How Do Banks Investigate Unauthorised Transactions?
Unauthorised transactions, whether due to fraud or errors, can be a stressful experience for consumers. When a bank customer notices an unfamiliar …
AS8001:2021 is an updated framework from Standards Australia that is designed to help organisations combat fraud and corruption.
It builds on earlier versions of the framework by increasing board-level responsibility for combatting fraud and corruption, as well as factoring in new technologies and embracing a whole-of-organisation approach.
CFOs and Accounts Payable managers need to be aware of AS8001:2021 as the framework has particular implications for Accounts Payable functions, who are often at the forefront of the fight against fraud and corruption.
Mitigating the risk of fraud and corruption is a key priority for all organisations. There are both financial and legal reasons for you to take concrete steps to reduce your exposure. Failing to do so could see your organisation held accountable by courts, tribunals, shareholders, or other stakeholders. However, those with malicious intent are constantly adapting their tactics, making the fight to prevent fraud and corruption particularly challenging for many organisations.
To help you implement best-practice fraud and corruption mitigation strategies, Standards Australia recently released the third edition of AS 8001 Fraud and Corruption Control.
AS8001:2021 is a framework that aims to guide organisations in combatting fraud and corruption. It was originally released by Standards Australia in 2008. This version, released in July 2021, is the third edition of the framework. It seeks to ensure the framework meets current industry circumstances by considering the impact of technology in modern business operations.
The main objective of this updated Standard is to guide organisations regarding the minimum requirements for developing, implementing and maintaining an effective Fraud and Corruption Control System (FCCS).
Simply, the goal of an FCCS is to:
Whilst AS 8001:2021 itself is not mandatory, it is an excellent guide for organisations that do have obligations to prevent fraud and corruption. In the event that an organisation’s board members may need to justify their actions before a court or tribunal, judges are likely to consider whether the organisation took all reasonable steps to manage the risk of fraud and corruption. Aligning your internal controls with AS 8001:2021 is an excellent way to demonstrate that your organisation implemented appropriate measures that were intended to prevent fraud and corruption.
So, complying with AS 8001:2021 could save your organisation significant costs and avoid potentially damaging legal ramifications.
Of course fraud and corruption can penetrate any section of an organisation. However, there are particular risks for Accounts Payable (AP). In this review of AS 8001:2021, we will look specifically at the implications for a typical Accounts Payable function.
The first thing to note about AS 8001:2021 is that it strengthens the controls around fraud and corruption compared to earlier iterations of the framework.
Whereas previous versions spoke of the need to have “Fraud Control Plans,” this has been elevated to implementing “Fraud and Corruption Control Systems.” An FCCS is more rigorous, as it details the specific minimum requirements an organisation shall adopt to combat fraud and corruption. By contrast, whilst plans may be developed, without the appropriate measures in place, the plan may not be fully implemented.
Another significant change is that fraud and corruption are not solely the responsibility of “Top Management,” as in previous iterations of the framework. This version stipulates that a “Governing Body” (2.2) needs to retain overall accountability for ensuring that the organisation has adequate anti-fraud and anti-corruption measures in place. This implies that the board of an organisation must take an active interest in managing the risk of fraud and corruption.
The driving impetus for updating and strengthening the framework is the impact technology is having in contemporary organisations. With technology integrated into every aspect of an organisation’s operations, there is an urgent need to consider the ways technologies are being used to perpetrate fraud and corruption. As an example, a Business Email Compromise (BEC) attack may be the vehicle through which a fraudster initiates invoice redirection fraud.
The Standard makes clear the impact technology is having on increasing instances of external fraud:
“The pervasiveness and increasing sophistication of information technology, the rapid take-up of internet-based payment systems by the general population and an increasingly globalised economy have led to an increased incidence of external fraudulent attack on Australian organisations across all sectors. In response to these fundamental changes in the way business operates, this edition of the Standard includes minimum requirements and updated guidance on controlling external, often technologically-driven, attacks on Australian organisations” (Introduction).
This updated framework also recognises that fraud and corruption are no longer the sole purview of the finance department. Rather, a whole-of-organisation approach is required. That’s why boards have a critical role to play. It is also the reason the Standard now advocates for specialist resourcing, such as appointing an Information Security Management System (ISMS) professional who can align the organisation’s cybersecurity approach with its efforts to combat fraud and corruption (2.4.2).
Emphasising the necessity of a whole-of-organisation approach, the AS 8001:2021 stipulates a range of functions within an organisation that have an important role to play in reducing the risk of fraud and corruption, including the procurement and Accounts Payable functions (2.4.4).
Having accurate and complete records is an important measure organisations can implement to mitigate fraud and corruption.
The Standard emphasises the importance of accurate and complete records in preventing, detecting and responding to fraud or corruption events. Of particular note for any Accounts Payable team, is the Standard’s recommendation to assign access rights and permissions for relevant documents and systems to designated personnel (2.14).
When it comes to preventing payment redirection fraud, internal threat actors may manipulate supplier banking details in the text-based ABA files that are used to process EFT payments in online banking portals. By restricting access to such files to a limited number of personnel, an organisation can reduce the risk of experiencing instances of internal fraud.
The same is true for external threat actors who seek to deceive Accounts Payable staff into manipulating supplier banking records in ERP systems and Vendor Master Files. Once again, restricting access to these systems is recognised by the Standard as an important control in reducing fraud.
To align with the Standard’s guidance on record keeping and confidentiality of information, Accounts Payable teams should liaise with their organisation’s IT department to implement appropriate user roles and permissions for systems and files.
All too often instances of internal fraud can occur due to conflicts of interest. The Standard urges organisations to maintain records of relevant business, financial, family, political or personal interests of staff that could conflict with their organisation-wide duties (3.3).
