ISO 37001 certification ensures that your organisation is complying with globally recognised processes and procedures that are viewed worldwide as the generally accepted standard for business transparency and good governance as it relates to issues involving bribery and corruption. Read below the frequently asked questions about ISO 37001 Anti-Bribery Management Systems Certification.
“Adequate procedures” is a term made popular through the UK Bribery Act of 2010. It presents the potential of a company avoiding liability for failing to prevent bribery if that organisation can fully demonstrate clear, sound and established policies and procedures that deter individuals (inside and outside of the organisation) from partaking in questionable or corrupt conduct.
In complying with these guidelines and prove “adequate procedures,” public and private sector organisations should strongly consider the ISO 37001:2016 Anti-Bribery Management System certification process which provides proper assurance that the organisation has succeeded in establishing, implementing, maintaining, reviewing and improving its Anti-Bribery Management System.
From improved management systems to enhanced public perception and distinct competitive advantages, certification may provide a positive return on investment for the organisation.
- It helps your company create new and better business partnerships with entities that recognise your certified status, including supply chain manufacturing, joint ventures, pending acquisitions and co-marketing alliances.
- It could potentially reduce corporate insurance premiums.
- It provides your customers, stakeholders, employees, and partners with confidence in your business operations and ethics.
- It provides a competitive edge over non-certified organisations in your industry or niche.
It provides acceptable evidence to prosecutors or courts that the organisation has taken reasonable steps to prevent bribery and corruption.
ISO 37001:2016 Anti-Bribery Management System.
It is an internationally accepted standard that specifies the procedures by which an organisation should implement in preventing bribery while detecting and reporting any bribery incident that occurs. The standard certifies that an organisation has implemented reasonable and proportionate measures to prevent bribery. These measures involve top-level leadership, training, bribery risk assessment, due diligence adequacy, financial and commercial controls, reporting, audit, and investigation.
ISO 19600:2014 Compliance Management Systems.
It is a widely accepted standard that provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an organisation’s compliance management program. It covers virtually all compliance-related issues including anti-bribery, anti-corruption, antitrust, fraud, misconduct, export control, anti-money laundering and many others. The standard acts as a global benchmark for an effective and responsive compliance management program, with a foundation that is based on the principles of good governance and transparency.
ISO 31000:2018 Risk Management.
This standard provides principles, framework and a process for managing risk, as it covers most business activities, including research, planning, management and communications. This can help the organisation increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment.
ABAC Center of Excellence is fully accredited as a Conformity Assessment Body (Certification Body) to assist your organisation in attaining ISO 37001 certification through a thorough bribery risk assessment and audit covering the entire scope of the standard. The audit methodology is evidence-based, meaning any issues raised will be confirmed through adequate evidence that the ABAC Certification team has discovered during the audit.
Auditing techniques take a risk-based approach to examining your organisation’s Anti-Bribery Management System (ABMS), and the ABAC Certification team will increase the scale of the investigation if they determine that a specific process presents on a higher risk side. Factors such as Impact, Negligence, Minor, Major, and Critical are taken into consideration during the audit.
A separate audit method is a process-based approach where ABAC Certification examines the organisation’s processes while considering the interaction between those processes. Finally, there is a sampling-based audit approach where ABAC Certification incorporates an appropriate sampling plan utilising samples from different ABMS processes to conclude and support the audit findings and results.
The audit is extremely thorough in its approach, which results in an accredited certification for the scope of the ISO 37001 Anti-Bribery Management System.
The certification audit is comprised of 10 key steps:
1. AUDIT CONFIRMATION
A formal agreement is signed between ABAC Certification & Client, which contains all information regarding the terms and conditions, and technically audit man-days along with the activities to be performed.
2. PRE-ASSESSMENT AUDIT (OPTIONAL)
Gap assessment is conducted on the mutually agreed dates between Client and ABAC Certification. Gap Assessment is performed with the same independence and objectivity as a certification audit. The auditor(s) will conduct activities such as documentation review, process review, interview of process owners etc, in order to gather the necessary information that evidence compliance. The Audit finding will be categorised as Critical and Non-critical. The audit report will help the Client to prepare for Stage 1 and Stage 2 Audits and speed up the Certification process. During the Gap Assessment, Client will also understand the audit process and interact with Auditor who will increase the Client’s knowledge and confidence in the audit process.
