Approval workflows
Use system workflows to make sure all requests, claims or activities are approved only by the appropriate decision maker.
This control targets both internal and external fraud risks.
Examples
Examples of this control include:
- a system automatically assigning requests to the correct decision maker for approval
- requiring all travel spending to be approved by the appropriate decision maker
- a system automatically assigning higher-value claims to a specified approver, e.g. a central delegate
- the finance system automatically assigning purchase orders to the procurement team and spending approvers.
Risks from control gap
Allowing requests, claims or activities to be approved by someone other than the appropriate decision maker can lead to:
- employees processing fraudulent requests or claims for themselves or another person
- employee entitlements, e.g. leave or overtime, being approved without the knowledge or approval of the manager or delegate
- processes becoming uncertain or not working properly
- poor management of decision making and risk.
Assessing effectiveness
Methods to evaluate the effectiveness of this control include:
- confirming the existence of approval workflows within the system
- consulting employees about approval processes to confirm they have a correct understanding
- identifying how approval requirements are communicated to employees
- reviewing procedures or guidance to confirm they clearly specify approval processes
- reviewing requirements on how approvals are obtained
- confirming approval processes are consistently applied
- confirming that someone cannot override or bypass approval processes, even when pressure or coercion is applied
- reviewing a sample of completed requests or claims to confirm appropriate approval was obtained on all occasions
- reviewing reports of completed requests, claims or activities to confirm approval is obtained on all occasions
- undertaking fraud control testing or a process walkthrough to confirm that approval processes are enforced
- confirming the existence of a review and reconciliation process and reviewing the reports
- reviewing any past fraud cases to identify how they were allowed to occur.
Complementary controls
Other capability, prevention, detection and response controls that can enhance this control’s effectiveness:
Related fraudster personas
Types of behaviour this control is designed to mitigate:
- The corrupt
- The enabler
- The exploiter