ISO/FDIS 37003
Fraud Control Management Systems — Guidance for organizations managing the risk of fraud
This document will provide guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective anti-fraud management system. The guidance will be generic and applicable to all organizations, regardless of type, size and nature of activity, and whether in the public, private or not-for-profit sectors. The guidance will include:
• creation and maintenance of a fraud risk recognition, tracking and monitoring environment within an organization, including proactive control systems, protocols and procedures;
• mitigation of internal and external fraud against, and by, the organization;
• detection of fraud in the event that pre-emptive counter-fraud strategies, protocols and procedures fail to identify and trace incidents;
• effective response to fraud events so that
  - lessons are learned that can be applied to the mitigation framework,
  - reputational harm to the organization can be minimized and repaired,
  - funds lost to fraud can be recovered.
This is a Type B management system standard.
Fraud control management systems — Guidelines for organizations managing the risk of fraud
Fraud control management systems — Guidance for organizations responding to the risk of fraud
General Information
Standards Content (Sample)
SLOVENIAN STANDARD
01-March-2024
Fraud control management systems — Guidance for organizations responding to the risk of fraud
Fraud Control Management Systems — Guidance for organizations responding to the risk of fraud
Fraud control management systems — Recommendations to organizations in response to the risks of fraud
This Slovenian standard is identical to: ISO/DIS 37003
ICS:
03.100.01 Company organization and management in general
03.100.02 Governance and ethics
03.100.70 Management systems
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
DRAFT INTERNATIONAL STANDARD
ISO/DIS 37003
ISO/TC 309 Secretariat: BSI
Voting begins on: 2024-01-15
Voting terminates on: 2024-04-08
Fraud Control Management Systems — Guidance for organizations managing the risk of fraud
ICS: 03.100.02; 03.100.70; 03.100.01
This document is circulated as received from the committee secretariat.
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number: ISO/DIS 37003:2024(E)
© ISO 2024
© ISO 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ISO 37003:202x
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the fraud control management system (FCMS)
4.4 Fraud control management system (FCMS)
4.5 Fraud risk assessment
4.5.1 General
4.5.2 Collaboration with other risk management functions
5 Leadership
5.1 Leadership and commitment
5.1.1 Governing body
5.1.2 Top management
5.2 Fraud control policy
5.3 Roles, responsibilities and authorities
5.3.1 General
5.3.2 Delegated decision-making to managers and organizational functions
5.3.3 Fraud control function
Top management should assign responsibilities and authority for the fraud control function, including:
6 Planning
6.1 Actions to address risks and opportunities
6.2 Fraud control objectives and planning to achieve them
6.3 Planning of changes
7 Support
7.1 Resources
7.1.1 General
7.1.2 Appointment of an ISMS professional
7.2 Competence
7.2.1 General
7.2.2 Employment process
7.3 Awareness
7.3.1 General
7.3.2 Fraud awareness and training programme
7.4 Communication
7.4.2 Promoting the fraud control management system
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating documented information
7.5.3 Control of documented information
7.5.4 Record keeping and confidentiality of information
8 Operation
8.1 Operational planning and control
8.2 Preventing fraud
8.2.1 General
8.2.2 Promoting an effective integrity framework
8.2.3 Managing conflicts of interest
8.2.4 Internal controls and the environment of internal control
8.2.5 Pressure testing the internal control system
8.2.6 Managing performance-based targets
8.2.7 Workforce screening
8.2.8 Screening and management of business associates
8.2.9 Preventing technology-enabled fraud
8.2.10 Physical security and asset management
8.3 Detecting fraud
8.3.1 General
8.3.2 Post-transactional review
8.3.3 Analysis of management accounting reports
8.3.4 Identification of early warning indicators
8.3.5 Data analytics
8.3.6 Fraud reporting
8.3.7 Leveraging relationships with business associates and other external parties
8.3.8 Complaint management
8.3.9 Exit interviews
8.4 Responding to fraud events
8.4.1 General
8.4.2 Immediate actions in response to discovery of fraud
8.4.3 Digital evidence first response
8.4.4 Investigation of a detected fraud event
8.4.5 Consideration of grievances
8.4.6 Disciplinary procedures
...