Establish exception reports to identify activities that are different from the standard, normal, or expected process and should be further investigated.
Why this countermeasure matters
Lack of exception reporting may lead to:
- disorganised or inconsistent practices and decision-making
- less transparency over actions and outcomes
- poor management of fraud and corruption risks
- less action and accountability to prevent, detect and respond to fraud and corruption
- fraud or corrupt activity going unnoticed or unchallenged.
How you might apply this countermeasure
Some ways to implement this countermeasure include generating exception reports to identify:
- unusually high pays
- large salary changes
- unusually high program payments
- excessive ordering of assets
- staff who have made more claims than usual within a month
- prices that do not match market variations
- payments or claims repeatedly below reporting thresholds
- increased scrutiny for claims over a certain threshold or frequency
- data analysis of what constitutes a standard claim
- payments or claims that do not match expected behaviour or trends.
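Two of the checks listed above (claims repeatedly below a reporting threshold, and more claims than usual within a month) can be expressed as a small exception report. This is an added example, not part of the original guidance; the record layout, the claimant IDs and the threshold, margin and factor values are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample records: (claimant, ISO date, amount). Not real data.
CLAIMS = [
    ("A17", "2024-01-09", 120.00), ("A17", "2024-02-13", 95.50),
    ("A17", "2024-03-05", 110.00), ("A17", "2024-04-02", 130.00),
    ("A17", "2024-04-09", 125.00), ("A17", "2024-04-16", 140.00),
    ("A17", "2024-04-23", 135.00), ("A17", "2024-04-30", 150.00),
    ("B42", "2024-02-01", 990.00), ("B42", "2024-02-20", 985.00),
    ("B42", "2024-03-11", 995.00), ("B42", "2024-04-08", 400.00),
    ("C03", "2024-03-15", 980.00), ("C03", "2024-04-19", 1500.00),
]

def below_threshold_repeats(claims, threshold, margin=0.05, min_count=3):
    """Claimants with min_count or more claims just under the threshold."""
    floor = threshold * (1 - margin)  # assumed tolerance band, tune per program
    hits = Counter(c for c, _, amt in claims if floor <= amt < threshold)
    return {c: n for c, n in hits.items() if n >= min_count}

def monthly_volume_exceptions(claims, factor=3, min_count=3):
    """(claimant, month, count) where the count is at least `factor` times
    that claimant's median count over their other active months."""
    per_month = defaultdict(Counter)
    for claimant, date, _ in claims:
        per_month[claimant][date[:7]] += 1  # key on YYYY-MM
    flagged = []
    for claimant, months in per_month.items():
        for month, n in months.items():
            others = [v for m, v in months.items() if m != month]
            if others and n >= min_count and n >= factor * median(others):
                flagged.append((claimant, month, n))
    return sorted(flagged)

def exception_report(claims, threshold):
    """Run both rules and return the exceptions for human review."""
    return {
        "below_threshold": below_threshold_repeats(claims, threshold),
        "monthly_volume": monthly_volume_exceptions(claims),
    }

if __name__ == "__main__":
    for rule, rows in exception_report(CLAIMS, threshold=1000.00).items():
        print(rule, rows)
```

The tolerances are passed in as parameters so they can be tuned and kept out of the report output itself.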
How to check if your countermeasures are effective
Here are some ways to measure the effectiveness of this type of countermeasure:
- confirm that the exception tolerances or parameters are appropriate
- confirm that the exception parameters or thresholds are not widely known
- confirm that exception reports are actually produced and used, and that the process is adequate
- confirm that exception reports go to the most appropriate staff/team for review
- walk through processes with staff members while they review reports and respond to anomalies
- review a sample of reports to see if they are clear, relevant to the user and would help detect fraud
- review statistics related to reports, such as how many exceptions are reported and how often
- review who has access to exception reports
- confirm that someone cannot manipulate reports or the data they are based on
- confirm that those who review exceptions are separate from processing staff/teams
- check what other reporting occurs, such as if executives review exception reports during committee meetings.
This type of countermeasure is supported by:
Apply limits on requests, claims or processes, such as maximum claim amounts or time periods. Enforce these limits using IT system controls.
Match data with the authoritative source and verify relevant details or supporting evidence. Services such as the Identity Matching Service can be used to verify identity credentials back to the authoritative source when the information is an Australian or state and territory government issued identity credential. This countermeasure is supported by the Office of the Australian Information Commissioner's Guidelines on data matching in Australian government administration.
Whole-of-Government policies require us to have a high level of confidence in data when providing government services and payments. Create policies, rules, processes and systems to collect accurate and relevant data to help:
- process claims
- make decisions
- check and verify data
- analyse data to detect fraud
- investigate potential fraud
- define new indicators of fraud.
Prepare summary reports on activities for clients, managers or responsible staff.
Report on incidents or breaches to help identify if further investigation is required. Clients, public officials or contractors can take advantage of a lack of reporting and transparency to commit fraud, act corruptly and avoid exposure.