Breaking Down The ISO 37001:2016 Audit Process

By Zafar Anjum, MSc, MS, CFE, CII, MICA, Int. Dip. (Fin. Crime)
Group Chief Executive Officer
Corporate Research and Investigations Limited
There is no “one-size-fits-all” method to achieving anti-bribery management systems certification

There’s been much discussion surrounding ISO 37001:2016 Anti-Bribery Management Systems and the ways that attaining certification to the standard can enhance an organisation’s existing anti-corruption compliance program.

The ISO 37001:2016 standard specifies a series of measures and controls to help organisations prevent, detect and address bribery.  These measures include adopting an anti-bribery policy, appointing an individual to oversee anti-bribery compliance, training, risk assessments and due diligence on projects and business associates, implementing financial and commercial controls, and instituting reporting, investigation and monitoring procedures.

Certification of compliance with the standard is based on an impartial, independent third-party review, assessment and audit of the organisation’s anti-bribery management system and the versatility, effectiveness and proactive nature of said system.

The compliance audit itself has too often been referred to as a “one-size-fits-all” or “check-the-box” subjective process, which couldn’t be further from the truth.  Proper certification to the standard requires a substantial amount of preparation and self-assessment beforehand; a highly involved review, interview and audit process (often involving a sampling of affiliated or regional offices); and an evaluation and monitoring phase which is annually conducted over the three-year certification cycle.

Let’s take a brief look at the audit process and examine why large multi-national companies such as Walmart, Microsoft, Alstom and a host of others have weighed the costs and benefits, and subsequently committed to attaining ISO 37001:2016 certification.

 

An Evidence-Based Review; A Risk-Based Approach

The ABMS audit is a diligent approach that links auditing activity to an organisation’s overall risk management framework, providing assurance to top management that risk management processes are effectively addressing all bribery risks throughout the organisation and its operations.

It should be noted that the certification audit isn’t solely structured on a review of paper-based controls.  As you’ll read below, the process assesses the organisation’s overarching stance on anti-bribery and how that stance is conveyed — tangibly and intangibly — from the board of directors right down to lower-level staff members.

Employing interviews, policy reviews, sampling, due diligence and testing of methods and techniques, the audit will produce sufficient evidence of a sound anti-bribery management system, while spotlighting specific areas of risk that demand attention and subsequent improvement to adhere to the standard.

 

Certified Auditors; Anti-Bribery Experts

First and foremost, ISO 37001:2016 auditors must be specifically certified and credentialed in order to lead and conduct such audits.  Auditors are guided by the requirements of ISO 17021-9 to conduct an ABMS assessment.  To attain this status, auditors must undergo intensive training to fully comprehend the concepts and principles behind the various ISO management systems compliance, and the corresponding specifications and auditing techniques associated with those ISO guidelines.  From that training, auditors will gain the necessary knowledge and skills to effectively plan and perform related audits.

Further — and just as vital — auditing professionals must possess considerable experience in the areas of anti-bribery and anti-corruption, and have deep-seated knowledge of the industry sectors and the respective geographic regions (with a familiarity of the legal jurisdictions) served by the organisation being certified.

And finally, the ISO 37001:2016 auditor must be qualified to serve as a helpful, non-confrontational advocate during the entire audit process, expertly guiding the organisation through the process with the shared goal of achieving outcomes that will ultimately fortify the organisation’s commitment to battling instances of bribery in the global marketplace.

 

The Audit Process

The process, which adheres closely to ISO 19011 requirements, begins well in advance of the on-site visit, with the auditor conducting a thorough analysis of news, social media and other public domain information pertaining to the organisation.  This outside review oftentimes helps the auditor determine the organisation’s perceived “culture of compliance” prior to initiating the audit.

