Fraud mitigation calls for vigilance

Two recent cases of theft and fraud at UCT, the larger (in 2005)involving the theft of R1.1 million and the other (discovered this year) R538 000, have highlighted the need for effective financial controls at all levels of the university, from petty cash to the purchase of goods and scientific equipment.

A third more recent case has again emphasised the need for effective controls, and adherence to process, where cash is taken. The importance of this is underscored by the volume of cash handling on campus, where many departments take in cash (individually in small sums, but cumulatively significant amounts).

Council, as recently reported in Monday Paper, has decided that from 2008 any person paying cash for more than R400 for fees (or traffic tokens or traffic fines) will have to pay at the university's bank on an approved deposit form. This measure has been taken principally to reduce the risks associated with having large amounts of cash on campus.

In the first two instances cited above, the perpetrators were charged criminally. One resigned and the other was dismissed. Their cases have yet to reach the courts. In both cases (the latter case a long-serving financial manager in the Faculty of Engineering and the Built Environment) the loss has been recovered from pension payouts due to the former staff members.

Call it the second oldest profession in the world, but fraud is with us in many forms. In the case of the R1.1 million stolen from the student fees office, the perpetrator used sophisticated methods to siphon money from various accounts.

By the very nature of its business, UCT deals with some weighty budgets with large sums of money flowing into fee and faculty coffers, this through funding or partnerships with commerce and industry.

Does this make the institution particularly prey to fraudsters? Registrar Hugh Amoore doesn't believe so.

"Most large organisations have multiple sources of revenue and objects of expenditure and unless adequate controls are instituted, fraud is possible. The key is to ensure that effective controls are in place."

Internal auditor Guy Murcott and his team have five fraud cases open, the result of forensic work by his department, following complex paper trails. Amoore emphasises that internal audit's prinicipal role is to help line management have effective controls in place; a secondary function of internal audit is to conduct forensic investigations where these controls have proved ineffective, and in these cases to recommend control steps.

With 34 years' experience at UCT, Murcott says the typical fraudster is usually someone who has been with the institution for some years.

"They're often in positions of trust and they're often long-servers; people who are perhaps frustrated, who capitalise on poor management, finding and working loopholes in our financial system."

UCT management continually review the control environment. For example, the University's Audit Committee has decided that financial managers must review all expenditure on purchase cards - and may themselves not have a purchase card, thus ensuring the necessary separation of roles.

But when one or more people collude, it makes the manager's (and subsequently internal auditor's) job more difficult. Controls must assume the possibility of collusion.

Financial abuse takes many forms, Murcott says. It might be abuse of a UCT purchasing cards - a form of credit card - issued on behalf of a department or faculty.

It can be as minor as changing the agreed rate of cell phone allowance, which, in one case, amounted to nearly R48 000 over four years. It my be the theft of gift vouchers used for student awards or even "dummied up" vouchers for petty cash retrieval.

Collusion with service providers for kickbacks is corruption, and a criminal offence.

Murcott points to the need for training of line managers who must review expenditure: do managers in academic or PASS departments have the training to make sense of figures on SAP?

"Many fund-holders have never grappled with SAP, passing responsibility for their funds to secretaries of financial administrators," Murcott said. "The biggest frauds take place when there is plenty of money in a fund and too little supervisor intervention."

There are three fundamentals when dealing with fraud, says Amoore. First, UCT must report every incident, both to our insurers and to the police - even if the loss is recovered.

Second, perpetrators must face disciplinary action, which will often lead to dismissal, recovery of the loss and police charges.

"We do not sweep it under the carpet and let the perpetrator go quietly."

Third, people in positions of trust must exercise that trust.

"Our students and staff and the public at large expect probity from a university. It would be wrong for us - on the argument that we are a microcosm of society in which fraud is rife - to accept any level of fraud," Amoore said.