Set limits on requests, claims or processes
Summary
Apply limits on requests, claims or processes, such as maximum claim amounts or time periods. Enforce these limits using IT system controls.
Why this countermeasure matters
Not putting limits or boundaries in place, such as maximum claim amounts or time periods, can lead to:
- insiders exploiting processes to commit fraud or gain access to sensitive information
- fraudsters receiving larger payments than they otherwise would
- fraudsters continuing to receive payments or services they are no longer entitled to receive.
How to put this countermeasure in place
Some ways to implement this countermeasure include:
- not allowing payments above a set maximum amount
- not allowing particular items/payments to be claimed together
- setting transaction limits for credit cards
- setting claiming limits for program payments
- requiring staff to book the cheapest available fare for work travel
- only allowing clients or their registered nominee to change bank account details
- only allowing Australian bank accounts to be recorded for program payments.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure by using the following methods:
- Confirm the existence of set limits.
- Confirm that the limits are always applied.
- Review reports to confirm that all payments are within limits/boundaries.
- Review a sample of completed requests or claims to confirm set limits were applied.
- Ask staff about processes to make sure they have a consistent and correct understanding of the set limits.
- Undertake pressure testing or a process walk-through to confirm that set limits are enforced.
- Confirm that someone cannot override or bypass parameters even when pressure or coercion is applied.
- Check if reporting or reconciliation processes exist to identify anything outside normal parameters.
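The implementation list above (maximum amounts, items that cannot be claimed together, claim counts per period, Australian bank accounts only, bank detail changes only by the client or a registered nominee) and the measurement step of reviewing reports for payments outside limits can both be shown in one small system control. The following is an added example, not code from the original page or from any government system: a claim validator that evaluates every limit server-side and an exception report built from its results. The limit values, the item codes, the bank account format rules (six-digit BSB, 6 to 10 digit account number) and the sample claims are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from decimal import Decimal

# Illustrative limit parameters. The values are assumptions for this example;
# a real program would load them from controlled configuration, never from
# the request itself, so a user cannot raise their own limit.
MAX_PAYMENT = Decimal("5000.00")          # no single payment above this
MAX_CLAIMS_PER_PERIOD = 3                 # paid claims per client per period
INCOMPATIBLE_ITEMS = [                    # items that cannot be claimed together
    frozenset({"RENT_ASSIST", "HOME_OWNER_GRANT"}),
]
# Assumed format rules: an Australian BSB is six digits (often written NNN-NNN);
# account numbers are accepted here as 6 to 10 digits.
BSB_RE = re.compile(r"^\d{3}-?\d{3}$")
ACCOUNT_RE = re.compile(r"^\d{6,10}$")


@dataclass(frozen=True)
class Claim:
    claim_id: str
    client_id: str
    submitted_by: str                  # user who lodged the claim
    period: str                        # claiming period, e.g. "2024-Q1"
    items: frozenset                   # item codes being claimed
    amount: Decimal
    bsb: str
    account: str
    bank_details_changed: bool = False
    nominees: frozenset = frozenset()  # registered nominees for the client


def check_claim(claim, prior_claims):
    """Return the list of limit breaches for `claim` (empty list means it passes).

    `prior_claims` are earlier claims already paid; they drive the per-period
    count. Every rule is evaluated so the exception report records all
    reasons, not only the first one hit.
    """
    reasons = []
    if claim.amount <= 0:
        reasons.append("amount must be positive")
    if claim.amount > MAX_PAYMENT:
        reasons.append(f"amount {claim.amount} exceeds limit {MAX_PAYMENT}")
    for pair in INCOMPATIBLE_ITEMS:
        if pair <= claim.items:
            reasons.append("incompatible items claimed together: " + ", ".join(sorted(pair)))
    same_period = [c for c in prior_claims
                   if c.client_id == claim.client_id and c.period == claim.period]
    if len(same_period) >= MAX_CLAIMS_PER_PERIOD:
        reasons.append(f"claim limit of {MAX_CLAIMS_PER_PERIOD} per period already reached")
    if not (BSB_RE.match(claim.bsb) and ACCOUNT_RE.match(claim.account)):
        reasons.append("bank account is not a valid Australian BSB/account number")
    if claim.bank_details_changed and claim.submitted_by not in ({claim.client_id} | claim.nominees):
        reasons.append(f"bank details changed by {claim.submitted_by}, "
                       "who is not the client or a registered nominee")
    return reasons


def exception_report(claims):
    """Run check_claim over claims in lodgement order; return {claim_id: reasons} for breaches.

    Claims that pass are treated as paid and count toward later per-period limits.
    """
    paid, report = [], {}
    for claim in claims:
        reasons = check_claim(claim, paid)
        if reasons:
            report[claim.claim_id] = reasons
        else:
            paid.append(claim)
    return report


# Constructed sample claims for one client in one period (not real data).
_ITEM = frozenset({"RENT_ASSIST"})
SAMPLE_CLAIMS = [
    Claim("C1", "client-7", "client-7", "2024-Q1", _ITEM, Decimal("1200.00"), "062-000", "12345678"),
    Claim("C2", "client-7", "client-7", "2024-Q1", _ITEM, Decimal("7500.00"), "062-000", "12345678"),
    Claim("C3", "client-7", "client-7", "2024-Q1", _ITEM | {"HOME_OWNER_GRANT"}, Decimal("900.00"), "062-000", "12345678"),
    Claim("C4", "client-7", "client-7", "2024-Q1", _ITEM, Decimal("800.00"), "062000", "12345678"),
    Claim("C5", "client-7", "client-7", "2024-Q1", _ITEM, Decimal("800.00"), "062000", "12345678"),
    Claim("C6", "client-7", "client-7", "2024-Q1", _ITEM, Decimal("800.00"), "062000", "12345678"),
    Claim("C7", "client-9", "staff-42", "2024-Q1", _ITEM, Decimal("300.00"), "12-345678", "12345678",
          bank_details_changed=True, nominees=frozenset({"nominee-3"})),
]

if __name__ == "__main__":
    for claim_id, reasons in exception_report(SAMPLE_CLAIMS).items():
        print(claim_id, "->", "; ".join(reasons))
```

Run as written, C1, C4 and C5 pay; C2 is over the amount limit, C3 claims incompatible items, C6 is the fourth claim in a period capped at three, and C7 fails on both the bank account format and an unauthorised bank detail change. The design points worth carrying into a real system are that the limits live in controlled configuration with no per-user override path, the checks run on the server rather than only in the form, and the validator returns every breach so the same function that enforces the limit also feeds the exception report used to confirm it is being applied.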
Related countermeasures
This type of countermeasure is supported by:
- Legislation and policy can help prevent, detect and respond to fraud, such as by outlining clear rules, regulations and criteria, allowing entities to collect, use and disclose information, and allowing entities to enforce penalties and recover fraud losses.
- Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes, and guidance to help staff make correct and ethical decisions.
- Clearly document decision-makers using delegations, authorisations and instructions. Clearly defined decision-making powers increase transparency and reduce the opportunity for fraud and corruption.
- Make sure requests or claims use a specific form, process or system for consistency.
- Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as restricting high-risk functions to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
- Set up system prompts and alerts to warn users when information is inconsistent or irregular, which either require acceptance or deny further actions.
- Limit and monitor privileged system access (access that allows staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including restricting administrative privileges.
- Change management processes make sure that changes do not create risks or weaken existing countermeasures.
- Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.
- Establish exception reports to identify activities that differ from the standard, normal or expected process and should be further investigated.
- Fraud detection software programs automatically analyse data to detect what differs from what is standard, normal or expected and may indicate fraud or corruption.