Skip to main content

Coronavirus (COVID-19) and the Attorney-General’s Department: Find out how our services are being delivered and how you can access them. For the latest COVID-19 news, updates and advice from the Australian Government, visit

Requests or claims are processed by a limited number of staff


Previous page



Next page



Requests or claims can only be processed by staff with a specific type of user permission/skillset.


Some examples of this type of countermeasure include:

  • One centralised team processes international travel.
  • High value, high risk claims are managed by a small-dedicated team.
  • Only a centralised team can create vendors in the system.

Purpose of this countermeasure

A staff member can abuse their position of trust to process fraudulent requests or claims for themselves or another person. A staff member can also be coerced to process a fraudulent request or claim for another person or entity, e.g. pressured to pay a fraudulent invoice.

Acting dishonestly or influencing a Commonwealth public official to commit fraud are offences under the Criminal Code Act 1995.

Allowing a large number of staff to process requests or claims without authority or a business need increases the risk of:

  • staff deliberately processing fraudulent requests or claims, or
  • staff being coerced to process fraudulent requests or claims.


This type of control is supported by:

How do I know if my countermeasures are effective?

You can apply the following methods to measure the effectiveness of these types of countermeasures:

  • Confirm that the specific type of request can only be allocated to a limited number of staff.
  • Confirm a specific type of user permission, skillset or position is required to process the request or claim.
  • Quantitative analysis of who processes specific requests or claims.
  • Undertake vulnerability testing or a process walk-through to confirm that requests or claims cannot processed by staff without a specific type of user permission, skillset or position.
  • Confirm the existence of monitoring and reporting. Would this identify anomalous processing?
  • Confirm there is a regular review of user permissions, skillsets or positions.


Previous page



Next page




Commonwealth Fraud Prevention Centre logo