Skip to main content

Coronavirus (COVID-19) and the Attorney-General’s Department: Find out how our services are being delivered and how you can access them. For the latest COVID-19 news, updates and advice from the Australian Government, visit

Change management processes


Previous page


Next page


Change management processes are applied to ensure changes do not create risks or weaken existing controls.


Some examples of this type of countermeasure include:

  • Fraud risk assessments are undertaken or updated when there is a substantial change in the structure, functions or activities of the entity/programme.
  • Changes must go through a rigorous and transparent change management process.
  • Fraud control teams are consulted about programme and system changes.
  • Major changes undergo a change impact assessment, which consider the potential impacts on existing fraud controls.
  • All system changes are logged through a change management system.
  • All updates to access controls and source code are controlled through layered environments.

Purpose of this countermeasure

Staff or contractors can abuse their position of trust to:

  • process fraudulent requests or claims for themselves or another person, and
  • access, manipulate or disclose official information without authority.

Staff and contractors can also be coerced to commit fraud for the benefit of another person or entity, e.g. coerced to provide information or pay a claim.

Abuse of public office, acting dishonestly or influencing a Commonwealth public official to commit fraud are offences under the Criminal Code Act 1995.

Allowing changes to systems outside a transparent change management process can lead to:

  • dysfunctional and obscure processes, and
  • poor management of fraud and corruption risks.

Fraudsters could make covert changes in systems to create loopholes (defects) for:

  • facilitating fraudulent payments,
  • accessing, manipulating or releasing sensitive information, and
  • erasing records of their activities.


This type of control is supported by:

How do I know if my countermeasures are effective?

You can apply the following methods to measure the effectiveness of these types of countermeasures:

  • Undertake a desktop review of change management policies and processes. Confirm that a clear and consistent processes exists.
  • Confirm that change management processes align with existing policies.
  • Confirm that change impact assessments and risk plans are completed. Review the documentation.
  • Confirm that risk plans are actually used and updated.
  • Consult subject matter experts on change processes. Evaluate their understanding and thoughts about fraud risk.
  • Confirm that change processes would effectively identify and manage fraud risks.
  • Confirm that fraud control teams are engaged as a stakeholder during change processes.
  • Confirm that risks are properly treated.
  • Review how changes are reported, e.g. are change management plans reviewed and signed-off by a project board?
  • Confirm that post-implementation reviews occur.
  • Undertake a staff census and include questions relevant to change management. Commonwealth entities can review APSC Census results.


Previous page


Next page



Commonwealth Fraud Prevention Centre logo