It’s not every day you open the ASQA newsletter to read nine people were arrested, but many of us got just that when we returned to work this January.

Just before Christmas last year, nine people were arrested by the Joint Strike Force Petrie, which included staff from the NSW Police and ASQA, for allegedly fraudulent qualifications and money laundering.

This included three ex-employees of a former RTO, Daily Update Pty Ltd.

The RTO employees were being held personally accountable and arrested. Pretty scary.

I wondered if those staff members knew what was happening - did they do this knowing it was fraud? Or did they think it was ok because that’s what their bosses told them to do? Imagine if you got arrested for following what you believed was a compliant process. It would be devastating.

More so because the RTO’s deregistration was back in April 2015, but warrants were not issued until late 2018. More than three years later.

An event like this brings home the importance of knowing what you need to do to be compliance and having effective, compliant systems.

In my time working in the VET sector, I’ve encountered many cases of fraud, from students, tutors and employees. The most troubling for me in terms of processes were

  • Students who attempt to use fake Statements of Attainment to get Credit Transfers
  • A Student who access an RTO employee’s computer and printed themselves a phoney certificate
  • A Tutor who was bribed to provide false documents to the RTO to issue a certificate
  • An employee issued fake statements of attainment for themselves and their spouse

Some of these cases were caught by the RTO and dealt with. Some were identified by police and notified to the RTO. Some were identified by ASQA during the audit.

At least one of the above cases was cited to the RTO in ASQA’s decision to deregister.

That’s another scary thought.

There are ways to manage these risks.

So what are the main ways that RTOs can to protect against fraud?

Firstly, it’s important to note that these above arrests (and other cases I know of where criminal charges were laid) were deliberate, systematic use of fake or false documents, for profit or to the benefit to the perpetrators.

Genuine failure of the system may trigger deregistration but is not likely to get an employee arrested.

Genuine errors issuing a certificate in an otherwise robust system is unlikely to trigger deregistration, particularly if it’s a once off.

The trick is to make sure that you have an otherwise robust system.

That means the RTO needs layers of preventions and controls to demonstrate a robust system, and diligence in preventing fraud.

(On a side note, Fraud is distinct from Plagiarism because it’s about statements, documents etc. being false or fake, whereas plagiarism is about passing other people’s work off as your own.)

Minimising Student Fraud

Credit Transfer or Recognition of Prior Learning (RPL)

A student may attempt to use false documents when applying for Credit Transfers or RRL, such as fake Statement of Attainments (SOA), or ‘made up’ evidence for RPL such as false Third Party Reports or Resumes.

In your policy

The best defence if a good offence with a clear statement about false or misleading documents.

Clearly stated policies and processes with information on what will occur if the student attempts to use falsified documents helps to reduce intentional ‘mistakes’. onCourse can help you automate this using email templates and the Editor.

  • create a webpage for you RPL and CT policy as a static page
  • add your policy documents to this page using the ‘attachment’ feature
  • Create an email template in onCourse with your process for CT & RPL application and include a link to the CT/RPL page.
  • include a warning in the email template, webpage and policy about falsifying documents
  • reply to all RPL or CT application using the email template, so you have a record you have advised the student regarding falsifying documents

In your process

When you receive a Credit Transfer or RPL application, you will need to have internal procedures to validate and authenticate. This can be done by checking the Student’s USI records, contacting the issuing training provider, or contacting the employers to verify resume statements. This can be challenging if the employers are no longer operating, the training before the USI was in use.

If the other provider issue the SOA or Certificate using onCourse, you can use the Certificate Verification Process.

We recommend you add the details of the CT or RPL application on the documents tab for the student, and add details of how you verified and authenticated the document in the Notes tab. That way, you have an ongoing record of the “what” and “why”.

Access violations

One case of student fraud I am aware of involved the student accessing the staff member’s computer while they were out of their room. The student used the computer accessed the Certificate Template in MS Word. They added their name, printed the certificate, and voila, a fake qualification is only a few minutes.

In your policy

Simple steps like locking your computer if you’re not using it will go a long way to prevent unauthorised access.

You should also use onCourse’s built-in Two Factor Authentication. Two Factor Authentication sends a code to the staff member’s phone before letting them log in. This prevents unauthorised access as the student or other parties. A fraudster would need to have access to the staff member’s computer AND mobile phone to fake a certificate.

In your process

Create your certificate and SOAs in onCourse and use the digital security features, like QR codes and Certificate Verification Process.

Even if they do get into the system, they would have to know the process to print the certificate - it’s not as simple as adding a name. onCourse has layered of processes and/or checks in the Certificate workflow. If you don’t complete all the steps, you won’t be able to print a certificate or SOA, including

  • enrolment
  • payment
  • outcomes
  • USI

Fraudsters would need to know how to use onCourse, and the processing would take a lot longer than a few minutes. That makes it very difficult for a student to access the system while someone goes for a coffee.

onCourse provides further security with it’s Send Certificate Created script - the Certificate is located on the portal, via a PDF, and not attached in an email, making it more difficult for a student to access another student’s certificate.

Minimising Staff Fraud

Issuing Certificate without evidence of training

onCourse has built-in Audit features that track who made changes to the system, making it easier to locate and address staff fraud.

In your policy

Establish and review your user access policy and user roles regularly. Do all your users have access to create certificates? Do they need to print certificates in their roles? Should you limit some users to enrolment only?

In onCourse, you can apply user roles to limit staff access, or, on higher level subscriptions, create you own access controls.

Log in should be specific to the individual staff member, and staff member should not ‘share’ a login. onCourse does not limit the number of users accounts, just the number on the system at any one time. So you can have an account for each staff member. We do not recommend ‘general’ accounts, like ‘admin’, that are shared by multiple users. Each staff member should have their own account with their own password, and users should not give their passwords to others. This ensures that the audit logs track the staff member who carried out a task, and allows you to review all tasks by that users if there is cause for concern.

In your process

New Users

When you set up new users, make each account a unique login name, email and full name.

After an employee leaves the organisation

When staff members leave the organisation, it’s important to go to their user account in onCourse toggle off ‘active’ to deactivate the account.