BREAKING DOWN THE ISO 37001:2016 AUDIT PROCESS

There is no "one-size-fits-all" method to achieving anti-bribery management systems certification

There's been much discussion surrounding ISO 37001:2016 Anti-Bribery Management Systems and the ways that attaining certification to the standard can enhance an organization's existing anti-corruption compliance program.

The ISO 37001:2016 standard specifies a series of measures and controls to help organizations prevent, detect and address bribery. These measures include adopting an anti-bribery policy, appointing an individual to oversee anti-bribery compliance, training, risk assessments and due diligence on projects and business associates, implementing financial and commercial controls, and instituting reporting, investigation and monitoring procedures.

Certification of compliance with the standard is based on an impartial, independent third-party review, assessment and audit of the organization’s anti-bribery management system and the versatility, effectiveness and proactive nature of said system.

The compliance audit itself has too often been referred to as a "one-size-fits-all" or "check-the-box" subjective process, which couldn't be further from the truth. Proper certification to the standard requires a substantial amount of preparation and self-assessment beforehand; a highly involved review, interview and audit process (often involving a sampling of affiliated or regional offices); and an evaluation and monitoring phase which is annually conducted over the three-year certification cycle.

Let's take a brief look at the audit process and examine why large multi-national companies such as Walmart, Microsoft, Alstom and a host of others have weighed the costs and benefits, and subsequently committed to attaining ISO 37001:2016 certification.

An Evidence-Based Review; A Risk-Based Approach

The ABMS audit is a diligent approach that links auditing activity to an organization’s overall risk management framework, providing assurance to top management that risk management processes are effectively addressing all bribery risks throughout the organization and its operations.

It should be noted that the certification audit isn't solely structured on a review of paper-based controls. As you'll read below, the process assesses the organization's overarching stance on anti-bribery and how that stance is conveyed -- tangibly and intangibly -- from the board of directors right down to lower-level staff members.

Employing interviews, policy reviews, sampling, due diligence and testing of methods and techniques, the audit will produce sufficient evidence of a sound anti-bribery management system, while spotlighting specific areas of risk that demand attention and subsequent improvement to adhere to the standard.

Certified Auditors; Anti-Bribery Experts

First and foremost, ISO 37001:2016 auditors must be specifically certified and credentialed in order to lead and conduct such audits. Auditors are guided by the requirements of ISO 17021-9 to conduct an ABMS assessment. To attain this status, auditors must undergo intensive training to fully comprehend the concepts and principles behind compliance with the various ISO management system standards, and the corresponding specifications and auditing techniques associated with those ISO guidelines. From that training, auditors gain the knowledge and skills needed to effectively plan and perform related audits.

Further -- and just as vital -- auditing professionals must possess considerable experience in the areas of anti-bribery and anti-corruption, and have deep-seated knowledge of the industry sectors and the respective geographic regions (with a familiarity of the legal jurisdictions) served by the organization being certified.  

And finally, the ISO 37001:2016 auditor must be qualified to serve as a helpful, non-confrontational advocate during the entire audit process, expertly guiding the organization through the process with the shared goal of achieving outcomes that will ultimately fortify the organization's commitment to battling instances of bribery in the global marketplace. 

The Audit Process 

The process, which adheres closely to ISO 19011 requirements, begins well in advance of the on-site visit, with the auditor conducting a thorough analysis of news, social media and other public domain information pertaining to the organization. This outside review oftentimes helps the auditor determine the organization's perceived "culture of compliance" prior to initiating the audit.  

The audit process itself is a critical assessment of a number of crucial elements that are required by the ISO 37001:2016 standard, and a determination of how the overall policy is represented by the various roles and responsibilities throughout the organization. The process entails: 

  • A review of the organization's anti-bribery policies, procedures and controls;
  • An assessment of the organization's plan for communicating its policies to all employees worldwide;
  • In-depth interviews with compliance personnel, leadership, management, and legal, finance, procurement, human resource and communications staff members to assess familiarity with the policies and comprehension levels for identifying and responding to red flag events;
  • A review of all procedures and instructors involved with the organization's anti-bribery training;
  • Performing risk assessments specific to particular projects, industries, regions, jurisdictions and third-parties associated with the organization;
  • Conducting due diligence on third-party partners (by region);
  • Assessment of monitoring, reporting and investigation procedures as related to anti-bribery events;
  • Benchmarking the organization's overall commitment to its anti-bribery policy and management systems;
  • Assessment of the organization's financial controls to detect and prevent incidences of bribery;
  • Review of all corrective actions to the policy following a bribery investigation;
  • Confirmation of the organization's attempt at continuous improvement of the anti-bribery management system. 

And throughout the various processes of observation, document review, sampling, interviews, technical verification and evaluation, the audit team is constantly meeting and communicating through the proper channels to assist the organization in identifying risks and improving its processes and procedures. 

The audit process can take weeks or months to complete, and needless to say, this process varies widely between organizations, industry sectors and geographic regions.  

Reporting & Documentation 

Post-audit, the team convenes an oversight board comprised of anti-bribery experts to review the audit reports and findings, and makes recommendations to both the organization and the certification committee. 

The ensuing documentation covers a host of topics, including risk areas (by project, personnel group, and geographic region), training recommendations, investigative techniques, reporting processes, and other areas of improvement. 

Follow-Up Surveillance Audits to Ensure Continuous Improvement 

The certification process doesn't end after the initial audit phase. Certification to the standard requires verification of continuous improvement and confirmation of how outcomes are implemented, documented, monitored and assessed over time. To achieve this, the audit team will conduct annual surveillance audits of the organization's anti-bribery system over the three-year certification cycle. Surveillance audits verify the organization's continued adherence to the standard, evaluate any prescribed corrective action plans, and review what the organization is doing to improve its anti-bribery management systems. 

Certification in ISO 37001:2016 symbolizes an organization's unrelenting commitment to fight corruption and pursue best practices in an ongoing quest for compliance to the widely-accepted anti-bribery standards. And the in-depth process involved in achieving certification to the standard -- together with the counsel, risk assessment, and improvement recommendations that result from the audit -- can make the certification process well worth the investment.

More articles by Zafar Anjum MSc MS LLM CFE