Use system workflows to make sure all requests, claims or activities are approved only by the appropriate decision-maker.
Why does this countermeasure matter?
Allowing requests, claims or activities to be approved by someone other than the appropriate decision-maker can lead to:
- staff processing fraudulent requests or claims for themselves or for another person
- staff abusing a position of trust to access and disclose official information
- staff entitlements such as leave or overtime being approved without the knowledge or approval of the manager or delegate
- processes becoming uncertain or not working properly
- poor management of decision-making and risk.
How you might apply this countermeasure
Some ways to implement this countermeasure include:
- having the system automatically assign payment requests to the correct decision-maker for approval
- having the system automatically assign asset requests to the requester's manager
- requiring all travel spending to be approved by the appropriate approver
- having the system automatically assign higher-value claims to a specified approver, such as a central delegate
- having the finance system automatically assign purchase orders to the procurement team and spending approvers.
How to check if your countermeasures are effective
Here are some ways to measure the effectiveness of this type of countermeasure:
- consult staff about approval processes to confirm they have a correct understanding
- identify how approval requirements are communicated to staff
- confirm the existence of approval workflows within the system
- review procedures or guidance to confirm it clearly specifies approval processes
- review requirements on how approvals are obtained
- confirm approval processes are consistently applied
- confirm that someone cannot override or bypass approval processes even when pressure or coercion is applied
- review a sample of completed requests/claims to confirm appropriate approval was obtained on all occasions
- review reports of completed requests/claims or activities to confirm approval is obtained on all occasions
- undertake pressure testing or a process walk-through to confirm that approval processes are enforced
- confirm the existence of a review and reconciliation process, and review the reports
- review any past fraud cases to identify how they were allowed to occur.
Clearly document decision-makers using delegations, authorisations and instructions. Clearly defined decision-making powers increase transparency and reduce the opportunity for fraud and corruption.
Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.
Limit access to systems, data, information, physical documents, offices and assets.
Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as making high-risk functions limited to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
Only allow certain types of claims to be processed by staff with a specific type of user permission or skillset.
Limit and monitor privileged system access (access that allows staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including restricting administrative privileges.