Diana Trevley: Five tips for surviving an ISO 37001 Anti-Bribery Certification audit

Last week CPA Global, an IP technology leader, became one of the first companies to obtain ISO 37001-Anti-Bribery Management Systems certification.

CPA Global achieved this recognition following a multi-country, multi-day audit by independent auditors with in-depth anti-bribery expertise.

With Microsoft and Wal-Mart having recently announced their plans to seek ISO 37001 certification, many other organizations are following suit. 

Through my role in the process with Spark Compliance Consulting acting on behalf of CPA Global, I distilled our top five tips for surviving and succeeding in the ISO 37001 certification process.

Here they are:

1. Mind the gap.

Too many compliance officers quickly skim the major categories of ISO 37001 and assume that they don’t need to prepare because their programs address these categories generally. But every requirement of ISO 37001 must be met to achieve certification and even the best program will have a few loose ends to wrap up before the audit. First things first — get a readiness assessment so you know where you are and what more you may need to do.

2. This isn’t just a compliance exercise.

Achieving ISO 37001 certification is a company-wide endeavor. The auditor’s job is to see how anti-bribery processes and controls are embedded throughout the organization, which means interviewing members of management, compliance, legal, sales, finance, procurement, internal audit, human resources, communications — the list goes on. So be sure to engage other departments and functions when preparing for certification.

3. It’s not a deposition…But sometimes it feels like one.

You can expect your ISO 37001 auditor to be polite, but don’t expect him or her to go easy on the interviewees. Anyone claiming the ISO 37001 audit process simply reviews a paper program has never sat through an ISO 37001 interview. Interviewees are asked in-depth questions about processes and procedures and then asked to show the auditor — right then and there — proof that they exist and are being followed. Make sure the interviewees know what to expect and are thoroughly prepared so that they ace their interviews.

4. Failure is not fatal.

If you partially fail to meet a requirement during the audit, certification bodies will hold the audit process open for a short period of time while you plan to correct the non-conformity. So don’t panic if something unexpected turns up in the audit — you still have a chance to achieve certification provided you promptly follow up with corrective action.

5.  Nobody’s perfect. But you can keep trying.

ISO 37001 doesn’t require perfection, but it does require continuous improvement, which the auditor will be looking for at the annual surveillance audits. Use the initial certification audit as a learning experience as to how you can make your program even more efficient and effective in the coming years.

_____

Diana Trevley is the West Coast Director of Spark Compliance Consulting. She served as lead consultant for CPA Global’s ISO 37001 certification audit. She can be contacted here.