Parameters and limits
Apply limits on requests, claims or processes, such as maximum claim amounts or time periods. Enforce these limits using IT system controls.
What this countermeasure matters
Not putting limits or boundaries in place, such as maximum claim amounts or time periods can lead to:
- insiders exploiting processes to commit fraud or gain access to sensitive information
- fraudsters receiving larger payments than they otherwise would
- fraudsters continuing to receive payments or services they are no longer entitled to receive.
How you might apply this countermeasure
Some ways to implement this countermeasure include:
- not allowing payments to be paid above a certain limit
- not allowing particular items/payments to be claimed together
- setting transaction limits for credit cards
- setting claiming limits for program payments
- requiring staff to book the cheapest available fare for work travel
- only allowing clients or their registered nominee to change bank account details
- only allowing Australian bank accounts to be recorded for program payments
- requiring someone to choose from an approved list of providers or vendors (otherwise known as whitelisting).
How to check if your countermeasures are effective
Here are some ways to measure the effectiveness of this type of countermeasure:
- confirm the existence of set limits
- confirm that the limits are always applied
- review reports to confirm that all payments are within limits/boundaries
- review a sample of completed requests or claims to confirm set limits were applied
- ask staff about processes to make sure they have a consistent and correct understanding of the set limits
- undertake pressure testing or a process walk-through to confirm that set limits are enforced
- confirm that someone cannot override or bypass parameters even when pressure or coercion is applied
- check if reporting or reconciliation processes exist to identify anything outside normal parameters.
This type of countermeasure is supported by: