Fraud Reporting and Response Procedures

Purpose

The purpose of the Fraud Reporting and Response Procedures is to provide instructions for the reporting and investigation of suspected or known incidents of Fraud.

Procedure

1.    Procedures for Reporting Suspected and Known Incidents of Fraud

1.1    Suspected and known incidents of Fraud as defined in the Fraud Policy must be reported to the Director, Internal Audit in a timely manner. The following notifications normally apply:

1.1.1    Employees may report suspected or known incidents of Fraud either to their manager or directly through the channels of reporting in section 1.2 below. It is the responsibility of the manager to ensure that suspected and known incidents of Fraud are reported to the Director, Internal Audit. 

1.1.2    Students and other third parties, including volunteers and vendors, are encouraged to report suspected and known incidents of Fraud impacting the university through any of the channels of reporting in section 1.2 below.

1.1.3    If the suspected or known incident of Fraud involves the Director, Internal Audit, the incident must be reported to the Vice-Principal (Finance and Administration).

1.1.4    If the suspected or known incident of Fraud involves a Vice-Principal or equivalent, the incident must be reported to the Principal. The Director, of Internal Audit will be notified of such report.

1.1.5    If the suspected or known incident of Fraud involves the Principal, the incident must be reported to the Chair of the Audit and Risk Committee of the Board of Trustees. The report can be made in writing to the Chair of the Audit and Risk Committee of the Board of Trustees care of (c/o) the Office of the University Secretariat and Legal Counsel.

The Director, Internal Audit will be notified of such report.

1.2    Channels for reporting suspected or known incidents of Fraud:

Reports can be made verbally or in writing, and can be made openly, confidentially, or anonymously in the following manner:

1.2.1    The university has established an anonymous reporting mechanism through the Confidence Line.

The Confidence Line is available on a 24-hour, 7-day per week and 365-day per year basis for the purpose of receiving concerns, complaints and information about Fraud misconduct involving university assets.

1.2.2    Contact Internal Audit directly by email, letter, or telephone.

1.2.3    Contact University Secretary by email, letter, or telephone under the Improper Acts Reporting Policy.

The University Secretary will forward the report to Internal Audit for investigation under the Fraud Policy.

Refer to section 1.3 for information required for anonymous reporting.  

Confidentiality will be maintained to the fullest extent possible. The university fosters a work environment free from Reprisals and takes swift and appropriate action in cases in which retaliation occurred. Any Reporter who believes they have experienced a reprisal as a result of making a report of a suspected or known Fraud should document the details and report the incident to the Director, Internal Audit under the Reprisals Complaint Procedure contained in Appendix II below.

1.3    Anonymous reports must contain enough information, details and accompanying documents (if any) to permit the university to commence an investigation.  As such, every individual making a report of suspected or known instances of Fraud (whether anonymously or not) should provide the following information, if available:

  • nature of the suspected improper activity involving University Assets
  • name of the person(s) believed to have engaged in the activity
  • location/ unit where the activity occurred
  • dates of the incidents, if known
  • description of how the concerns came to light 
  • any documentation that may support the allegation 
  • policies, laws, or regulations alleged to be breached
  • contact information if the allegation is not anonymous

2.    Response to Reports of Suspected Incidents of Fraud

2.1    Upon receiving a report, the Director, Internal Audit will notify the University Counsel, the Vice-Principal (Finance and Administration), the Associate Vice-Principal (Faculty Relations) if the report involves a faculty member, and the Vice-Principal of the portfolio where the suspected or known Fraud occurred.

2.2    Internal Audit will conduct a preliminary review to determine whether to proceed with an investigation. The preliminary review will consider whether the
         a.    allegations, if true, would constitute Fraud
         b.    information provided is specific enough to be investigated, and 
         c.    subject matter is within the university’s authority to investigate, i.e., the financial irregularity is within the jurisdiction of the university to audit.

