Properly dispose of old or unnecessary systems, records and assets
Have processes in place to properly archive or dispose of old or unnecessary:
- ICT systems
- staff position numbers and access controls
- client accounts
- assets and records
This control is supported by the National Archives of Australia's Information Management Standards and the Protective Security Policy Framework.
Why this countermeasure matters
Keeping old or unnecessary ICT systems, staff position numbers and access controls, client accounts, assets or records may allow fraudsters to:
- use old HR position numbers to make fraudulent payroll payments
- receive payments for deceased customers
- impersonate government officials
- steal surplus assets
- access and release information held in old or unused systems or hardware
- use stolen records to make fraudulent requests or claims.
How to put this countermeasure in place
Some ways to implement this countermeasure include:
- archiving information, or ceasing (closing) a client identity that is no longer needed
- disposing of documents in accordance with the relevant records authority
- making sure expired building passes are surrendered to the issuing authority
- regularly reviewing vacant HR position numbers and removing them if no longer required
- appropriately handling and destroying returned unclaimed mail
- effectively disposing of redundant ICT stock
- withdrawing access to ICT systems and resources upon separation of personnel
- withdrawing privileged access to ICT systems when no longer required
- protecting deceased client records from misuse such as by making them read-only
- protecting redundant provider/supplier accounts from misuse such as by making them read-only.
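Several of the actions above (withdrawing access on separation, removing vacant position numbers, withdrawing privileged access no longer required) can be checked by reconciling the HR roster against the accounts that still exist in a system. The script below is an added example written for this page, not a tool from the page or any agency; the position numbers, user names, statuses and thresholds are constructed sample data and assumptions, and a real review would export the roster and the access list from the actual HR and identity systems.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample data (assumption: not real agency records).
@dataclass
class Position:
    number: str
    status: str        # "filled", "vacant" or "separated"
    status_date: date  # date the position entered that status

@dataclass
class Account:
    user: str
    position: str              # HR position number the account is attached to
    privileged: bool
    last_login: Optional[date]

POSITIONS = [
    Position("P1001", "filled", date(2021, 3, 1)),
    Position("P1002", "separated", date(2024, 1, 15)),   # staff member left in January
    Position("P1003", "vacant", date(2023, 6, 30)),      # vacant for about a year
    Position("P1004", "vacant", date(2024, 5, 1)),       # recently vacated
]

ACCOUNTS = [
    Account("asmith", "P1001", False, date(2024, 5, 28)),
    Account("bjones", "P1002", True, date(2024, 4, 2)),        # separated, access not withdrawn
    Account("payroll_svc", "P1003", False, date(2024, 5, 20)), # account bound to a vacant position
    Account("cwong", "P1001", True, date(2023, 9, 1)),         # privileged access unused for months
    Account("dlee", "P9999", False, None),                     # position number unknown to HR
]

Finding = Tuple[str, str, str]  # (subject, finding code, detail)

def review_access(positions: List[Position], accounts: List[Account], as_of: date,
                  vacancy_days: int = 180, privileged_idle_days: int = 90) -> List[Finding]:
    """Reconcile accounts against the HR roster and return the exceptions a
    fraud-control reviewer would want to follow up. Thresholds are assumptions."""
    by_number = {p.number: p for p in positions}
    findings: List[Finding] = []

    for a in accounts:
        pos = by_number.get(a.position)
        if pos is None:
            # No HR record backs this account: nobody is accountable for it.
            findings.append((a.user, "orphaned", "position number not in HR roster"))
            continue
        if pos.status == "separated":
            findings.append((a.user, "separated",
                             f"access not withdrawn after separation on {pos.status_date}"))
        elif pos.status == "vacant":
            # A live account on a vacant position is the classic vehicle for ghost payroll.
            findings.append((a.user, "vacant_position",
                             "account attached to a vacant position number"))
        if a.privileged:
            idle = (as_of - a.last_login).days if a.last_login else None
            if idle is None or idle > privileged_idle_days:
                findings.append((a.user, "stale_privileged",
                                 f"privileged access unused for {idle} days"))

    for p in positions:
        # Vacant position numbers that linger past the threshold should be removed from HR.
        if p.status == "vacant" and (as_of - p.status_date).days > vacancy_days:
            findings.append((p.number, "stale_vacancy",
                             f"vacant since {p.status_date}, remove if no longer required"))
    return findings

if __name__ == "__main__":
    for subject, code, detail in review_access(POSITIONS, ACCOUNTS, date(2024, 6, 1)):
        print(f"{code:18} {subject:12} {detail}")
```

Run as a scheduled job, the same reconciliation produces the data the "analyse data or reports" check below relies on: an empty findings list is the evidence that separations, vacancies and privileged access are being handled, and any non-empty list is a work item with an accountable owner.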
How do I know if my countermeasures are effective?
Measure the effectiveness of this countermeasure by using the following methods:
- Review policies and processes to confirm that clear and consistent processes exist.
- Consult subject matter experts on processes and systems to evaluate their understanding and thoughts about fraud control policies.
- Conduct a process walkthrough by having staff show you the archive or disposal process.
- Review who has access to perform archive or disposal processes.
- Confirm that archived records cannot be manipulated and test this if required.
- Analyse data or reports to confirm old or unnecessary systems, staff positions and accesses, client accounts, assets or records are being properly archived or disposed of.
- Review a sample of documentation to confirm compliance with policies and processes.
- Check if and how archive or disposal processes are reported.
Establish governance, accountability and oversight of processes by using delegations and requiring committees and project boards to oversee critical decisions and risk. Good governance, accountability and oversight increase transparency and reduce the opportunity for fraud.
Make sure a manager, independent person or expert oversees actions and decisions. Involving multiple people in actions and decisions increases transparency and reduces the opportunity for fraud.
Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures that help staff apply consistent and correct processes, and guidance that helps staff make correct and ethical decisions.
Provide staff with adequate training to increase likelihood that correct and consistent processes and decisions will be applied.
Make sure requests or claims use a specific form, process or system for consistency.
Limit access to systems, data, information, physical documents, offices and assets.
Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as making high-risk functions limited to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
Change management processes make sure that changes do not create risks or weaken existing countermeasures.
Reconcile records to make sure that 2 sets of records (usually the balances of 2 accounts) match. Reconciling records and accounts can detect if something is different from what is standard, normal, or expected, which may indicate fraud.
Internal or external audits or reviews evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.