An aspect of ISO 37001 that makes it such a big topic is that it is marketed as a standard that can be audited and certified.
Since the release in October 2016 of ISO 37001 — a standard for anti-bribery management systems — the French rail transport company Alstom obtained a certification under it. In the United States, Microsoft and Wal-Mart announced that they too would seek ISO 37001 certification.
There can be several reasons for a company to seek certification, which is a public statement of quality and has an intrinsic marketing value.
Some companies may want to reestablish their reputation after a bribery scandal, others based in countries where enforcement is poor could use it to enhance the credibility of their anti-corruption efforts, especially when competing for international business.
In general, any independent review exercise, whether it leads to a certification or not, can help companies take a critical look at their program, detect potential gaps, and ultimately help strengthen their compliance program.
But is certification a good investment of time and other resources? What does certification really mean? What impact is it likely to have on the organization going forward?
Initially, certification is not a guarantee against future misconduct. Reviews of compliance programs are based on a limited sample during the period covered by the program review, meaning that a reviewer can only evaluate the strength of a company’s compliance program for the period during which it was tested.
Business is not static and a certification is not an assurance that the program will continue operating effectively even as the corporate environment changes. An ISO certification alone is not adequate to shield a company from prosecution, should a regulator come knocking.
The ISO standard specifies minimum requirements that must be fulfilled by an organization to establish and maintain an anti-bribery management system based on the risks it faces. It does not provide any guidance on how to audit against the standard.
The implementation of an anti-corruption program has to be judged on a qualitative basis and a lot depends on the judgement exercised by the certification provider. Therefore, it is important to consider the skills, experience and independence of the certification provider.
Just as you would not hire an intellectual property attorney to help you with your divorce case, a meaningful anti-corruption compliance review should be led by an individual or team of individuals with the right knowledge, skills and experience in the compliance and anti-corruption field.
While ISO contemplates using certification bodies that adhere to certain ISO standards, no U.S. provider has been accredited as a certification provider to date. It is, however, likely that many are in the process of getting accredited. It is also important to note that all Big 4 accounting firms in the U.S. have been reluctant to provide certifications of compliance programs.
The scope and breadth of reviews will depend on a company’s risk profile. This means that a company with a lower risk profile would not necessarily be subject to the same level of review as a company with a high-risk profile. However, it also means that mere document reviews and interviews are not enough to review for program effectiveness at high risk locations.
Procedures for high risk locations should include site visits, interviews, data mining, targeted testing of compliance sensitive transactions, assessment of internal controls, and analysis of interactions with business partners. Testing a sample of transactions at high risk locations is important to find out if the company is adequately documenting expenses and whether the controls are working.
Consider the following example: A company uses a consultant to interact with regulators in India, a high-risk environment. Unless a review includes some data analytics, it may not identify payments to the consultant. Unless the transactions are tested, there is no way of knowing whether there is appropriate and reliable third party documentation for the selected transactions. Without digging deeper, a review will not be able to assess whether the consultant was qualified, whether due diligence was performed, and whether the service was actually provided.
A certification exercise which rubber stamps the decisions of the company or merely assesses whether the program is designed to be in compliance with the standard, without incorporating an element of testing at high risk locations, will have limited value.
The ISO 37001 Standard: Coalition for Integrity’s Recommendations for Companies Considering Certification is here (pdf).
Shruti J. Shah, pictured above, is a contributing editor of the FCPA Blog. She’s the Vice President of Programs and Operations at Coalition for Integrity (formerly Transparency International-USA). She can be contacted here.