Skip to main content

Set up change management processes

Type of countermeasure

This is a prevention countermeasure. Prevention countermeasures are the most common and cost effective way to stop fraud. They prevent or limit the size of the fraud risk by reducing the likelihood and consequences of fraud.

decorative  prevention countermeasures

Summary

Change management processes make sure that changes do not create risks or weaken existing countermeasures.

Why this countermeasure matters

Changes to systems outside a transparent change management process can lead to:

  • new or increased fraud and corruption risks
  • unintended removal of existing countermeasures
  • vulnerabilities in existing countermeasures
  • fraudsters hiding changes in systems to create loopholes (defects) for:
    • facilitating fraudulent payments
    • accessing, manipulating or releasing sensitive information
    • erasing records of their activities.

How to put this countermeasure in place

Some ways to implement this countermeasure include:

  • undertaking and updating fraud risk assessments when there is a substantial change in the structure, functions or activities of the entity or program
  • making sure changes must go through a rigorous and transparent change management process
  • consulting fraud control teams about program and system changes
  • undergoing a change impact assessment when major changes occur to consider the potential impacts on existing fraud controls
  • logging all system changes through a change management system
  • controlling all updates to access controls and source code through layered environments
  • adhering to the requirements under the Protective Security Policy Framework for any system changes
  • referring to the Australian Government Information Security Manual for guidelines on system and change management.

How to measure this countermeasure's effectiveness

Measure the effectiveness of this type of countermeasure by using the following methods:

  • Undertake a desktop review of change management policies and processes to confirm that clear and consistent processes exists.
  • Confirm that change management processes align with existing policies.
  • Confirm that change impact assessments and risk plans are completed, and review the documentation.
  • Confirm that risk plans are actually used and updated.
  • Consult subject matter experts on change processes to evaluate their understanding and thoughts about fraud risk.
  • Confirm that change processes would effectively identify and manage fraud risks.
  • Confirm that fraud control teams are engaged as a stakeholder during change processes.
  • Confirm that risks are properly treated.
  • Review how changes are reported, such as asking if change management plans are reviewed and signed-off by a project board.
  • Confirm that post-implementation reviews occur.
  • Undertake a staff census and include questions relevant to change management.
  • Review APSC Census Results if you are Commonwealth entity.

Related countermeasure

Establish governance, accountability and oversight of processes by using delegations and requiring committees and project boards to oversee critical decisions and risk. Good governance, accountability and oversight increases transparency and reduces the opportunity for fraud.

Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.

Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.

Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.

Internal or external audits or reviews evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.

Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.

Reconcile records to make sure that 2 sets of records (usually the balances of 2 accounts) match. Reconciling records and accounts can detect if something is different from what is standard, normal, or expected, which may indicate fraud.

Report on incidents or breaches to help identify if further investigation is required. Clients, public officials or contractors can take advantage of a lack of reporting and transparency to commit fraud, act corruptly and avoid exposure.

Internal or external audits or reviews evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.

Audit logging is system-generated audit trails of staff, client or third-party interactions that help with fraud investigations.

Related Fraudster Personas

Was this page helpful?