3. STAGE 1 AUDIT
After closing the gaps identified during Gap Assessment, Client will coordinate with ABAC Certification to conduct Stage 1 Audit. It is recommended to conduct the Stage 1 Audit within 15 days of Gap Assessment. The Audit Plan will be shared as per mutually agreed dates and will detail audit scope, objectives, criteria, audit team information, timing and other required information. The scope of the audit will be verified during the Stage 1 Audit. Stage 1 Audit will examine Client’s ABMS (anti-bribery management system’s) readiness for ISO 37001:2016 Certification audit. During Stage 1 audit, the documentation of the ABMS will be reviewed. Stage 1 audit findings will be categorised as Critical and Non-critical observations. Critical observations will need to be addressed before scheduling the Stage 2 audit (within 3 months of Stage 1 Audit)
4. STAGE 2 AUDIT (ISO 37001 CERTIFICATION AUDIT)
Upon completion of Stage 1 Audit, depending on the type of Audit findings raised during Stage 1 Audit, Client will be required to do either of the following:
• For Critical Observations raised during the Stage 1 audit, Client will be required to close the Critical observations before scheduling Stage 2 Audit.
• In the event of only Non-critical observations raised, Client can schedule the Stage 2 Audit immediately and coordinate with ABAC Certification to proceed for Stage 2 Audit.
Stage 2 Audit is to examine the implementation of the ABMS system for going towards ISO 37001:2016 Certification. During the Stage 2 Audit, the documented information, evidence for implementation of ABMS will be examined by different auditing techniques which will include but not be limited to interviews, sampling, record reviews. Stage 2 audit findings will be categorised as Minor Non-conformity (Minor NC), Major Non-conformity (Major NC) and Observations. If Major NC is raised, then on-site Follow-up visit will be required, as mentioned in the Additional timeline. The CAP (Corrective Action Plan) will be reviewed by Lead Auditor.
5. FOLLOW-UP AUDIT (ONLY APPLICABLE IF MAJOR NC ARE RAISED)
During the Follow-up Audit, the verification of Corrective Actions for Major Non-conformities will be done. The Followup Audit is conducted on-site.
6. RECOMMENDATION FOR CERTIFICATION
When the Client confirms the closure of Audit findings along with the CAP to ABAC Certification Audit team, the Lead Auditor will review the CAP and give recommendation for Certification.
7. CERTIFICATION DECISION
The Certification Committee will review the Audit pack submitted by the Lead Auditor and after evaluation of the audit process, techniques, findings, CAP and closure of CAP/findings, then Certification decision will be made.
8. AWARD OF CERTIFICATE
Upon issuance of Certification decision of the Certification Committee, the Certificate issuance process initiated, the license number is allocated, and the Accredited Certificate is handed to the Client. The Certificate is issued for the validity of 3 years subject to successful Surveillance Audits.
9. SURVEILLANCE AUDITS (IN CASE OF NO MAJOR NC)
As per the accreditation requirements, after granting the Certificate, Surveillance Audits need to be conducted by ABAC Certification Audit team on the annual basis to ensure that Client is still complying with the conditions of the Certificate and ISO 37001:2016 standard requirement. Surveillance Audit activity is similar to Stage 2 Audit and exams the implementation of ABMS. Audit findings will be categorised as Minor Non-conformity (minor NC), Major Non-conformity (major NC) and Observations.
If Major NC is raised, then on-site Follow-up visit will be required. The Certificate is issued for the validity of three years subject to successful Surveillance Audits.
10. RE-CERTIFICATION AUDIT START OF THE NEW AUDIT CYCLE (STEP 3)
After the completion of 2 Surveillance Audits, in the third year, if the Client will wish to extend the Certificate, they will submit an application for Re-Certification. Following the submission of the application, the Re-Certification Audit will be scheduled and conducted. Re-Certification Audit will be a combination of Stage 1 and Stage 2 Audits. Audit findings will be categorised as Minor NC, Major NC and Observations. The Audit cycle will be set to Step 3 again and is repeated for the new Certification cycle. The issued Certificate will be valid for 3 years subject to.
Download the complete Certification process including the estimated timeframe below.
The certification audit approach is based on following criteria:
Evidence Based Findings
All audit findings will be raised based on objective evidence. The Auditor will gather sufficient evidence to support the audit finding.
Risk Based Approach
The audit plan will be determined by high risk areas and functionalities.
Sample Based Approach
The organisation’s audit scope and sites will be covered with respect to the certification procedures and IAF published guidelines for multi-site audit and sampling. Sample size will be sufficient to effectively verify the system.
Process Based Approach
The Auditor will adhere to ISO 19011 guidelines and establish an audit trail of the organisation’s processes and interactions as well as risks associated with them.
