71 Preventing and Reporting Fraud, Waste, and Abuse
Approved by Board of Trustees
Effective Date: June 5, 2017
Responsible Division: President
Responsible Office: Audit and Consulting Services
Responsible Officer: Director of Internal Audit and Consulting Services
Middle Tennessee State University (MTSU or University) is committed to the responsible stewardship of its resources. Management is responsible for maintaining a work environment that promotes ethical and honest behavior. Additionally, it is the responsibility of management to establish and implement internal control systems and procedures to prevent and detect irregularities, including fraud, waste, and abuse. Management at all levels should be aware of the risks and exposures inherent in their areas of responsibility and should establish and maintain proper internal controls to provide for the security and accountability of all resources entrusted to them.
A. Fraud. An intentional act to deceive or cheat, ordinarily for the purpose or result of causing a detriment to another and/or bringing about some benefit to oneself or others. Fraudulent activities may include, but are not limited to, the following:
1. Theft, misappropriation, misapplication, destruction, removal, or concealment of any University assets or resources, including, but not limited to, funds, securities, supplies, equipment, real property, intellectual property, or data.
2. Improper use or assignment of any University assets or resources, including, but not limited to, personnel, services, or property.
3. Improper handling or reporting of financial transactions, including use, acquisitions, and divestiture of state property, both real and personal.
4. Authorization or receipt of compensation for hours not worked.
5. Inappropriate or unauthorized use, alteration or manipulation of data, computer files, equipment, software, networks, or systems, including personal or private business use, hacking, and software piracy.
6. Forgery or unauthorized alteration of documents.
7. Falsification of reports to management or external agencies.
8. Pursuit of a personal benefit or advantage in violation of Policy 12 Conflict of Interest.
9. Concealment or misrepresentation of events or data.
10. Acceptance of bribes, kickbacks, or any gift, rebate, money, or anything of value whatsoever, or any promise, obligation, or contract for future reward, compensation, property, or item of value, including intellectual property.
B. Waste. Involves behavior that is deficient or improper when compared with behavior that a prudent person would consider a reasonable and necessary business practice given the facts and circumstances. Waste is a thoughtless or careless act, resulting in the expenditure, consumption, mismanagement, use, or squandering of University assets or resources to the detriment or potential detriment of the University. Waste may also result from incurring unnecessary expenses due to inefficient or ineffective practices, systems, or controls. Waste does not necessarily involve fraud, violation of laws, regulations, or provisions of a contract or grant agreement.
C. Abuse. Involves behavior that is deficient or improper when compared with behavior that a prudent person would consider a reasonable and necessary business practice given the facts and circumstances. Abuse also includes misuse of authority or position for personal financial interest or those of an immediate or close family member or business associate. Abuse does not necessarily involve fraud, or noncompliance with provisions of laws, regulations, contracts, or grant agreements. (U.S. Government Accountability Office, Government Auditing Standards)
III. Preventing Fraud, Waste, or Abuse
A. Maintaining an Ethical Work Environment.
1. Management is responsible for maintaining a work environment that promotes ethical and honest behavior on the part of all employees, students, contractors, vendors, and others.
2. To do so, management, at all levels, must behave ethically and communicate to employees and others that they are expected to behave ethically.
3. Management must demonstrate through words and actions that unethical behavior will not be tolerated.
B. Implementing Effective Internal Control Systems.
1. Management has the responsibility to establish and implement internal control systems and procedures to prevent and detect irregularities, including fraud, waste, and abuse.
2. Internal controls are processes performed by management and employees to provide reasonable assurance of:
a. Safeguards over University assets and resources, including, but not limited to, cash, securities, supplies, equipment, property, records, data, or electronic systems;
b. Effective and efficient operations;
c. Reliable financial and other types of reports; and
d. Compliance with laws, regulations, contracts, grants, and policies.
3. To determine whether internal controls are effective, management should perform periodic risk and control assessments, which should include the following activities:
a. Review the operational processes of the unit under consideration.
b. Determine the potential risk of fraud, waste, or abuse inherent in each process.
c. Identify the controls included in the process (or controls that could be included) that result in a reduction in the inherent risk.
d. Assess whether there are internal controls that need to be improved or added to the process under consideration.
e. Implement controls or improve existing controls that are determined to be the most efficient and effective for decreasing the risk of fraud, waste, or abuse.