The preliminary review will be conducted in a timely and confidential manner. During the preliminary review and any subsequent investigation, the Reporter may be contacted for additional information. When the preliminary review is complete, the Director, Internal Audit, will recommend, in writing, to the University Counsel, the Vice-Principal (Finance and Administration), and the Vice-Principal of the portfolio where the suspected Fraud occurred whether there is sufficient evidence of Fraud to warrant proceeding with a formal investigation.

2.3    Should a decision not to proceed be made, the Director, Internal Audit will communicate the decision to the Reporter, unless the allegation was reported through an anonymous channel.

2.4    The Director, Internal Audit may convene a cross-functional advisory group with relevant skills to support the formal investigation. This advisory group may be comprised of the university's General Counsel, representatives from the Office of the Provost, Associate Vice-Principal (Human Resources), Associate Vice-Principal (Faculty Relations), or others as deemed appropriate. In most instances, a detailed Investigation Plan should be developed to assist in the investigation (see Appendix I for typical elements of an investigation plan).

2.5    If specialist skills are required, external specialists can be consulted/engaged to augment or conduct the investigation.

2.6    If the matter falls outside of the scope of the Fraud Policy and should be dealt with under a different university policy or procedure, the Director, Internal Audit will notify the Reporter of the policy and/or procedure under which the matter should be dealt with. The Director, Internal Audit will report the matter to the appropriate office which administers said policy and/or procedure.

2.7    For potential research misconduct involving mismanagement or misuse of research funds, the Director, Internal Audit will coordinate with the Vice-Principal (Research) prior to proceeding with the investigation under the terms of the Fraud Policy.

2.8    Should the Principal, a Vice-Principal, or the Director, Internal Audit be the subject(s) of a report, the Chair of the Audit and Risk Committee will assume responsibility for oversight of any investigation.

2.9    During an investigation, the investigator may contact and interview any individual as deemed necessary to the investigation. 

2.10    Investigations shall be conducted responsibly and adhere to the principles of procedural fairness, in a manner that is respectful of individuals and that ensures appropriate and acceptable evidence is obtained. Collection of evidence, including university information and assets, may be required in some situations. Under the direction and guidance of the Director, Internal Audit, the investigator will have the authority to examine, copy, and/or secure the contents of files, desks, cabinets, and other storage facilities on campus, including electronic files and devices, with the exception of personal property. As time is of the essence when it comes to preserving relevant documentation, the investigator will move quickly to develop a plan to preserve relevant documentation.

2.11    During an investigation, interim measures such as placing an employee on administrative leave or modification of employment duties may occur. The appropriate interim measures may be implemented - in consultation with Internal Audit, the University Counsel and Human Resources or Faculty Relations - by the Vice-Principal (Finance and Administration), the Provost and Vice-Principal (Academic) or the Vice-Principal of the portfolio where the suspected Fraud occurred. These interim measures shall not be construed as evidence of either a finding or non-finding of a violation of the Fraud Policy.

3.    Reporting of Results of Investigation of Suspected Incidents of Fraud

3.1    At the conclusion of an investigation under the Fraud Policy, the Director, Internal Audit will issue a report to the University Counsel, the Vice-Principal (Finance and Administration), and the Vice-Principal of the portfolio where the reported suspected or known Fraud occurred. The Principal, and the Chair of the Audit and Risk Committee of the Board of Trustees will be promptly informed of any cases where the investigation has concluded that a Fraud has occurred.

3.2    The Reporter will be contacted (if the report was not made anonymously) by the Director, Internal Audit, and informed that the investigation has been completed.

3.3    On a quarterly basis, the Director, Internal Audit will compile a summary of all the reports of suspected or known Fraud received in the period for the Senior Leadership Team and the Audit and Risk Committee of the Board of Trustees. The report will note the results of the investigations but maintain the confidentiality of the individuals involved.

3.4    Any recommendations for improvements to internal controls that will assist in the prevention and detection of similar incidents in the future will be provided to the Vice-Principal (Finance and Administration), the Vice-Principal of the portfolio where the reported suspected or known Fraud occurred for review, and to the Senior Leadership Team and the Audit and Risk Committee, as necessary.

