Establish exception reporting
Establish exception reports to identify activities that are different from the standard, normal, or expected process and should be further investigated.
Why this countermeasure matters
Lack of exception reporting may lead to:
- disorganised or inconsistent practices and decision-making
- less transparency over actions and outcomes
- poor management of fraud and corruption risks
- less action and accountability to prevent, detect and respond to fraud and corruption
- fraud or corrupt activity going unnoticed or unchallenged.
How to put this countermeasure in place
Some ways to implement this countermeasure include generating exception reports to identify:
- unusually high pays
- large salary changes
- unusually high program payments
- excessive ordering of assets
- staff who have made more claims than usual within a month.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure using the following methods:
- Confirm that the exception tolerances or parameters are appropriate.
- Confirm that the exception parameters or thresholds are not widely known.
- Confirm that exception reports are actually produced and used, and that the process is adequate.
- Confirm that exception reports go to the most appropriate staff/team for review.
- Walk through processes with staff members while they review reports and respond to anomalies.
- Review a sample of reports to see if they are clear, relevant to the user and would help detect fraud.
- Review statistics related to reports, such as how many exceptions are reported and how often.
- Review who has access to exception reports.
- Confirm that someone cannot manipulate reports or the data they are based on.
- Confirm that those who review exceptions are separate from processing staff/teams.
- Check what other reporting occurs, such as whether executives review exception reports during committee meetings.
This type of countermeasure is supported by: