Make sure only the appropriate decision-maker can approve requests, claims or activities
Summary
Use system workflows to make sure all requests, claims or activities are approved only by the appropriate decision-maker.
Why does this countermeasure matter?
Allowing requests, claims or activities to be approved by someone other than the appropriate decision-maker can lead to:
- staff processing fraudulent requests or claims for themselves or for another person
- staff abusing a position of trust to access and disclose official information
- staff entitlements such as leave or overtime being approved without the knowledge or approval of the manager or delegate
- processes becoming uncertain or not working properly
- poor management of decision-making and risk.
How to put this countermeasure in place
Some ways to implement this countermeasure include:
- having the system automatically assign payment requests to the correct decision-maker for approval
- automatically assigning asset requests to the requester's manager
- requiring that all travel spending be approved by the appropriate approver
- having the system automatically assign higher value claims to a specified approver, such as a central delegate
- having the finance system automatically assign purchase orders to the procurement team and spending approvers.
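As an added illustration that is not part of the original page, the following Python sketches how a system workflow could implement the routing rules listed above and then enforce them at approval time (the system picks the approver; the user cannot choose one, approve their own request, or bypass the assigned approver). The org chart, role holders and the high-value threshold are constructed placeholders.

```python
from dataclasses import dataclass

HIGH_VALUE_THRESHOLD = 10_000  # constructed: claims above this go to the central delegate

# Constructed org data: who reports to whom, and which users hold which approval role.
MANAGER_OF = {"alice": "bob", "bob": "carol", "dave": "bob"}
ROLE_HOLDERS = {
    "central_delegate": {"carol"},
    "procurement": {"erin"},
    "travel_approver": {"frank"},
}


@dataclass
class Request:
    request_id: str
    kind: str        # "payment", "asset", "travel" or "purchase_order"
    requester: str
    amount: float


def route_request(req):
    """Return the set of users the system assigns as approvers for this request."""
    if req.amount > HIGH_VALUE_THRESHOLD:
        return set(ROLE_HOLDERS["central_delegate"])       # higher value -> central delegate
    if req.kind in ("payment", "asset"):
        manager = MANAGER_OF.get(req.requester)
        if manager is None:                                 # no delegate on record: fail closed
            raise LookupError(f"no manager recorded for {req.requester}")
        return {manager}                                    # route to the requester's manager
    if req.kind == "travel":
        return set(ROLE_HOLDERS["travel_approver"])
    if req.kind == "purchase_order":
        return set(ROLE_HOLDERS["procurement"])
    raise ValueError(f"unknown request kind: {req.kind}")


def approve(req, approver, audit_log):
    """Approve only if the approver is system-assigned and is not the requester."""
    allowed = route_request(req)
    if approver == req.requester:
        audit_log.append((req.request_id, approver, "REJECTED: self-approval"))
        return False
    if approver not in allowed:
        audit_log.append((req.request_id, approver, f"REJECTED: not in {sorted(allowed)}"))
        return False
    audit_log.append((req.request_id, approver, "APPROVED"))
    return True
```

The audit log entries are what a reviewer would sample when confirming that approval was obtained from the right person on every occasion.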
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure by using the following methods:
- Consult staff about approval processes to confirm they have a correct understanding.
- Identify how approval requirements are communicated to staff.
- Confirm the existence of approval workflows within the system.
- Review procedures or guidance to confirm they clearly specify approval processes.
- Review requirements on how approvals are obtained.
- Confirm approval processes are consistently applied.
- Confirm that someone cannot override or bypass approval processes even when pressure or coercion is applied.
- Review a sample of completed requests/claims to confirm appropriate approval was obtained on all occasions.
- Review reports of completed requests/claims or activities to confirm approval is obtained on all occasions.
- Undertake pressure testing or a process walk-through to confirm that approval processes are enforced.
- Confirm the existence of a review and reconciliation process, and review the reports.
- Review any past fraud cases to identify how they were allowed to occur.
Related countermeasures
Legislation and policy can help prevent, detect and respond to fraud, such as by outlining clear rules, regulations and criteria, allowing entities to collect, use and disclose information and allowing entities to enforce penalties and recover fraud losses.
Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.
Clearly document decision-makers using delegations, authorisations and instructions. Clearly defined decision-making powers increase transparency and reduce the opportunity for fraud and corruption.
Make sure requests or claims use a specific form, process or system for consistency.
Authenticate client or third party identities during each interaction to confirm the person owns the record they are trying to access.
Make sure forms or system controls require mandatory information to support claims or requests.
Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.
Apply limits on requests, claims or processes, such as maximum claim amounts or time periods. Enforce these limits using IT system controls.
Set up system prompts and alerts to warn users when information is inconsistent or irregular, which either requires acceptance or denies further actions.
Limit access to systems, data, information, physical documents, offices and assets.
Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as limiting high-risk functions to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
Limit access to sensitive information and records.
Only allow certain types of claims to be processed by staff with a specific type of user permission or skillset.
Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.
Change management processes make sure that changes do not create risks or weaken existing countermeasures.
Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.
Have processes in place to properly archive or dispose of old or unnecessary systems, assets, staff positions and accesses, client accounts and records.
Conduct quality assurance activities to confirm that processes are being followed correctly and to a high standard.
Prepare summary reports on activities for clients, managers or responsible staff.
Establish exception reports to identify activities that are different from the standard, normal, or expected process and should be further investigated.
Internal or external audits or reviews evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.
Automatically notify clients or staff about high-risk events or transactions. This can alert them to potential fraud and avoid delays in investigating and responding to fraud.
Fraud detection software programs automatically analyse data to detect what is different from what is standard, normal or expected and may indicate fraud or corruption.