The third edition of the Australian Standard AS 8001:2021 – Fraud & Corruption Control was released in June 2021. This better practice Standard is arguably the benchmark guide for how organisations should manage and mitigate fraud and corruption risks.
The first release of AS 8001 was in 2003, after a spate of corporate collapses in the early 2000s that included Enron, WorldCom, One.Tel and HIH. AS 8001 was updated again in 2008, right in the middle of the Global Financial Crisis. A lot has happened since then, especially around information technology, and the 2021 refresh of AS 8001 reflects some of these major changes.
Why is AS 8001 so important?
Whilst many standards are not legally binding unless they are specifically included in legislation, they are considered better practice guides.
AS 8001 is a very good standard. It’s very popular and has a strong following. This means it is widely used as a reference point by many organisations in the public and private sector to help set the foundations of their fraud and corruption policy and framework. It is also currently the backbone of other better practice fraud and corruption prevention guidelines. There are many instances where regulators and government agencies use standards like AS 8001 as a reference point to guide and encourage organisations to adopt them. For example:
- the Audit Office of New South Wales’ Fraud Control Improvement Kit closely aligns to AS 8001:2008; and
- the Australian Prudential Regulation Authority (APRA) makes reference to AS 8001:2008 in prudential practice guide SPG 223 – Fraud Risk Management.
As many organisations have adopted AS 8001:2008 for fraud & corruption control, they are likely to migrate and adopt the new 2021 edition. Therefore it is important every organisation reviews the new Standard and makes changes to their policies, plans, systems and processes to realign with the new AS 8001:2021.
A word of warning: the changes are far from ‘cosmetic’ and will require a well-planned and well-executed approach. You will need to involve more stakeholders to realign to the 2021 edition. Let’s look closely at some of these major changes.
So what does the Standard aim to achieve? The objective of the Standard is to “…provide minimum requirements and additional guidance for organisations wishing to develop, implement and maintain an effective fraud and corruption control system (FCCS) through initiatives aimed at —
- preventing fraud and corruption;
- detecting fraud and corruption; and
- responding to fraud and corruption events that have already occurred.”
Clearly, the Standard aims to guide organisations to establish and maintain the minimum requirements for an effective fraud and corruption control system. Organisations can and should go over and above when their exposure to fraud and corruption risks is greater. For example, whilst Crown Resorts had many risk, governance and fraud control measures in place, it is clear now that they could have done more to recognise and manage the money laundering risks in their business.
Implications: Don’t assume that compliance or adoption of a standard like AS 8001 will solve all your problems. The fraud and corruption control system must be aligned to the level and nature of risks in your organisation.
1. More definitions and updated definitions for ‘fraud’ and ‘corruption’
The first change to note is the introduction of a Fraud and Corruption Control System (FCCS) in place of a Fraud and Corruption Control Plan. This recognises the fact that fraud and corruption control works within a broader and often integrated system, not just in a policy or plan.
Secondly, the Standard introduces the term ‘minimum requirements’ by using the word “shall” instead of “should” about 90 times in the new Standard. The word “shall” was not used in the 2008 edition.
The new Standard has doubled the number of definitions, with close to 20 new definitions. Also, the definitions of fraud and corruption have been broadened to include conduct that may not necessarily be illegal or a breach of the criminal law, but can still have negative consequences for the organisation.
Implications: When updating your fraud and corruption control system documentation, ensure you cover the entire fraud and corruption control ‘system’ in your framework and use ‘shall’ in more areas. Also ensure your definitions are in line with the new Standard.
2. More focus on the foundations
The 2008 version of the Standard started with 4 pages on “Planning and Resourcing” before moving on to Prevention – Detection – Response. In comparison, the new Standard strengthens the foundations of the fraud and corruption control system with 13 pages of guidance to help set the foundations. It also introduces the Governing Body and the appointment of an Information Security Management System (ISMS) professional.
Implications: When updating your fraud and corruption control system documentation, ensure your foundations are in line with the new Standard. With 13 pages of new guidance, this will be important. Also, there are new roles and responsibilities that will require more consultation with stakeholders and integration into day-to-day fraud and corruption control processes and governance practices.
3. The governing body
The new Standard introduces the ‘Governing body’ and brings in the Board as a new line, distinct from ‘Top management’. This closely aligns with the Institute of Internal Auditors’ Three Lines Model and ISO’s ‘oversight body’.
- The Governing Body has ‘ultimate responsibility and authority’ for the organisation’s activities, governance and policies.
- Top management should manage the fraud and corruption risks, understand their role in combatting fraud and corruption risk, and ensure they are in a position to understand the organisation’s risks so they can inform the Board.
Implications: When updating your fraud and corruption control system documentation, ensure you clearly define the roles of the Governing Body and Top Management in understanding and managing the risks of fraud and corruption. You may also need to enhance your reports to the Audit and Risk Committee to provide regular updates.
4. Compliance with other standards
The revised Standard introduces the concept of ‘normative references’, meaning that some other standards issued by the International Organization for Standardization (ISO), International Electrotechnical Commission (IEC), Standards Australia (SA), Auditing and Assurance Standards Board (AASB) and National Institute of Standards and Technology (NIST) must also be complied with in order to fully comply with AS 8001:2021. The normative references in the new Standard include:
- AS 4811, Employment screening
- AS ISO 31000, Risk management — Guidelines
- AS ISO 37001, Anti-bribery management systems — Requirements with guidance for use
- AS ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements
- ISO/IEC 27037, Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence
- ISO/IEC 27041, Information technology — Security techniques – Guidance on assuring suitability and adequacy of event investigative method
- ISO/IEC 27042, Information technology — Security techniques – Guidelines for the analysis and interpretation of digital evidence
- ISO/IEC 27043, Information technology — Security techniques – Incident investigation principles and processes
- ASA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Report, issued by the Auditing and Assurance Standards Board
- NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide
Implications: We see full compliance with the new AS 8001:2021 as a major challenge for small to medium organisations. Organisations should still pursue alignment with the new Standard and the normative references, but recognise that not all areas may be fully compliant. Recognise that the Standard provides an opportunity for continuous improvement, and keep making small and large improvements over several years.
