Breaking Down The ISO 37001 Audit Process
There is no “one-size-fits-all” method to achieving anti-bribery management systems certification.
There’s been much discussion surrounding ISO 37001:2016 Anti-Bribery Management Systems and how attaining certification to the standard can enhance an organisation’s existing anti-corruption compliance program.
The ISO 37001:2016 standard specifies a series of measures and controls to help organisations prevent, detect and address bribery. These measures include adopting an anti-bribery policy, appointing an individual to oversee anti-bribery, compliance, training, risk assessments and due diligence on projects and business associates, implementing financial and commercial controls, and instituting reporting, investigation and monitoring procedures.
Certification of compliance with the standard is based on an impartial, independent third-party review, assessment and audit of the organisation’s anti-bribery management system, and the system’s versatility, effectiveness, and proactive nature.
The compliance audit itself has often been referred to as a “one-size-fits-all” or “check-the-box” subjective process, which couldn’t be further from the truth. Proper certification to the standard requires substantial preparation and self-assessment beforehand; a highly involved review, interview and audit process (often involving sampling of affiliated or regional offices); and an evaluation and monitoring phase, which is annually conducted over the three-year certification cycle.
Let’s take a brief look at the ISO 37001 audit process and examine why large multi-national companies such as Walmart, Microsoft, Alstom and a host of others have weighed the costs and benefits and subsequently committed to attaining ISO 37001:2016 certification.
An Evidence-Based Review; A Risk-Based Approach
The ABMS audit is a diligent approach that links auditing activity to an organisation’s overall risk management framework, providing top management that risk management processes effectively address all bribery risks throughout the organisation and its operations.
It should be noted that the certification audit isn’t solely structured on a review of paper-based controls. As you’ll read below, the process assesses the organisation’s overarching stance on anti-bribery and how that stance is conveyed — tangibly and intangibly — from the board of directors to lower-level staff members.
Employing interviews, policy reviews, sampling, due diligence and testing of methods and techniques, the audit will produce sufficient evidence of a sound anti-bribery management system while spotlighting specific areas of risk that demand attention and subsequent improvement to adhere to the standard.
Certified Auditors; Anti-Bribery Experts
First and foremost, ISO 37001:2016 auditors must be specifically certified and credentialed to lead and conduct such audits. Auditors are guided by the requirements of ISO 17021-9 to conduct an ABMS assessment. To attain this status, auditors must undergo intensive training to fully comprehend the concepts and principles behind the various ISO management systems compliance and the corresponding specifications and auditing techniques associated with those ISO guidelines. From that training, auditors will gain the necessary knowledge and skills to effectively plan and perform related audits.
Further — and just as vital — auditing professionals must possess considerable experience in the areas of anti-bribery and anti-corruption and have deep-seated knowledge of the industry sectors and the respective geographic regions (with a familiarity of the legal jurisdictions) served by the organisation being certified.
And finally, the ISO 37001:2016 auditor must be qualified to serve as a helpful, non-confrontational advocate during the entire audit process, expertly guiding the organisation through the process with the shared goal of achieving outcomes that will ultimately fortify the organisation’s commitment to battling instances of bribery in the global marketplace.
The ISO 37001 Audit Process
The process, which adheres closely to ISO 19011 requirements, begins well in advance of the on-site visit. The auditor conducts a thorough analysis of news, social media, and other public domain information pertaining to the organisation. This outside review oftentimes helps the auditor determine the organisation’s perceived “culture of compliance” before initiating the audit.
The audit process itself is a critical assessment of several crucial elements required by the ISO 37001:2016 standard and a determination of how the overall policy is represented by the various roles and responsibilities throughout the organisation. The process entails:
- A review of the organisation’s anti-bribery policies, procedures and controls;
- An assessment of the organisation’s plan for communicating its policies to all employees worldwide;
- In-depth interviews with compliance personnel, leadership, management, and legal, finance, procurement, human resource and communications staff members to assess familiarity with the policies and comprehension levels for identifying and responding to red flag events;
- A review of all procedures and instructors involved with the organisation’s anti-bribery training;
- Performing risk assessments specific to particular projects, industries, regions, jurisdictions and third-parties associated with the organisation;
- Conducting due diligence on third-party partners (by region);
- Assessment of monitoring, reporting and investigation procedures as related to anti-bribery events;
- Bench-marking the organisation’s overall commitment to its anti-bribery policy and management systems;
- Assessment of the organisation’s financial controls to detect and prevent incidences of bribery;
- Review of all corrective actions to the policy following a bribery investigation;
- Confirmation of the organisation’s attempt to continuously improve the anti-bribery management system.
And throughout the various processes of observation, document review, sampling, interviews, technical verification and evaluation, the audit team is constantly meeting and communicating through the proper channels to assist the organisation in identifying risks and improving its processes and procedures.
The audit process can take weeks or months to complete, and needless to say, this process varies widely between organisations, industry sectors and geographic regions.
Reporting & Documentation
Post-audit, the team convenes an oversight board comprised of anti-bribery experts to review the audit reports and findings and makes recommendations to both the organisation and the certification committee.
The ensuing documentation covers a host of topics, including risk areas (by project, personnel group, and geographic region), training recommendations, investigative techniques, reporting processes, and other areas of improvement.
Follow-Up Surveillance Audits to Ensure Continuous Improvement
The certification process doesn’t end after the initial audit phase. Certification to the standard requires verification of continuous improvement and confirmation of how outcomes are implemented, documented, monitored and assessed over time. The audit team will conduct annual surveillance audits of the organisation’s anti-bribery system over the three-year certification cycle. Surveillance audits verify the organisation’s continued adherence to the standard, evaluate any prescribed corrective action plans, and review how it is improving its anti-bribery management systems.
Certification in ISO 37001:2016 symbolises an organisation’s unrelenting commitment to fight corruption and pursue best practices in an ongoing quest for compliance to the widely-accepted anti-bribery standards. And the in-depth process involved in achieving certification to the standard — together with the counsel, risk assessment, and improvement recommendations that result from the audit — can make the certification process well worth the investment.
INTERESTED IN LEARNING MORE?
ABAC Center of Excellence (www.ABACGroup.com) is an independent accredited conformity assessment body of Corporate Research and Investigations Limited “CRI Group” for the scope of ISO 37001:2016 Anti-Bribery Management System certification, which was created to educate, equip and support the world’s leading business organisations with the latest in best-practice due diligence processes and procedures, providing world-class anti-bribery and anti-corruption solutions to organisations seeking to validate or expand their existing compliance frameworks to maintain a competitive edge in the world marketplace.
ABOUT THE AUTHOR
Zafar I. Anjum is Group Chief Executive Officer of ABAC® Group (www.abacgroup.com). Headquartered in London (with a significant presence throughout the region) and licensed by the Dubai International Financial Centre-DIFC, the Qatar Financial Center-QFC, and the Abu Dhabi Global Market-ADGM, CRI® Group safeguards businesses by establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business. ABAC® Group maintains offices in UAE, Pakistan, Qatar, Singapore, Malaysia, Brazil, China, USA, Canada, Latin America and the United Kingdom.
Zafar Anjum, MSc, MS, CFE, CII, MICA, Int. Dip. (Fin. Crime)
ABAC® Group Chief Executive Officer
2nd Floor, 5 Harbour Exchange Square
South Quay, London E14 9GE
Phone: +44 207 8681415
Mobile: +44 7588 454959
About ABAC® Center of Excellence
ABAC® is an independent certification body powered by CRI® Group. ABAC® programs protect your organisation from damaging litigation & safeguard your business in the global marketplace by providing certification & training in internationally recognised ISO standards, such as ISO 37001 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000 Risk Management Systems. ABAC® Center of Excellence offers a complete suite of services and solutions designed to educate, equip & support the world’s leading business organisations with the latest best-in-practice risk & performance assessments, systems improvement & standards certification.