Skip to main content

Coronavirus (COVID-19) and the Attorney-General’s Department: Find out how our services are being delivered and how you can access them. For the latest COVID-19 news, updates and advice from the Australian Government, visit

System testing


Previous page



Next page



Specific testing undertaken to identify vulnerabilities prior to release into production.


Some examples of this type of countermeasure include:

  • All new systems or system updates must undergo a multiple phases of testing as part of the development lifecycle or change management process.
  • User Acceptance Testing is performed by the business owners, which tests for fraud risks or control vulnerabilities.
  • Vulnerability Assessments and Penetration Testing is performed on systems.

Purpose of this countermeasure

Staff or contractors can abuse their position of trust to:

  • process fraudulent requests or claims for themselves or another person, and
  • access, manipulate or disclose official information without authority.

Staff and contractors can also be coerced to commit fraud for the benefit of another person or entity, e.g. coerced to provide information or pay a claim.

Abuse of public office, acting dishonestly or influencing a Commonwealth public official to commit fraud are offences under the Criminal Code Act 1995.

Untested systems can allow vulnerabilities to be released into production environments.

Fraudsters could take advantage of untested systems to create loopholes (defects) for:

  • facilitating fraudulent payments,
  • accessing, manipulating or releasing sensitive information, and
  • avoiding detection.


This type of control is supported by:

How do I know if my countermeasures are effective?

You can apply the following methods to measure the effectiveness of these types of countermeasures:

  • Undertake a desktop review of testing policies and processes. Confirm that a clear and consistent process exists.
  • Confirm that testing processes meet accepted policies and standards.
  • Confirm that the results of system testing is documented. Review the documentation.
  • Consult subject matter experts on testing processes and systems. Evaluate their understanding and thoughts about fraud control.
  • Confirm that testing processes would identify specific types of vulnerabilities, malicious code etc.
  • System testing walkthrough – have staff show you the process.
  • Review who has access to perform testing.
  • Review the system permissions needed to perform testing.
  • Confirm that testing environments replicate production environments. What type data is used?
  • Review how the results of system testing is reported.
  • Confirm that defects or other issues are adequately resolved.
  • Confirm that post-production testing also occurs.


Previous page



Next page




Commonwealth Fraud Prevention Centre logo