Announcement posted by InConsult 23 Nov 2021
SYDNEY, Australia, November 23, 2021 - The third edition of the Australian Standard AS 8001:2021 – Fraud & Corruption Control was recently released. Overall, the updates are a welcome refresh of the 2008 edition, and the 2021 revision addresses new and relevant areas. But the revised 2021 edition spreads its tentacles into other areas, including information technology, security incident management and anti-bribery, through its normative references, meaning that full compliance will be a challenge for many organisations.
AS 8001 is the benchmark
"AS 8001 is arguably the benchmark guide for how organisations should manage and mitigate fraud and corruption risks," according to InConsult director Tony Harb.
"The first edition of AS 8001 was in 2003, after a spate of corporate collapses that included Enron, WorldCom, One.Tel and HIH in the early 2000s. AS 8001 was updated again in 2008, right in the middle of the Global Financial Crisis. But a lot has happened since then, especially around information technology, and the 2021 refresh of AS 8001 reflects some of these major changes," he added.
AS 8001 is the backbone to regulations
AS 8001 is a very good standard. It’s very popular and has a strong corporate following. This means it is widely used as a reference point by many organisations in the public and private sector to help set the foundations of their fraud and corruption policy, plan, framework, systems and practices.
"But the impact of AS 8001 is far more reaching because it is also the backbone for how state and federal regulators such as the Independent Commission Against Corruption (ICAC), the Australian Prudential Regulation Authority (APRA) and the Audit Office of New South Wales set fraud and corruption control guidelines," he added.
There are many instances where regulators and government agencies use AS 8001:2008 as a reference point to guide and encourage organisations to adopt the Standard or their own guidelines, including the Audit Office of New South Wales' Fraud Control Improvement Kit and APRA's prudential practice guide SPG 223 – Fraud Risk Management.
AS 8001:2008 is now superseded
The release of the 2021 edition means that AS 8001:2008 is officially 'superseded'. A superseded Standard is one which has been fully replaced by another Standard that is a new edition of the same Standard. According to Tony Harb, this means that any reference to the 2008 edition is now outdated, and a simple review and edit of current policy and framework documents or guidelines to find "2008" and replace it with "2021" will not be enough to comply with the new edition.
"The new 2021 edition will require organisations to undertake a more comprehensive review and assessment of their entire fraud and corruption control system, which is now much broader," said Tony Harb.
Some key changes include specific oversight responsibilities for the governing body (such as the board), inclusion of the Information Security Management System (ISMS) professional as a new role, greater alignment to information security management, new and refined definitions, and the requirement to pressure test controls.
Implications of normative references
But the biggest change according to Tony Harb is the inclusion of normative references in AS 8001:2021.
International standards directives define the inclusion of a normative reference as follows: "This conditional element shall give a list of the referenced documents… in such a way as to make them indispensable for the application of the document."
What does this mean? By citing other standards in AS 8001, such as ISO 31000 Risk management and AS ISO/IEC 27001 Information technology — Security techniques — Information security management systems, as normative references, these references are considered indispensable to the application of AS 8001:2021. In other words, they are critical, vital, essential, necessary and obligatory.
There are 10 normative references in the standard and complying with all of them may be a stretch and a major challenge for many organisations.
So for an organisation to say its fraud and corruption control framework complies with AS 8001:2021 will now require considerable work.
"From our experience and research, many large organisations can struggle to comply with the Australian Cyber Security Centre's baseline cyber security guidelines, known as the Essential Eight, and the normative reference in the 2021 edition to AS ISO/IEC 27001, which is even more rigorous to comply with when it comes to information security management, will be a challenge," added Tony Harb.
"We have already seen concerns raised by a number of organisations on the impact of the new AS 8001:2021 on their resources and skill set to transition to the new Standard. Our advice is simple... doing nothing is not an option, because the new Standard is a significant enhancement to the 2008 edition. But don't rush... evaluate your current fraud and corruption control system against the new edition and develop a work plan over the next 12 months to transition to the new Standard," Tony Harb suggested.
"Where an organisation does not meet some elements of a normative reference, we recommend adding a note to internal documentation listing those elements and outlining the reasons why not, and any other compensating controls or relevant factors, to help strengthen fraud and corruption framework governance," he added.
Review the changes
InConsult has undertaken a review of the key changes between AS 8001:2008 and the new AS 8001:2021. You can read the full article here - Key Changes to AS 8001:2021 Fraud & Corruption Control. Organisations looking to achieve better practice in fraud and corruption control should also purchase a copy of the new standard and assess the impact of the new edition on their activities, systems, stakeholders and business environment.
No organisation is immune from fraud and corruption
InConsult is committed to helping organisations better understand the benefits and value of fraud and corruption control. Find out more about our fraud and corruption prevention services. Follow news and updates from InConsult on Twitter and LinkedIn.
About InConsult
Established in 2001, InConsult is a leading professional services firm with extensive local and international experience in risk management, business continuity, fraud and corruption prevention, internal audit, probity, assurance and GRC software development and delivery. To learn more, visit inconsult.com.au.
