Change management processes
Implement change management processes to ensure changes do not create vulnerabilities or weaken existing fraud controls.
This control targets internal and external fraud risks.
Examples
Examples of this control include:
- engaging with employees and/or clients before, during and after changes are implemented
- undertaking and updating fraud risk assessments when there is a substantial change in the structure, functions or activities of the organisation or programme
- making sure changes go through a rigorous and transparent change management process
- consulting fraud control teams about programme and system changes
- undergoing a change impact assessment to consider the potential impacts on existing fraud controls when major changes occur
- logging all system changes through a change management system
- controlling all updates to access controls and source codes through layers of security, such as biometrics and transaction monitoring.
Risks from control gap
Changes to systems outside a transparent change management process can lead to:
- new or increased fraud and corruption risks
- unintended removal of existing controls
- vulnerabilities in existing controls
- employees and contractors being coerced to commit fraud for the benefit of another person or organisation
- fraudsters hiding changes in systems to create loopholes or defects to:
- facilitate fraudulent payments
- access, manipulate or release sensitive information
- erase records of their activities.
Assessing effectiveness
Methods to evaluate the effectiveness of this control include:
- undertaking a desktop review of change management policies and processes to confirm that clear and consistent processes exist
- confirming that change management processes align with existing policies
- confirming that change impact assessments and risk plans are completed and reviewing the documentation
- confirming that risk plans are used and updated
- consulting subject matter experts on change processes to evaluate their understanding and thoughts about fraud risk
- confirming that change processes would effectively identify and manage fraud risks
- confirming that fraud control teams are engaged as a stakeholder during change processes
- confirming that risks are properly treated
- reviewing how changes are reported, e.g. ask if change management plans are reviewed and signed off by a project board
- confirming that post-implementation reviews occur
- undertaking an employee survey and including questions relevant to change management.
Complementary controls
Other capability, prevention, detection and response controls that can enhance this control’s effectiveness:
Related fraudster personas
Types of behaviour this control is designed to mitigate:
The enabler
|
The exploiter
|
The organised
|
Download the complete fraud control catalogue
Explore a range of controls that can be put in place to reduce the risk of fraud happening in your organisation.
More information
- Learn what gaps and weaknesses to watch out for in contracting and supplier management processes
- See what bespoke fraud prevention support services the Counter Fraud Centre could offer your public sector organisation
- Gain insights into employee perceptions of their organisation’s fraud exposure and fraud management actions
- Complete our online learning modules to strengthen your fraud awareness