4. Most managers will find that processes already include a number of internal controls, but these controls should be monitored or reviewed for adequacy and effectiveness on a regular basis and improved as needed. Typical examples of internal controls may include, but are not limited to:
a. Adequate separation of duties among employees.
b. Sufficient physical safeguards over cash, supplies, equipment, and other resources.
c. Appropriate documentation of transactions.
d. Independent validation of transactions for accuracy and completeness.
e. Documented supervisory review and approval of transactions or other activities.
f. Proper supervision of employees, processes, projects, or other operational functions.
C. Reviews of Internal Control Systems. Audits or other independent reviews may be performed on various components of the internal control systems.
D. Internal Audit.
1. Audit and Consulting Services is responsible for assessing the adequacy and effectiveness of internal controls that are implemented by management and will often recommend control improvements as a result of this assessment.
2. During an audit of a department or process, Audit and Consulting Services will also perform tests designed to detect fraud, waste, or abuse that may have occurred.
E. External Audits.
1. The Tennessee Department of Audit, Division of State Audit, performs periodic financial audits of public universities.
2. One purpose of this type audit is to evaluate the University’s internal controls, which will often result in recommendations for control improvements.
3. State Audit will also perform tests designed to detect fraud, waste, or abuse that may have occurred.
F. Other Reviews.
1. Various programs may be subject to audits or reviews by federal, state, or other outside agencies based on the type of program, function, or funding.
2. Although audits and reviews may include assessments of internal controls, the primary responsibility for prevention and detection of fraud, waste, or abuse belongs to management.
3. Therefore, management should take steps to review internal controls whether or not audits are to be performed.
IV. Reporting Fraud, Waste, or Abuse
A. Responsibility for Reporting Fraud, Waste, or Abuse. Any official of any agency of the State, having knowledge that a theft, forgery, credit card fraud, or any other act of unlawful or unauthorized taking, or abuse of, public money, property, or services, or other shortages of public funds has occurred, shall report the information immediately to the office of the Comptroller of the Treasury. T.C.A. § 8-19-501(a). To promote compliance with this statute, the University provides a means for University employees and others to report such matters to Audit and Consulting Services, who subsequently report these matters to the Comptroller's Office.
1. University administration with knowledge of fraud, waste, or abuse must report such incidents immediately.
2. Others, including University management, faculty, and staff, with a reasonable basis for believing that fraud, waste, or abuse has occurred, are strongly encouraged to immediately report such incidents. T.C.A. § 8-50-116.
3. Students, citizens, and others are also encouraged to report known or suspected acts of fraud, waste, or abuse.
4. Although proof of an improper activity is not required at the time the incident is reported, anyone reporting such actions must have reasonable grounds for doing so.
5. Employees with knowledge of matters constituting fraud, waste, or abuse who fail to report it or employees who knowingly make false accusations may be subject to disciplinary action.
B. Protection from Retaliation
1. State law T.C.A. § 8-50-116 prohibits discrimination or retaliation against employees for reporting allegations of dishonest acts or cooperating with auditors conducting an investigation.
2. The Higher Education Accountability Act of 2004 directs that a person who knowingly and willingly retaliates or takes adverse action of any kind against any person for reporting alleged wrongdoing pursuant to the provisions of this part commits a Class A misdemeanor.
C. Confidentiality of Reported Information
1. According to T.C.A. § 49-14-103, detailed information received pursuant to a report of fraud, waste, or abuse or any on-going investigation thereof shall be considered working papers of the internal auditor and shall be confidential.
2. Although every attempt will be made to keep information confidential, circumstances, such as an order of a court or subpoena, may result in disclosure.
3. If the University has a separate legal obligation to investigate the complaint (i.e., complaints of illegal harassment or discrimination), the University cannot ensure anonymity or complete confidentiality.
