In 2019, Adam Simms, Partner, Forensic Services at BDO, was invited to be part of the review of the existing Standard. As an experienced financial crime lawyer, Adam has an in-depth understanding of this Standard and its application.
“Since COVID-19 there has been a marked change in the profile of fraud and corruption across all sectors with the rationalisation to commit financial crime reaching alarming levels. The release of the revised Standard is timely in a COVID-19 world and will offer some useful insight and in some cases a reminder, on fraud and corruption risk across organisations,” Adam said.
“The AS8001 Standard was created to provide guidance on corporate governance around fraud and corruption issues due to some large global corporate collapses at the time. AS8001 was one of five Standards released to guide Boards and senior management in minimising fraud and corruption risks.
“Standards Australia ensures Standards are revised within ten years or withdrawn. As a result, all of the five Standards (excluding AS8001) were withdrawn. In 2008, AS8001 was revised but has not been revisited until now, undergoing a much-needed refresh. BDO is proud to have been part of that revision process.
“As a priority, the revision brings the 2008 Standard up-to-date, especially when it comes to the impact of technology in modern business operations. In today’s world of integrated technology and greater interconnectivity, businesses and organisations are at a much greater risk of external attacks such as cyber-attacks. As the 2008 version and its predecessors were heavily focused on internal activities, the revised Standard recognises the significant rise of external threats.”
What are some of the more significant changes in the new AS8001?
Aside from the proven traditional approaches to fraud and corruption control that remain in the Standard, there are some important changes for organisations. In particular, the new Standard moves away from “should” statements and now states that organisations “shall” consider the following:
- The concept of ‘Fraud Control Plans’ is replaced with the ‘Fraud and Corruption Control System.’ Fraud Control Plans have evolved into a more robust documented system. The idea of a system, as opposed to a plan, is that it brings together the strategies the organisation has adopted to combat fraud and corruption as required, rather than a plan that ends up as another governance document gathering dust. Historically, we have seen organisations develop a plan and then ‘shelve’ it, implementing it poorly or not at all.
- Updated definitions for ‘fraud’ and ‘corruption.’ The new definitions encompass the full scope of fraud and corruption to provide more holistic approaches to combatting it. The idea behind updating these definitions is that focusing only on breaches of the criminal law would miss an opportunity to stamp out other behaviours that are harmful to organisations.
- AS8001 is distinguished from, and harmonised with, ISO 37001-2019 Anti-Bribery Management Systems. The International Standard ISO 37001 became an Australian Standard in 2019, so it does apply in Australia. While the concept of bribery is not that far from that of corruption, the concept of corruption is far broader than bribery, and AS8001:2021 addresses this distinction.
- There is now a requirement for organisations to plan for preventing, detecting and responding to external attack, particularly ‘cyber-borne’ attacks. This recognises organisational reliance on technology and the associated risks being more prevalent now than in 2008.
- A new concept referred to as “normative references” means other fraud and corruption-related Standards will also need consideration to afford compliance with AS8001:2021. There are nine of these normative references, but two important examples are:
  - Information Security Management - requires conformance with ISO/IEC 27001 ‘Information Security Management System (ISMS).’ This Standard reflects the impact of cyber-attacks on businesses in recent times. Businesses will need to work towards an ISMS, which is a set of policies and procedures that control an organisation’s sensitive data.
  - Risk Management - requires conformance with ISO 31000:2018 – Risk Management. Businesses are faced with varying risks. These guidelines assist businesses in applying common approaches to risk management to meet the individual needs of their business.
- Scrutiny of Boards - there is broader scrutiny on the tone from the top, with the Standard referencing the ‘Governing Body’ role as distinct from ‘Top Management’. The new standard AS8001:2021 defines the various lines of management and brings in the Board as the Governing Body responsible for managing governance and risk, together with senior management. Senior management should also understand their role in combatting fraud and corruption risk, and ensure they are in a position to understand the organisation’s risks so they can inform the Board as well as manage that risk.
- Third-party notification - there is new guidance that considers the impact of a fraud and corruption event on third parties such as customers/clients, Government services and the relevant industry more broadly, and whether to inform these parties. This includes guidance around the right time to share information to prevent further or ongoing fraud. By way of example, if an organisation is subjected to an external attack and what has happened to them may be happening to other organisations within the same industry or sector, there are considerations to be made about whether and when to notify them.
- ‘Pressure testing’ of internal controls - the Standard introduces a concept analogous to penetration testing in cyber security, where a white hat hacker attacks your technology system. Pressure testing draws on that concept but is used to test internal fraud and corruption mitigation controls; an example given in the Standard is a test of the controls around false invoicing. This is a common type of fraud associated with poor controls over entering new vendors or updating vendor information in the system. A specific test might include an email communication to change client details in the vendor management system and observing how the internal controls respond. How organisations do this will be up to them, but it must form part of the program.
- Due diligence requirements for ‘business associates’ – the screening and management of business associates which includes external parties with whom the organisation has a business relationship. This has been a heightened risk during COVID and is something that has not historically been managed well by organisations. The Standard suggests searches that can be undertaken in this regard.
- Reference and guidance to whistleblower protection and misconduct reporting channels. Whistleblowing remains a key detection mechanism in all organisations, and a whistleblowing platform should be considered as a misconduct barometer for the business and a safeguard for the business and interested parties. A new Standard is under production, ISO 37002 Whistleblowing Protection Management System, expected in Q3 2021, and some items from the draft ISO 37002 have been included in AS8001:2021.
- Immediate actions in fraud and corruption response - there is a range of new guidance within the Standard relating to the immediate actions in response to the discovery of fraud or corruption. More specifically, the Standard requires the capture of digital evidence at that point. A number of fraud and corruption events fail to be investigated correctly in the first instance because the evidence is not captured immediately or appropriately, is not secured to protect it from deletion, or is not safeguarded against contamination. The same applies to physical evidence. The guidance also covers investigations, the investigator and the safety of that person, investigation planning and record-keeping. These guides are geared towards ensuring organisations are well placed to respond to incidents and prosecute where necessary.
- New guidance around the disruption of fraud and corruption - in many cases, an investigation may not uncover enough evidence for legal proceedings or police referral, so there is guidance around the disruption of fraud and corruption being an adequate response in these circumstances, by ensuring the activity doesn’t continue. As listed in the Standard, these include:
  - Increased audit activity
  - Increased monitoring of specific transactions
  - Internal control augmentation
  - Delivery channel re-evaluation
  - Augmented identity checking.
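As an added illustration of the ‘pressure testing’ and ‘increased monitoring of specific transactions’ points above (example code written for this page, not from the Standard or BDO), the following flags vendor-master changes that bypassed the expected controls and any payments that followed them. The field names, the constructed audit records and the 14-day window are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real data): vendor master changes as an audit
# trail might record them, followed by payments to those vendors.
VENDOR_CHANGES = [
    {"vendor": "V100", "field": "bank_account", "channel": "email",
     "callback_verified": False, "approvers": ["ap_clerk"], "at": "2021-06-01T09:10"},
    {"vendor": "V200", "field": "bank_account", "channel": "portal",
     "callback_verified": True, "approvers": ["ap_clerk", "ap_manager"], "at": "2021-06-02T11:00"},
    {"vendor": "V300", "field": "postal_address", "channel": "email",
     "callback_verified": False, "approvers": ["ap_clerk"], "at": "2021-06-03T14:30"},
]
PAYMENTS = [
    {"vendor": "V100", "amount": 48000.0, "at": "2021-06-04T16:00"},
    {"vendor": "V200", "amount": 12000.0, "at": "2021-06-05T10:00"},
]

# Fields whose change enables false invoicing; assumed names for this example.
SENSITIVE_FIELDS = {"bank_account", "bsb"}
WINDOW = timedelta(days=14)  # assumed review window after a flagged change


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def unverified_changes(changes):
    """Return (vendor, time, reasons) for sensitive changes that bypassed a control:
    no out-of-band callback to a previously held number, or no dual approval."""
    findings = []
    for c in changes:
        if c["field"] not in SENSITIVE_FIELDS:
            continue
        reasons = []
        if not c["callback_verified"]:
            reasons.append("no out-of-band callback to a previously held number")
        if len(set(c["approvers"])) < 2:
            reasons.append("single approver")
        if reasons:
            findings.append((c["vendor"], c["at"], reasons))
    return findings


def payments_after_unverified_change(changes, payments, window=WINDOW):
    """Return payments made within `window` of an unverified sensitive change."""
    flagged = {v: ts(at) for v, at, _ in unverified_changes(changes)}
    hits = []
    for p in payments:
        changed_at = flagged.get(p["vendor"])
        if changed_at and changed_at <= ts(p["at"]) <= changed_at + window:
            hits.append((p["vendor"], p["amount"], p["at"]))
    return hits
```

Run against a pressure test, the first function shows whether the simulated change request was stopped by the controls; run routinely, the second gives the ‘increased monitoring of specific transactions’ the Standard lists.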
Assessing your compliance with Standards
Many of these changes are already considered and recommended in the effective mitigation of the impact of fraud and corruption on businesses and organisations. Inclusion in the revised Standard will make them a ‘must’. As such, organisations will need to begin reviewing their Fraud Control Program and implement critical changes to create a Fraud and Corruption Control System and to ensure they are complying with the revised 2021 Standard.
Are Standards mandatory?
One of the key questions that many businesses and organisations have is whether these Standards are mandatory - it’s a bit of a ‘yes’ and ‘no.’
While Standards are a good reference point for businesses, they are not legally binding unless they are incorporated into legislation - such as the standards for child car seats as an example. In this case, the law imposes a duty to use the Australian Standard (AS) to ensure compliance with the legal obligations.
Where Standards are not incorporated into law they do serve as an excellent source of reference. When the courts or tribunals are looking at a determination and whether the company did all things reasonably possible to manage the risk, they often will look at whether the company was compliant with Australian Standards.
Organisations should be aware of what Australian Standards are and how they apply to their business operations. Complying with the Standards now could save the company some serious problems (and money) at a later time.
What about instances where there are International Standards (otherwise known as ISOs)?
International Standards (e.g. ISO 37001-2019 Anti-Bribery Management Systems) can also be considered in conjunction with the equivalent Australian Standard. This means that an International Standard may be useful, particularly where its use achieves the same or better overall level of risk mitigation as its Australian Standard equivalent.
Adam Simms, forensics partner, BDO