Change management
Summary
Change management processes make sure that changes do not create risks or weaken existing countermeasures.
Why this countermeasure matters
Changes to systems outside a transparent change management process can lead to:
- new or increased fraud and corruption risks
- unintended removal of existing countermeasures
- vulnerabilities in existing countermeasures
- fraudsters hiding changes in systems to create loopholes (defects) for:
- facilitating fraudulent payments
- accessing, manipulating or releasing sensitive information
- erasing records of their activities.
How you might apply this countermeasure
Some ways to implement this countermeasure include:
- engaging with staff and/or clients before, during and after changes
- undertaking and updating fraud risk assessments when there is a substantial change in the structure, functions or activities of the entity or program
- making sure changes must go through a rigorous and transparent change management process
- consulting fraud control teams about program and system changes
- undergoing a change impact assessment when major changes occur to consider the potential impacts on existing fraud controls
- logging all system changes through a change management system
- controlling all updates to access controls and source code through layered environments
- adhering to the requirements under the Protective Security Policy Framework for any system changes
- referring to the Australian Government Information Security Manual for guidelines on system and change management.
How to check if your countermeasures are effective
Here are some ways to measure the effectiveness of this type of countermeasure:
- undertake a desktop review of change management policies and processes to confirm that clear and consistent processes exists
- confirm that change management processes align with existing policies
- confirm that change impact assessments and risk plans are completed, and review the documentation
- confirm that risk plans are actually used and updated
- consult subject matter experts on change processes to evaluate their understanding and thoughts about fraud risk
- confirm that change processes would effectively identify and manage fraud risks
- confirm that fraud control teams are engaged as a stakeholder during change processes
- confirm that risks are properly treated
- review how changes are reported, such as asking if change management plans are reviewed and signed-off by a project board
- confirm that post-implementation reviews occur
- undertake a staff census and include questions relevant to change management
- review APSC Census Results if you are Commonwealth entity.
Related countermeasure
Adequately resourced prevention and compliance areas enable entities to perform effective countermeasures.
Establish governance, accountability and oversight of processes by using delegations and requiring committees and project boards to oversee critical decisions and risk. Good governance, accountability and oversight increases transparency and reduces the opportunity for fraud.
Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.
Conduct quality assurance activities to confirm that processes are being followed correctly and to a high standard and/or that material or goods are what they are claimed to be.
Quality assurance checks not only improve processing standards, they can also detect potentially fraudulent activity and are a significant deterrent to fraud.
Internal or external audits or reviews evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.
Related Fraudster Personas
This countermeasure helps prevent, detect or respond to the following Fraudster Personas:
