System testing

This control targets internal fraud risks.

Examples

Examples of this control include:

testing all new systems or system updates as part of the ICT system lifecycle or change management process
conducting user acceptance testing to test for fraud risks or control vulnerabilities
performing vulnerability assessments and penetration testing on systems.

Fraudsters could take advantage of untested systems to create loopholes for:

Methods to evaluate the effectiveness of this control include:

undertaking a desktop review of testing policies and processes to confirm that clear and consistent processes exist
confirming that testing processes meet approved policies and accepted standards
confirming that the results of system testing are documented and reviewing the documentation
consulting subject matter experts on testing processes and systems to evaluate their understanding and thoughts about fraud control
confirming that testing processes would identify specific types of vulnerabilities, e.g. malicious code
conducting a system walkthrough by having employees show you a process
reviewing who has access to perform testing
reviewing the system permissions needed to perform testing
confirming that testing environments accurately replicate production environments
reviewing how the results of system testing are reported and rectified as required
confirming that defects or other issues are adequately resolved
confirming that post-production testing also occurs.

Other capability, prevention, detection and response controls that can enhance this control’s effectiveness:

Types of behaviour this control is designed to mitigate:

Explore a range of controls that can be put in place to reduce the risk of fraud happening in your organisation.