A new Australian Standard, AS8001:2021 - Fraud & Corruption Control, was released on 11 June 2021. This Standard is considered the benchmark for how organisations can mitigate fraud and corruption risks. It is of particular importance to Boards, including how they assess their cyber risks.
In 2019, BDO Forensics Partner Adam Simms was invited to be part of the review of the existing Standard. As an experienced financial crime lawyer, Adam has an in-depth understanding of this Standard and its application. In this article, he provides his insights into key questions about the new Standard and its revision.
The history of AS8001 - Fraud & Corruption Control & why it’s changing
The AS8001 Standard was created to provide guidance on corporate governance around fraud and corruption issues, prompted by some large global corporate collapses at the time. AS8001 was one of five Standards released to guide Boards and senior management in minimising fraud and corruption risks. Standards Australia ensures Standards are revised within ten years or withdrawn. As a result, all of the five Standards (excluding AS8001) were withdrawn. In 2008, AS8001 was revised but had not been revisited until now, when it has undergone a much-needed refresh. BDO is proud to have been part of that revision process.
As a priority, the revision brings the 2008 Standard up to date, especially when it comes to the impact of technology on modern business operations. In today’s world of integrated technology and greater interconnectivity, businesses and organisations are at a much greater risk of external attacks such as cyber-attacks. As the 2008 version and its predecessors were heavily focused on internal activities, the revised Standard recognises the significant rise of external threats.
Since COVID-19 there has been a marked change in the profile of fraud and corruption across all sectors, with the rationalisation to commit financial crime reaching alarming levels. The release of the revised Standard is timely in a COVID-19 world and will offer some useful insight, and in some cases a reminder, on fraud and corruption risk across organisations.
What are some of the more significant changes in the new AS8001?
Aside from the proven traditional approaches to fraud and corruption control that remain in the Standard, there are some important changes for organisations. In particular, the new Standard moves away from “should” statements and now states that organisations “shall” consider the following:
1. The concept of ‘Fraud Control Plans’ is replaced with the ‘Fraud and Corruption Control System’.
Fraud Control Plans have evolved into a more robust documented system. The idea of a system, as opposed to a plan, is that it brings together the strategies the organisation has adopted to combat fraud and corruption, rather than producing a plan that ends up as another governance document gathering dust. Historically, we have seen organisations develop a plan and then ‘shelf’ it - not implementing it well, or indeed at all.
2. Updated definitions for ‘fraud’ and ‘corruption’.
New definitions encompass the full scope of fraud and corruption to support a more holistic approach to combatting it. The rationale for updating these definitions is that if we were to focus only on breaches of the criminal law, we would miss an opportunity to stamp out other behaviours that are harmful to organisations.
3. Distinguish and harmonise AS8001 with ISO 37001-2019 Anti-Bribery Management Systems.
The International Standard ISO 37001 became an Australian Standard in 2019, so it does apply in Australia. While the concept of bribery is not that far from that of corruption, the concept of corruption is far broader than bribery, and AS8001:2021 addresses this distinction.
4. There is now a requirement for organisations to plan for preventing, detecting and responding to external attack - particularly ‘cyber-born’ attacks. This recognises that organisational reliance on technology, and the associated risks, are more prevalent now than in 2008.
5. A new concept referred to as “normative references” will mean other fraud and corruption-related Standards will also need consideration to achieve compliance with AS8001:2021. There are nine of these normative references, but two important examples are:
- Information Security Management - Required conforming with ISO/IEC 27001 ‘Information Security Management System (ISMS)’. This Standard reflects the impact of cyber-attacks on businesses in recent times. Businesses will need to work towards an ISMS, which is a set of policies and procedures that control an organisation’s sensitive data.
- Risk Management - Required conforming with ISO 31000:2018 - Risk Management. Businesses face varying risks. These guidelines assist businesses to apply common approaches to risk management that meet the individual needs of their business.
6. Scrutiny of Boards
There is broader scrutiny on the tone from the top, with the Standard referencing the ‘Governing Body’ role as distinct from ‘Top Management’. The new Standard AS8001:2021 defines the various lines of management and brings in the Board as the Governing Body responsible for managing governance and risk, together with senior management. Senior management should also understand their role in combatting fraud and corruption risk, and ensure they are in a position to understand the organisation’s risks so they can both inform the Board and manage that risk.
