In the context of local government, maintaining robust fraud and corruption controls is paramount. The updated AS 8001:2021 standard has brought significant enhancements to these controls, with a particular focus on integrating pressure testing as a critical component of the Fraud and Corruption Control System (FCCS). This post delves into the concept of pressure testing, its application in local governments, and highlights the key changes introduced in AS 8001:2021.
What is Pressure Testing?
Pressure testing, in the context of fraud and corruption control, involves simulating fraudulent activities to evaluate the effectiveness of an organization’s internal controls. This proactive approach helps identify vulnerabilities and ensures that the controls in place are capable of preventing, detecting, and responding to fraud and corruption attempts. It is the fraud-control counterpart of ethical hacking, more commonly known as penetration (pen) testing, in cybersecurity.
Why is Pressure Testing Important?
- Real-World Simulation: Pressure testing mimics actual fraud scenarios, providing a realistic assessment of how well current controls perform under potential threats.
- Identifying Weaknesses: By challenging the system, pressure testing uncovers weaknesses that might not be apparent during regular audits or assessments.
- Enhancing Preparedness: Organizations can improve their fraud response strategies by understanding how their controls hold up under pressure, leading to better preparedness and quicker response times.
Implementing Pressure Testing in Local Governments
Note: It is crucial that any pressure testing activities are conducted with the knowledge and approval of the CEO or appropriate senior management. Since these tests involve simulating fraudulent scenarios, they must be carefully coordinated to prevent any unintended consequences or misunderstandings.
Here are ten scenarios where pressure testing can be effectively implemented in a local government context:
1. Executive Office – CEO Email Spoofing to Divulge Confidential Information to a Third Party:
Scenario: Testers send fictitious emails spoofing the CEO, requesting confidential information to be sent to a third-party email address.
Implementation:
Support Needed: IT department to set up email spoofing tools; relevant departments holding confidential information for test execution.
Steps:
– Craft realistic emails.
– Send emails to targeted employees.
– Monitor responses.
2. Accounts Payable – Supplier Banking Details Update:
Scenario: Testers send fictitious emails spoofing suppliers, requesting updates to banking details.
Implementation:
Support Needed: IT department for spoofing setup, vendor management team for validation.
Steps:
– Create spoofed supplier emails.
– Send requests for bank detail changes.
– Check if the AP team follows call-back procedures and other verification steps.
3. Accounts Payable – Manipulated Contact Information:
Scenario: Testers send invoices with manipulated phone numbers to verify call-back controls.
Implementation:
Support Needed: Procurement team for invoice creation, AP team for execution.
Steps:
– Modify supplier contact details on test invoices.
– Send invoices to the AP team.
– Verify if they use correct contact information from the vendor master file.
4. Accounts Payable – Fake Invoices for Goods/Services:
Scenario: Testers send fake invoices for non-ordered goods to check adherence to 3-way matching.
Implementation:
Support Needed: Procurement and receiving departments for test coordination.
Steps:
– Generate fake invoices for undelivered goods.
– Submit to the AP team.
– Check if the AP team matches invoices with purchase orders and delivery receipts.
5. Accounts Payable – Duplicate Invoices:
Scenario: Testers send multiple invoices for the same goods/services to test duplicate checking.
Implementation:
Support Needed: Procurement team for invoice generation.
Steps:
– Submit duplicate invoices.
– Track the AP team’s identification and flagging of duplicates.
– Verify prevention of double payments.
6. Accounts Payable – False GST/ABN Details:
Scenario: Testers send invoices with incorrect GST or ABN details to check regulatory compliance.
Implementation:
Support Needed: Legal and compliance teams for regulatory information.
Steps:
– Issue invoices with false tax details.
– Review AP team’s verification against official records.
7. Accounts Payable – Supplier Bank Detail Modifications via Phone:
Scenario: Testers call the AP team pretending to be suppliers and request bank detail changes.
Implementation:
Support Needed: Vendor management team for validation processes.
Steps:
– Make phone calls to the AP team with bank detail change requests.
– Evaluate if they follow verification steps like callbacks or written confirmations.
8. Procurement – Unauthorized Purchase Orders:
Scenario: Testers submit unauthorized purchase orders to assess the procurement process controls.
Implementation:
Support Needed: Procurement and IT departments for system access.
Steps:
– Generate unauthorized purchase orders.
– Submit to the procurement system.
– Check if system flags and prevents unauthorized orders.
9. Human Resources – Fake Employment Applications:
Scenario: Testers submit fake employment applications to test the recruitment process integrity.
Implementation:
Support Needed: HR department for process oversight.
Steps:
– Create fictitious job applications with fabricated qualifications.
– Submit applications to HR.
– Monitor HR’s background checks and discrepancy identification.
10. Payroll – Unauthorized Payroll Changes:
Scenario: Testers request unauthorized changes to payroll details to test internal controls.
Implementation:
Support Needed: Payroll and HR departments for verification processes.
Steps:
– Submit requests for unauthorized salary increases or bank detail changes.
– Assess the payroll department’s verification and approval steps.
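The accounts payable scenarios above (2 to 7) all test the same handful of AP-side controls: call-backs go to the number on the vendor master file rather than the number on the request, invoices are three-way matched to a purchase order and a receipt, duplicates are caught even when the invoice number is formatted differently, and ABNs are checked before payment. The following script is an added example, not code from the original post or from any council system; it shows what those checks look like when written down and run over a constructed batch of test invoices of the kind the scenarios describe. The vendor master, purchase order, receipt, phone and account values are all made up; the ABN 51 824 753 556 is the worked example published in the ABR's ABN format specification, and the checksum routine implements that published algorithm.

```python
"""
Accounts-payable screening checks exercised by pressure-test scenarios 2 to 7.
Added example, not code from the original post. All supplier names, phone
numbers, account numbers, purchase orders and invoices are constructed sample
data; 51 824 753 556 is the ABR's published example of a valid ABN.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Vendor master file: the only trusted source for ABN, phone and bank details.
VENDOR_MASTER: Dict[str, dict] = {
    "acme civil pty ltd": {
        "abn": "51824753556",
        "phone": "+61255500100",             # constructed
        "account": ("062-000", "12345678"),  # constructed BSB / account
    },
}

ABN_WEIGHTS = [10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19]


def abn_is_valid(abn: str) -> bool:
    """ABR checksum: subtract 1 from the first digit, multiply each digit by
    its weight, and the total must be divisible by 89."""
    digits = re.sub(r"\s", "", abn)
    if len(digits) != 11 or not digits.isdigit():
        return False
    nums = [int(c) for c in digits]
    nums[0] -= 1
    return sum(n * w for n, w in zip(nums, ABN_WEIGHTS)) % 89 == 0


def normalise_invoice_no(invoice_no: str) -> str:
    """'INV-0042', 'inv 42' and 'INV0042' all collapse to 'INV42'."""
    core = "".join(ch for ch in invoice_no.upper() if ch.isalnum())
    return re.sub(r"(?<![0-9])0+(?=[0-9])", "", core)


def _digits(phone: str) -> str:
    return "".join(ch for ch in phone if ch.isdigit())


@dataclass(frozen=True)
class Invoice:
    supplier: str
    abn: str
    invoice_no: str
    po_number: str
    amount: float
    contact_phone: str  # number printed on the invoice; never used for call-backs


def screen_invoice(inv: Invoice, purchase_orders: Dict[str, dict], receipts: set) -> List[str]:
    """Return the control failures an invoice must clear before payment (empty = clear)."""
    findings: List[str] = []
    master = VENDOR_MASTER.get(inv.supplier.strip().lower())
    if master is None:
        return ["supplier not in vendor master file"]
    if not abn_is_valid(inv.abn):
        findings.append("ABN fails checksum")                      # scenario 6
    elif re.sub(r"\s", "", inv.abn) != master["abn"]:
        findings.append("ABN differs from vendor master file")     # scenario 6
    if _digits(inv.contact_phone) != _digits(master["phone"]):
        findings.append("invoice contact number differs from vendor master")  # scenario 3
    po = purchase_orders.get(inv.po_number)                        # scenario 4: three-way match
    if po is None:
        findings.append("no matching purchase order")
    else:
        if po["supplier"].lower() != inv.supplier.lower() or abs(po["amount"] - inv.amount) > 0.005:
            findings.append("invoice does not agree with purchase order")
        if inv.po_number not in receipts:
            findings.append("goods/services not receipted")
    return findings


def find_duplicate_invoices(invoices: List[Invoice]) -> List[Tuple[str, str]]:
    """Scenario 5: pairs of invoice numbers that resolve to the same supplier + number."""
    seen: Dict[Tuple[str, str], str] = {}
    dups: List[Tuple[str, str]] = []
    for inv in invoices:
        key = (inv.supplier.strip().lower(), normalise_invoice_no(inv.invoice_no))
        if key in seen:
            dups.append((seen[key], inv.invoice_no))
        else:
            seen[key] = inv.invoice_no
    return dups


def callback_number(supplier: str, number_in_request: str) -> str:
    """Scenarios 2 and 7: the call-back for a bank-detail change always goes to the
    vendor master number; the number supplied in the request is deliberately ignored."""
    master = VENDOR_MASTER.get(supplier.strip().lower())
    if master is None:
        raise LookupError("unknown supplier; do not process the change")
    return master["phone"]


# Constructed sample batch containing the kinds of test invoices the scenarios describe.
PURCHASE_ORDERS = {"PO-1001": {"supplier": "Acme Civil Pty Ltd", "amount": 4400.00}}
RECEIPTS = {"PO-1001"}
SAMPLE_BATCH = [
    Invoice("Acme Civil Pty Ltd", "51 824 753 556", "INV-0042", "PO-1001", 4400.00, "+61 2 5550 0100"),
    Invoice("Acme Civil Pty Ltd", "51 824 753 557", "INV 42", "PO-1001", 4400.00, "+61 2 5550 0999"),
    Invoice("Acme Civil Pty Ltd", "51 824 753 556", "INV-0043", "PO-2002", 900.00, "+61 2 5550 0100"),
]

if __name__ == "__main__":
    for inv in SAMPLE_BATCH:
        print(inv.invoice_no, screen_invoice(inv, PURCHASE_ORDERS, RECEIPTS) or ["clear"])
    print("duplicates:", find_duplicate_invoices(SAMPLE_BATCH))
    print("call back on:", callback_number("Acme Civil Pty Ltd", "+61 2 0000 0000"))
```

Run as-is, the first invoice clears, the second is held for a bad ABN and a contact number that differs from the master file, the third is held for having no purchase order, and the first two are reported as duplicates of each other despite the different invoice-number formatting. When a pressure test is run, the useful evidence is whether the AP team's actual handling matched what this kind of check would have produced; a test invoice that was paid after a call-back to the number printed on the invoice is the finding the scenarios are designed to surface.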
Key Changes in AS 8001:2021
The AS 8001:2021 standard introduces several important updates that strengthen fraud and corruption controls:
1. Fraud and Corruption Control System (FCCS):
Replaces the Fraud Control Plan with a more comprehensive system approach.
2. Updated Definitions:
Broadened definitions of fraud and corruption to include a wider range of conduct.
3. Minimum Requirements:
The new standard uses “shall” instead of “should” to indicate mandatory requirements, ensuring stricter compliance.
4. Normative References:
Incorporates references to other standards such as ISO 37001 (Anti-bribery Management Systems) and ISO/IEC 27001 (Information Security Management Systems).
5. Enhanced Governance:
Clear delineation of roles between the governing body and top management, emphasizing their responsibilities in fraud and corruption control.
6. Focus on Cybersecurity:
Comprehensive guidance on preventing, detecting, and responding to cyber-related fraud and corruption.
7. New Practices:
Introduces “pressure testing” of internal controls and enhanced guidance on whistleblower protections and immediate fraud response actions.
8. Enhanced Monitoring and Review:
Strengthens the monitoring and review mechanisms to ensure continuous improvement and compliance with fraud and corruption control measures.
9. Third-Party Notification and Due Diligence:
Provides guidance on notifying third parties affected by fraud and corruption events and conducting due diligence on business associates, reflecting a more holistic approach to managing external relationships and risks.
By implementing these strategies, local governments can ensure the effectiveness of their fraud and corruption controls, safeguarding public resources and bolstering public trust in their operations.
About the Author
Diluka Weerasingha (CIA, CPA, CA) is a seasoned internal audit professional with a Big Four background and more than 20 years’ experience gained across various industries.