Requests, claims or processes are limited by parameters
Requests or claims are limited by certain parameters; for example, claim periods or limits.
NB: Strong controls are enforced by systems, e.g. the system does not allow amounts to be paid above a certain limit, or particular items/payments to be claimed together.
Some examples of this type of countermeasure include:
- Transaction limits for credit cards.
- Claiming limits for programme payments.
- Staff must book the cheapest available fare for work travel.
- Only customers or nominees can change bank account details.
- Only Australian bank accounts can be recorded for programme payments.
Purpose of this countermeasure
Someone can make fraudulent claims or requests by acting dishonestly or providing false or misleading information or evidence. Additionally, a staff member can abuse their position of trust to process fraudulent requests or claims, or access information without authority.
Acting dishonestly or providing false or misleading statements or information to commit fraud are offences under the Criminal Code Act 1995.
Not having clear parameters in place to keep requests, claims or processes within certain boundaries can lead to:
- disorganised, inconsistent practices and decision-making, and
- other control weaknesses.
Fraudsters can exploit dysfunctional processes to:
- receive payments or services they are not entitled to, or
- access information or systems without a business need.
This type of control is supported by:
- Legislation and Policy
- Procedural instructions or guidance
- Decision-making powers are clearly defined
- A specific form, process or system must be used
- User permissions
- Prompts and alerts
- Privileged access restrictions and monitoring
- Change management processes
- System testing
- Exception reporting
- Fraud detection programs
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Confirm the existence of parameters.
- Confirm parameters are always applied.
- Undertake quantitative analysis of outcomes to check they are within limits/boundaries.
- Review a sample of completed requests or claims to confirm parameters were applied.
- Ask staff about processes to ensure they have a consistent and correct understanding of the parameters.
- Undertake vulnerability testing or a process walk-through to confirm that parameters are enforced.
- Confirm that someone cannot override or bypass parameters, even when pressure or coercion is applied.
- Check if reporting/reconciliation processes exist to confirm claim or request outcomes are within limits/boundaries.
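As an added example that is not part of the original guidance, the Python below models the "strong control" described in the NB above (the system itself refuses a claim that breaches a parameter) together with the effectiveness checks in this list (quantitative analysis and exception reporting over completed claims). The payment limit, claim period, item codes, the mutually exclusive item pair and the sample claims are all constructed values; the BSB check is a format check only and stands in for the lookup against a real bank branch register that a production system would use.

```python
"""Constructed example: system-enforced claim parameters plus an exception report.

Not a real programme's rules. Every limit, code and sample claim below is made up
to illustrate the control pattern described in the guidance.
"""
from dataclasses import dataclass
from decimal import Decimal
import re

# Hypothetical programme parameters (constructed values).
PAYMENT_LIMIT = Decimal("5000.00")                  # no single payment above this
CLAIM_PERIOD_DAYS = 90                               # claims must be lodged within this window
MUTUALLY_EXCLUSIVE_ITEMS = {frozenset({"ITEM_A", "ITEM_B"})}  # cannot be claimed together
# Australian BSB: six digits, commonly written 3-3. Format check only; a real system
# would also confirm the BSB exists in the published branch register.
AUSTRALIAN_BSB = re.compile(r"\d{3}-?\d{3}")


@dataclass(frozen=True)
class Claim:
    claim_id: str
    amount: Decimal
    items: frozenset          # item codes claimed on this request
    bsb: str                  # bank-state-branch code of the payee account
    account_number: str
    days_since_service: int   # how long after the service the claim was lodged


def check_parameters(claim: Claim) -> list[str]:
    """Return every parameter the claim breaches; an empty list means it is within bounds."""
    breaches = []
    if claim.amount <= 0:
        breaches.append("amount must be positive")
    if claim.amount > PAYMENT_LIMIT:
        breaches.append(f"amount {claim.amount} exceeds payment limit {PAYMENT_LIMIT}")
    if claim.days_since_service > CLAIM_PERIOD_DAYS:
        breaches.append(f"lodged {claim.days_since_service} days after service; limit is {CLAIM_PERIOD_DAYS}")
    for pair in MUTUALLY_EXCLUSIVE_ITEMS:
        if pair <= claim.items:
            breaches.append(f"items {sorted(pair)} cannot be claimed together")
    if not AUSTRALIAN_BSB.fullmatch(claim.bsb):
        breaches.append(f"BSB {claim.bsb!r} is not an Australian BSB format")
    if not claim.account_number.isdigit():
        breaches.append("account number must be numeric")
    return breaches


def process_claim(claim: Claim) -> dict:
    """The system-enforced control: the claim is refused, not flagged for a person to notice."""
    breaches = check_parameters(claim)
    status = "REJECTED" if breaches else "ACCEPTED"
    return {"claim_id": claim.claim_id, "status": status, "reasons": breaches}


def exception_report(paid_claims) -> dict:
    """Effectiveness check: re-run the parameters over claims that were already paid.

    Any entry in the result is a claim the control should have stopped, which is
    evidence that the parameter was overridden, bypassed or not applied.
    """
    return {c.claim_id: b for c in paid_claims if (b := check_parameters(c))}


def within_limits_ratio(paid_claims) -> float:
    """Quantitative outcome measure: share of paid claims that satisfy every parameter."""
    claims = list(paid_claims)
    if not claims:
        return 1.0
    return 1 - len(exception_report(claims)) / len(claims)


# Constructed sample of "completed" claims, as if pulled from a payments history table.
SAMPLE_CLAIMS = [
    Claim("C-001", Decimal("1200.00"), frozenset({"ITEM_A"}), "062-000", "12345678", 10),           # compliant
    Claim("C-002", Decimal("7500.00"), frozenset({"ITEM_C"}), "062000", "12345678", 5),             # over limit
    Claim("C-003", Decimal("300.00"), frozenset({"ITEM_A", "ITEM_B"}), "062-000", "12345678", 20),  # exclusive pair
    Claim("C-004", Decimal("450.00"), frozenset({"ITEM_C"}), "12345678", "99999999", 3),            # not a BSB
    Claim("C-005", Decimal("900.00"), frozenset({"ITEM_B"}), "062-000", "12345678", 120),           # period expired
]

if __name__ == "__main__":
    for claim in SAMPLE_CLAIMS:
        print(process_claim(claim))
    print("exceptions:", exception_report(SAMPLE_CLAIMS))
    print("within limits:", within_limits_ratio(SAMPLE_CLAIMS))
```

Keeping the same `check_parameters` function behind both the live decision and the retrospective report is the point: if the report is ever non-empty for claims the system paid, either the parameter was changed after payment, or someone found a path around the control, and both are findings for the change-management and privileged-access reviews listed above.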