Limit the number of staff who process requests or claims

Type of countermeasure

This is a prevention countermeasure. Prevention countermeasures are the most common and cost-effective way to stop fraud. They prevent or limit the size of the fraud risk by reducing the likelihood and consequences of fraud.


Only allow certain types of claims to be processed by staff with a specific type of user permission or skillset.

Why this countermeasure matters

Allowing all staff to process any type of request or claim increases the risk of:

  • staff deliberately processing fraudulent requests or claims
  • staff being coerced to process fraudulent requests or claims by others.

How to put this countermeasure in place

Some ways to implement this countermeasure include having:

  • one centralised team to process international travel
  • a small, dedicated team to manage high-value, high-risk claims
  • only one centralised team with the ability to create vendors in the system.

How to measure this countermeasure's effectiveness

Measure the effectiveness of this countermeasure by using the following methods:

  • Confirm the specific type of request can only be allocated to a limited number of staff.
  • Confirm a specific type of user permission, skillset or position is required to process the request or claim.
  • Review reports of who processes specific requests or claims.
  • Undertake pressure testing or a process walk-through to confirm that requests or claims cannot be processed by staff without a specific type of user permission, skillset or position.
  • Confirm the existence of monitoring and reporting, and confirm this will identify actions that are different from what is standard, normal or expected.
  • Confirm there is a regular review of user permissions, skillsets or positions.

Related countermeasures

This type of countermeasure is supported by:

Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.

Clearly document decision-makers using delegations, authorisations and instructions. Clearly defined decision-making powers increase transparency and reduce the opportunity for fraud and corruption.

Rotate staff and contractors in and out of roles to avoid familiarity. Staff and contractors can become too familiar with processes, customers or vendors, which can lead to insider threats.

Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as making high-risk functions limited to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.

Separate duties by allocating tasks and associated privileges for a business process to multiple staff. This is very important in areas such as payroll, finance, procurement, contract management and human resources. Systems help to enforce the strong separation of duties. This is also known as segregation of duties.

Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.

Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.

Establish exception reports to identify activities that are different from the standard, normal, or expected process and should be further investigated.