The audit process itself is a critical assessment of a number of crucial elements that are required by the ISO 37001:2016 standard, and a determination of how the overall policy is represented by the various roles and responsibilities throughout the organisation.  The process entails:

  • A review of the organisation’s anti-bribery policies, procedures and controls;

  • An assessment of the organisation’s plan for communicating its polices to all employees worldwide;

  • In-depth interviews with compliance personnel, leadership, management, and legal, finance, procurement, human resource and communications staff members to assess familiarity with the policies and comprehension levels for identifying and responding to red flag events;

  • A review of all procedures and instructors involved with the organisation’s anti-bribery training;

  • Performing risk assessments specific to particular projects, industries, regions, jurisdictions and third-parties associated with the organisation;

  • Conducting due diligence on third-party partners (by region);

  • Assessment of monitoring, reporting and investigation procedures as related to anti-bribery events;

  • Bench-marking the organisation’s overall commitment to its anti-bribery policy and management systems;

  • Assessment of the organisation’s financial controls to detect and prevent incidences of bribery;

  • Review of all corrective actions to the policy following a bribery investigation;

  • Confirmation of the organisation’s attempt at continuous improvement of the anti-bribery management system.

And throughout the various processes of observation, document review, sampling, interviews, technical verification and evaluation, the audit team is constantly meeting and communicating through the proper channels to assist the organisation in identifying risks and improving its processes and procedures.

The audit process can take weeks or months to complete, and needless to say, this process varies widely between organisations, industry sectors and geographic regions.

 

Reporting & Documentation

Post-audit, the team convenes an oversight board comprised of anti-bribery experts to review the audit reports and findings, and makes recommendations to both the organisation and the certification committee.

The ensuing documentation covers a host of topics, including risk areas (by project, personnel group, and geographic region), training recommendations, investigative techniques, reporting processes, and other areas of improvement.

 

Follow-Up Surveillance Audits to Ensure Continuous Improvement

The certification process doesn’t end after the initial audit phase. Certification to the standard requires verification of continuous improvement and confirmation of how outcomes are implemented, documented, monitored and assessed over time.  To achieve this, the audit team will conduct annual surveillance audits of the organisation’s anti-bribery system over the three-year certification cycle.  Surveillance audits verify the organisation’s continued adherence to the standard, evaluate any prescribed corrective action plans, and review what the organisation is doing to improve its anti-bribery management systems.

Certification in ISO 37001:2016 symbolises an organisation’s unrelenting commitment to fight corruption and pursue best practices in an ongoing quest for compliance to the widely-accepted anti-bribery standards.  And the in-depth process involved in achieving certification to the standard — together with the counsel, risk assessment, and improvement recommendations that result from the audit — can make the certification process well worth the investment.

 

INTERESTED IN LEARNING MORE?

ABAC Center of Excellence (www.ABACGroup.com) is an independent accredited conformity assessment body of Corporate Research and Investigations Limited “CRI Group” for the scope of ISO 37001:2016 Anti-Bribery Management System certification, which was created to educate, equip and support the world’s leading business organisations with the latest in best-practice due diligence processes and procedures, providing world-class anti-bribery and anti-corruption solutions to organisations seeking to validate or expand their existing compliance frameworks to maintain a competitive edge in the world marketplace.

ABOUT THE AUTHOR

Zafar I. Anjum, is Group Chief Executive Officer of CRI Group (www.crigroup.com), a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organisations.  Headquartered in London (with significant presence throughout the region) and licensed by the Dubai International Financial Centre-DIFC, the Qatar Financial Center-QFC, and the Abu Dhabi Global Market-ADGM, CRI Group safeguards businesses by establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business. CRI Group maintains offices in UAE, Pakistan, Qatar, Singapore, Malaysia, Brazil, China, USA, Canada, Latin America and the United Kingdom.

CONTACT INFORMATION

Zafar Anjum, MSc, MS, CFE, CII, MICA, Int. Dip. (Fin. Crime)
CRI Group Chief Executive Officer

2nd Floor, 5 Harbour Exchange Square
South Quay, London E14 9GE
United Kingdom

Phone: +44 207 8681415
Mobile: +44 7588 454959
Email: zanjum@CRIGroup.com