Fraud control management systems — Guidance for organizations managing the risk of fraud

This document provides guidance for organizations for the development, implementation and maintenance of an effective fraud control management system (FCMS). This includes fraud prevention, early detection of fraud and effective response to fraud events that have occurred or can occur in the future. The document provides guidance for managing the risk of fraud, including: a) internal fraud against the organization; b) external fraud against the organization; c) internal fraud in collaboration with business associates or other third parties; d) external fraud in collaboration with the organization’s personnel; e) fraud by the organization or by persons purporting to act on behalf of and in the interests of the organization. This document is applicable to all organizations, regardless of type, size, nature of activity and whether in the public or private, profit or not-for-profit sectors. It is not intended to assist consumers in preventing, detecting or responding to what is generally termed "consumer fraud".

Systèmes de management du contrôle de la fraude — Lignes directrices destinées aux organisations gérant le risque de fraude

Sistemi vodenja nadzora nad goljufijami - Napotki za organizacije, ki se odzivajo na tveganje za goljufije

General Information

Status: Published
Publication Date: 28-May-2025
Current Stage: 6060 - International Standard published
Start Date: 29-May-2025
Due Date: 08-Jun-2025
Completion Date: 29-May-2025

Buy Standard

Standard: ISO 37003:2025 - Fraud control management systems — Guidance for organizations managing the risk of fraud. Released: 29. 05. 2025. English language, 45 pages.
Draft: ISO/DIS 37003:2024 - BARVE. English language, 50 pages.

Standards Content (Sample)

