AS8001: Are you ready for the changes to fraud and corruption control?

The Australian Standard AS8001:2021 - Fraud & Corruption Control was released on 11 June, 2021. This Standard is considered the benchmark for how organisations can mitigate fraud and corruption risks. It’s of particular importance to Boards and now includes the consideration of cyber risks.

This article provides insights into key questions about the new Standard and its revision, along with a fraud & corruption control checklist.

The history of AS8001 - Fraud & Corruption Control & why it’s changing

The AS8001 Standard was one of five Standards created to provide guidance on corporate governance around fraud and corruption issues, prompted by some large global corporate collapses at the time. It was released to guide Boards and senior management in minimising fraud and corruption risks.

Standards Australia ensures that Standards are revised within ten years or withdrawn. As a result, all five Standards (excluding AS8001) were initially withdrawn.

AS8001 was revised in 2008 and has now been revisited, undergoing a much-needed refresh. BDO is proud to have been part of that revision process.

As a priority, the revision brings the 2008 Standard up-to-date, especially regarding technology’s impact on modern organisations’ operations. In today’s world of integrated technology and greater interconnectivity, organisations are at a much greater risk of external attacks such as cyber attacks.

As the 2008 version and its predecessors were heavily focused on internal activities, the revised Standard recognises the significant rise of external threats. 

In recent years there’s been a marked change in the profile of fraud and corruption across all sectors, with the rationalisation to commit financial crime reaching alarming levels. The release of the revised Standard is timely and will offer some insight into, and in some cases a reminder of, fraud and corruption risk across organisations.

What are some of the more significant changes in the new AS8001?

Aside from the proven traditional approaches to fraud and corruption control that remain in the Standard, there are some important changes for organisations. In particular, the new Standard moves away from ‘should’ statements and now states that organisations ‘shall’ consider the following:

1.  The concept of ‘Fraud Control Plans’ is replaced with the ‘Fraud and Corruption Control System’.

Fraud Control Plans have evolved into a more robust documented system. The idea of a system is that it brings together the strategies adopted by the organisation to combat fraud and corruption as required, as opposed to a plan that ended up as another governance document gathering dust. This is because historically, we have seen organisations develop a plan and then ‘shelve’ it - not implementing it well or at all.

2.  Updated definitions for ‘fraud’ and ‘corruption’.

New definitions encompass the full scope of fraud and corruption to provide more holistic approaches to combatting it. The idea of updating these definitions is that if we were to only focus on a breach of the criminal law, we would miss an opportunity to stamp out other behaviours that are harmful to organisations.

3.  Distinguish and harmonise AS8001 with ISO 37001-2019 Anti-Bribery Management Systems.

The International Standard ISO 37001 became an Australian Standard in 2019. While the concept of bribery is not that far from that of corruption, the concept of corruption is far broader than bribery, and AS8001:2021 addresses this distinction. 

4.  There is a requirement for organisations to now plan for preventing, detecting and responding to external attack - particularly ‘cyber-borne’ attacks.

This recognises organisational reliance on technology, increased connectivity and the associated risks being more prevalent now than in 2008.

5.  A new concept referred to as “normative references” will mean other fraud and corruption-related Standards will also need consideration to afford compliance with AS8001:2021.

There are nine of these normative references, but two important examples are: 

  • Information Security Management - Conformance with ISO/IEC 27001 ‘Information Security Management System (ISMS)’ is required. This Standard reflects the impact of cyber attacks on organisations in recent times. Organisations will need to work towards an ISMS, which is a set of policies and procedures that control an organisation’s sensitive data.
  • Risk Management - Conformance with ISO 31000:2018 - Risk Management is required. Organisations are faced with varying risks. These guidelines assist in applying common approaches to risk management to meet the organisation’s individual needs.

6.  Scrutiny of Boards

There is broader scrutiny on the tone from the top, with the Standard referencing the ‘Governing Body’ role as distinct from ‘Top Management’.

The new standard AS8001:2021 defines the various lines of management and brings in the Board as the governing body responsible for managing governance and risk, together with senior management. Senior management should understand their role in combatting fraud and corruption risks, ensuring they are in a position to understand the organisation’s risks to inform the Board and manage the risk.

7.  Third-party notification 

There is new guidance that considers the impact of a fraud and corruption event on third parties such as customers/clients, government services and the relevant industry more broadly, and whether to inform these parties. This includes guidance around the right time to share information to prevent further or ongoing fraud. By way of example, if an organisation is subjected to an external attack, what has happened to it may also be happening to other organisations within the same industry or sector.

