Skip to main content

Make sure only the appropriate decision-maker can approve requests, claims or activities

Type of countermeasure

This is a prevention countermeasure. Prevention countermeasures are the most common and cost effective way to stop fraud. They prevent or limit the size of the fraud risk by reducing the likelihood and consequences of fraud.

Summary

Use system workflows to make sure all requests, claims or activities are only approved by the appropriate decision-maker.

Why does this countermeasure matter?

Allowing requests, claims or activities to be approved by someone other than the appropriate decision-maker can lead to:

  • staff processing fraudulent requests or claims for themselves or for another person
  • staff abusing a position of trust to access and disclose official information
  • staff entitlements such as leave or overtime being approved without the knowledge or approval of the manager or delegate
  • processes becoming uncertain or not working properly
  • poor management of decision-making and risk.

How to put this countermeasure in place

Some ways to implement this countermeasure include:

  • having the system automatically assign payment requests to the correct decision-maker for approval
  • automatically assigning assets requests to the requester's manager
  • the requirement that all travel spending must be approved by the appropriate approver
  • having the system automatically assigns higher value claims to a specified approver, such as a central delegate
  • the finance system automatically assigns purchase orders to the procurement team and spending approvers.

How to measure this countermeasure's effectiveness

Measure the effectiveness of this countermeasure by using the following methods:

  • Consult staff about approval processes to confirm they have a correct understanding.
  • Identify how approval requirements are communicated to staff.
  • Confirm the existence of approval workflows within the system.
  • Review procedures or guidance to confirm it clearly specifies approval processes.
  • Review requirements on how approvals are obtained.
  • Confirm approval processes are consistently applied.
  • Confirm that someone cannot override or bypass approval processes even when pressure or coercion is applied.
  • Review a sample of completed requests/claims to confirm appropriate approval was obtained on all occasions.
  • Review reports of completed requests/claims or activities to confirm approval is obtained on all occasions.
  • Undertake pressure testing or a process walk-through to confirm that approval processes are enforced.
  • Confirm the existence of a review and reconciliation process, and review the reports.
  • Review any past fraud cases to identify how they were allowed to occur.

Related countermeasures

Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.

Clearly document decision-makers using delegations, authorisations and instructions. Clearly defined decision-making powers increase transparency and reduce the opportunity for fraud and corruption.

Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.

Set up system prompts and alerts to warn users when information is inconsistent or irregular, which either requires acceptance or denies further actions.

Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs such as making high-risk functions limited to specialised users.

Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.

Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.

Prepare summary reports on activities for clients, managers or responsible staff.

Establish exception reports to identify activities that are different from the standard, normal, or expected process and should be further investigated.

Conduct internal or external audits or reviews to evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.

Related Fraudster Personas

Was this page helpful?