Information Technology   Student Affairs
  X        

 


Approved


President: signature on file