Realigning risk management frameworks with the revised AS 8001 Fraud and Corruption Control standard
Revisions to Australian Standard 8001:2008 Fraud and Corruption Control are close to being finalised, with re-release of the standard expected soon. The new version will replace the previous iteration published in 2008.
Risk management frameworks which currently align to AS 8001:2008 will need to be reviewed against this new standard.
Risk management practitioners will be familiar with AS 8001:2008 Fraud and Corruption Control, and many will use it as a primary source of guidance for preventing and detecting fraud and corruption across all sectors in Australia, as well as for responding to incidents as and when they occur. McGrathNicol Senior Consultant Dean Newlan is convenor of the Standards Australia AS 8001 working group tasked with revising the 2008 standard. Dean has delivered a webinar, hosted by the NSW Independent Commission Against Corruption (ICAC), outlining the changes that will flow from the release of the revised standard.
New minimum requirements
Amendments include introducing the concept of ‘minimum requirements’ for organisations wishing to develop, implement and maintain an effective fraud and corruption control system. Under the revised standard, organisations ‘shall’ do certain things in order to comply, in place of the currently used expression ‘should’ (requirements in the new version include the expression “Organizations shall …”). This means that any organisation seeking to fully ‘comply’ with the new standard must, at a minimum, have implemented all of the ‘requirements’.
Until now, AS 8001 had stopped short of stipulating that an element is a ‘requirement’: elements previously appearing in the standard in bold text were offered as best practice guidance rather than as ‘requirements’. The expressions are used as follows:
- “shall” indicates a requirement
- “should” indicates a recommendation
- “may” indicates permission
- “can” indicates a possibility or a capability
What other standards do organisations need to comply with?
In addition, in order to comply with the reissued AS 8001, organisations will need to comply with a number of nominated standards issued by Standards Australia, ISO or IEC which are referred to as ‘Normative References’. Normative references are standards that an organisation must implement in order to comply with a standard. Normative references in AS 8001 will include:
- AS ISO 31000: Risk management – Guidelines;
- AS ISO 37001: Anti-bribery management systems – Requirements with guidance for use; and
- AS ISO/IEC 27001: Information technology – Security techniques – Information security management systems – Requirements.
It is likely many larger Australian organisations will already comply with some or all of these normative references.
Other significant changes to AS 8001 include a requirement to develop and implement a risk-based Information Security Management System (ISMS) to manage information security and other IT-related risks. This has been driven by a global increase in cyber-attacks raising information security concerns across all industries.
How much work will be required by organisations?
How much work will be required to realign an organisation’s risk management framework with the new standard will depend on the size of the organisation. In many cases, larger organisations with mature risk management frameworks may already comply with the minimum requirements and normative references set out in the revised AS 8001. Two areas which may require closer attention are qualified resourcing and the development or enhancement of existing Fraud and Corruption Control Systems / frameworks.
There are a number of international standards under development (e.g. ISO 37003 Fraud control – Guidance) or due for release in the near future (e.g. ISO 37002 Whistleblowing management systems – Guidelines; ISO 37301 Compliance management systems) which may also impact existing compliance and risk management frameworks.
Monitoring the development of Australian and international standards enables organisations to identify potential areas for remediating or enhancing existing risk management systems.