The extent of the entire certification process is generally based on six key procedures, and the level at which these procedures are implemented by the organisation:
- Proportionate Procedures: An organisation’s procedures to prevent bribery associated with it are proportionate to the bribery risks it faces and to the nature, scale and complexity of the commercial organization’s activities. They are also clear, practical, accessible, effectively implemented and enforced.
- Top Level Commitment: The degree to which top-level management of an organisation (board of directors, owners or any other equivalent body or person) is committed to preventing bribery by persons associated with it, and fosters a culture within the organisation in which bribery is never acceptable.
- Risk Assessment: How the organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is periodically reviewed, informed and documented.
- Due Diligence: How the organisation applies due diligence procedures, taking a proportionate and risk-based approach, in respect of persons who perform or will perform services for or on behalf of the organisation in order to mitigate and confront identified bribery risks.
- Communication: The degree to which the organisation seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the organisation through internal and external communication (including training).
- Monitoring and Review: How the organisation monitors and reviews procedures designed to prevent bribery by persons associated with it and makes improvements where necessary.
The certification process can take up to eight weeks to complete, dependent on the number of locations visited.
- Employs interviews, policy reviews, sampling, due diligence and testing of methods and techniques;
- Produces sufficient evidence of a sound and adequate anti-bribery management system;
- Spotlights specific areas of risk that demand attention and subsequent improvement to adhere to the standard.
While a Quality Manager isn’t mandatory, we highly suggest that a representative from the organisation who is familiar with the organisation’s risk management processes and procedures act as a primary point person alongside our auditors during the certification process. This will help the process proceed in a more efficient and timely manner.
We do not provide consulting services, as that could present a potential conflict of interest during the certification process.
Certification can only be attained through an accredited auditor who is trained to the standard and adheres to strict competency requirements for certification bodies. An Accredited Auditor:
- Is specifically certified and credentialed to lead and conduct such audits.
- Is guided by the requirements of ISO 17021-9 to conduct an ABMS assessment.
- Is highly experienced in the areas of anti-bribery and anti-corruption.
- Is knowledgeable of the industry sectors and the respective geographic regions (with a familiarity of the legal jurisdictions) served by the organisation being certified.
- Is qualified to serve as a helpful, non-confrontational advocate during the entire audit process, expertly guiding the organisation through the process.
CRI Group is accredited by EIAC (Emirates International Accreditation Center) and UKAS (United Kingdom Accreditation Service).
We welcome transfers at any time during the certification cycle.
Certification costs are calculated using several factors, including the size of the organisation, staff size and number of locations that require a visit. In planning the process, we will provide a guaranteed quote upfront.
Certification occurs in three-year cycles and we will administer an annual surveillance audit to keep the certification valid for that time period.
Our representatives will follow up periodically to keep the lines of communication open and answer any questions or concerns you may have after certification. We will also contact you in advance to coordinate follow-up visits and audits.
While certification naturally leads to increased transparency and improved corporate governance, it also has many intrinsic benefits:
- It Demonstrates Best Practice in Business
A demonstrated commitment to battling corruption can bring competitive advantages in the marketplace.
- It Helps Position the Organisation as a Premium Provider
Which could justify subsequent higher pricing on goods and services.
- It Shows Transparency in Operations
Which breeds ideas and input internally that can help the organisation improve on and enhance its systems and processes.
- It Saves the Organisation Money
As it results in a marked reduction in bribes and the logistics involved in such practices.
- It Can Save the Organisation’s Employees Time & Energy
By eliminating the need for staff to repeatedly establish proof of a qualified anti-bribery and corruption training program.
- It Protects and Preserves the Integrity of the Organisation
Which supports a growing international call to incorporate ethics as a core value when conducting business around the world.
- It Leads to Healthier Relationships with Third Parties
Ensuring that outside third parties have adopted their own qualified anti-bribery measures.
- It Can Greatly Assist in Litigation
Certification provides a verified level of proof in legal proceedings that the organisation is committed to anti-bribery practices by taking reasonable actions to prevent such corruption.)
- It Ensures Compliance
The statutory defence for corporate liability is provided under subsection 4 of Section 17A, of the Malaysian Anti-Corruption Commission Act, whereby commercial organisations need to prove that “adequate procedures” against corruption have been put in place. In December 2018, the Prime Minister of Malaysia issued the “Guidelines on Adequate Procedures” according to subsection 5 of Section 17A of the MACC (Amendment) Act 2018 (Article 4.4 PRINCIPLE IV: SYSTEMATIC REVIEW, MONITORING AND ENFORCEMENT suggest ISO 37001 external audit one of the best practice to demonstrate adequate procedures). Read Malaysia’s National Anti-Corruption Plan 2019-2023 here.