7. Third-party notification
There is new guidance that considers the impact of a fraud and corruption event on third parties such as customers/clients, Government services and the relevant industry more broadly, and whether to inform these parties. This includes guidance around the right time to share information to prevent further or ongoing fraud. By way of example, if an organisation is subjected to an external attack, and what has happened to them may be happening to other organisations within the same industry or sector, there are considerations to be made about informing those organisations.
8. ‘Pressure testing’ of internal controls.
The Standard introduces the concept of pressure testing by analogy with penetration testing in cyber security, where a white hat hacker attacks your technology system. Pressure testing draws on that concept but is used to test internal fraud and corruption mitigation controls; an example given in the Standard is a test of the controls around false invoicing. This is a common type of fraud associated with poor controls over entering new vendors or updating vendor information in the system. A specific test might include an email communication requesting a change to client details in the vendor management system, and observing how the internal controls respond. How organisations do this will be up to them, but it must form part of the program.
9. Due diligence requirements for ‘business associates’ - the screening and management of business associates, which includes external parties with whom the organisation has a business relationship. This has been a heightened risk during COVID and is something that has not historically been managed well by organisations. The Standard suggests searches that can be undertaken in this regard.
10. Reference and guidance to whistleblower protection and misconduct reporting channels. Whistleblowing remains a key detection mechanism in all organisations, and a whistleblowing platform should be considered a misconduct barometer for the business and a safeguard to the business and interested parties. There is a new Standard under production, ISO 37002 Whistleblowing Protection Management System, expected in Q3 2021, but some items from the draft ISO 37002 have already been included in AS8001:2021.
11. Immediate actions in fraud and corruption response
There is a range of new guidance within the Standard relating to the immediate actions to take on discovery of fraud or corruption. More specifically, the Standard requires the capture of digital evidence at that point. A number of fraud and corruption events fail to be investigated correctly in the first instance because the evidence is not captured immediately or appropriately, is not secured to protect it from deletion, or is not safeguarded against contamination. The same applies to physical evidence. The guidance also covers investigations, the investigator and the safety of that person, investigation planning and record-keeping. This guidance is geared towards ensuring organisations are well placed to respond to incidents and prosecute where necessary.
12. New guidance around the disruption of fraud and corruption.
In many cases, an investigation may not uncover enough evidence for legal proceedings or police referral, so there is guidance that disruption of the fraud and corruption is an adequate response in these circumstances, by ensuring the activity doesn’t continue. As per the Standard, these include:
- Increased audit activity
- Increased monitoring of specific transactions
- Internal control augmentation
- Delivery channel revaluation
- Augmented identity checking.
Assessing your compliance with Standards
Many of these changes are already considered and recommended for the effective mitigation of the impact of fraud and corruption on businesses and organisations. Inclusion in the revised Standard will make them a ‘must’. As such, organisations will need to begin reviewing their Fraud Control Program and implement critical changes to create a Fraud and Corruption Control System and to ensure they are complying with the revised 2021 Standard.
Are Standards mandatory?
One of the key questions that many businesses and organisations have is whether these Standards are mandatory - it’s a bit of a ‘yes’ and ‘no’. While Standards are a good reference point for businesses, they are not legally binding unless they are incorporated into legislation - the standards for child car seats being one example. In that case, the law imposes a duty to use the Australian Standard (AS) to ensure compliance with the legal obligations.
Where Standards are not incorporated into law, they still serve as an excellent source of reference. When courts or tribunals are making a determination on whether a company did all things reasonably possible to manage a risk, they will often look at whether the company was compliant with Australian Standards. Organisations should be aware of what Australian Standards are and how they apply to their business operations. Complying with the Standards now could save the company some serious problems (and money) at a later time.
What about instances where there are International Standards (otherwise known as ISOs)?
International Standards (e.g. ISO 37001-2019 Anti-Bribery Management Systems) can also be considered in conjunction with the equivalent Australian Standard. This means that an International Standard may be useful, particularly where its use achieves the same or a better overall level of risk mitigation than its Australian Standard equivalent.
Published on 11 June 2021, the new AS8001 is now ready for implementation. Standards Australia released AS8001 today and it can also be purchased through SAI Global.
BDO is well placed to advise businesses and organisations looking to comply with AS8001:2021 – Fraud & Corruption Control. We will shortly be releasing a management checklist and holding a client briefing on the new Standard. Our team of Forensic, Risk, People and Technology advisory experts can assist you with all aspects of the new Standard.
For more information, or if you have any questions about this article, please contact Adam Simms or your local office.