Conduct system testing

Type of countermeasure

This is a prevention countermeasure. Prevention countermeasures are the most common and cost-effective way to stop fraud. They prevent or limit the size of the fraud risk by reducing the likelihood and consequences of fraud.

Summary

Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.

Why this countermeasure matters

Fraudsters could take advantage of loopholes (defects) in untested systems for:

  • facilitating fraudulent payments
  • accessing, manipulating or releasing sensitive information
  • erasing records of their activities to avoid detection.

How to put this countermeasure in place

Some ways to implement this countermeasure include:

  • testing all new systems or system updates as part of the ICT systems lifecycle or change management process
  • conducting user acceptance testing to test for fraud risks or control vulnerabilities
  • adhering to the requirements under the Protective Security Policy Framework
  • referring to the Australian Government Information Security Manual for guidelines on system and change management
  • performing vulnerability assessments and penetration testing on systems.

How to measure this countermeasure's effectiveness

Measure the effectiveness of this countermeasure by using the following methods:

  • Undertake a desktop review of testing policies and processes to confirm that clear and consistent processes exist.
  • Confirm that testing processes meet accepted policies and standards.
  • Confirm that the results of system testing are documented, and review the documentation.
  • Consult subject matter experts on testing processes and systems to evaluate their understanding and thoughts about fraud control.
  • Confirm that testing processes would identify specific types of vulnerabilities such as malicious code.
  • Conduct a system walkthrough by having staff show you the process.
  • Review who has access to perform testing.
  • Review the system permissions needed to perform testing.
  • Confirm that testing environments accurately replicate production environments.
  • Review how the results of system testing are reported.
  • Confirm that defects or other issues are adequately resolved.
  • Confirm that post-production testing also occurs.

Related countermeasures

Establish governance, accountability and oversight of processes by using delegations and requiring committees and project boards to oversee critical decisions and risk. Good governance, accountability and oversight increase transparency and reduce the opportunity for fraud.

Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.

Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.

Conduct internal or external audits or reviews to evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.

Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including restricting administrative privileges.

Reconcile records to make sure that two sets of records (usually the balances of two accounts) match. Reconciling records and accounts can detect if something is different from what is standard, normal, or expected, which may indicate fraud.

Report on incidents or breaches to help identify if further investigation is required. Clients, public officials or contractors can take advantage of a lack of reporting and transparency to commit fraud, act corruptly and avoid exposure.

Audit logging produces system-generated audit trails of staff, client or third-party interactions that help with fraud investigations.