Requests, claims or activities are approved by the appropriate decision-maker
All requests, claims or activities must be approved by an appropriate decision-maker.
NB: Strong workflow controls are enforced by systems.
Some examples of this type of countermeasure include:
- Programme payments automatically workflow through to the correct delegate for approval.
- All asset requests are approved by the requester's line manager.
- All travel expenditure must be approved by the appropriate spending approver.
- Payments exceeding a certain threshold must be approved by a specified approver.
- Purchase orders automatically workflow through to the procurement team and spending approvers in the finance system.
Purpose of this countermeasure
Staff or contractors can abuse their position of trust to process fraudulent requests or claims for themselves or another person. Staff or contractors can also be coerced to process fraudulent requests or claims for another person or entity, e.g. pressured to pay a fraudulent invoice.
Staff or contractors can also abuse their position of trust to access and disclose official information without authority.
Acting dishonestly or influencing a Commonwealth public official to commit fraud are offences under the Criminal Code Act 1995.
Allowing someone other than the appropriate decision-maker to approve a request, claim or activity can lead to:
- dysfunctional and obscure processes, and
- poor management of decision-making and risk.
For example, staff could collude to approve leave or overtime without the knowledge or approval of the manager or central delegate.
This type of control is supported by:
- Legislation and Policy
- Procedural instructions or guidance
- Decision-making powers are clearly defined
- A specific form, process or system must be used
- Identity is authenticated for each interaction
- Mandatory information is required to complete the request or claim
- Internal escalation procedures
- Requests, claims or processes are limited by parameters
- Prompts and alerts
- System or physical access controls
- User permissions
- Sensitive information controls
- Requests or claims are processed by a limited number of staff
- Privileged access restrictions and monitoring
- Change management processes
- System testing
- End of life processes
- Quality assurance checks
- Activity reporting
- Exception reporting
- Internal or external audits or reviews
- Automatic notification of high-risk activities and transactions
- Fraud detection programs
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Consult staff about approval processes. Confirm they have a correct and consistent understanding.
- Identify how approval requirements are communicated to staff.
- Confirm the existence of approval workflows within the system.
- Review procedures or guidance to confirm they clearly specify approval processes.
- Obtain and review requirements for how approvals are obtained.
- Confirm approvals processes are consistently applied.
- Confirm that someone cannot override or bypass approval processes, even when pressure or coercion is applied.
- Review a sample of completed requests/claims to confirm appropriate approval was obtained on all occasions.
- Undertake quantitative analysis of completed requests, claims or activities to confirm approval was obtained on all occasions.
- Undertake vulnerability testing or a process walk-through to confirm that approval processes are enforced.
- Confirm the existence of a review and reconciliation process. Review the reports.
- Review any past fraud cases to identify how they were allowed to occur.
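The following is an added example, not code from this page or from any agency's finance system, showing what "strong workflow controls are enforced by systems" looks like in practice for the threshold-based routing in the examples above, together with the reconciliation check over completed requests described in the effectiveness measures. The role names, dollar thresholds, staff directory and sample records are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed approval matrix: (upper amount limit, minimum role needed).
# Hypothetical thresholds and role names, not taken from the page.
APPROVAL_TIERS = [
    (10_000, "line_manager"),
    (100_000, "spending_approver"),
    (float("inf"), "senior_delegate"),
]
ROLE_RANK = {"line_manager": 1, "spending_approver": 2, "senior_delegate": 3}

# Constructed staff directory mapping user ids to their approval role (if any).
STAFF_ROLES = {
    "alice": None,  # requester with no approval authority
    "bob": "line_manager",
    "carol": "spending_approver",
    "dan": "senior_delegate",
}


@dataclass
class Request:
    request_id: str
    requester: str
    amount: float
    approvals: list = field(default_factory=list)  # user ids who approved
    paid: bool = False


def required_role(amount: float) -> str:
    """Route a request to the approval tier its amount falls into."""
    for limit, role in APPROVAL_TIERS:
        if amount <= limit:
            return role
    raise ValueError("no tier matched")  # unreachable: last tier is unbounded


def valid_approval(request: Request, approver: str) -> bool:
    """True if approver is not the requester and holds a role at or above the required tier."""
    if approver == request.requester:
        return False  # self-approval is never a valid approval
    role = STAFF_ROLES.get(approver)
    needed = required_role(request.amount)
    return role in ROLE_RANK and ROLE_RANK[role] >= ROLE_RANK[needed]


def approve(request: Request, approver: str) -> Request:
    """Record an approval, refusing anyone the workflow would not route to."""
    if not valid_approval(request, approver):
        raise PermissionError(
            f"{approver} may not approve {request.request_id}: "
            f"needs a {required_role(request.amount)} other than the requester"
        )
    request.approvals.append(approver)
    return request


def is_approved(request: Request) -> bool:
    """A request is approved only if at least one recorded approval is valid for it."""
    return any(valid_approval(request, a) for a in request.approvals)


def pay(request: Request) -> Request:
    """Release payment only once a valid approval is on record (the system-enforced gate)."""
    if not is_approved(request):
        raise PermissionError(f"{request.request_id} is not approved")
    request.paid = True
    return request


def audit_paid_requests(requests) -> list:
    """Reconciliation check: ids of paid requests that lack a valid approval."""
    return [r.request_id for r in requests if r.paid and not is_approved(r)]


# Constructed sample of completed records, as a reconciliation review might see them.
# Two were paid outside the workflow (for example, edited directly in the ledger).
SAMPLE_RECORDS = [
    Request("REQ-1", "alice", 4_500, approvals=["bob"], paid=True),  # correct
    Request("REQ-2", "alice", 4_500, approvals=["alice"], paid=True),  # self-approved
    Request("REQ-3", "alice", 250_000, approvals=["bob"], paid=True),  # below required tier
    Request("REQ-4", "alice", 50_000, approvals=["carol"], paid=True),  # correct
]

if __name__ == "__main__":
    r = Request("REQ-5", "alice", 75_000)
    try:
        approve(r, "bob")  # line manager is below the tier for this amount
    except PermissionError as e:
        print("refused:", e)
    approve(r, "dan")  # senior delegate outranks the required tier
    pay(r)
    print("exceptions:", audit_paid_requests(SAMPLE_RECORDS))  # ['REQ-2', 'REQ-3']
```

The two halves match two of the effectiveness checks above: `pay()` is the point where the system, not the staff member, enforces that the correct delegate approved, and `audit_paid_requests()` is the quantitative review of completed records that surfaces payments released without a valid approval, including the self-approval and wrong-tier cases that a person under pressure might otherwise wave through.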