Set up automatic notifications of high-risk events and transactions
Summary
Automatically notify clients or staff about high-risk events or transactions. This can alert them to potential fraud and avoid delays in investigating and responding to fraud.
Why this countermeasure matters
Allowing high-risk events or transactions to occur without automatically notifying clients or staff may cause:
- fraudulent activity to go unnoticed
- delays in investigations and responses
- additional opportunities for fraud.
How to put this countermeasure in place
Some ways to implement this countermeasure include setting up system generated notifications of high-risk events or transactions, such as when:
- online accounts are accessed
- claims or requests are submitted
- contact details are changed
- bank accounts are changed
- system accesses are updated
- claims or requests are processed.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this type of countermeasure using the following methods:
- Analyse data related to automatic notifications and compare it to events or transactions.
- Evaluate the method and destination of notifications to determine if they are sent to the best person using the best method.
- Confirm that notifications cannot be modified, stopped, redirected or prevented from arriving and test controls if required.
- Consider the timeliness of notifications, such as when they are sent or when they would be received and if this would provide sufficient time to respond to potential fraud.
- Review the notification to determine if messages are clear and relevant to the receiver.
- Test high-risk activities and transactions to confirm that notifications are sent.
Related countermeasures
Authenticate client or third party identities during each interaction to confirm the person owns the record they are trying to access.
Make sure requests or claims use a specific form, process or system for consistency.
Limit access to sensitive information and records.
Separate duties by allocating tasks and associated privileges for a business process to multiple staff. This is very important in areas such as payroll, finance, procurement, contract management and human resources. Systems help to enforce the strong separation of duties. This is also known as segregation of duties.
Use system workflows to make sure all requests, claims or activities are approved only by the appropriate decision-maker.
Put protections in place to prevent data from being manipulated or misused.
Train and support staff to identify red flags to detect fraud, know what to do if they suspect fraud and know how to report it. Fraudsters can take advantage if staff and contractors are not aware of what constitutes fraud and corruption.
Allow clients, staff and third parties to lodge complaints about actions or decisions they disagree with. This may help identify fraud or corruption, such as failure to receive an expected payment.
Put in place processes for staff or external parties to lodge tip-offs or Public Interest Disclosures.
Conduct quality assurance activities to confirm that processes are being followed correctly and to a high standard.
Establish exception reports to identify activities that are different from the standard, normal, or expected process and should be further investigated.