Fraud Policy

Effective Date: 1 April 2024
Last Updated: 19 May 2026
Owner: Tudor Brad, Managing Director

1. Scope

This policy applies to every person acting on behalf of Better Quality Assurance S.R.L. ("BetterQA," "the company"), in every country we operate in: employees, contractors, freelancers, directors, the Administrator (Tudor Brad), agents, and any supplier or partner whose conduct is attributable to BetterQA. It covers both internal fraud (committed by people within BetterQA, against BetterQA, its clients, or third parties) and external fraud (committed by outsiders against BetterQA or its clients, but flowing through our systems, our people, or our deliverables).

2. Our Position

BetterQA does not tolerate fraud. We take a low-tolerance, evidence-driven approach: we expect strong internal controls, segregation of duties, and reviewable records, and we act decisively when something is wrong. We also acknowledge that fraud risk is real in a fast-moving services company with international clients, remote staff, and frequent invoicing - and we'd rather find issues early through controls than late through losses.

Examples of fraud in our context. Falsified timesheets billed to clients; expense claims with fictitious receipts; misuse of client production data; tampering with test evidence to hide failed runs; payroll or banking-detail-change scams ("CEO fraud"); fake invoices from suppliers we never engaged; misappropriation of client credentials; intentional misrepresentation in a sales proposal or CV submitted to a client.

3. Specific Obligations

Internal controls everyone is responsible for.

  • Segregation of duties. The person who approves a payment must be different from the person who initiates it. The person who runs a test must, for material releases, be different from the person who signs off the result. The person who hires must be different from the person who approves payroll changes
  • Banking detail changes. Any request from a client, employee, or supplier to change bank account details (new IBAN, new beneficiary, new currency) must be verified through an independent channel - a phone number on file, not one in the requesting email. Email-only confirmation is not enough
  • Expenses. Submit only expenses you actually incurred, with the original receipt. Do not split a single expense to keep it under an approval threshold. Do not claim per-diems for days you were not on the assignment
  • Timesheets. Submit only hours you actually worked, against the correct project and client. Do not pad hours, do not back-fill weeks you forgot, do not record time on a project you did not work on
  • Test evidence. Test results, screenshots, logs, and pass/fail flags are records of fact. They must not be altered, deleted, or "smoothed" after the run. Re-run a test if you need a new result; never edit the old one
  • Client credentials. Credentials given to BetterQA for testing belong to the client. Use them only on the engagement they were issued for. Store them in the agreed credential manager. Do not share them outside the agreed access list, and do not export client data to personal devices

Mandatory reviews.

  • Expense claims and reimbursement runs are reviewed by the Managing Director at least quarterly
  • Outbound payment runs (supplier payments, contractor payments, payroll) are reviewed by the Managing Director at least quarterly, with a sample audit of supporting documents
  • Bank account change requests are 100% reviewed in real time before execution, not in arrears
  • Client billing reconciliations - hours billed vs hours recorded in BetterFlow - are run monthly by the assigned project lead

4. Reporting Channel

If you suspect fraud - internal or external, committed, attempted, or threatened - report it.

  • Email: [email protected] (anonymous reporting permitted)
  • Acknowledgement within 7 days, outcome within 90 days, in line with EU Directive 2019/1937 and Romanian Law 361/2022
  • If you suspect a payment fraud is about to be executed, raise it directly with the Managing Director by phone immediately; do not wait for the email channel
  • Reports made in good faith are protected from retaliation; see the separate Whistleblowing Policy

For external fraud affecting a client (for example, a phishing attack received via a BetterQA-managed mailbox), the client is notified by the Managing Director within 24 hours of confirmation, in line with the relevant Data Processing Agreement.

5. Consequences

Fraud is treated as gross misconduct. Consequences may include:

  • Immediate suspension pending investigation
  • Termination of employment or contract
  • Recovery of misappropriated funds, including through civil action
  • Personal criminal liability under Romanian Criminal Code articles on deception, forgery, and embezzlement, the UK Fraud Act 2006 (where applicable), and the EU PIF Directive 2017/1371 where EU funds are involved
  • Reporting to the relevant police authority, ANAF (tax authority) where applicable, and the affected client
  • Forfeiture of any unvested bonuses, commissions, or contract fees

6. Review Cadence

This policy is reviewed at least annually by the Managing Director, or sooner if a fraud incident is detected, if the company's payment or expense systems change, or if a new control gap is identified. The annual review covers the previous year's incidents (if any), the quarterly review findings, and the segregation-of-duties matrix.

7. Owner

Policy Owner
Tudor Brad
Managing Director (Administrator), Better Quality Assurance S.R.L.
