Make sure only the appropriate decision-maker can approve requests, claims or activities

Type of countermeasure

This is a prevention countermeasure. Prevention countermeasures are the most common and cost effective way to stop fraud. They prevent or limit the size of the fraud risk by reducing the likelihood and consequences of fraud.

Summary

Use system workflows to make sure all requests, claims or activities are only approved by the appropriate decision-maker.

Why does this countermeasure matter?

Allowing requests, claims or activities to be approved by someone other than the appropriate decision-maker can lead to:

staff processing fraudulent requests or claims for themselves or for another person
staff abusing a position of trust to access and disclose official information
staff entitlements such as leave or overtime being approved without the knowledge or approval of the manager or delegate
processes becoming uncertain or not working properly
poor management of decision-making and risk.

How to put this countermeasure in place

Some ways to implement this countermeasure include:

having the system automatically assign payment requests to the correct decision-maker for approval
automatically assigning assets requests to the requester's manager
the requirement that all travel spending must be approved by the appropriate approver
having the system automatically assigns higher value claims to a specified approver, such as a central delegate
the finance system automatically assigns purchase orders to the procurement team and spending approvers.

How to measure this countermeasure's effectiveness

Measure the effectiveness of this countermeasure by using the following methods:

Consult staff about approval processes to confirm they have a correct understanding.
Identify how approval requirements are communicated to staff.
Confirm the existence of approval workflows within the system.
Review procedures or guidance to confirm it clearly specifies approval processes.
Review requirements on how approvals are obtained.
Confirm approval processes are consistently applied.
Confirm that someone cannot override or bypass approval processes even when pressure or coercion is applied.
Review a sample of completed requests/claims to confirm appropriate approval was obtained on all occasions.
Review reports of completed requests/claims or activities to confirm approval is obtained on all occasions.
Undertake pressure testing or a process walk-through to confirm that approval processes are enforced.
Confirm the existence of a review and reconciliation process, and review the reports.
Review any past fraud cases to identify how they were allowed to occur.

Related countermeasures

Create legislation and policies that help prevent, detect and respond to fraud

Legislation and policy can help prevent, detect and respond to fraud, such as by outlining clear rules, regulations and criteria, allowing entities to collect, use and disclose information and allowing entities to enforce penalties and recover fraud losses.

Create procedural instructions or guidance

Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.

Clearly define decision-making powers

Clearly document decision-makers using delegations, authorisations and instructions. Clearly defined decision-making powers increase transparency and reduce the opportunity for fraud and corruption.

Require a specific form, process or system to be used

Make sure requests or claims use a specific form, process or system for consistency.

Authenticate identity during each interaction

Authenticate client or third party identities during each interaction to confirm the person owns the record they are trying to access.

Require mandatory information to complete requests or claims

Make sure forms or system controls require mandatory information to support claims or requests.

Set up internal escalation procedures

Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.

Set limits on requests, claims or processes

Apply limits on requests, claims or processes, such as maximum claim amounts or time periods. Enforce these limits using IT system controls.

Set up automatic prompts and alerts

Set up system prompts and alerts to warn users when information is inconsistent or irregular, which either requires acceptance or denies further actions.

Use system or physical access controls to limit access

Limit access to systems, data, information, physical documents, offices and assets.

Set up user permissions

Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs such as making high-risk functions limited to specialised users.

Set up controls for sensitive information

Limit access to sensitive information and records.

Limit the number of staff who process requests or claims

Only allow certain types of claims to be processed by staff with a specific type of user permission or skillset.

Set up privileged access restrictions and monitoring

Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.

Set up change management processes

Change management processes make sure that changes do not create risks or weaken existing countermeasures.

Conduct system testing

Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.

Properly dispose of old or unnecessary systems, records and assets

Have processes in place to properly archive or dispose of old or unnecessary systems, assets, staff positions and accesses, client accounts and records.

Conduct quality assurance checks

Conduct quality assurance activities to confirm that processes are being followed correctly and to a high standard.

Report on activities

Prepare summary reports on activities for clients, managers or responsible staff.

Establish exception reporting

Establish exception reports to identify activities that are different from the standard, normal, or expected process and should be further investigated.

Conduct internal or external audits or reviews

Conduct internal or external audits or reviews to evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.

Set up automatic notifications of high-risk events and transactions

Automatically notify clients or staff about high-risk events or transactions. This can alert them to potential fraud and avoid delays in investigating and responding to fraud.

Apply fraud detection software programs and processes

Fraud detection software programs automatically analyse data to detect what is different from what is standard, normal, or expected and may indicate fraud or corruption.