8.  ‘Pressure testing’ of internal controls. 

The Standard introduces the concept of ‘pressure testing’, which draws on the concept of penetration testing in cyber security to test internal fraud and corruption mitigation controls. An example in the Standard is a test of the controls around false invoicing, a common type of fraud associated with poor controls over entering new vendors or updating vendor information in the system. A specific test might include sending an email communication to change client details in the vendor management system and observing how the internal controls respond. How organisations do this will be up to them, but it must form part of the program.

9.  Due diligence requirements for ‘business associates’ - the screening and management of business associates which includes external parties with whom the organisation has a business relationship.

This area has seen heightened risk during the global pandemic and has not historically been managed well by organisations. The Standard suggests searches that can be undertaken in this regard.

10.  Reference and guidance to whistleblower protection and misconduct reporting channels.

Whistleblowing remains a key detection mechanism, and a whistleblowing platform should be considered a misconduct barometer and a safeguard for the business and associated parties. There is a new Standard under production, ISO 37002 Whistleblowing Protection Management System, expected in Q3, 2021, but some items from the draft ISO 37002 have been included in AS8001:2021.

11.  Immediate actions in fraud and corruption response

There is a range of new guidance within the Standard relating to the immediate actions in response to the discovery of fraud or corruption. More specifically, the Standard requires capturing digital evidence at that point.

A number of fraud and corruption events fail to be investigated correctly in the first instance because the evidence is not captured immediately or appropriately, and is not secured to protect it from deletion or safeguarded against contamination. The same considerations exist for physical evidence. The guidance also covers investigations, the investigator, investigations planning and record-keeping. These guides are geared towards ensuring organisations are well placed to respond to incidents and prosecute where necessary.

12.  New guidance around the disruption of fraud and corruption.

In many cases, an investigation may not uncover enough evidence for legal proceedings or police referral, so there is guidance around the disruption of fraud and corruption being an adequate response in these circumstances, ensuring the activity doesn’t continue. As per the Standard, these include:

  • Increased audit activity 
  • Increased monitoring of specific transactions 
  • Internal control augmentation
  • Delivery channel revaluation 
  • Augmented identity checking.

Assessing your compliance with Standards

Many of these changes are already considered and recommended to effectively mitigate the impact of fraud and corruption on businesses and organisations. Inclusion in the revised Standard will make them a ‘must’. As such, organisations should begin reviewing their Fraud Control Program and implement critical changes to create a Fraud and Corruption Control System compliant with the revised 2021 Standard.

Are Standards mandatory?

One of the key questions many businesses and organisations have is whether these Standards are mandatory - it’s a bit of a ‘yes’ and ‘no’.

While Standards are a good reference point for businesses, they are not legally binding unless incorporated into legislation - such as the standards for child car seats. In this case, the law imposes a duty to use the Australian Standard (AS) to ensure compliance with the legal obligations.

Where Standards are not incorporated into law, they do serve as an excellent source of reference. 

When the courts or tribunals are looking at a determination, and whether the company did all things reasonably possible to manage the risk, they often will look at whether the company was compliant with Australian Standards.

Organisations should be aware of what Australian Standards are and how their application can enhance business operations. 

What about instances where there are International Standards (otherwise known as ISOs)?

International Standards (e.g. ISO 37001-2019 Anti-Bribery Management Systems) can also be considered in conjunction with the equivalent Australian Standard. This means that an International Standard may be useful, particularly where its use achieves the same or better overall level of risk mitigation as its Australian Standard equivalent.

Published on 11 June 2021, AS8001 is now ready for implementation. Released by Standards Australia, AS8001 can also be purchased through SAI Global.

BDO is well placed to advise businesses and organisations looking to comply with AS8001:2021 – Fraud & Corruption Control.

Our webinar series ‘Mapping the Fraud Blueprint of Tomorrow’ is designed especially for boards, executives and leadership teams. Our experts share insights about how best to manage the ever-changing fraud and corruption landscape, with a focus on tech, transparency, and tone-from-the-top.

For more information or if you have any questions about this article, please contact your local office.

Download checklist

BDO have prepared a checklist with the Board and Executives in mind - to assist in their understanding and ensure the right questions are being asked about their organisation’s current risks and controls. This checklist acts as a comprehensive guide to effectively implement fraud and corruption control practices that comply with AS8001:2021.