User permissions
Assign permissions to users based on specific business needs.
This control targets internal fraud risks.
Examples
Examples of this control include:
- restricting certain functions within systems to users who hold a specific permission
- requiring a business case and approval to obtain specific permissions
- making sure only teams who require it have access to certain functions, e.g. only payroll employees having access to payroll functions and information
- blocking employees from accessing their own records
- only allowing authenticated clients or authorised representatives to perform functions on a client’s record.
Risks from control gap
Not controlling user permissions can lead to:
- employees facilitating fraudulent payments
- employees accessing, manipulating and disclosing information without a business need
- employees processing fraudulent requests or claims for themselves or another person
- criminals coercing employees into providing information.
Assessing effectiveness
Methods to evaluate the effectiveness of this control include:
- confirming the existence of permissions and limits within the system
- reviewing procedures or guidance to confirm they clearly specify where permissions should be limited
- obtaining and reviewing requirements for who should have certain user permissions
- confirming the existence of a request and approvals process for obtaining specific permissions
- confirming request and approvals processes are consistently applied
- confirming that employees moving roles within the organisation do not automatically take their access or permissions with them
- reviewing procedures for requesting user permissions, confirming the request processes are robust and actively testing them if required
- confirming that someone cannot circumvent standard process requirements, even when subject to pressure or coercion
- confirming that user permissions consider segregation of duties requirements
- reviewing the need for security clearances for some permissions
- reviewing reports of user permissions to confirm only those who require them have the permissions
- undertaking testing or a process walkthrough to confirm that permissions within systems work correctly and cannot be circumvented
- confirming the existence of a review and reconciliation process and reviewing the reports
- reviewing any past access breaches to identify how they occurred
- checking that permissions for employees who have resigned or changed roles are promptly removed.
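Several of the checks above (reviewing permission reports against who should hold them, segregation of duties, movers carrying access with them, leavers retaining access, and the "blocking employees from accessing their own records" example earlier on this page) can be run as a repeatable reconciliation over a permission export rather than by eye. The script below is an added example and is not part of the fraud control catalogue or any particular system; the roles, permission names, segregation-of-duties pairs, export column layout and user rows are all constructed for illustration and would be replaced by the organisation's own entitlement matrix and IAM/HR export.

```python
"""Added example: reconcile a user-permission export against a role entitlement
matrix and flag the control gaps listed on the page. All data is constructed."""
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed role entitlement matrix: the documented requirement for who may
# hold which permission. Permission names are hypothetical.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "payroll_officer":  {"payroll.view", "payroll.edit"},
    "payroll_approver": {"payroll.view", "payroll.approve"},
    "claims_assessor":  {"claims.view", "claims.create"},
    "claims_approver":  {"claims.view", "claims.approve"},
    "helpdesk":         {"customer.view"},
}

# Segregation-of-duties pairs: no single person may hold both.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("payroll.edit", "payroll.approve"),
    ("claims.create", "claims.approve"),
]

# Constructed permission export in the shape an IAM/HR report might take.
# status: active | moved (role changed; previous_role given) | left
PERMISSION_EXPORT = """\
user_id,role,status,previous_role,employee_record_id,permissions,record_access
u100,payroll_officer,active,,E100,payroll.view;payroll.edit,E100;E200
u101,payroll_approver,active,,E101,payroll.view;payroll.approve;payroll.edit,E100;E200
u102,claims_approver,moved,claims_assessor,E102,claims.view;claims.approve;claims.create,
u103,helpdesk,left,,E103,customer.view,
u104,helpdesk,active,,E104,customer.view,E300
"""


@dataclass
class UserRecord:
    user_id: str
    role: str
    status: str               # active | moved | left
    previous_role: str        # only meaningful when status == "moved"
    employee_record_id: str   # the user's own HR/client record
    permissions: Set[str] = field(default_factory=set)
    record_access: Set[str] = field(default_factory=set)  # records the user may act on


def _split(cell: str) -> Set[str]:
    return {p for p in cell.split(";") if p}


def parse_export(text: str) -> List[UserRecord]:
    """Parse the constructed CSV export into UserRecord objects."""
    rows = csv.DictReader(io.StringIO(text))
    return [UserRecord(r["user_id"], r["role"], r["status"], r["previous_role"],
                       r["employee_record_id"], _split(r["permissions"]),
                       _split(r["record_access"])) for r in rows]


Finding = Tuple[str, str, List[str]]  # (user_id, finding type, details)


def review_permissions(users: List[UserRecord],
                       entitlements: Dict[str, Set[str]] = ROLE_ENTITLEMENTS,
                       sod: List[Tuple[str, str]] = SOD_CONFLICTS) -> List[Finding]:
    """Return one finding per control gap found in the export."""
    findings: List[Finding] = []
    for u in users:
        # Leavers must have had every permission removed.
        if u.status == "left":
            if u.permissions:
                findings.append((u.user_id, "leaver_retains_access", sorted(u.permissions)))
            continue
        allowed = entitlements.get(u.role, set())
        excess = u.permissions - allowed
        # Movers: permissions the old role entitled them to but the new one does not.
        carried = excess & entitlements.get(u.previous_role, set()) if u.status == "moved" else set()
        if carried:
            findings.append((u.user_id, "mover_carried_access", sorted(carried)))
        if excess - carried:
            findings.append((u.user_id, "excess_permission", sorted(excess - carried)))
        # Segregation of duties: both halves of a conflicting pair held by one person.
        for a, b in sod:
            if a in u.permissions and b in u.permissions:
                findings.append((u.user_id, "sod_conflict", [a, b]))
        # Employees must not be able to act on their own record.
        if u.employee_record_id in u.record_access:
            findings.append((u.user_id, "self_record_access", [u.employee_record_id]))
    return findings


if __name__ == "__main__":
    for user_id, finding, detail in review_permissions(parse_export(PERMISSION_EXPORT)):
        print(f"{user_id}: {finding} {detail}")
```

Run against the constructed export, the script reports the approver who also holds edit rights (an SoD conflict and an excess permission), the mover who kept a permission from the previous role, the leaver whose account was never cleaned up, and the payroll officer who can act on their own record; the helpdesk user with role-appropriate access produces no finding. In practice the same checks would run on a scheduled basis against the real export, with each finding tracked to closure as part of the review and reconciliation process.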
Complementary controls
Other capability, prevention, detection and response controls that can enhance this control’s effectiveness:
Related fraudster personas
Types of behaviour this control is designed to mitigate:
- The corrupt
- The enabler
- The exploiter
- The impersonator
More information
- See what bespoke fraud prevention support services the Counter Fraud Centre could offer your public sector organisation
- Register for counter fraud workshops and webinars, free for public sector employees
- Find out more about the seven common personas that fraudsters use when committing financial crimes
- Complete our online learning modules to strengthen your fraud awareness