Establish exception reporting
Summary
Establish exception reports to identify activities that are different from the standard, normal, or expected process and should be further investigated.
Why this countermeasure matters
Lack of exception reporting may lead to:
- disorganised or inconsistent practices and decision-making
- less transparency over actions and outcomes
- poor management of fraud and corruption risks
- less action and accountability to prevent, detect and respond to fraud and corruption
- fraud or corrupt activity going unnoticed or unchallenged.
How to put this countermeasure in place
Some ways to implement this countermeasure include generating exception reports to identify:
- unusually high pays
- large salary changes
- unusually high program payments
- excessive ordering of assets
- staff who have made more claims than usual within a month.
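As an added illustration (not part of the original guidance), the sketch below produces two of the exception reports listed above from constructed claim records: unusually high payments, and staff who made more claims than usual within a month. The record layout, function names and tolerance values (`k`, `ratio`, `min_count`) are assumptions for the example; an entity would set its own parameters.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample data: (staff_id, "YYYY-MM", claim_amount)
CLAIMS = [
    ("s01", "2024-01", 120.0), ("s01", "2024-02", 95.0), ("s01", "2024-03", 110.0),
    ("s02", "2024-01", 80.0), ("s02", "2024-02", 130.0),
    ("s02", "2024-03", 90.0), ("s02", "2024-03", 85.0),
    ("s02", "2024-03", 100.0), ("s02", "2024-03", 95.0),
    ("s03", "2024-01", 105.0), ("s03", "2024-02", 115.0), ("s03", "2024-03", 2400.0),
]

def high_amount_exceptions(claims, k=5.0):
    """Flag claims above median + k * MAD (median absolute deviation).
    Unlike a mean-based limit, one extreme value cannot raise this threshold."""
    amounts = [amount for _, _, amount in claims]
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts) or 1.0  # avoid a zero tolerance
    return [c for c in claims if c[2] > med + k * mad]

def claim_count_exceptions(claims, month, ratio=2.0, min_count=3):
    """Flag staff whose claim count in `month` is at least `ratio` times their
    own average over earlier months. Staff with no history are compared
    against a baseline of one claim; `min_count` suppresses trivial counts."""
    per_staff = defaultdict(Counter)
    for staff, m, _ in claims:
        per_staff[staff][m] += 1
    flagged = []
    for staff, counts in sorted(per_staff.items()):
        current = counts.get(month, 0)
        history = [n for m, n in counts.items() if m < month]
        baseline = sum(history) / len(history) if history else 0.0
        if current >= min_count and current >= ratio * max(baseline, 1.0):
            flagged.append((staff, current, baseline))
    return flagged

if __name__ == "__main__":
    for staff, month, amount in high_amount_exceptions(CLAIMS):
        print(f"HIGH AMOUNT  {staff} {month} {amount:.2f}")
    for staff, count, baseline in claim_count_exceptions(CLAIMS, "2024-03"):
        print(f"CLAIM COUNT  {staff} {count} claims (baseline {baseline:.1f})")
```

Keeping the tolerances as parameters rather than fixed values makes it easier to review whether they are appropriate and to restrict who knows them.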
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure using the following methods:
- Confirm that the exception tolerances or parameters are appropriate.
- Confirm that the exception parameters or thresholds are not widely known.
- Confirm that exception reports are actually produced and used, and that the process is adequate.
- Confirm that exception reports go to the most appropriate staff/team for review.
- Walk through processes with staff members while they review reports and respond to anomalies.
- Review a sample of reports to see if they are clear, relevant to the user and would help detect fraud.
- Review statistics related to reports, such as how many exceptions are reported and how often.
- Review who has access to exception reports.
- Confirm that someone cannot manipulate reports or the data they are based on.
- Confirm that those who review exceptions are separate from processing staff/teams.
- Check what other reporting occurs, such as if executives review exception reports during committee meetings.
Related countermeasures
This type of countermeasure is supported by:
Establish governance, accountability and oversight of processes by using delegations and requiring committees and project boards to oversee critical decisions and risk. Good governance, accountability and oversight increase transparency and reduce the opportunity for fraud.
Make sure a manager, independent person or expert oversees actions and decisions. Involving multiple people in actions and decisions increases transparency and reduces the opportunity for fraud.
Collaborate with strategic partners such as other government entities, committees, working groups and taskforces. This allows you to share capability, information and intelligence and to prevent and disrupt fraud.
Make sure requests or claims use a specific form, process or system for consistency.
Apply limits on requests, claims or processes, such as maximum claim amounts or time periods. Enforce these limits using IT system controls.
Automatically match data with another internal or external source to obtain or verify relevant details or supporting evidence. This countermeasure is supported by the Office of the Australian Information Commissioner's Guidelines on data matching in Australian government administration.
Put protections in place to prevent data from being manipulated or misused.
Collect and analyse data to improve processes and controls, increase payment accuracy and find and prevent non-compliance, fraud and corruption.
Train and support staff to identify red flags to detect fraud, know what to do if they suspect fraud and know how to report it. Fraudsters can take advantage if staff and contractors are not aware of what constitutes fraud and corruption.
Put in place processes for staff or external parties to lodge tip-offs or Public Interest Disclosures.
Prepare summary reports on activities for clients, managers or responsible staff.
Report on incidents or breaches to help identify if further investigation is required. Clients, public officials or contractors can take advantage of a lack of reporting and transparency to commit fraud, act corruptly and avoid exposure.
Internal or external audits or reviews evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.
Audit logging produces system-generated audit trails of staff, client or third-party interactions that help with fraud investigations.