Back to school

Universities need remedial anti-fraud measures

By Dominic Peltier-Rivest, Ph.D., CFE
Most universities often are fraud victims because of their unique control environments. An atmosphere of openness and collegiality, and faculty members who don’t want to be controlled, can lead to a lack of segregation of duties and independent oversight. Learn how universities, and other nonprofit organizations, can overcome entrenched ideologies to prevent and deter fraud and reputational damage.

The author presented material from this article at the 2012 Annual Conference of the Canadian Association of University Business Officers and the 2013 Annual Meeting of the Canadian Council of Deans of Science. — ed

Many university frauds never make the headlines because some institutions of higher learning don’t report these incidents to law enforcement authorities. They fear they’ll tarnish their reputations with students, alumni and donors. One such case involved a graduate student hired to grade final exams for undergraduate courses who solicited bribes from students. The grader would ask for $500 for a 90 percent mark, $400 for 85 percent, $300 for 80 percent and so on. He delivered on his promise by making occasional intentional mistakes when grading the paying students’ exams.

This actual fraud exemplifies the sensitivity of some cases, regardless of the size of their immediate financial impact on a university. Frequently, the damage to the institution’s reputation — and in this particular case, the value of the degrees it confers — is much worse. Eventually, it may lead to significant financial repercussions on revenues from reduced student enrollments and donor contributions. 

Occupational frauds — crimes that occur in the workplace — are quite common. Nearly every organization has been a victim of fraud or will be one in the future, according to Dr. Joseph T. Wells, CFE, CPA, founder and Chairman of the ACFE. (See “Fraud Casebook: Lessons from the Bad Side of Business,” page XIII, by Dr. Wells, 2007, John Wiley & Sons Publishing.) 

Small nonprofit organizations are particularly vulnerable to occupational fraud because of their limited resources to prevent and detect fraud on a timely basis. (See “Determinants of fraud losses in nonprofit organizations,” by Kristy Holtfreter, in Nonprofit Management & Leadership, volume 19, issue 1, 2008.) 

On the other hand, larger nonprofit organizations, like most universities, whose mission is to lead society and educate tomorrow’s leaders, may also be victims of fraud because of their unique control environments. Most North American and European universities are nonprofit public institutions that report to federal, provincial or state ministries (or departments) of education. While public universities are usually large in size, many common internal controls may be absent to prevent or detect fraud. (See “Embezzlement Epidemic,” by Christopher T. Marquet, in University Business, July 2011.) 

Faculty members and staff administrators, who support openness and collegiality, are usually responsible for processing academic purchases and payments and safeguarding institutional assets. This decentralized control environment may lead to a lack of segregation of duties and independent oversight, which can result in an increased risk of fraud. (See “Canadian Universities are Victims of Fraud,” by M. Britt & al., in University Manager, Winter 2011.) 

Educational institutions’ greatest asset is clearly their organizational and academic reputations. However, those reputations often go out the window when they face public frauds, which can affect alumni relations, endowment growth and student enrollment. (See “Embezzlement Epidemic,” by Christopher T. Marquet, in University Business, July 2011.) 

Most internal audit experts agree that nonprofit institutions’ greatest fraud-related challenge is mitigating reputational risk. Good faculty members and students won’t join fraudulent universities. Governments and donors won’t financially contribute to organizations they don’t trust. (See “Reputations at Risk,” by R.A. Jackson, in Internal Auditor, June 2008.) 

My article discusses how to prevent occupational fraud in universities and draws lessons from four actual cases of fraud in North American universities, which I helped investigate as an external advisor. (To preserve the confidentiality of these cases, I’ve changed details and omitted the names of the universities and the identities of those involved. Any resemblance with the actual institutions and individuals is purely coincidental.) 

Through a discussion of preventive measures, this article will assist universities (and other nonprofits) in implementing tools that will not only help prevent fraud and reputational damage but will also facilitate the advancement of their strategic missions. These measures are: 
  • Encouraging senior administrators to exercise ethical leadership.  
  • Performing regular fraud risk assessments and implementing targeted internal controls.  
  • Educating faculty and staff members about a university’s ethics policy and instituting anti-fraud training. 
  • Implementing an anonymous reporting mechanism (such as a hotline) and feedback processes among all stakeholders and senior administration.  
  • Aligning faculty members’ incentives with a university’s mission and goals. 

Federal, provincial and state governments, as well as donors, have recently increased the pressure on universities to implement better governance practices and on their boards of governors to exercise their fiduciaries responsibilities more efficiently. (See “Reputations at Risk.”) 

Institutions of higher learning, of course, aren’t immune to fraud. The risks they face are similar to those in other industries. However, the probability of occurrence of fraud risks may be higher for universities because of their promoted environment of collegiality, which may lead to more decentralization and lack of basic internal controls. (See “Canadian Universities are Victims of Fraud,” by M. Britt & al., in University Manager, Winter 2011.)

According to the ACFE’s 2012 Report to the Nations on Occupational Fraud and Abuse, 6.4 percent of worldwide fraud cases occur in the education sector, which represents the fifth most-targeted industry by fraudsters out of 23 industries. (See Report to the Nations, page 28.) Furthermore, the three most frequent fraud schemes perpetrated in the education sector are billing schemes, fraudulent expense reimbursements and corruption schemes. (See Report to the Nations, page 30.) 

Appropriate governance and financial accountability calls for senior university administrators to exercise their professional duties with loyalty and reasonable care. They should be implementing internal controls and investigating all credible allegations of fraud, regardless of their size, to prevent financial and reputational damage to their organizations.


Universities around the world must perform regular fraud risk assessments and implement targeted internal controls, such as proper segregation of duties and surprise audits. Of course, as with all organizations, universities can prevent fraud by segregating a task of requesting a financial transaction from those of approving it, processing the payment, reconciling the transaction to the accounts and safeguarding the involved asset. Surprise audits must be just that: unannounced supervisory reviews. This creates not just an atmosphere of collegiality and support but one in which the perceived opportunity to commit fraud is low. 


This case involved invigilators (test monitors) who were hired to proctor final exams in a large undergraduate department at the pay rate of $50 for a three-hour exam. This department didn’t have proper controls to verify who showed up for work and who didn’t on exam days. Therefore, as long as the correct number of invigilators showed up, those who had registered and accepted the jobs in advance with the department administrator were all paid using time sheets, which that administrator had prepared. The department chair would then approve the time sheets. The administrator didn’t verify attendance of the invigilators with the professors who’d supervised the exams.

The invigilators began to exploit the lack of proper controls. Believe it or not, parents of some younger invigilators would show up on exam days to do the work of their offspring, but the university would still pay their kids because the students’ names appeared on time sheets. The children then gave their gross salaries to their parents because these students’ annual taxable incomes were too low to pay any income taxes. 

In this fraud scheme, the university paid the “ghost invigilators” for services they never rendered. Even though the university didn’t lose any money, it made individual payments to the wrong people. The governmental revenue agency was the actual victim of this fraud, which is a clear case of tax evasion. However, the fraud really occurred because the university hadn’t identified invigilation activities as high risk, and some invigilators took advantage of internal control deficiencies. The university has the ethical and legal responsibility to pay the right people and implement proper controls to prevent and detect fraud whether the victim is itself or an outside entity.

The department chair detected the fraud by chance when a parent of an invigilator let slip that he’d worked an exam the previous weekend, while the chair didn’t have his time sheet to approve. Investigators from the security department discovered that this was far from volunteer work because the parent’s son was the one getting paid for the work. They later found that four more parents were also using the same scheme to avoid paying income taxes. The university warned the parents and invigilators that any further misconduct would lead to formal legal and disciplinary actions and potential dismissal, but it didn’t take any formal action.

Lessons learned
Following this case, I recommended a thorough fraud risk assessment and establishment of targeted internal controls. The undergraduate department implemented a simple and effective control; it required professors who supervise exams to maintain signature sheets that all invigilators must sign at the beginning and the end of their work shifts. Any new or unknown invigilator must show identification to the supervising professor. Afterwards, the chair’s assistant must validate each signature sheet with the registration sheet prepared by the department administrator. A proper segregation of duties requires that someone independent from the department administrator must validate and prepare time sheets. 


Educating faculty, staff members and students about the university’s ethics (or anti-fraud) policies is important, of course, to prevent fraud and preserve the institution’s reputation. It’s also important to develop ethics policies carefully and implement them in accordance with the culture of the institution. 

Culturally, universities, like most nonprofit educational institutions, don’t like heavy-handed policies, or controls, because faculty members perceive them as impediments to their research and teaching activities. (See “Reputations at Risk.”)

After going through an appropriate anti-fraud training program, every employee and faculty member (many higher-education institutions actually view faculty above the instructor level as quasi-independent contractors) should understand the nature and role of internal controls as well as the negative consequences associated with fraud. 

University administrators, faculty and staff members should be motivated to prevent fraud because its occurrence might affect their chances of promotions and salary increases and tarnish the external reputation of the university, which could then affect its financial situation.


This case implicated two executives of a university’s student association. Student associations at this university were legally independent, but they received financial subsidies from the institution and special student contributions from an automatic levy on tuition fees. 

The university allowed student association executives to seek reimbursement for expenses for the many extracurricular activities they organized throughout the academic year. Each association would reimburse executives after they submitted receipts or paid invoices.

The two association executives committed fraud by submitting fictitious, altered and mischaracterized expense receipts and invoices. For example, one submitted a fictitious receipt for $600 that she drew and signed on a paper place mat. She claimed the expenses were for “marketing activities.” Her association actually reimbursed her. 

Another student exec submitted a scanned valid hotel invoice on which he had added with Photoshop two fictitious nights plus additional food and mini-bar items. He also submitted another hotel invoice for a meeting room that he claimed was for a student recruitment event, but it actually was for the wedding reception of a family member. Both the recruitment event and the wedding reception had been on the same day at the same hotel. 

The student association is obviously the victim of these frauds because it lost most of its funds. However, the university is ethically and legally responsible to ensure it doesn’t invest taxpayers’ money in ventures that it should know are fraudulent.

The newly elected executives of the same student association discovered the fraud, which had grown to more than $100,000. One of the new executives was concerned because the association didn’t have any money left in its bank account at the start of the new academic year. He had also heard some students bragging about “how easy it is to forge invoices on Photoshop.” The executive asked for the university’s help in investigating. 

The university expelled the two crooked student executives from their programs of study, and the university referred the case to the local police department. All parties reached an out-of-court settlement.

Lessons learned
I recommended that the university require student associations to undergo annual financial audits as a condition to receiving financial support. Universities should also educate student associations’ executives about ethics and basic internal controls to prevent and detect such frauds. 

The absence of an independent party’s verifications and the lack of training fostered students’ perceptions that they could easily commit fraud and get away with it. Independent and thorough reviews of expense reimbursement claims could have easily detected most expense reimbursement frauds. 


Managers and auditors normally can detect fictitious receipts and invoices by observing missing vendor information and relevant registration numbers. Management can usually discover electronically altered expense receipts and invoices by inspecting for slight differences in font size, style and page format, and calculation mistakes in fictitious items and their sales taxes. If an invoice is addressed to the student association itself or the university, contacting the vendor can be an effective method for confirming amounts while not infringing on the claimant’s privacy rights. 

For full access to story, members may sign in here.

Not a member? Click here to Join Now. Or Click here to sign up for a FREE TRIAL.