5. Information security
With increasing dependency on information technology and external vendors, and the growing importance of cyber security, most of the normative references directly relate to information security and computer security incident handling. This is a major upgrade to the new Standard.
In addition, the new Standard now includes updated guidance in relation to preventing, detecting and responding to external “cyber-born” attacks. The definition of ‘attack’ is broad and includes any “attempt to destroy, expose, alter, disable, steal or gain unauthorised access to or make unauthorised use of an asset”. The Standard also:
- requires appointing an Information Security Management System (ISMS) professional,
- requires organisations to plan for preventing, detecting and responding to external ‘cyber-born’ attacks,
- provides guidance in relation to the capture and analysis of digital evidence, and
- introduces the concept of Digital Evidence First Response.
Implications: There are significant and complex information security processes and practices required to fully comply with the ISO/IEC 27000 series of standards, and these will be a challenge for many organisations. We expect organisations to consider information security as part of their fraud and corruption control system documentation, but not always to fully comply. When updating your fraud and corruption control system documentation, ensure you include information on, and references to, the plans and processes in your organisation designed to protect information assets, enhance information security and prevent, detect and respond to cyber attacks.
6. Harmonise fraud and corruption with Anti-Bribery Management Systems
AS ISO 37001, Anti-bribery management systems, is also a normative reference, i.e. organisations must comply with AS ISO 37001 in order to comply with AS 8001:2021. The new Standard also defines bribery as a form of corruption, introduces the term “business associate” and requires appropriate risk-based screening and management of business associates.
Implications: Guidance in respect to anti-bribery is more comprehensive in the new Standard. When updating your fraud and corruption control system documentation, ensure there is alignment between your anti-bribery practices, the new Standard and AS ISO 37001.
Research by the Association of Certified Fraud Examiners (ACFE) found that 46% of all frauds were uncovered by whistleblowers, while only 3% were detected by law enforcement. Both the ACFE and the Organisation for Economic Co-operation and Development (OECD) recognise the important role of whistleblowers and whistleblower protection in the detection of fraud, bribery and corruption.
For the private sector, the Australian Securities and Investments Commission (ASIC) requires public companies, large proprietary companies, and corporate trustees of APRA-regulated superannuation entities to have a whistleblower policy from 1 January 2020. In the public sector, whistleblowing legislation has been in place for many years. For example, in NSW there is the Independent Commission Against Corruption Act 1988 (“the ICAC Act”) and the Public Interest Disclosures Act 1994 (“the Public Interest Disclosures Act”).
The new Standard includes better guidance in relation to whistleblower protection and misconduct reporting channels to help align with the proposed new Standard ISO 37002:2021 Whistleblowing management systems — Guidelines.
Implications: When updating your fraud and corruption control system documentation, ensure there is alignment between your whistleblowing policies, regulatory requirements and the new Standard.
8. Pressure testing fraud and corruption internal controls
The new Standard requires an organisation to implement procedures aimed at assessing the effectiveness of internal controls that are specifically designed or intended to mitigate fraud and corruption risks. Examples of pressure tests include desktop reviews of case studies, process walk-throughs and data analysis.
Implications: When updating your fraud and corruption control system documentation, ensure you include information about the scope and types of pressure tests to be applied as well as the appropriate governance arrangements and responsibilities.
9. Notifying impacted third-parties about fraud and corruption
The new Standard requires an organisation to consider the impact of a fraud and corruption event on third parties. Third parties include customers, clients, Government services, law enforcement, the community, the environment, industry and national security.
Implications: When updating your fraud and corruption control system documentation, ensure there is a process for notifying impacted third parties as part of the response.
10. Disruption of fraud and corruption
The Standard also recognises the fact that an investigation may not always uncover all the perpetrators or obtain enough evidence for police, regulators or prosecution. ‘Disruption’ of the activity is recognised as an adequate response because it helps ensure such activities don’t continue.
Implications: When updating your fraud and corruption control system documentation, ensure disruption is included as part of the response. Disruption activities can include increased checking and monitoring, improved exception reporting and increased audit activity.
A cut and paste review and update is not enough: The revised AS 8001:2021 is a welcome change. It will require organisations to look closely at their entire fraud and corruption control system and update many components to realign to the 2021 edition. A simple document edit that finds “2008” and replaces it with “2021” is not going to cut it (excuse the pun!).
A comprehensive review is required: This presents an opportunity for each organisation to conduct a comprehensive, end-to-end review of their current fraud and corruption control system and several other supporting systems such as information security, whistleblowing, third-parties, business associates, anti-bribery, and risk management to identify shortfalls in policies, plans, responsibilities, processes and practices across the fraud and corruption control ecosystem.
The review will take time and consume resources: As the revised AS 8001:2021 spreads its tentacles into other areas through the normative references, the refresh will take time and require input from several stakeholders, from the Governing body down.
Expect gaps between different frameworks: The revised AS 8001:2021 edition will mean that other better practice toolkits recommended by regulators and government agencies that previously relied on the 2008 edition will need to be updated, and this may take many months or perhaps years.
How we can help
InConsult is committed to helping organisations better understand the benefits and value of fraud and corruption control. We have extensive experience in fraud and corruption prevention, cyber security, investigations, crisis management, internal auditing, risk management, probity, business continuity, climate risk management and pandemic planning.