Decommissioning and disposal
Have processes in place to properly archive or dispose of old or unnecessary information and communications technology (ICT) systems, assets, documents and records.
This control is supported by the Protective Security Requirements and the information and records management standard under the Public Records Act 2005.
This control targets both internal and external fraud risks.
Examples
Examples of this control include:
- archiving information or ceasing a client identity
- disposing of documents in accordance with the relevant records authority
- making sure expired building passes are surrendered to the issuing authority
- regularly reviewing vacant human resources position numbers and removing them if no longer required
- appropriately handling and destroying returned unclaimed mail
- effectively disposing of redundant ICT stock
- withdrawing access to ICT systems and resources when employees leave
- withdrawing privileged access to ICT systems when no longer required
- protecting deceased client records from misuse, e.g. by making them read-only
- protecting redundant provider or supplier accounts from misuse, e.g. by making them read-only
- checking physical assets, e.g. safes and furniture, before disposal.
Risks from control gap
Keeping old or unnecessary ICT systems, employee position numbers and access rights, client accounts, assets or records may allow fraudsters to:
- use old human resources position numbers to make fraudulent payroll payments
- receive payments for deceased customers
- impersonate public officials
- steal surplus assets
- access, exploit and/or release information held in old or unused systems or hardware
- access, exploit and/or release information held in old physical storage
- use stolen records to make fraudulent requests or claims.
Assessing effectiveness
Methods to evaluate the effectiveness of this control include:
- reviewing policies and processes to confirm that clear and consistent processes exist
- consulting subject matter experts on processes and systems to evaluate their understanding and thoughts about fraud control policies
- conducting a process walkthrough by having employees show you the archive or disposal process
- reviewing who has access to perform archive or disposal processes
- testing and confirming that archived records cannot be manipulated
- analysing data or reports to confirm old or unnecessary systems, employee positions and accesses, client accounts, assets or records are being properly archived or disposed of
- reviewing a data sample to confirm compliance with policies and processes
- checking if and how archive or disposal processes are reported.
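The data analysis point above (confirming that employee positions, accesses and accounts are actually being removed when no longer needed) is the one most easily automated. The script below is an added illustration, not part of the original catalogue: it reconciles a constructed HR roster against a constructed account export and reports leaver accounts that are still enabled, accounts with no known owner, privileged accounts that have gone unused past an idle threshold, and position numbers whose holders have all left. The record layouts, the 90-day idle threshold and the sample data are assumptions chosen for the example.

```python
"""Leaver and stale-access reconciliation (added example with constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Employee:
    employee_id: str
    position_number: str
    end_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    name: str
    employee_id: Optional[str]  # None means no recorded owner, e.g. a service account
    privileged: bool
    enabled: bool
    last_used: date


# Constructed sample HR roster (assumed layout, not real data).
HR_ROSTER: List[Employee] = [
    Employee("E100", "P-01", None),
    Employee("E101", "P-02", date(2024, 1, 31)),   # has left the organisation
    Employee("E102", "P-03", date(2024, 6, 30)),   # leaving later, still employed
]

# Constructed sample account export (assumed layout, not real data).
ACCOUNTS: List[Account] = [
    Account("alice", "E100", privileged=True, enabled=True, last_used=date(2024, 3, 10)),
    Account("bob", "E101", privileged=False, enabled=True, last_used=date(2024, 2, 5)),
    Account("bob-admin", "E101", privileged=True, enabled=False, last_used=date(2024, 1, 20)),
    Account("carol", "E102", privileged=True, enabled=True, last_used=date(2023, 11, 1)),
    Account("svc-backup", None, privileged=True, enabled=True, last_used=date(2024, 3, 1)),
    Account("dave", "E999", privileged=False, enabled=True, last_used=date(2024, 3, 12)),
]

# Review date for the constructed sample.
AS_OF = date(2024, 3, 15)


def lingering_leaver_accounts(roster, accounts, as_of):
    """Enabled accounts whose owner's end date is on or before the review date."""
    left = {e.employee_id for e in roster if e.end_date is not None and e.end_date <= as_of}
    return sorted(a.name for a in accounts if a.enabled and a.employee_id in left)


def orphaned_accounts(roster, accounts):
    """Enabled accounts with no owner, or an owner not present in the roster."""
    known = {e.employee_id for e in roster}
    return sorted(a.name for a in accounts if a.enabled and a.employee_id not in known)


def stale_privileged_accounts(accounts, as_of, max_idle_days=90):
    """Enabled privileged accounts not used for longer than the idle threshold."""
    return sorted(
        a.name for a in accounts
        if a.enabled and a.privileged and (as_of - a.last_used).days > max_idle_days
    )


def vacant_positions(roster, as_of):
    """Position numbers whose holders have all left: candidates for removal."""
    holders = {}
    for e in roster:
        holders.setdefault(e.position_number, []).append(e)
    return sorted(
        p for p, es in holders.items()
        if all(e.end_date is not None and e.end_date <= as_of for e in es)
    )


def reconcile(roster, accounts, as_of, max_idle_days=90):
    """Run all checks and return the findings for the review report."""
    return {
        "leaver_accounts_still_enabled": lingering_leaver_accounts(roster, accounts, as_of),
        "orphaned_accounts": orphaned_accounts(roster, accounts),
        "stale_privileged_accounts": stale_privileged_accounts(accounts, as_of, max_idle_days),
        "vacant_positions": vacant_positions(roster, as_of),
    }


if __name__ == "__main__":
    for finding, items in reconcile(HR_ROSTER, ACCOUNTS, AS_OF).items():
        print(f"{finding}: {items}")
```

Each finding maps back to a line of the examples list: leaver accounts to withdrawing access when employees leave, stale privileged accounts to withdrawing privileged access when no longer required, and vacant position numbers to the regular review of unused positions. Disabled accounts are deliberately excluded so that a correctly actioned leaver does not keep appearing in the report.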
Complementary controls
Other capability, prevention, detection and response controls that can enhance this control’s effectiveness:
Related fraudster personas
Types of behaviour this control is designed to mitigate:
- The deceiver
- The exploiter
- The fabricator