An Introduction to Australian Standard 8001:2021
Roger Darvall-Stevens took the virtual stage at this year’s ACFE Fraud Conference Asia-Pacific in late September to discuss Australia’s recent update to its fraud and corruption control standard. As the national head of fraud & forensic services for RSM Australia, Darvall-Stevens provided an elucidating introduction to Australian Standard 8001:2021, which sets out a foundation for fraud and corruption control: prevention, detection and response.
While the Standard is not legally enforced, it does set minimum requirements that an organization must meet to claim compliance with it. These cover a variety of control systems and best practices, such as having a template for documenting fraud and corruption incidents. One of the 2021 updates is a reference to information security management systems as part of the control framework. “With a massive increase in cybersecurity issues, a subset of this is cyberfraud, and that’s a component of fraud that we need to look after,” Darvall-Stevens noted.
Darvall-Stevens highlighted a series of updates to the guidance in the 2021 version of the Standard, including the following:
An increased emphasis on external attacks — particularly cyber attacks
Updated guidance on managing conflicts of interest, including the risks associated with gifts, hospitality and similar benefits
Management principles for performance-based targets, so that targets do not create undue pressure that drives employees to commit fraud in order to meet them
Best practices for workforce and business associate screening, so that organizations can perform due diligence while keeping in mind what is legally and culturally acceptable when checking police and criminal history, background, bankruptcy, work history and qualifications
Standards for whistleblower management and protection
A protocol for digital evidence first response, including separating the investigation process from the determination process, because the subject of an internal investigation might otherwise claim that the investigation was neither fair nor objective since it was handled internally
Templates for creating and maintaining a fraud and corruption event register, so that organizations can confidentially keep track of this facet of their corporate history
The guidance also updates the specialist resources on investigator expertise and investigator safety. He explained that, in different countries or territories, “there are different political situations and different laws, and investigators need to ensure that they comply with those laws, but also that they are safe regarding cultural areas or corruption of police or other bodies.”
Darvall-Stevens advocated using the Standard as a benchmark against what an organization already has in place, to identify gaps in its fraud and corruption risk assessment and management. Continuous improvement of internal controls is crucial to preventing fraud events. “It’s so important that any fraud and corruption prevention activity is looped back to improving the prevention and control environment,” he stressed.
Building on this point, Darvall-Stevens emphasized a robust addition to Australian Standard 8001:2021: the concept of pressure testing. “Pressure testing is the assessment aimed at the effectiveness of the tools specifically designed to prevent or mitigate fraud and corruption risk,” he defined. Much as a cybersecurity program uses penetration testing to probe whether its defenses hold up against a determined attacker, pressure testing exercises the anti-fraud controls themselves and identifies improvement opportunities that will help deter future attacks.
Elaborating on the importance of whistleblower protection programs, Darvall-Stevens reminded the audience, “A tip-off is the most common way fraud is detected. The majority come from employees, and then customers, and then anonymous [sources].” Organizations that nurture and protect whistleblowers detect fraud much faster and investigate it more effectively, since whistleblowers are more likely to assist with an investigation when their safety is prioritized.
Drawing on the list in Australian Standard 8001:2021, Darvall-Stevens outlined the immediate responses that should follow a detected fraud event:
Identify as quickly as possible the parties involved, whether internal or external
Identify as quickly as possible whether funds have been removed, and freeze the organization’s affected bank accounts to prevent further leakage
If funds have been transferred, act to freeze the accounts into which money has been moved
Collect and preserve digital and physical evidence
Assess what risk the event will pose to the business
Suspend workers suspected of involvement until the investigation is complete
Rounding out his presentation, Darvall-Stevens stressed that organizations have not only the potential but also the responsibility to continually improve, and to engage in the kind of pressure testing that will minimize the number of fraud and corruption incidents in the future.