3.5    The Vice-Principal (Finance and Administration) will be responsible for the recovery of lost funds and assets, where reasonably possible, resulting from a Fraud.

3.6    The Vice-Principal (Finance and Administration) will determine whether and when to contact appropriate law enforcement and/or regulatory agencies. Provided that if an alleged Fraud appears to constitute an offence under the Criminal Code, the university shall notify the appropriate authorities.

4.    Confidentiality

4.1    All participants in a fraud investigation shall keep the details and results of the investigation confidential. The details and results of investigations are not to be disclosed or discussed with anyone other than those personnel associated with the university who have a legitimate need to know such results in order to perform their duties and responsibilities. 

It is recognized that investigators of incidents may share information with senior management, the Board of Trustees, University Counsel and/or law enforcement agencies.

5.    Retention of Evidence / Record Keeping

5.1    Internal Audit shall become the custodian of all original files and documents pertaining to the investigation in order to identify and preserve potential evidence. Any documents generated by the investigator, the advisory group, and external consultant during the investigation shall forward these documents to Internal Audit for safekeeping. As may be required by law, the university may relinquish these original documents (after obtaining a photocopy) to authorized representatives of law enforcement and/or regulatory agencies where appropriate. The retention and disposals of these documents will be made in accordance with Internal Audit’s record retention policy.

5.2    In all cases, records will be maintained as required by the nature of the investigation undertaken and any action to be taken in compliance with provisions of any relevant collective or employee agreement, or university policy.


Appendix I - Typical Elements of an Investigation Plan

Investigation Plans typically include the following elements:

1.    Defining the scope - Ensure the investigation scope is sufficient to develop a full understanding of the facts surrounding the allegations

2.    Information Gathering - Identify the sources of internal and external information to be gathered relevant to the investigation.  This could include sources, such as:
       a.    Hard copy documents
       b.    Electronic user data (e.g., email, electronic user files, mobile device data, etc.)
       c.    Financial system data
       d.    Information available from third parties

3.    Business Intelligence research - Identify relevant sources of web-based information, e.g., corporate registration databases, land/property registration databases, social media, traditional media, etc. 

4.    Interviews - Identify potential interviews of persons of interest, or those with direct knowledge of the matters under review.

5.    Analysis - Identify the nature and extent of analysis to be conducted using the above noted information.  This could include activities such as:
       a.    Analysis of hard copy and electronic documents
       b.    Forensic recovery and review of electronic user data (e.g., email, mobile device data, user files, etc.)
       c.    Data analytics and visualization
       d.    Mapping relationships between individuals and entities

6.    Reporting - Identify the nature and extent of reporting required.

7.    Consideration of other factors that may be relevant to the investigation, such as:
       a.    Other expertise required - Requirements for specific subject matter expertise (e.g., internal/external legal counsel, Human Resources, Information Technology, Engineers, etc.)
       b.    Notification - Notification required to third parties, if any (e.g., external auditors, funding organizations, insurers, law enforcement, etc.)
       c.    Time sensitivity - Time limitations placed on the investigation, if applicable (e.g., to mitigate losses, due to legal requirements, insurance claim time limits, etc.)
 


Appendix II – Reprisals Complaint Procedure

Definitions:

Complaint - A formal complaint submitted under this Procedure by an individual (“Complainant”) who feels they have experienced Reprisal.

Intake Assessment Team - the group, chaired by the Director, Internal Audit, responsible for the initial determination of whether the allegations in a Complaint, if proven to be true, would constitute a Reprisal as defined under the Fraud Policy (i.e., whether the allegations establish a prima facie case), and if so, for the referral to the appropriate Receiving Office for investigation. 

The core of the Intake Assessment Team is comprised of: 

  • the Director, Internal Audit, as Chair
  • the University Counsel 
  • the Associate Vice-Principal (Human Resources) 
  • the Associate Vice-Principal (Faculty Relations) if a Complaint alleges conduct by a faculty member
  • the Vice Principal (Finance and Administration), or delegate 

or an assigned delegate authorized to act on behalf of any of these individuals. 

