Make sure only the appropriate decision-maker can approve requests, claims or activities
Use system workflows to make sure all requests, claims or activities are only approved by the appropriate decision-maker.
Why does this countermeasure matter?
Allowing requests, claims or activities to be approved by someone other than the appropriate decision-maker can lead to:
- staff processing fraudulent requests or claims for themselves or for another person
- staff abusing a position of trust to access and disclose official information
- staff entitlements such as leave or overtime being approved without the knowledge or approval of the manager or delegate
- processes becoming uncertain or not working properly
- poor management of decision-making and risk.
How to put this countermeasure in place
Some ways to implement this countermeasure include:
- having the system automatically assign payment requests to the correct decision-maker for approval
- automatically assigning asset requests to the requester's manager
- requiring that all travel spending be approved by the appropriate approver
- having the system automatically assign higher value claims to a specified approver, such as a central delegate
- having the finance system automatically assign purchase orders to the procurement team and spending approvers.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure by using the following methods:
- Consult staff about approval processes to confirm they have a correct understanding.
- Identify how approval requirements are communicated to staff.
- Confirm the existence of approval workflows within the system.
- Review procedures or guidance to confirm they clearly specify approval processes.
- Review requirements on how approvals are obtained.
- Confirm approval processes are consistently applied.
- Confirm that someone cannot override or bypass approval processes even when pressure or coercion is applied.
- Review a sample of completed requests/claims to confirm appropriate approval was obtained on all occasions.
- Review reports of completed requests/claims or activities to confirm approval is obtained on all occasions.
- Undertake pressure testing or a process walk-through to confirm that approval processes are enforced.
- Confirm the existence of a review and reconciliation process, and review the reports.
- Review any past fraud cases to identify how they were allowed to occur.
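Added example (not from this page): a small workflow-routing rule in Python that illustrates both the implementation list above (requests routed by rule to the requester's manager, high-value claims to a central delegate, purchase orders to procurement) and the review step of checking completed requests for approvals obtained from the wrong person. The threshold, approver names and the manager table are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed assumptions for the example: routing threshold, named approvers
# and a tiny org chart (requester -> line manager).
HIGH_VALUE_THRESHOLD = 10_000       # claims at or above this go to a central delegate
CENTRAL_DELEGATE = "central.delegate"
PROCUREMENT_TEAM = "procurement"
MANAGER_OF = {"alice": "bob", "bob": "carol", "carol": "dave"}


@dataclass
class Request:
    kind: str          # "payment", "asset", "travel", "purchase_order", "leave"
    requester: str
    amount: float = 0.0


def required_approver(req: Request) -> str:
    """Assign the decision-maker by rule; a requester can never approve their own request."""
    if req.amount >= HIGH_VALUE_THRESHOLD:
        approver = CENTRAL_DELEGATE
    elif req.kind == "purchase_order":
        approver = PROCUREMENT_TEAM
    else:
        approver = MANAGER_OF.get(req.requester)   # everything else goes to the line manager
    if approver is None or approver == req.requester:
        raise ValueError(f"no valid approver for request by {req.requester}")
    return approver


def approve(req: Request, approver: str) -> bool:
    """The system accepts an approval only from the assigned decision-maker."""
    return approver == required_approver(req)


def audit(completed: list[tuple[Request, str]]) -> list[int]:
    """Review completed requests; return the indexes where the recorded approver
    was not the one the workflow requires (including self-approvals)."""
    findings = []
    for i, (req, recorded_approver) in enumerate(completed):
        try:
            ok = approve(req, recorded_approver)
        except ValueError:
            ok = False       # unroutable request: flag it for review
        if not ok:
            findings.append(i)
    return findings
```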