Exception reports identify anomalies for further interrogation. For example, an exception report on payroll would identify unusually high pay amounts.
Some examples of this type of countermeasure include:
- An exception report of large salary changes and payments.
- A report is automatically generated to flag unusually high programme payments.
- A report would highlight excessive ordering of assets.
- A report is automatically generated to show claimants who have made more than 10 claims within a month.
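The rules listed above can be expressed as a small, repeatable job. The script below is an added example, not code from the original page or from any agency system: it implements three of the listed rules (large period-on-period salary changes, payments far above the period median, and claimants with more than 10 claims in a calendar month) over constructed payroll and claims records, keeps the thresholds in one place away from the report output, and attaches a SHA-256 digest to the generated report so a reviewer can tell whether it was altered after generation. All identifiers, amounts and threshold values are hypothetical.

```python
"""Exception-report generator over constructed payroll and claims data.

Added example (not from the original page): implements three of the
exception rules the page lists and a tamper-evidence digest of the result.
"""
import hashlib
import json
from collections import Counter, defaultdict
from dataclasses import dataclass, asdict
from datetime import date
from statistics import median

# Thresholds live in one place, separate from the report itself, so they can be
# reviewed independently and need not be disclosed to processing staff.
# The values are hypothetical.
THRESHOLDS = {
    "salary_change_pct": 25.0,       # flag period-on-period pay change above this
    "high_payment_multiplier": 3.0,  # flag pay above this multiple of the period median
    "max_claims_per_month": 10,      # flag claimants with more than this many claims
}

# Constructed sample data: (employee_id, pay period YYYY-MM, gross pay)
PAYROLL = [
    ("E001", "2024-01", 5000.0), ("E001", "2024-02", 5000.0), ("E001", "2024-03", 5100.0),
    ("E002", "2024-01", 4800.0), ("E002", "2024-02", 4800.0), ("E002", "2024-03", 9800.0),
    ("E003", "2024-01", 4700.0), ("E003", "2024-02", 4700.0), ("E003", "2024-03", 4700.0),
    ("E004", "2024-01", 4900.0), ("E004", "2024-02", 4900.0), ("E004", "2024-03", 25000.0),
]

# Constructed sample data: (claimant_id, claim date, amount)
CLAIMS = (
    [("C100", date(2024, 2, 20), 120.0), ("C100", date(2024, 2, 27), 120.0)]
    + [("C100", date(2024, 3, d), 120.0) for d in range(1, 13)]  # 12 claims in March
    + [("C200", date(2024, 3, d), 80.0) for d in (3, 11, 19)]    # 3 claims in March
)


@dataclass(frozen=True)
class ExceptionRecord:
    rule: str
    subject: str
    period: str
    detail: str


def large_salary_changes(payroll, threshold_pct):
    """Flag employees whose pay moved more than threshold_pct from the previous period."""
    by_employee = defaultdict(list)
    for emp, period, pay in payroll:
        by_employee[emp].append((period, pay))
    found = []
    for emp, rows in by_employee.items():
        rows.sort()  # YYYY-MM periods sort chronologically as strings
        for (_, prev), (period, cur) in zip(rows, rows[1:]):
            change_pct = (cur - prev) / prev * 100.0
            if abs(change_pct) > threshold_pct:
                found.append(ExceptionRecord("large_salary_change", emp, period,
                                             f"{prev:.2f} -> {cur:.2f} ({change_pct:+.1f}%)"))
    return found


def unusually_high_payments(payroll, multiplier):
    """Flag payments above multiplier x the median of all payments in the same period."""
    by_period = defaultdict(list)
    for emp, period, pay in payroll:
        by_period[period].append((emp, pay))
    found = []
    for period, rows in by_period.items():
        limit = multiplier * median(pay for _, pay in rows)
        for emp, pay in rows:
            if pay > limit:
                found.append(ExceptionRecord("unusually_high_payment", emp, period,
                                             f"{pay:.2f} exceeds {limit:.2f}"))
    return found


def frequent_claimants(claims, max_per_month):
    """Flag claimants with more than max_per_month claims in any calendar month."""
    counts = Counter((claimant, f"{d.year:04d}-{d.month:02d}") for claimant, d, _ in claims)
    return [ExceptionRecord("frequent_claims", claimant, month, f"{n} claims")
            for (claimant, month), n in sorted(counts.items()) if n > max_per_month]


def run_exception_report(payroll=PAYROLL, claims=CLAIMS, thresholds=THRESHOLDS):
    """Run every rule and return the combined report in a deterministic order."""
    exceptions = (
        large_salary_changes(payroll, thresholds["salary_change_pct"])
        + unusually_high_payments(payroll, thresholds["high_payment_multiplier"])
        + frequent_claimants(claims, thresholds["max_claims_per_month"])
    )
    return sorted(exceptions, key=lambda e: (e.rule, e.subject, e.period))


def report_digest(exceptions):
    """SHA-256 over the canonical JSON form of the report, recorded at generation
    time so the reviewer can detect later edits to the copy they receive."""
    canonical = json.dumps([asdict(e) for e in exceptions], sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


if __name__ == "__main__":
    report = run_exception_report()
    for e in report:
        print(f"[{e.rule}] {e.subject} {e.period}: {e.detail}")
    print("digest:", report_digest(report))
```

The median-based rule is deliberately insensitive to the outlier it is looking for (a single very large payment barely moves the median), which is why it is preferred here over a mean-based cut-off on small populations. Storing the digest alongside the report at generation time, outside the processing team's reach, is one concrete way to meet the later check that reports and their underlying data cannot be manipulated unnoticed.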
Purpose of this countermeasure
Someone can make fraudulent claims or requests by acting dishonestly or providing false or misleading information or evidence. Additionally, a staff member can abuse their position of trust to process fraudulent requests or claims, or access information without authority.
Acting dishonestly or providing false or misleading statements or information to commit fraud are offences under the Criminal Code Act 1995.
Not reporting on anomalies for further interrogation can lead to:
- dysfunctional and obscure processes,
- reduced transparency, and
- poor management of fraud and corruption risks.
Exception reporting increases transparency and reduces the opportunity for fraud.
This type of countermeasure is supported by:
- Governance, accountability and oversight
- Managerial, independent or expert oversight
- Collaboration with strategic partners
- A specific form, process or system must be used
- Requests, claims or processes are limited by parameters
- Data matching
- Data protected from manipulation or misuse
- Data analytics
- Staff are trained and supported to identify and report fraud and corruption
- Tip-offs and Public Interest Disclosures
- Activity reporting
- Incident reporting
- Internal or external audits or reviews
- Audit logging
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Confirm that the exception tolerances or parameters are appropriate.
- Confirm that the exception parameters or thresholds are not widely known.
- Confirm that exception reports are actually produced and used. Is the process adequate?
- Confirm that exception reports go to the most appropriate staff/team for review.
- Process walk-through: sit with a staff member while they review the report and respond to anomalies.
- Review a sample of reports to determine whether they would help detect fraud. Is the report clear and relevant to the user?
- Undertake quantitative analysis of data related to reports, e.g. how many exceptions are reported, and how often?
- Review who has access to exception reports.
- Confirm that someone cannot manipulate reports (including the data that underlies them). Test this if required.
- Confirm that the review of exceptions is segregated from processing staff/teams.
- Check what other reporting occurs, e.g. do executives review exception reports during committee meetings?