Are you ready for changes to cyber risk fraud controls

Why the standard is changing

The AS8001 Standard was created, in response to some large global corporate collapses, to provide guidance on corporate governance around fraud and corruption issues. AS8001 was one of five standards released to guide boards and senior management in minimising fraud and corruption risks.

The revision brings the 2008 Standard up to date, especially when it comes to the impact of technology in modern business operations and the significant rise of external threats. In today’s world of integrated technology and greater interconnectivity, businesses and organisations are at a much greater risk of external attacks such as cyber-attacks. Since COVID-19, there has been a marked change in the profile of fraud and corruption across all sectors, with the rationalisation to commit financial crime reaching alarming levels.

This recently published voluntary standard, AS 8001:2021, Fraud and corruption control, is intended to apply to all organisations operating in Australia, both for-profit and not-for-profit.

Major changes

Aside from proven traditional approaches to fraud and corruption control that remain in the standard, there are some important changes. The new standard moves away from “should” statements and now states that organisations “shall” consider:

1. Fraud and Corruption Control System

Former Fraud Control Plan requirements have evolved into a more robust documented system. The idea of a system, as opposed to a plan, is that it brings together strategies adopted by the organisation to combat fraud and corruption.

2. Updated definitions for fraud and corruption

New definitions encompass the full scope of fraud and corruption to provide more holistic approaches to combat it.

3. Harmonise with Anti-Bribery Management Systems

The international anti-bribery standard ISO 37001 was adopted as an Australian Standard in 2019, so it applies in Australia. While the concept of bribery is not far from that of corruption, corruption is a far broader concept than bribery, and AS8001:2021 addresses this distinction.

4. Plan for external attacks

Organisations are now required to plan for preventing, detecting and responding to external attacks, particularly ‘cyber-born’ attacks. This recognises that organisational reliance on technology, and the risks that come with it, are far more prevalent now than in 2008.

5. Consider other standards

Other fraud and corruption-related standards will also need consideration to achieve compliance with AS8001:2021. There are nine of these normative references, but two important examples are:

  • Information Security Management - Conforms with ISO/IEC 27001 ‘Information Security Management System (ISMS)’. This standard reflects the impact of cyber-attacks on businesses in recent times. Businesses will need to work towards an ISMS, which is a set of policies and procedures that control an organisation’s sensitive data.
  • Risk Management - Conforms with ISO 31000:2018 - Risk Management. Businesses face varying risks. These guidelines assist businesses in applying common approaches to risk management that meet the individual needs of their business.

6. Scrutiny of Boards

There is broader scrutiny on tone from the top, with the standard referencing the ‘governing body’ role as distinct from ‘top management’. The new standard AS8001:2021 defines the various lines of management and brings in the board as the governing body responsible for managing governance and risk, together with senior management. Senior management should also understand their role in combatting fraud and corruption risk, and ensure they are in a position to understand the organisation’s risks so they can both inform the board and manage that risk.

7. Third-party notification

There is new guidance that considers the impact of a fraud and corruption event on third parties such as customers/clients, government services and the relevant industry more broadly and whether to inform these parties. This includes guidance around the right time to share information to prevent further or ongoing fraud.

8. Pressure testing of internal controls

In cyber security, penetration testing has an authorised ‘white hat’ tester attack your technology systems to find weaknesses before a real attacker does. Pressure testing draws on this concept, but applies it to internal fraud and corruption mitigation controls. An example given in the standard is a test of the controls around false invoicing.

9. Due diligence requirements for business associates

The standard suggests searches that can be undertaken for the screening and management of business associates. This has been a heightened risk during COVID-19.

10. Whistleblowing

The standard references and gives guidance on whistleblower protection and misconduct reporting channels. Whistleblowing remains a key detection mechanism in all organisations, and a whistleblowing platform should be considered both a misconduct barometer for the business and a safeguard for the business and interested parties. A new standard, ISO 37002 Whistleblowing Protection Management System, is under production and expected in Q3 2021, but some items from the draft ISO 37002 have already been included in AS8001:2021.

11. Immediate actions in fraud and corruption response

There is a range of new guidance within the standard relating to immediate actions in response to the discovery of fraud or corruption, including investigations and the capture of digital evidence.

12. New guidance around the disruption of fraud and corruption

In many cases, an investigation may not uncover enough evidence for legal proceedings or police referral, so the standard gives guidance on the disruption of fraud and corruption as an adequate response in these circumstances, the aim being to ensure the activity does not continue. Disruption measures include things like:

  • Increased audit activity
  • Increased monitoring of specific transactions
  • Internal control augmentation
  • Delivery channel re-evaluation
  • Augmented identity checking

Are standards mandatory?

Organisations need to begin reviewing their fraud control programs and implement critical changes to create a fraud and corruption control system to ensure they comply with the revised 2021 standard.

One key question many businesses and organisations have is whether these standards are mandatory – the answer is yes and no. While standards are a good reference point for businesses, they are not legally binding unless they are incorporated into legislation. This revised standard is voluntary and is not incorporated into legislation. (For other standards such as those for child car seats, the law imposes a duty to use the Australian Standard (AS) to ensure compliance with legal obligations.)

When courts or tribunals are making a determination about whether a company did everything reasonably possible to manage a risk, they will often look at whether the company complied with the relevant Australian Standards. Complying with the standards now could save the company serious problems (and money) later.

International Standards (e.g. ISO 37001-2019 Anti-Bribery Management Systems) can also be considered in conjunction with the equivalent Australian Standard.

BDO has prepared a checklist to assist boards and executives in their understanding and to ensure the right questions are being asked about their organisation’s current risks and controls. The checklist acts as a comprehensive guide to effectively implementing fraud and corruption control practices that comply with AS8001:2021 and can be downloaded at the link below.

This article (Are-you-ready-for-the-changes-to-fraud-and-corruption-control) was originally published by BDO in June 2021.