Incident reports or breach reporting to identify circumstances where further investigation is required.
Some examples of this type of countermeasure include:
- The CFO reports financial breaches, e.g. failure to acquit a credit card on time.
- ICT reports incidents and breaches.
- Staff must report lost, stolen or damaged assets.
- Staff are required and supported to report security incidents, e.g. loss of classified documents.
Purpose of this countermeasure
Not reporting incidents or breaches for further investigation can lead to:
- dysfunctional and obscure processes,
- reduced transparency, and
- poor management of performance, decision-making and risk.
Customers, public officials or contractors can take advantage of the obscurity to commit fraud, act corruptly, and avoid exposure.
Abuse of public office or acting dishonestly to commit fraud are offences under the Criminal Code Act 1995.
Activity reporting increases transparency and reduces the opportunity for fraud.
This type of countermeasure is supported by:
- Governance, accountability and oversight
- Managerial, independent or expert oversight
- A specific form, process or system must be used
- Requests, claims or processes are limited by parameters
- Internal escalation procedures
- Quality assurance checks
- Automatic notification of high-risk activities and transactions
- Complaints about poor or anomalous outcomes
- Tip-offs and Public Interest Disclosures
- Reconciliation (accounting)
- Activity reporting
- Exception reporting
- Documentation and evidence storage
- Major incident response plan
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Confirm that the reporting requirements for incidents are appropriate.
- Confirm that reports are actually produced and used.
- Review a sample of reports to determine if they: a. are clear and relevant, and b. would help someone detect fraud.
- Confirm that the process for reporting incidents is easy to locate and use.
- Confirm the options for reporting incidents are clearly communicated.
- Undertake quantitative analysis of data related to reports, e.g. how many incidents are reported? How often?
- Confirm that incident reports go to the most appropriate staff/team.
- Review who has access to incident reports.
- Check what other reporting occurs, e.g. do executives review reports during committee meetings?