The Intake Assessment Team may be adjusted from time to time at the discretion of the Director, Internal Audit, to include individuals who may inform the proper assessment of a Complaint. For example, if a Complaint alleges conduct by a student the Intake Assessment Team may include the Assistant Dean (Support Services and Community Engagement).

Receiving Office - the university office to which a Complaint has been referred by the Intake Assessment Team. This generally includes, but is not necessarily limited to, any of: Employee and Labour Relations Unit in Human Resources, Faculty Relations, Campus Security and Emergency Services. 

Respondent - refers to anyone who is alleged to have engaged in behaviours of Reprisal in a Complaint. 

Complaint Procedures

1.    Complaints shall be directed to the Director, Internal Audit.

2.    When the Director, Internal Audit receives a Complaint, the Director, Internal Audit will assemble the Intake Assessment Team promptly, to determine whether the matter will be referred for investigation and if so, to determine the appropriate Receiving Office.

3.    A Complaint must contain a detailed account of all facts alleged and must attach any documents on which the Complainant(s) relies and to which they have access.

4.    The Intake Assessment Team may decline to refer a Complaint for investigation if:

       a.    the Complaint is about a matter or issues not governed by the Fraud Policy
       b.    the allegations, if proven to be true, would not constitute a Reprisal
       c.    the substance of the Complaint is already the subject matter of another internal university proceeding (e.g., a grievance under a collective agreement)
       d.    the Complaint does not contain sufficient information. The Chair of the Intake Assessment Team may appoint a member of the Team to make appropriate follow-up inquiries and to report back to the Team to determine if the Complaint, amended with additional information, should be referred for investigation
       e.    the Respondent is no longer a member of the University Community. The Intake Assessment Team may accept a Complaint in these circumstances, which it will assess on a case-by-case basis. The university’s ability to investigate may be limited in such circumstances
        f.    the Complaint is made more than one year after the incident(s) to which the Complaint relates.  The Intake Assessment Team may accept a Complaint after the one-year period, if it is satisfied that the delay was incurred in good faith and no substantial prejudice will result to any person affected by the delay

5.    If the Intake Assessment Team decides not to refer a Complaint for investigation, the Director, Internal Audit will, on behalf of the Intake Assessment Team, advise the Complainant(s) in writing: 
       a.    of the reason(s) that the Intake Assessment Team decided not to refer the Complaint for investigation
       b.    that the Intake Assessment Team will reconsider its decision if the Complainant(s) submits significant new information, and 
       c.    about appropriate alternative(s) for seeking recourse or support 

6.    Complaints that the Intake Assessment Team refers for investigation will normally be referred as follows:
       a.    to Human Resources or Faculty Relations, as appropriate, to be investigated if the Respondent(s) is an employee
       b.    if the Complaint involves a Respondent(s) who is both a student and an employee, the Intake Assessment Team will determine which office (i.e., Human Resources, Faculty Relations, or Student Conduct) will be the lead office for investigation and the Complaint will be referred to that office

Record Keeping
7.    The Director, Internal Audit will keep a record of all Complaints for the purpose of administering this Procedure and for the purpose of reporting on statistics and trends. 

8.    The Receiving Office will report back to the Director, Internal Audit as to the disposition of the Complaint. 

9.    The Receiving Office creates a Complaint file that will include all related communications, memoranda, reports, statements, and evidence. The Receiving Office is responsible for securing the file and all documentation in the file and for the retention and disposition of the file in accordance with its processes and record retention schedule(s).
 


Appendix III - Fraud Reporting and Response Procedures 

Process Flowchart (PDF, 148 KB)


Appendix IV - Reprisal Complaint Procedure 

Process Flowchart (PDF, 152 KB)


Contact Officer: Director, Internal Audit

Date for Next Review: Month/Day/Year

Approval Authority: Vice-Principal (Finance and Administration)

Date of Commencement: May 13, 2022

Amendment Dates: March, 2024

Related Policies, Procedures, and Guidelines   

Policies Superseded by This Policy    N/A