Requests or claims are processed by a limited number of staff
Requests or claims can only be processed by staff with a specific type of user permission/skillset.
Some examples of this type of countermeasure include:
- One centralised team processes international travel.
- High value, high risk claims are managed by a small, dedicated team.
- Only a centralised team can create vendors in the system.
Purpose of this countermeasure
A staff member can abuse their position of trust to process fraudulent requests or claims for themselves or another person. A staff member can also be coerced to process a fraudulent request or claim for another person or entity, e.g. pressured to pay a fraudulent invoice.
Acting dishonestly or influencing a Commonwealth public official to commit fraud are offences under the Criminal Code Act 1995.
Allowing a large number of staff to process requests or claims without authority or a business need increases the risk of:
- staff deliberately processing fraudulent requests or claims, or
- staff being coerced to process fraudulent requests or claims.
This type of control is supported by:
- Procedural instructions or guidance
- Decision-making powers are clearly defined
- Staff and contractor rotation
- A specific form, process or system must be used
- User permissions
- Segregation of duties is applied
- Privileged access restrictions and monitoring
- Change management processes
- System testing
- Quality assurance checks
- Exception reporting
- Fraud detection programs
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Confirm that the specific type of request can only be allocated to a limited number of staff.
- Confirm a specific type of user permission, skillset or position is required to process the request or claim.
- Quantitative analysis of who processes specific requests or claims.
- Undertake vulnerability testing or a process walk-through to confirm that requests or claims cannot be processed by staff without a specific type of user permission, skillset or position.
- Confirm the existence of monitoring and reporting. Would this identify anomalous processing?
- Confirm there is a regular review of user permissions, skillsets or positions.
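As an added example (not part of the original page), the following Python script applies the quantitative analysis and exception-reporting checks listed above to a constructed processing log: it flags claims processed by staff lacking the required permission and counts how many distinct staff process each claim type. The claim types, permission names and staff IDs are assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumptions, not from the page): the permission
# each claim type requires and the permissions each staff member holds.
REQUIRED_PERMISSION = {
    "international_travel": "travel_central",
    "vendor_create": "vendor_admin",
    "high_value_claim": "high_risk_team",
}
STAFF_PERMISSIONS = {
    "u101": {"travel_central"},
    "u102": {"travel_central", "vendor_admin"},
    "u103": {"high_risk_team"},
    "u104": set(),  # general processing staff, no special permission
}
# Constructed processing log: claim_id,claim_type,processed_by,amount
LOG = """\
c1,international_travel,u101,1200
c2,vendor_create,u104,0
c3,high_value_claim,u103,85000
c4,high_value_claim,u102,91000
c5,international_travel,u102,950
c6,vendor_create,u102,0
"""

def parse_log(text):
    """Parse the CSV-style log into (claim_id, claim_type, user, amount) tuples."""
    rows = []
    for line in text.splitlines():
        claim_id, ctype, user, amount = line.split(",")
        rows.append((claim_id, ctype, user, int(amount)))
    return rows

def exception_report(rows):
    """Flag claims processed by staff who lack the required permission."""
    exceptions = []
    for claim_id, ctype, user, _ in rows:
        needed = REQUIRED_PERMISSION[ctype]
        if needed not in STAFF_PERMISSIONS.get(user, set()):
            exceptions.append((claim_id, ctype, user, needed))
    return exceptions

def processors_per_type(rows):
    """Quantitative check: how many distinct staff processed each claim type."""
    who = defaultdict(set)
    for _, ctype, user, _ in rows:
        who[ctype].add(user)
    return {ctype: len(users) for ctype, users in who.items()}
```

Run `exception_report(parse_log(LOG))` against a real export of processed claims to produce the exception report, and compare `processors_per_type` against the expected size of each dedicated team.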