Recent cases reported publicly have demonstrated that staff experiencing personal financial difficulties, often due to gambling addictions, may seek to commit fraud against their employer. In the case of Accounts Payable staff, such frauds are usually committed by redirecting EFT payments. The Standard emphasises the importance of organisations seeking to identify concealed conflicts of interest among staff that could serve as motivation for them to engage in fraudulent activities.
One of the most effective ways an organisation can manage the risks posed by conflicts of interest is through the introduction of rigorous segregation of duties policies. In order for any fraud event to occur, multiple staff members would be required to collude in carrying out the fraud. This reduces the likelihood of fraud.
The recommendation to introduce Pressure Testing is one of the most relevant elements in the Standard for Accounts Payable teams.
It adapts the concept of “Penetration Testing” that is now widespread in cybersecurity. Just as a Penetration Test involves an external expert looking to identify vulnerabilities that may facilitate a breach of your network or applications, Pressure Testing is a similar initiative that seeks to determine your organisation’s resilience to fraud or corruption events (3.5.3).
A Pressure Test seeks to assess the effectiveness of your internal controls. An external team will initiate a series of test transactions. This may involve the introduction of documents, data or other actions that are commonly associated with fraud or corruption. The aim is to determine whether your existing internal controls have the ability to identify the potential fraud or corruption and to stop it. For example, the external testers may submit false invoices to determine whether your Accounts Payable team carries out the necessary verifications before processing a payment.
The Standard outlines numerous benefits from Pressure Testing, including:
Any weaknesses or vulnerabilities identified should be remediated promptly by the organisation to mitigate the risk of an actual fraud or corruption event.
Common vulnerabilities identified in Pressure Testing include:
Many organisations struggle to verify the integrity of their third-party business associates.
This can expose an organisation to a range of risks. For example, business identity theft is a growing concern. It may see fraudsters attempting to impersonate your business associates in order to carry out invoice redirection scams. In a world of online EFT payments, it is more important than ever to have rigorous procedures in place to accurately verify the identity or veracity of your business associates. Failure to do so may make your organisation more prone to being defrauded.
To combat fraud, the Standard emphasises the importance of having systems in place to verify the identity and integrity of your business associates (3.8.3). Among the checks it recommends when validating a business associate are:
Accounts Payable teams should have systems in place to undertake these searches when onboarding a new supplier in your ERP system or Vendor Master File. Additionally, continuing compliance should be embraced which ensures that ongoing verification takes place. This is particularly important immediately prior to transferring funds to a supplier, as circumstances may change between the time the supplier was onboarded and the time of a payment being issued.
The growth in technology in recent years leaves all Australian organisations exposed to technology-enabled fraud.
The perpetrators of this type of fraud have demonstrated they have the skills to constantly adapt to the emergence of new technologies and new security measures. The use of cloud-based applications has increased the risks for many organisations as critical corporate information may be more susceptible to breaches which enable fraud events to take place.
The Standard advises organisations to embrace a security-in-design approach that will facilitate continuously assessing their exposure to technology-enable fraud (3.9). Organisations are advised to embrace an ISMS that also takes into consideration the risks of fraud and corruption. The Standard is recognising the link between cybersecurity breaches and the way this may expose an organisation to greater risk of fraud or corruption.
Whilst technology may expose an organisation to a greater risk of fraud, it also has the potential to strengthen an organisation in the fight against fraud. Accounts Payable teams should look to embrace technology solutions that help verify suppliers, thereby controlling the risk of EFT payments fraud.
Data analytics can play a pivotal role in mitigating the risk of fraud and corruption.
The Standard recommends that organisations capture relevant indicators that will assist them in reducing their exposure. Software can play an important role in facilitating the capture of relevant data (4.5).
The Standard particularly references the risk of false invoicing whereby a staff member may process fictitious invoices for goods or services that have not been supplied to the organisation. Robust internal controls are essential to prevent this type of fraud.
When it comes to sources of data, the Standard recommends the following:
For Accounts Payable teams, obtaining data from a variety of divergent sources can be challenging. However, with the right systems in place, it is possible to obtain the necessary data that provides critical awareness into potentially fraudulent events.
Importantly, the Standard advises that data should ideally be obtained in real-time. Accounts Payable teams should embrace real-time fraud detection software systems, such as those that facilitate data matching techniques, to detect potentially fraudulent events.
Disruption is a critical element in the response to fraud and corruption. Given the challenges of combating global crime syndicates, disruption of their activities is more important than ever.
Organisations can embrace a range of techniques that will help disrupt the activities of those carrying out fraud or corruption (5.13). These techniques may include:
All these techniques are particularly important for Accounts Payable teams to embrace, as they will have a material effect on strengthening your ability to fight fraud and corruption.
The release of AS8001:2021 represents an important step up for any Accounts Payable team looking to mitigate the risk of fraud and corruption. Despite the fact that this Standard is not mandatory, organisations would be well advised to adopt many of the best-practice recommendations contained in the Standard in order to avoid the financial, reputational and legal consequences that would result from a fraud or corruption event.
Many of the recommendations contained in the Standard have direct relevancy for Accounts Payable teams, who are often at the forefront of both internal and external threats.
By integrating the eftsure platform into your Accounts Payable processes, your organisation can align with many of the recommendations in the Standard. eftsure helps you:
Contact eftsure today for a full demonstration of our unique fraudtech platform and how it can help in your organisation’s fight against fraud and corruption.
Unauthorised transactions, whether due to fraud or errors, can be a stressful experience for consumers. When a bank customer notices an unfamiliar …
For years, industry experts have been making predictions about what the finance function would look like in 2025. Many of the reports, …
The finance industry is extremely susceptible to data breaches. In fact, in 2023, it was the most breached industry and accounted for …
Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.