When it comes to avoiding operational risk and reputational ruin, councils turn to the Australian Standards for Fraud and Corruption Control. These standards set out best practices for preventing, detecting and responding to fraud and corruption.
Now, after 13 long years, these standards have been updated.
While this will be welcome news to risk-aware councils, it also comes with implications. It’s likely your council will need to invest in more training, resources – and of course, planning.
Here’s what you need to know.
What’s changing?
To understand the updates that have taken place, it’s best to view them in a wider context.
Since 2008, the world has vastly changed when it comes to technology and ways of working – which means fraud and corruption risks have also changed.
So, these updates are all about bringing risk management practices into a contemporary context.
Some 20 key changes have been instated – no short number to get your head around. Throughout these changes, we see four consistent themes, which are:
- Adapting to threats from technology
- Increasing planning and resourcing
- Taking a proactive approach
- Managing performance-based targets
Let’s explore each in more detail.
Theme 1: Adapting to threats from technology
Before the new standards were released, fraud was primarily addressed as an internal issue: an act carried out by an employee, or by someone closely connected to your council.
Now, external attacks – driven by technology – are a rising concern. This is largely due to:
- Increasingly complex IT infrastructures
- The rise of internet-based payment systems
- An increasingly globalised economy
The awareness of these threats is the largest change we see throughout AS 8001:2021.
To properly protect your council against such threats, you’ll need staff who are well-versed in information technology.
One standard where this change is playing out is the recommendation to appoint an Information Security Management System (ISMS) expert to assist in the prevention of technology-enabled fraud.
Ideally qualified in both IT and risk management, your ISMS officer would be responsible for understanding cybercrime and how to manage its associated risks.
Your existing IT Manager may be the right fit.
Theme 2: Increasing planning and resourcing
Implementing fraud and corruption control systems successfully requires a high degree of commitment from councils. This includes adequately investing in the personnel and systems needed to oversee your processes on an ongoing basis.
This theme emerges throughout the updated standards – with several recommendations for strategic planning and accountability.
For instance, while the former AS 8001:2008 recommended appointing a specialised fraud control officer, the new standard expands the officer’s remit of duties.
At a glance, these duties now also include:
- Developing, implementing and maintaining a fraud and corruption control system
- Escalating and monitoring fraud and corruption incidents, including coordinating internal and external reporting
- Conducting and monitoring investigations into allegations of fraud and corruption
So does this mean you’ll need to recruit a new staff member altogether? Not necessarily.
You should already have someone on your team (such as a risk manager, WHS officer or governance officer) with the requisite skills and knowledge.
This person can be trained to take on the responsibilities of the fraud control officer. However, given their expanded duties, you may need another resource at some point to manage the additional workload.
Theme 3: Taking a proactive approach
Councils should already have strong internal controls in place to reduce fraud and corruption incidents, thanks to the previous iteration of the standards.
However, the standards now provide stronger guidance on how to proactively test the strength of these systems – through pressure testing.
In a pressure test, a fraudulent or corrupt act is deliberately designed to breach an organisation’s existing controls, to see where those controls fail and need to be improved. By doing this, you’ll gain a better understanding of your council’s vulnerabilities and areas of potential risk.
The old standards gave a broad overview of how pressure tests should be run, but the new standards give far stronger guidance.
Theme 4: Managing performance-based targets
Setting goals, targets and key performance indicators is essential to any organisation.
But if these targets are tied entirely to financial objectives, where someone within the organisation stands to benefit from the target being hit, this can incentivise people to reach it by any means possible.
This means those incentives might inadvertently encourage fraud and corruption.
As a completely new addition to the Australian Standards, councils are now advised to consider incentive programs as part of their risk assessment plan.
You are also advised to:
- Rely less on targets that are hard to verify – which means relying less on data that is self-reported by someone who stands to gain from the target being hit
- Use analytics programs to identify potentially suspicious performance outcomes
- Ensure you have the right to audit or verify business associates’ performance claims
A final word
As of now, none of these changes are compulsory – meaning you won’t be penalised for not implementing them immediately.
But they are on the horizon. Once the Audit Office of NSW updates its guidelines to reflect these changes, any council that has not adopted them accordingly is at risk of being audited.
More importantly though, if you don’t proactively heed these guidelines, you are leaving the door open for fraud and corruption to enter your council.
So take the time to familiarise yourself with the changes, and start rolling them out – as soon as possible.
This is simply a snapshot of the breadth of changes that have taken place. Want to delve a little deeper? You can. Or contact your Regional Risk Manager for one-on-one support.