Access controls
Limit access to systems, data, information, physical documents, offices and assets.
This control targets internal fraud risks.
Examples
Examples of this control include:
- unique login identifiers, passwords and/or biometrics required to access systems
- approving a request from employees before providing access to internal systems
- two-factor authentication to access an online account
- restricting access to different parts of a building
- restricting access to an online provider system to registered providers only
- ensuring employees can only access emails on work devices, not personal or public devices
- classified documents being stored in secure lockable cabinets.
Risks from control gap
Failing to implement effective access controls can lead to:
- employees or contractors accessing or manipulating systems and information without authority
- fraudulent payments, claims or requests being processed
- unauthorised access, use or disclosure of information or assets, leading to privacy or security breaches
- theft or misappropriation of monetary, data or physical assets for personal or third-party gain.
Assessing effectiveness
Methods to evaluate the effectiveness of this control include:
- confirming that controls comply with the Protective Security Requirements
- reviewing access control procedures to ensure employees know which rules apply in different situations and do not rely on judgement or workarounds
- confirming that requests for access processes are robust and that approvals are consistently applied
- confirming that only those who need access have been granted access
- reviewing how access requests are triaged, so that requests from people who do not need access are refused and requests from those who do are approved
- confirming that access is removed in a timely manner
- confirming that employees understand how to apply the access control procedures correctly and consistently
- confirming that employees cannot bypass process requirements, even when pressure or coercion is applied
- reviewing past access breaches to identify how they occurred and how they can be prevented in the future.
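Several of the checks above (only people who need access hold it, approvals are consistently applied, access is removed promptly when someone leaves) can be run as a periodic reconciliation of HR records, approved access requests and live accounts. The script below is an added example, not part of the catalogue; the employees, systems, dates, the 7-day removal SLA and the 90-day dormancy threshold are all constructed sample values.

```python
"""Access review reconciliation (added example; all data below is constructed).

Joins three constructed data sets and reports:
  - live accounts with no matching approved access request
  - requests approved by the requester (self-approval)
  - accounts held by leavers, and whether removal is past the SLA
  - dormant accounts that should be recertified or removed
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    user: str
    status: str              # "active" or "left"
    end_date: Optional[date]  # set when status == "left"


@dataclass(frozen=True)
class Approval:
    user: str       # who was granted access
    system: str
    requester: str  # who raised the request
    approver: str   # who approved it


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    last_login: Optional[date]


def review_access(employees, approvals, accounts, as_of,
                  removal_sla_days=7, dormant_days=90):
    """Return a sorted list of (user, system, finding) tuples."""
    hr = {e.user: e for e in employees}
    approved = {(a.user, a.system): a for a in approvals}
    findings = []
    for acct in accounts:
        emp = hr.get(acct.user)
        if emp is None:
            # Account with no owner in HR: orphaned or shared account.
            findings.append((acct.user, acct.system, "no HR record"))
            continue
        if emp.status == "left":
            days_since_exit = (as_of - emp.end_date).days if emp.end_date else None
            overdue = days_since_exit is None or days_since_exit > removal_sla_days
            findings.append((acct.user, acct.system,
                             "leaver: removal overdue" if overdue else "leaver: removal pending"))
            continue
        appr = approved.get((acct.user, acct.system))
        if appr is None:
            findings.append((acct.user, acct.system, "no approved request"))
        elif appr.approver == appr.requester:
            findings.append((acct.user, acct.system, "self-approved request"))
        if acct.last_login is None or (as_of - acct.last_login).days > dormant_days:
            findings.append((acct.user, acct.system, "dormant: recertify or remove"))
    return sorted(findings)


# Constructed sample data (hypothetical people and systems).
AS_OF = date(2024, 6, 30)
EMPLOYEES = [
    Employee("alice", "active", None),
    Employee("bob", "left", date(2024, 5, 31)),   # left 30 days ago
    Employee("carol", "active", None),
    Employee("dave", "left", date(2024, 6, 27)),  # left 3 days ago
]
APPROVALS = [
    Approval("alice", "payments", requester="alice", approver="mgr1"),
    Approval("carol", "payments", requester="carol", approver="carol"),  # self-approved
]
ACCOUNTS = [
    Account("alice", "payments", date(2024, 6, 28)),
    Account("bob", "payments", date(2024, 5, 20)),
    Account("carol", "payments", date(2024, 6, 29)),
    Account("carol", "hr_system", date(2024, 1, 15)),  # no request, not used for months
    Account("dave", "payments", date(2024, 6, 20)),
    Account("svc_legacy", "payments", None),           # no HR owner
]


def sample_findings():
    return review_access(EMPLOYEES, APPROVALS, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user, system, finding in sample_findings():
        print(f"{user:12} {system:10} {finding}")
```

In practice the three inputs come from the HR system, the access request workflow and each application's account export; the value of the review is in running it on a schedule and tracking whether the same findings recur, which is exactly the "reviewing past access breaches" point above.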
Complementary controls
Other capability, prevention, detection and response controls that can enhance this control’s effectiveness:
Related fraudster personas
Types of behaviour this control is designed to mitigate:
- The corrupt
- The exploiter
- The impersonator
More information
- Find out more about the seven common personas that fraudsters use when committing financial crimes
- See examples of effective, low-cost counter fraud messaging your organisation can use
- Read case studies about New Zealand organisations that have been victims of fraud
- Explore our range of free online tools to strengthen your organisation’s fraud and corruption controls