Internal escalation procedures
Non-standard requests or claims are escalated, e.g. for review by a policy team or ICT helpdesk.
Some examples of this type of countermeasure include:
- Claims that exceed a certain threshold are escalated for further scrutiny.
- Non-standard or late claims must be reviewed and actioned by a separate policy team.
Purpose of this countermeasure
Someone can provide false or misleading information or evidence to support a request or claim, or fail to disclose information that would affect their entitlement.
Additionally, a staff member can abuse their position of trust to process fraudulent requests or claims for themselves or another person or entity.
Acting dishonestly or influencing a Commonwealth public official to commit fraud are offences under the Criminal Code Act 1995.
Not having processes in place to escalate non-standard requests or claims can lead to:
- disorganised, inconsistent practices and decision-making, and
- other control weaknesses.
Fraudsters can deliberately use confusion and deception to exploit these weaknesses to:
- receive payments or services they are not entitled to, or
- access information or systems without a business need.
This type of control is supported by:
- Procedural instructions or guidance
- Staff are trained to apply correct processes and decisions
- A specific form, process or system must be used
- Prompts and alerts
- Requests or claims are processed by a limited number of staff
- System or physical access controls
- User permissions
- Privileged access restrictions and monitoring
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Review the policies and procedures for escalating requests or claims.
- Confirm non-standard requests and claims are escalated to someone with sufficient delegation, independence or expertise.
- Confirm escalation processes are consistently applied.
- Undertake quantitative analysis of non-standard requests or claims. What percentage of claims fall into this category? Does this align with the number of escalations?
- Review a sample of non-standard requests or claims to confirm correct escalation processes were followed.
- Ask staff about internal escalation processes to ensure they have a consistent and correct understanding.
- Undertake testing or a process walk-through to confirm that escalation processes cannot be bypassed (even when pressure or coercion is applied).
- Identify how escalation requirements are communicated to staff.
- Confirm that someone cannot bypass escalation processes or systems, even when subject to pressure or coercion.
- Review the training staff receive to ensure it includes information about escalation procedures.