Prevention controls

Prevention controls are designed to proactively reduce the likelihood of fraud and corruption occurring by strengthening the organisation’s control environment and minimising opportunities for misconduct. These controls focus on addressing the root causes of fraud risk, such as weak processes, unclear expectations or insufficient oversight.

A range of prevention controls can be implemented, and clear policies and procedures also play a critical role in setting expectations and guiding ethical behaviour across the organisation.

Prevention controls should be tailored to the organisation’s specific fraud risk profile, operating environment and risk tolerance. This ensures that controls are proportionate, practical and targeted to higher-risk areas. Regular review and adjustment of these controls helps maintain their effectiveness as risks evolve, supporting a proactive and resilient approach to fraud prevention.

Limit access to systems, data, information, physical documents, offices and assets

Access controls
Collect accurate and relevant information to help process claims; make decisions; check, verify and analyse data; and investigate potential fraud

Accurate information collection
Create policies, rules, processes and systems that check, update and verify information and data where possible

Accurate information maintenance
Use system workflows to make sure all requests, claims or activities are approved only by the appropriate decision maker

Approval workflows
Set up system prompts and alerts to warn users when information is inconsistent or irregular

Automatic prompts and alerts
Implement change management processes to ensure changes do not create vulnerabilities or weaken existing fraud controls

Change management processes
Require clients, employees and third parties to have ongoing compliance, performance and contract reviews

Compliance, performance and contract reviews
Develop contractual clauses to help prevent, detect and respond to fraud or non-compliance

Contractual clauses
Use strong counter fraud messaging to encourage would-be fraudsters to think twice before committing fraud and explain how people should respond to suspicious activity in the workplace

Counter fraud messaging
Protect data from being manipulated or misused

Data protection
Use declarations to communicate and confirm that a person understands their obligations and the consequences of non-compliance

Declarations
Have processes in place to properly archive or dispose of old or unnecessary information and communications technology (ICT) systems, assets, documents and records

Decommissioning and disposal
Require and support employees and third parties to disclose gifts, benefits, incidents, mistakes, and real or perceived conflicts of interest

Disclosure and reporting
Put processes in place to prevent, identify and correct duplicate records, identities, requests or claims

Duplicate prevention

Have clear and specific eligibility requirements and only approve requests or claims that meet the criteria

Eligibility requirements
Rotate employees and contractors to reduce over-familiarity with systems and limit opportunities for malicious activity

Employee and contractor rotation
Escalate non-standard requests or claims for further review or scrutiny

Escalation procedures
Train and support employees to identify red flags so they know how to detect and report any suspected fraud

Fraud awareness training
Authenticate client or third-party identities during each interaction by testing the credentials supplied by the person making the claim

Identity verification
Assess and confirm the integrity and suitability of new employees, contractors or third parties

Integrity checks and suitability assessments
Require mandatory information to be collected to support claims or requests

Mandatory information
Apply parameters or limits to requests, claims or processes and enforce these limits using system controls

Parameters and limits
Establish, maintain and communicate clear, enforceable and accessible policies that set expectations for lawful, ethical and transparent behaviour across the organisation

Policies
Limit and monitor privileged system access that allows employees, contractors and providers to perform special functions or override system and application controls

Privileged system access
Provide clear, documented processes and guidance related to activities or processes to employees

Procedural instructions or guidance
Publish information on your organisation’s decision-making processes, decisions made, successful tenderers or grantees, incidents and breaches

Public transparency

Randomly allocate requests or claims to employees to remove the option for employees to select which claims to process

Random allocation
Share tasks and permissions for a specific business process among multiple employees

Segregation of duties
Limit access to sensitive information and records

Sensitive information access
Control sensitive or official information to ensure it cannot leave your organisation's network without authority or detection

Sensitive information control
Ensure requests or claims use a specific form, process or system for consistency

Specific and consistent processes
Conduct system testing to identify vulnerabilities prior to release

System testing
Assign permissions to users based on specific business needs

User permissions
Restrict access by blocking items on a designated list until additional verification is completed

Watchlists

Know your options

Organisations can use the information for each control to:

identify and understand available fraud control options
see examples of the control in action
understand the risks of control gaps
assess whether existing controls are operating effectively
identify complementary controls to strengthen the control environment
identify controls relevant to specific fraudster personas.

Download the complete fraud control catalogue

Explore a range of controls that can be put in place to reduce the risk of fraud happening in your organisation.

Download PDF

Prevention controls

Limit access to systems, data, information, physical documents, offices and assets

Collect accurate and relevant information to help process claims; make decisions; check, verify and analyse data; and investigate potential fraud

Create policies, rules, processes and systems that check, update and verify information and data where possible

Use system workflows to make sure all requests, claims or activities are approved only by the appropriate decision maker

Set up system prompts and alerts to warn users when information is inconsistent or irregular

Implement change management processes to ensure changes do not create vulnerabilities or weaken existing fraud controls

Require clients, employees and third parties to have ongoing compliance, performance and contract reviews

Develop contractual clauses to help prevent, detect and respond to fraud or non-compliance

Use strong counter fraud messaging to encourage would-be fraudsters to think twice before committing fraud and explain how people should respond to suspicious activity in the workplace

Protect data from being manipulated or misused

Use declarations to communicate and confirm that a person understands their obligations and the consequences of non-compliance

Have processes in place to properly archive or dispose of old or unnecessary information and communications technology (ICT) systems, assets, documents and records

Require and support employees and third parties to disclose gifts, benefits, incidents, mistakes, and real or perceived conflicts of interest

Put processes in place to prevent, identify and correct duplicate records, identities, requests or claims

Have clear and specific eligibility requirements and only approve requests or claims that meet the criteria

Rotate employees and contractors to reduce over-familiarity with systems and limit opportunities for malicious activity

Escalate non-standard requests or claims for further review or scrutiny

Train and support employees to identify red flags so they know how to detect and report any suspected fraud

Authenticate client or third-party identities during each interaction by testing the credentials supplied by the person making the claim

Assess and confirm the integrity and suitability of new employees, contractors or third parties

Require mandatory information to be collected to support claims or requests

Apply parameters or limits to requests, claims or processes and enforce these limits using system controls

Establish, maintain and communicate clear, enforceable and accessible policies that set expectations for lawful, ethical and transparent behaviour across the organisation

Limit and monitor privileged system access that allows employees, contractors and providers to perform special functions or override system and application controls

Provide clear, documented processes and guidance related to activities or processes to employees

Publish information on your organisation’s decision-making processes, decisions made, successful tenderers or grantees, incidents and breaches

Randomly allocate requests or claims to employees to remove the option for employees to select which claims to process

Share tasks and permissions for a specific business process among multiple employees

Limit access to sensitive information and records

Control sensitive or official information to ensure it cannot leave your organisation's network without authority or detection

Ensure requests or claims use a specific form, process or system for consistency

Conduct system testing to identify vulnerabilities prior to release

Assign permissions to users based on specific business needs

Restrict access by blocking items on a designated list until additional verification is completed

Know your options

Download the complete fraud control catalogue

More information