International Standard
ISO 37003
First edition 2025-05
Fraud control management systems — Guidance for organizations managing the risk of fraud
Systèmes de management du contrôle de la fraude — Lignes directrices destinées aux organisations gérant le risque de fraude
Reference number
All rights reserved.
ISO publications, in their entirety or in fragments, are owned by ISO. They are licensed, not sold, and are subject to the
terms and conditions set forth in the ISO End Customer License Agreement, the License Agreement of the relevant ISO
member body, or those of authorized third-party distributors.
Unless otherwise specified or required for its implementation, no part of this ISO publication may be reproduced,
distributed, modified, or used in any form or by any means, electronic or mechanical, including photocopying, scanning,
recording, or posting on any intranet, internet, or other digital platforms, without the prior written permission of ISO,
the relevant ISO member body or an authorized third-party distributor.
This publication shall not be disclosed to third parties, and its use is strictly limited to the license type and purpose
specified in the applicable license grant. Unauthorized reproduction, distribution, or use beyond the granted license is
prohibited and may result in legal action.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Licensing and use terms
As stated above, ISO documents, as well as any updates and/or corrections, and any intellectual property or
other rights pertaining thereto, are owned by ISO. ISO documents are licensed, not sold. This document does
not in any way operate to assign or transfer any intellectual property rights from ISO to the user. ISO
documents are protected by copyright law, database law, trademark law, unfair competition law, trade secrecy
law, and any other applicable law. Users acknowledge and agree to respect ISO’s intellectual property rights
in the ISO documents.
The use of ISO documents is subject to the terms and conditions of the applicable licence agreement.
ISO documents are provided under different licensing agreement types (“Licence Type”) allowing a non-
exclusive, non-transferable, limited, revocable right to use/access the ISO documents for one or more of the
purposes described below (“Purpose”), which may be internal or external in scope. The applicable Purpose(s)
must be agreed in the purchase order and/or in the applicable licence agreement.
a) Licence Type:
1) Single registered end-user licence (watermarked in the user’s name) for the specified Purpose. Under
this license, the user cannot share the ISO document with a third party, including on a network.
2) Network licence for the specified Purpose. The network licence can be assigned to either unnamed
concurrent end-users or named concurrent end-users within the same organization.
b) Purpose:
1) Internal Purpose. Internal use only within the user’s organization, including but not limited to own
implementation (“Internal Purpose”).
The scope of permitted internal use is specified at the time of purchase or through subsequent
agreement with ISO, the ISO member body in the user’s country, any other ISO member body or an
authorized third-party distributor, including any applicable internal use rights (such as for internal
meetings, internal training programmes, preparation of certification services, for integration or
illustration in internal manuals, internal training materials, and internal guidance documents). Each
internal use must be explicitly specified in the purchase order and/or in the applicable licence
agreement, and specific fees and requirements apply to each permitted use.
2) External Purpose. External use, including but not limited to:
— testing services;
— inspection services;
— certification services;
— auditing services;
— consulting services;
— conformity assessment scheme development and implementation;
— training services;
— education;
— research;
— software development and other digital platform or software-enabled digital services;
— any other services or activities conducted by the user or the user’s organization to third parties,
whether for commercial or non-commercial purposes (“External Purpose”).
The scope of permitted external use is specified at the time of purchase or through subsequent
agreement with ISO, the ISO member body in the user’s country, any other ISO member body or an
authorized third-party distributor, including any applicable external use rights (e.g. in publications,
products, or services marketed and sold by the user/the user’s organization). Each external use must
be explicitly specified in the purchase order and/or in the applicable licence agreement, and specific
fees and requirements apply to each permitted use.
Unless users have been granted use rights according to the above provisions, they are not granted the right to
share or sublicense ISO documents inside or outside their organization for either Purpose. If users wish to
obtain additional use rights for ISO documents or their content, users can contact ISO or the ISO member body
in their country to explore possible options.
If the user or the user’s organization is granted a licence for the External Purpose of providing any of the
following services to third parties:
— testing services;
— inspection services;
— certification services;
— auditing services;
— consulting services,
and if any of these five (5) services reference, rely upon, incorporate, or otherwise make use of any aspect,
requirement, provision, or any other information of any ISO document, the user or the user’s organization
agrees to verify that the third party receiving such services has obtained from the ISO member body in their
country, any other ISO member body, ISO or an authorized third-party distributor, a valid licence for its own
implementation of such ISO document or other use related to such services. This verification obligation must
be included in the applicable licence agreement obtained by the user or the user’s organization.
ISO documents must not be disclosed to third parties, and users must use them solely for the purpose specified
in the purchase order and/or applicable licensing agreement. Unauthorized disclosure or use of ISO
documents beyond the licensed purpose is prohibited and can result in legal action.
Use restrictions
Except as provided for in the applicable licence agreement and subject to a separate licence by ISO, the ISO
member body in the user’s country, any other ISO member body or an authorized third-party distributor, users
are not granted the right to:
— use ISO documents for any purpose other than the Purpose;
— grant use or access rights to ISO documents beyond the Licence Type;
— disclose ISO documents beyond the intended Purpose and/or Licence Type;
— sell, lend, lease, reproduce, distribute, import/export or otherwise commercially exploit ISO documents.
In the case of documents that are joint publications (such as ISO/IEC documents), this clause applies to
the respective joint copyright ownership;
— assign or otherwise transfer ownership of ISO documents, in whole or in part, to any third party.
Regardless of the Licence Type or Purpose for which users are granted access and use rights for ISO documents, users are not permitted to access or use any ISO documents, in whole or in part, for any machine learning and/or artificial intelligence and/or similar purposes, including but not limited to accessing or using them
a) as training data for large language or similar models, or
b) for prompting or otherwise enabling artificial intelligence or similar tools to generate responses.
Such use is only permitted if expressly authorized through a specific licence agreement by the ISO member
body in the requester’s country, another ISO member body, or ISO. Requests for such authorization are
considered on a case-by-case basis to ensure compliance with intellectual property rights. Specifically, it is not
possible to claim the benefit of copyright exception of Article 4 of the Directive (EU) 2019/790 of the European
Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market, for
the purpose of text and data mining on ISO documents, as ISO hereby opts out of this exception.
If ISO, or the ISO member body in the user’s country, has reasonable doubt that users are not compliant with
these terms, it can request in writing to perform an audit, or have an audit performed by a third-party auditor,
during business hours at the user’s premises or via remote access.
Contents

Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Context of the organization ... 8
4.1 Understanding the organization and its context ... 8
4.2 Understanding the needs and expectations of interested parties ... 8
4.3 Determining the scope of the fraud control management system (FCMS) ... 9
4.4 Fraud control management system (FCMS) ... 9
4.5 Fraud risk assessment ... 9
4.5.1 General ... 9
4.5.2 Collaboration with other risk management functions ... 10
5 Leadership ... 10
5.1 Leadership and commitment ... 10
5.1.1 Governing body ... 10
5.1.2 Top management ... 10
5.2 Fraud control policy ... 11
5.3 Roles, responsibilities and authorities ... 11
5.3.1 General ... 11
5.3.2 Delegated decision-making to managers and organizational functions ... 11
5.3.3 Fraud control function ... 11
5.3.4 Information security management system function ... 12
5.3.5 Internal audit function ... 12
6 Planning ... 13
6.1 Actions to address risks and opportunities ... 13
6.1.1 General ... 13
6.2 Fraud control objectives and planning to achieve them ... 13
6.3 Planning of changes ... 14
7 Support ...
...


