Automatic change notifications

This control targets both internal and external fraud risks.

Examples

Examples of this control include:

• system-generated notifications of high-risk events or transactions, e.g. when:
  • contact details are changed
  • bank accounts are changed
  • system accesses are updated
  • payments are made
  • claims or requests are processed.

Risks from control gap 

Allowing high-risk events or transactions to occur without automatically notifying clients or employees can lead to:

• fraudulent activity going unnoticed
• fraudsters feeling more confident their actions will not be detected
• delays in investigations and responses
• additional opportunities for fraud.

Assessing effectiveness

Methods to evaluate the effectiveness of this control include:

• testing high-risk activities and transactions to confirm that notifications are being sent
• analysing data related to automatic notifications and comparing it to events or transactions
• evaluating the method and destination of notifications to determine if they are sent to the most appropriate person using the best method
• confirming that notifications cannot be modified, stopped, redirected or prevented from arriving, and testing the controls if required
• considering the timeliness of notifications, e.g. when they are sent or when they would be received, and if this would provide sufficient time to respond to potential fraud
• reviewing the notification to determine if messages are clear and relevant to the receiver.

Related fraudster personas

Types of behaviour this control is designed to mitigate:

More information

• Explore our free online tools to help strengthen your organisation’s fraud and corruption controls
• Assess your organisation’s fraud exposure and weaknesses to inform an effective fraud prevention programme
• Learn how to reduce the risk of fraud and corruption in procurement
• Find out more about the seven common personas that fraudsters use when committing financial crimes