
 System or physical access controls



Access to systems, data, information, physical documents, offices and assets is limited.

The Protective Security Policy Framework articulates the government protective security policies that underpin this control.


Some examples of this type of countermeasure include:

  • Log-on ID and password to access systems.
  • Staff must provide an approved business case to receive access to internal systems.
  • Two-factor authentication to access an online account.
  • Restricted access to different parts of the building.
  • Only registered providers have access to the online provider system.
  • Staff are unable to access online email servers on work computers.
  • Classified documents are stored in secure cabinets.

Purpose of this countermeasure

Staff or contractors can abuse their position of trust to:

  • process fraudulent requests or claims for themselves or another person,
  • access, manipulate or disclose official information without authority, and
  • steal monetary or physical assets.

Staff and contractors can also be coerced to commit fraud for the benefit of another person or entity, e.g. coerced to provide information or pay a claim.

Abuse of public office, obtaining property by deception or influencing a Commonwealth public official to commit fraud are offences under the Criminal Code Act 1995.

Failing to control access to systems, data, information, physical documents, offices and assets can lead to fraudsters:

  • accessing or manipulating systems and information without authority,
  • facilitating fraudulent payments, or
  • stealing data, information, physical documents or assets to benefit themselves or others.


This type of control is supported by:

How do I know if my countermeasures are effective?

You can apply the following methods to measure the effectiveness of these types of countermeasures:

  • Confirm controls comply with the Protective Security Policy Framework. This includes security requirements for:
    • Sensitive and classified information
    • Access to information
    • Safeguarding information from cyber threats
    • Robust ICT systems
    • Physical security for entity resources
    • Entity facilities
  • Obtain and review requirements for who can access systems, data, information, documents or offices.
  • Review procedures for requesting access. Confirm the request processes are robust. Actively test them if required.
  • Review existing access to confirm that only those who require access have it.
  • Confirm accesses are regularly reported on and reconciled. Confirm that this process would identify and remove unneeded access.
  • Undertake testing or a process walk-through to confirm that access controls cannot be circumvented.
  • Confirm access controls are consistently applied.
  • Identify how access request and reconciliation processes are communicated.
  • Confirm that someone cannot bypass standard process requirements even when subject to pressure or coercion.
  • Confirm the existence of a blacklist/whitelist and that this is regularly reviewed and reconciled.
  • Review any past access breaches to identify how they were allowed to occur.
  • Perform or review the results of technical tests, e.g. penetration testing.
