Key Takeaways:
AS8001:2021 is an updated framework from Standards Australia designed to help organizations combat fraud and corruption. It builds on earlier versions by increasing board-level responsibility for combating fraud and corruption, factoring in new technologies, and embracing a whole-of-organization approach. CFOs and Accounts Payable managers need to be aware of AS8001:2021 as the framework has particular implications for Accounts Payable functions, which are often at the forefront of the fight against fraud and corruption.
The Accounts Payable Guide to AS8001:2021
Mitigating the risk of fraud and corruption is a key priority for all organizations. There are both financial and legal reasons to take concrete steps to reduce exposure. Failing to do so could see your organization held accountable by courts, tribunals, shareholders, or other stakeholders. However, those with malicious intent are constantly adapting their tactics, making the fight to prevent fraud and corruption particularly challenging for many organizations.
To help implement best-practice fraud and corruption mitigation strategies, Standards Australia recently released the third edition of AS 8001 Fraud and Corruption Control.
What is AS8001:2021?
AS8001:2021 is a framework that aims to guide organizations in combating fraud and corruption. Originally released by Standards Australia in 2008, this version, released in July 2021, is the third edition of the framework. It seeks to ensure the framework meets current industry circumstances by considering the impact of technology in modern business operations.
The main objective of this updated Standard is to guide organizations regarding the minimum requirements for developing, implementing, and maintaining an effective Fraud and Corruption Control System (FCCS). Simply put, the goal of an FCCS is to:
Prevent fraud and corruption.
Detect fraud and corruption.
Respond to fraud and corruption events that have already occurred.
While AS 8001:2021 itself is not mandatory, it is an excellent guide for organizations that have obligations to prevent fraud and corruption. If an organization’s board members need to justify their actions before a court or tribunal, judges are likely to consider whether the organization took all reasonable steps to manage the risk of fraud and corruption. Aligning your internal controls with AS 8001:2021 is an excellent way to demonstrate that your organization implemented appropriate measures intended to prevent fraud and corruption.
Complying with AS 8001:2021 could save your organization significant costs and avoid potentially damaging legal ramifications. Fraud and corruption can penetrate any section of an organization. However, there are particular risks for Accounts Payable (AP). In this review of AS 8001:2021, we will look specifically at the implications for a typical Accounts Payable function.
What's New in AS8001:2021?
Stronger Controls
The first thing to note about AS 8001:2021 is that it strengthens the controls around fraud and corruption compared to earlier iterations of the framework. Whereas previous versions spoke of the need to have “Fraud Control Plans,” this has been elevated to implementing “Fraud and Corruption Control Systems.” An FCCS is more rigorous, as it details the specific minimum requirements an organization shall adopt to combat fraud and corruption. By contrast, while plans may be developed, without the appropriate measures in place, the plan may not be fully implemented.
Making Boards Responsible
Another significant change is that fraud and corruption are not solely the responsibility of “Top Management,” as in previous iterations of the framework. This version stipulates that a “Governing Body” needs to retain overall accountability for ensuring that the organization has adequate anti-fraud and anti-corruption measures in place. This implies that the board of an organization must take an active interest in managing the risk of fraud and corruption.
The Impact of Technology
The driving impetus for updating and strengthening the framework is the impact technology is having in contemporary organizations. With technology integrated into every aspect of an organization’s operations, there is an urgent need to consider the ways technologies are being used to perpetrate fraud and corruption. For example, a Business Email Compromise (BEC) attack may be the vehicle through which a fraudster initiates invoice redirection fraud.
The Standard makes clear the impact technology is having on increasing instances of external fraud:
“The pervasiveness and increasing sophistication of information technology, the rapid take-up of internet-based payment systems by the general population, and an increasingly globalized economy have led to an increased incidence of external fraudulent attack on Australian organizations across all sectors. In response to these fundamental changes in the way business operates, this edition of the Standard includes minimum requirements and updated guidance on controlling external, often technologically-driven, attacks on Australian organizations.”
Adopting a Whole-of-Organization Approach
This updated framework also recognizes that fraud and corruption are no longer the sole purview of the finance department. Rather, a whole-of-organization approach is required. That’s why boards have a critical role to play. It is also the reason the Standard now advocates for specialist resourcing, such as appointing an Information Security Management System (ISMS) professional who can align the organization’s cybersecurity approach with its efforts to combat fraud and corruption.
Emphasizing the necessity of a whole-of-organization approach, AS 8001:2021 stipulates a range of functions within an organization that have an important role to play in reducing the risk of fraud and corruption, including the procurement and Accounts Payable functions.
7 Ways AS8001:2021 Impacts Accounts Payable:
1) Record Keeping and Confidentiality of Information
Having accurate and complete records is an important measure organizations can implement to mitigate fraud and corruption. The Standard emphasizes the importance of accurate and complete records in preventing, detecting, and responding to fraud or corruption events. Of particular note for any Accounts Payable team is the Standard’s recommendation to assign access rights and permissions for relevant documents and systems to designated personnel.
When it comes to preventing payment redirection fraud, internal threat actors may manipulate supplier banking details in the text-based ABA files used to process EFT payments in online banking portals. By restricting access to such files to a limited number of personnel, an organization can reduce the risk of experiencing instances of internal fraud.
The same is true for external threat actors who seek to deceive Accounts Payable staff into manipulating supplier banking records in ERP systems and Vendor Master Files. Once again, restricting access to these systems is recognized by the Standard as an important control in reducing fraud.
To align with the Standard’s guidance on record keeping and confidentiality of information, Accounts Payable teams should liaise with their organization’s IT department to implement appropriate user roles and permissions for systems and files.
2) Managing Conflicts of Interest
All too often, instances of internal fraud can occur due to conflicts of interest. The Standard urges organizations to maintain records of relevant business, financial, family, political, or personal interests of staff that could conflict with their organization-wide duties.
Recent cases reported publicly have demonstrated that staff experiencing personal financial difficulties, often due to gambling addictions, may seek to commit fraud against their employer. In the case of Accounts Payable staff, such frauds are usually committed by redirecting EFT payments. The Standard emphasizes the importance of organizations seeking to identify concealed conflicts of interest among staff that could serve as motivation for them to engage in fraudulent activities.
One of the most effective ways an organization can manage the risks posed by conflicts of interest is through the introduction of rigorous segregation of duties policies. With duties properly segregated, multiple staff members would need to collude for any fraud event to occur, which reduces the likelihood of fraud.
3) Pressure Testing the Internal Control System
The recommendation to introduce Pressure Testing is one of the most relevant elements in the Standard for Accounts Payable teams. It adapts the concept of “Penetration Testing” that is now widespread in cybersecurity. Just as a Penetration Test involves an external expert looking to identify vulnerabilities that may facilitate a breach of your network or applications, Pressure Testing is a similar initiative that seeks to determine your organization’s resilience to fraud or corruption events.
A Pressure Test seeks to assess the effectiveness of your internal controls. An external team will initiate a series of test transactions. This may involve the introduction of documents, data, or other actions that are commonly associated with fraud or corruption. The aim is to determine whether your existing internal controls have the ability to identify the potential fraud or corruption and to stop it. For example, the external testers may submit false invoices to determine whether your Accounts Payable team carries out the necessary verifications before processing a payment.
The Standard outlines numerous benefits from Pressure Testing, including:
Gaining a better understanding of different functions, programs, and risks across the organization.
Providing assurance that internal controls designed to mitigate fraud and corruption risk are operating as intended.
Closer internal working relationships.
Increased fraud awareness, helping staff acknowledge the risk of fraud and the vulnerabilities of associated processes.
Identifying and rectifying previously unknown control vulnerabilities.
Any weaknesses or vulnerabilities identified should be remediated promptly by the organization to mitigate the risk of an actual fraud or corruption event.
Common vulnerabilities identified in Pressure Testing include:
Lack of fraud awareness.
Inadequate quality assurance.
Not verifying information or evidence.
A lack of effective oversight.
Weak technology controls.
Inadequate detection controls.
A lack of reporting or reconciliation.
4) Enquiries to be Undertaken Regarding the Integrity of Business Associates
Many organizations struggle to verify the integrity of their third-party business associates. This can expose an organization to a range of risks. For example, business identity theft is a growing concern. It may see fraudsters attempting to impersonate your business associates in order to carry out invoice redirection scams. In a world of online EFT payments, it is more important than ever to have rigorous procedures in place to accurately verify the identity or veracity of your business associates. Failure to do so may make your organization more prone to being defrauded.
To combat fraud, the Standard emphasizes the importance of having systems in place to verify the identity and integrity of your business associates. Among the checks it recommends when validating a business associate are:
Search of company register.
ABN and bank account information.
Verification of the personal details of directors.
Director bankruptcy search.
Disqualified director search.
Assessment of credit rating.
Telephone listing verification.
Accounts Payable teams should have systems in place to undertake these searches when onboarding a new supplier in your ERP system or Vendor Master File. Additionally, continuing compliance should be embraced, ensuring that ongoing verification takes place. This is particularly important immediately prior to transferring funds to a supplier, as circumstances may change between the time the supplier was onboarded and the time of a payment being issued.
5) Preventing Technology Enabled Fraud
The growth in technology in recent years leaves all Australian organizations exposed to technology-enabled fraud. The perpetrators of this type of fraud have demonstrated they have the skills to constantly adapt to the emergence of new technologies and new security measures. The use of cloud-based applications has increased the risks for many organizations, as critical corporate information may be more susceptible to breaches that enable fraud events to take place.
The Standard advises organizations to embrace a security-in-design approach that will facilitate continuously assessing their exposure to technology-enabled fraud. Organizations are advised to embrace an ISMS that also takes into consideration the risks of fraud and corruption. The Standard recognizes the link between cybersecurity breaches and the greater risk of fraud or corruption to which they may expose an organization.
While technology may expose an organization to a greater risk of fraud, it also has the potential to strengthen an organization in the fight against fraud. Accounts Payable teams should look to embrace technology solutions that help verify suppliers, thereby controlling the risk of EFT payments fraud.
6) Data Analytics
Data analytics can play a pivotal role in mitigating the risk of fraud and corruption. The Standard recommends that organizations capture relevant indicators that will assist them in reducing their exposure. Software can play an important role in facilitating the capture of relevant data.
The Standard particularly references the risk of false invoicing whereby a staff member may process fictitious invoices for goods or services that have not been supplied to the organization. Robust internal controls are essential to prevent this type of fraud.
When it comes to sources of data, the Standard recommends the following:
Internally, from the organization itself.
Other organizations – third parties with whom your organization has no pre-existing relationship.
Relevant regulators.
For Accounts Payable teams, obtaining data from a variety of divergent sources can be challenging. However, with the right systems in place, it is possible to obtain the necessary data that provides critical awareness into potentially fraudulent events.
Importantly, the Standard advises that data should ideally be obtained in real-time. Accounts Payable teams should embrace real-time fraud detection software systems, such as those that facilitate data matching techniques, to detect potentially fraudulent events.
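The pre-payment checks described in sections 4 and 6 (verifying ABN and bank account details at onboarding and again immediately before funds are released, and matching payment data against the organization’s own records) can be illustrated with a short screening routine. This is an added example, not code from the Standard or from Eftsure; the vendor master records and payment batch are constructed sample data, and the ABN check-digit rule is the Australian Taxation Office’s published algorithm.

```python
from dataclasses import dataclass

# ATO ABN check-digit weights for the 11 digits (first digit is reduced by 1).
ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)

def abn_is_valid(abn: str) -> bool:
    """ABN check-digit test: subtract 1 from the first digit, multiply each
    digit by its weight, and require the sum to be divisible by 89."""
    digits = [int(c) for c in abn if c.isdigit()]
    if len(digits) != 11 or digits[0] == 0:
        return False
    digits[0] -= 1
    return sum(d * w for d, w in zip(digits, ABN_WEIGHTS)) % 89 == 0

@dataclass(frozen=True)
class Vendor:          # one record in the Vendor Master File
    vendor_id: str
    abn: str
    bsb: str
    account: str

@dataclass(frozen=True)
class Payment:         # one line of an outgoing EFT batch (e.g. an ABA file)
    vendor_id: str
    bsb: str
    account: str
    amount_cents: int

def screen_payments(payments, vendor_master):
    """Return (vendor_id, reason) for each payment that must be held for review.
    A payment is released only if its bank details match the vendor master
    and the vendor's ABN passes the check-digit test."""
    held = []
    for p in payments:
        v = vendor_master.get(p.vendor_id)
        if v is None:
            held.append((p.vendor_id, "unknown vendor"))
        elif (p.bsb, p.account) != (v.bsb, v.account):
            held.append((p.vendor_id, "bank details differ from vendor master"))
        elif not abn_is_valid(v.abn):
            held.append((p.vendor_id, "vendor ABN fails check digit"))
    return held

# Constructed sample data: not real vendors, ABNs in use, or bank accounts.
VENDOR_MASTER = {
    "V001": Vendor("V001", "51 824 753 556", "062-000", "12345678"),
    "V002": Vendor("V002", "51 824 753 557", "062-000", "87654321"),
}
PAYMENT_BATCH = [
    Payment("V001", "062-000", "12345678", 150000),  # matches master: released
    Payment("V001", "082-001", "99999999", 150000),  # details altered: held
    Payment("V002", "062-000", "87654321", 50000),   # ABN check digit fails: held
]
```

Running `screen_payments(PAYMENT_BATCH, VENDOR_MASTER)` returns the two held payments with their reasons; in practice the batch lines would be parsed from the payment file and the vendor master read from the ERP.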
7) Disruption of Fraud and Corruption
Disruption is a critical element in the response to fraud and corruption. Given the challenges of combating global crime syndicates, disruption of their activities is more important than ever.
Organizations can embrace a range of techniques that will help disrupt the activities of those carrying out fraud or corruption. These techniques may include:
Increased audit activity in the business activity concerned.
Implementing additional / more rigorous internal controls such as authorization procedures and segregation of duties.
Implementing additional identity validation requirements for new and existing vendors.
Additional fraud and corruption awareness training for staff.
All these techniques are particularly important for Accounts Payable teams to embrace, as they will have a material effect on strengthening your ability to fight fraud and corruption.
How can Eftsure help?
The release of AS8001:2021 represents an important step up for any Accounts Payable team looking to mitigate the risk of fraud and corruption. Despite the fact that this Standard is not mandatory, organizations would be well advised to adopt many of the best-practice recommendations contained in the Standard in order to avoid the financial, reputational, and legal consequences that would result from a fraud or corruption event.
Many of the recommendations contained in the Standard have direct relevance for Accounts Payable teams, who are often at the forefront of both internal and external threats.
By integrating the Eftsure platform into your Accounts Payable processes, your organization can align with many of the recommendations in the Standard. Eftsure helps you:
Maintain an accurate and complete audit trail
Implement segregation of duties
Strengthen internal controls by providing an extra layer of defense against fraud or error
Onboard suppliers securely
Check ABN and other essential compliance details in real-time
Verify bank account information in real-time
Disrupt fraud by aggregating data from multiple sources which increases awareness of potential threats
Contact Eftsure today for a full demonstration of our unique fraudtech platform and how it can help in your organization’s fight against fraud and corruption.