SLOVENIAN STANDARD
oSIST ISO/DIS 37003:2024
01-March-2024
Sistemi vodenja nadzora nad goljufijami - Napotki za organizacije, ki se odzivajo na tveganje goljufij
Fraud Control Management Systems - Guidance for organizations responding to the risk of fraud
Systèmes de management du contrôle de la fraude — Recommandations aux organisations en réponse aux risques de fraude
This Slovenian standard is identical to: ISO/DIS 37003
ICS:
03.100.01 Company organization and management in general
03.100.02 Governance and ethics
03.100.70 Management systems
oSIST ISO/DIS 37003:2024 en,fr,de
Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

oSIST ISO/DIS 37003:2024
DRAFT INTERNATIONAL STANDARD
ISO/DIS 37003
ISO/TC 309 Secretariat: BSI
Voting begins on: 2024-01-15
Voting terminates on: 2024-04-08
Fraud Control Management Systems — Guidance for organizations managing the risk of fraud
ICS: 03.100.02; 03.100.70; 03.100.01
This document is circulated as received from the committee secretariat.
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number ISO/DIS 37003:2024(E)
© ISO 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Contents

Foreword ... vi
Introduction ... vii
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Context of the organization ... 8
4.1 Understanding the organization and its context ... 8
4.2 Understanding the needs and expectations of interested parties ... 9
4.3 Determining the scope of the fraud control management system (FCMS) ... 9
4.4 Fraud control management system (FCMS) ... 9
4.5 Fraud risk assessment ... 10
4.5.1 General ... 10
4.5.2 Collaboration with other risk management functions ... 10
5 Leadership ... 10
5.1 Leadership and commitment ... 10
5.1.1 Governing Body ... 10
5.1.2 Top management ... 11
5.2 Fraud control policy ... 11
5.3 Roles, responsibilities and authorities ... 11
5.3.1 General ... 11
5.3.2 Delegated decision-making to managers and organizational functions ... 12
5.3.3 Fraud control function ... 12
Top management should assign responsibilities and authority for the fraud control function, including: ... 12
6 Planning ... 12
6.1 Actions to address risks and opportunities ... 12
6.2 Fraud control objectives and planning to achieve them ... 13
6.3 Planning of changes ... 13
7 Support ... 13
7.1 Resources ... 13
7.1.1 General ... 13
7.1.2 Appointment of an ISMS professional ... 14
7.2 Competence ... 14
7.2.1 General ... 14
7.2.2 Employment process ... 14
7.3 Awareness ... 15
7.3.1 General ... 15
7.3.2 Fraud awareness and training programme ... 15
7.4 Communication ... 15
7.4.2 Promoting the fraud control management system ... 16
7.5 Documented information ... 16
7.5.1 General ... 16
7.5.2 Creating and updating documented information ... 16
7.5.3 Control of documented information ... 17
7.5.4 Record keeping and confidentiality of information ... 17
8 Operation ... 18
8.1 Operational planning and control ... 18
8.2 Preventing fraud ... 19
8.2.1 General ... 19
8.2.2 Promoting an effective integrity framework ... 19
8.2.3 Managing conflicts of interest ... 19
8.2.4 Internal controls and the environment of internal control ... 20
8.2.5 Pressure testing the internal control system ... 20
8.2.6 Managing performance-based targets ... 21
8.2.7 Workforce screening ... 21
8.2.8 Screening and management of business associates ... 22
8.2.9 Preventing technology-enabled fraud ... 23
8.2.10 Physical security and asset management ... 23
8.3 Detecting fraud ... 24
8.3.1 General ... 24
8.3.2 Post-transactional review ... 24
8.3.3 Analysis of management accounting reports ... 24
8.3.4 Identification of early warning indicators ... 24
8.3.5 Data analytics ... 24
8.3.6 Fraud reporting ... 25
8.3.7 Leveraging relationships with business associates and other external parties ... 26
8.3.8 Complaint management ... 26
8.3.9 Exit interviews ... 26
8.4 Responding to fraud events ... 26
8.4.1 General ... 26
8.4.2 Immediate actions in response to discovery of fraud ... 26
8.4.3 Digital evidence first response ... 27
8.4.4 Investigation of a detected fraud event ... 27
8.4.5 Consideration of grievances ... 27
8.4.6 Disciplinary procedures ...
...