D. Methods for Reporting Fraud, Waste, or Abuse
1. Any employee who becomes aware of known or suspected fraud, waste, or abuse should immediately report the incident to an appropriate departmental official. Incidents should be reported to one of the following officials or offices:
a. A supervisor or department head;
b. a University official;
c. Audit and Consulting Services at 615-898-2914 or firstname.lastname@example.org; or
d. the Tennessee Comptroller of the Treasury’s Hotline for fraud, waste, and abuse at 1-800-232-5454.
2. If the incident involves an immediate supervisor, the employee should report the incident to the next highest level supervisor or one of the officials or offices listed above. Employees should not confront the suspected individual or initiate an investigation on their own, since such actions could compromise the investigation.
3. A department official or other supervisor who receives notice of known or suspected fraud, waste, or abuse must immediately report the incident to the following:
a. President or Vice President for Business and Finance;
b. Audit and Consulting Services;
c. University Police (when appropriate).
4. The Director of Audit and Consulting Services will notify the Comptroller of the Treasury of instances of fraud, waste, or abuse.
5. After initial notification, Policy 610 Reporting and Resolution of Institutional Losses will be reviewed for additional reporting procedures.
A. Cooperation of Employees
1. Individuals involved with suspected fraud, waste, or abuse should assist with and cooperate in any authorized investigation, including providing complete, factual responses to questions, and either providing access to or turning over relevant documentation immediately upon request by any authorized person.
2. The refusal by an employee to provide such assistance may result in disciplinary action.
B. Remedies Available
1. Audit and Consulting Services will evaluate the information provided and make a determination concerning external reporting obligations, if any, and the feasibility of pursuing available legal remedies against persons or entities involved in fraud, waste, or abuse against the University.
2. Actions that may be taken against University employees include, but are not limited to;
a. terminating employment,
b. requiring restitution, and
c. forwarding information regarding the suspected fraud to appropriate external authorities for criminal prosecution.
3. In those cases where disciplinary action is warranted, Office of Human Resource Services, Office of the University Counsel, and other appropriate offices shall be consulted prior to taking such action, and applicable University policies related to imposition of employee discipline shall be observed.
C. Resignation of Suspected Employee
1. An employee suspected of gross misconduct may not resign as an alternative to discharge after the investigation has been completed.
2. Exceptions to this requirement can only be made by the President, and require advance consultation with, and approval by, the Vice President for Business and Finance.
3. If the employee resigns during the investigation, the employment records must reflect the situation as of the date of the resignation and the outcome of the investigation. See Policy 800 General Personnel.
D. Effect on Annual Leave. An employee who is dismissed for gross misconduct, or who resigns or retires to avoid dismissal for gross misconduct, shall not be entitled to any payment for accrued but unused annual leave at the time of dismissal. See Policy 825 Leave Policies. T.C.A. § 8-50-807.
E. Student Involvement. Students found to have participated in fraud, waste, or abuse as defined by this policy will be subject to disciplinary action pursuant to Policy 540 Student Conduct.
F. Confidentiality during Investigation
1. All investigations will be conducted in as strict confidence as possible, with information sharing limited to persons on a need to know basis.
2. The identities of persons communicating information or otherwise involved in an investigation or allegation of fraud, waste, or abuse will not be revealed beyond the offices of the President, University Counsel, Business and Finance, and Audit and Consulting Services unless necessary to comply with federal or state law, or if legal action is taken.
G. Management’s Follow-up Responsibility
1. Administrators at all levels of management must implement, maintain, and evaluate an effective compliance program to prevent and detect fraud, waste, and abuse.
2. Once such activities have been identified and reported, the overall resolution should include an assessment of how it occurred, an evaluation of what could prevent recurrences of the same or similar conduct, and implementation of appropriate controls, if needed.
References: T.C.A. §§ 8-19-501(a); 8-50-116; 8-50-807; 49-14-103; U.S. Government Auditing Standards; Higher Education Accountability Act of 2004; Policies 12 Conflict of Interest; 540 Student Conduct; 610 Reporting and Resolution of Institutional Losses; 800 General Personnel; 825 Leave Policies.