Limit the number of staff who process requests or claims
Only allow certain types of claims to be processed by staff with a specific type of user permission or skillset.
Why this countermeasure matters
Allowing all staff to process any type of request or claim increases the risk of:
- staff deliberately processing fraudulent requests or claims
- staff being coerced to process fraudulent requests or claims by others.
Some ways to implement this countermeasure include having:
- one centralised team to process international travel
- a small, dedicated team to manage high-value, high-risk claims
- only one centralised team with the ability to create vendors in the system.
How to check if your countermeasures are effective
Here are some ways to measure the effectiveness of this type of countermeasure:
- confirm the specific type of request can only be allocated to a limited number of staff
- confirm a specific type of user permission, skillset or position is required to process the request or claim
- review reports of who processes specific requests or claims
- undertake pressure testing or a process walk-through to confirm that requests or claims cannot be processed by staff without a specific type of user permission, skillset or position
- confirm the existence of monitoring and reporting, and confirm this will identify actions that are different from what is standard, normal or expected
- confirm there is a regular review of user permissions, skillsets or positions.
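The following is an added illustration, not part of the original guidance, of how the preventive and detective checks listed above can be expressed in code: a claim type is tied to a required user permission, processing is refused without it, and a processing log is reviewed to flag entries where the processor did not hold the required permission. The claim types, permission names, staff identifiers and log records are all constructed for the example.

```python
"""Added example: enforcing and auditing a 'limited processors' countermeasure.

Each claim type maps to the user permission a staff member must hold to process
it. process_claim() enforces that rule; review_processing_log() is the detective
check over a processing log. Names, permissions and records are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical mapping of claim type -> required permission (constructed values)
REQUIRED_PERMISSION: Dict[str, str] = {
    "international_travel": "travel.international.process",
    "high_value": "claims.high_value.process",
    "vendor_create": "vendors.create",
    "standard": "claims.standard.process",
}

# Hypothetical staff permission sets, as an identity system would hold them
STAFF_PERMISSIONS: Dict[str, Set[str]] = {
    "alice": {"claims.standard.process", "claims.high_value.process"},
    "bob": {"claims.standard.process"},
    "carol": {"vendors.create", "claims.standard.process"},
}


class NotAuthorised(PermissionError):
    """Raised when a staff member lacks the permission for a claim type."""


def authorise(staff_id: str, claim_type: str) -> None:
    """Refuse unless the staff member holds the permission for this claim type.

    Unknown claim types are rejected rather than silently allowed, so a new
    claim type cannot be processed until it has been assigned a permission."""
    try:
        required = REQUIRED_PERMISSION[claim_type]
    except KeyError:
        raise NotAuthorised(f"unknown claim type {claim_type!r}") from None
    if required not in STAFF_PERMISSIONS.get(staff_id, set()):
        raise NotAuthorised(f"{staff_id} lacks {required} for {claim_type}")


def process_claim(staff_id: str, claim_type: str, claim_id: str) -> str:
    """Preventive control: the permission check runs before any processing."""
    authorise(staff_id, claim_type)
    return f"{claim_id} processed by {staff_id}"


@dataclass(frozen=True)
class LogEntry:
    """One record from a processing report: who processed which claim."""
    staff_id: str
    claim_type: str
    claim_id: str


def review_processing_log(log: List[LogEntry]) -> List[LogEntry]:
    """Detective control: return entries whose processor did not hold the
    required permission (a bypass of the check, or a permission granted at the
    time and since revoked). An empty result is the expected, normal outcome."""
    flagged: List[LogEntry] = []
    for entry in log:
        required = REQUIRED_PERMISSION.get(entry.claim_type)
        held = STAFF_PERMISSIONS.get(entry.staff_id, set())
        if required is None or required not in held:
            flagged.append(entry)
    return flagged


def processors_for(claim_type: str) -> Set[str]:
    """Who can currently process a claim type. Reviewing this set regularly is
    the 'limited number of staff' check; a large set means the countermeasure
    is not actually limiting who can process the claim."""
    required = REQUIRED_PERMISSION.get(claim_type)
    return {s for s, perms in STAFF_PERMISSIONS.items() if required in perms}


# Constructed processing log: bob is not on the high-value team
SAMPLE_LOG = [
    LogEntry("alice", "high_value", "C-1001"),
    LogEntry("bob", "high_value", "C-1002"),
    LogEntry("carol", "vendor_create", "V-0007"),
    LogEntry("bob", "standard", "C-1003"),
]

if __name__ == "__main__":
    print(process_claim("alice", "high_value", "C-1001"))
    print("high-value processors:", processors_for("high_value"))
    for entry in review_processing_log(SAMPLE_LOG):
        print("FLAG: processed without required permission:", entry)
```

The permission mapping is held in one place so that adding a claim type forces a decision about who may process it, and the review function uses the same mapping as the enforcement point, so the report and the control cannot drift apart.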
This type of countermeasure is supported by: