Requests or claims are randomly allocated for processing
Requests or claims are randomly allocated to staff for processing. This removes the option for staff to select which claims to process.
Some examples of this type of countermeasure include:
- Systems or processes ensure work is randomly allocated to processing staff.
Purpose of this countermeasure
A staff member can abuse their position of trust to process fraudulent requests or claims for themselves or another person or entity. A staff member can also be coerced to process a fraudulent request or claim for another person or entity, e.g. pressured to pay a fraudulent invoice.
Acting dishonestly or influencing a Commonwealth public official to commit fraud are offences under the Criminal Code Act 1995.
Allowing staff to 'cherry-pick' requests or claims from the queue can increase the risk of:
- staff deliberately processing fraudulent requests or claims, or
- staff being coerced to process fraudulent requests or claims.
This type of control is supported by:
- Procedural instructions or guidance
- A specific form, process or system must be used
- User permissions
- Privileged access restrictions and monitoring
- Change management processes
- System testing
- Fraud detection programs
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Confirm random allocation processes are always applied.
- Review workload management specifications and system requirements.
- Undertake quantitative analysis of allocations by location and staff user ID.
- Undertake vulnerability testing or a process walk-through to confirm that allocation processes cannot be circumvented (even when pressure or coercion is applied).
- Review the approvals process and ensure there is segregation of duties.
- Confirm monitoring and reporting processes exist for allocation. Would these identify anomalous allocation and processing patterns?
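
One way to carry out the quantitative analysis of allocations by staff user ID is shown below. This is an added example, not part of the original guidance. It assumes an allocation log of (claim ID, claimant ID, staff user ID) records, and that each staff member's share of the total workload approximates their chance of receiving any one claim under random allocation. The field layout, user IDs and sample records are constructed.

```python
from collections import Counter
from math import comb

def binom_tail(n, k, p):
    """P(X >= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def anomalous_pairs(log, alpha=0.001, min_claims=5):
    """Flag (staff, claimant) pairs seen more often than random allocation explains.

    log: list of (claim_id, claimant_id, staff_id) tuples (assumed field layout).
    Returns (staff, claimant, observed, claimant_total, tail_probability) rows.
    """
    total = len(log)
    by_staff = Counter(staff for _, _, staff in log)
    by_claimant = Counter(claimant for _, claimant, _ in log)
    by_pair = Counter((staff, claimant) for _, claimant, staff in log)
    flagged = []
    for (staff, claimant), observed in by_pair.items():
        n = by_claimant[claimant]
        if n < min_claims:           # too few claims to say anything
            continue
        p = by_staff[staff] / total  # chance a random claim lands on this user
        tail = binom_tail(n, observed, p)
        if tail < alpha:
            flagged.append((staff, claimant, observed, n, tail))
    return sorted(flagged, key=lambda row: row[4])

def constructed_log():
    """Constructed sample: 400 evenly spread claims plus one cherry-picked claimant."""
    staff = ["u101", "u102", "u103", "u104", "u105"]
    log = [(f"K{i:04d}", f"C-{i % 40:03d}", staff[(i % 40 + i // 40) % 5])
           for i in range(400)]
    # Claimant C-999 lodges 8 claims; user u104 ends up processing 7 of them.
    log += [(f"K9{j:03d}", "C-999", "u104" if j < 7 else "u101") for j in range(8)]
    return log

if __name__ == "__main__":
    for staff, claimant, observed, n, tail in anomalous_pairs(constructed_log()):
        print(f"{staff} processed {observed}/{n} claims from {claimant} (p={tail:.2e})")
```

A flagged pair is a prompt for review rather than proof of fraud. Many pairs are tested at once, so set the alpha threshold with the volume of claims in mind.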