
Worth MacMurray: A front end ISO 37001 certification audit sure beats a back end DOJ investigation

Is my anti-corruption program effective or not effective? In the United States, companies only receive the definitive answer to that question in worst case scenarios — at the back end of a governmental program evaluation, typically while under FCPA scrutiny by the DOJ.

And because the rare published declinations and enforcement actions are often difficult to apply broadly, they typically raise as many questions as they answer.

By contrast, a certified ISO 37001 anti-bribery management system provides various front-end advantages:

  • The certification audit is undertaken voluntarily by an organization, not while “under the gun.”
  • The auditor is an independent and accredited third party, selected by the organization.
  • The scope of the audit is specified by the organization. ISO 37001’s flexibility makes it possible to start with a relatively manageable organizational subset (as Alstom did, certifying Europe) or a corporate division, and then to expand the certification scope through follow-up audits as desired.
  • The audit process is designed to provide prompt feedback: the audit team’s report, issued to the organization after completion of the Stage 1 (design) and Stage 2 (effectiveness) review activity, specifies any major and/or minor systemic nonconformities that may exist.
  • The audit report also specifies the nature and timing of the corrective action needed before the audit team makes any certification recommendation to the certifying body’s certification committee, and
  • Positive market recognition in various forms may well result from certification, finally allowing companies to derive business benefit from their past and ongoing FCPA anti-bribery program costs. Historically, this has been the case with other ISO management system standards, e.g. quality (ISO 9001), environmental (ISO 14001) and information security (ISO 27001).

To be clear, an organization’s receipt of certification to the ISO 37001 business standard does not necessarily mean that it has an “effective” anti-corruption program in the eyes of the government or otherwise meets applicable legal standards.

But the chances of meeting applicable legal standards are likely improved for those organizations that receive ISO 37001 certification because of the standard’s requirements emphasizing process and detail, and the rigorous independent and accredited third party certification audit process.

For example, don’t the following ISO 37001 anti-bribery system requirements (supplementing the compliance program guidance found in the U.S. Sentencing Guidelines, the DOJ/SEC FCPA Guidance and the DOJ Evaluation of Corporate Compliance Programs document) also help strengthen an anti-corruption compliance program?

Consider these factors:

Resources: Organizations shall determine and provide the (human, physical and financial) resources needed for the establishment, implementation, maintenance and continual improvement of the anti-bribery management system (7.1) and to support the anti-bribery compliance function (5.3.3).

For many companies, any anti-bribery-related resource analysis consists of the compliance department’s annual budget review – which, in some cases, can be a “cram down” (e.g. a CFO communication that “compliance gets 1.5% more (or worse, less) than last year — period”) rather than a serious discussion to review the facts. By contrast, ISO 37001’s focus is on the overall system — its maintenance and improvement — based on need.

Controlled entities: Organizations shall implement procedures requiring that all other organizations they control either implement the organization’s anti-bribery controls or implement their own controls, reasonable and proportionate to the bribery risk (8.5.1).

It’s not enough for the parent company alone to have appropriate controls. Query what this may mean for private equity, venture capital and other investment vehicles.

Continual improvement: Organizations shall continually improve the suitability, adequacy and effectiveness of the anti-bribery management system. This fundamental ISO principle of continual improvement appears throughout the document: in the core anti-bribery management system requirement (4.4), in management’s leadership and commitment responsibilities (5.1.2), as one of the components to be included in the anti-bribery policy (5.2 g), as part of the resource assessment (7.1) and as a stand-alone requirement (10.2), among other places. Proactive anti-bribery measures are thus emphasized and supported in numerous ways.

Measurement and monitoring: Section 9.1 exemplifies ISO 37001’s business approach to anti-bribery. As with other ISO management system standards, this monitoring, measurement, analysis and evaluation requirement includes: what needs to be measured and monitored; who is responsible; the methods involved; when the activities will occur; when the results will be analyzed and evaluated; to whom and how the results will be reported; and what documentation is to be retained. Given the current FCPA enforcement emphasis on “operationalizing compliance,” wouldn’t many (if not most) anti-corruption compliance programs benefit from this degree of management system process and detail?

*     *     *

In the FCPA world, management and boards of organizations taking constructive and good faith steps to fight bribery often ponder how the organization’s efforts will be received should it be subjected to a DOJ “back end” review. They similarly despair at the amounts spent on anti-corruption corporate compliance programs that seemingly generate little measurable business benefit besides a degree of insurance.

ISO 37001 certification changes this landscape. With its various “front end” advantages, organizational leaders now have a business tool that can increase confidence internally (for organizational leaders) and externally (to the market) that the entity is taking substantive and management system-certified steps to fight bribery.


Worth MacMurray is a Principal at Governance & Compliance Initiatives and a PECB Certified ISO 37001 Lead Implementer.



  1. ISO 37001 certification can also be used to enhance supplier/third-party management. A company should demand this kind of certification from its supply chain. If this action were taken by big organizations, we would have the integrity culture spread through the country.

  2. I have to confess to being somewhat taken aback by the following paragraph in this article.

    "To be clear, an organization’s receipt of certification to the ISO 37001 business standard does not necessarily mean that they have an “effective” anti-corruption program in the eyes of the government or otherwise meet applicable legal standards."

    If you implement an Anti-Bribery Management System (ABMS) in accordance with ISO 37001, that means all of the standard, including Section 4.1, Item (h) and Section 5.2, Item (b), which require you to determine all applicable (legal) requirements and comply with them, and that would include any guidance or code of practice etc. So, for example, if you are subject to the FCPA, that would include the 'Guidance' and 'Evaluation of Corporate Compliance' mentioned in the article.

    Furthermore a certification audit against ISO 37001 must be done in compliance with ISO 17021-1 and ISO 17021-9.

    The whole point of a certification to ISO 37001 should be to give a reasonable assurance of compliance with the law, similar to a certification to ISO 14001 or OHSAS 18001.

  3. I agree with the remarks made by Anthony Mason. While this is an overall very well written article, the comments relating to 37001 certification not equating to an effective anti-bribery program are at odds with the rationale for producing the standard in the first instance.

    As a member of the committee responsible for ISO 37001 it is my belief that the author may have misinterpreted the view that ISO 37001 certification isn't a guarantee that bribery will not occur.

    Certification, when undertaken by an experienced certifier, will attest that the firm has a robust anti-bribery program that meets the requirements of ISO 37001. As such, the risk of bribery occurring is greatly reduced. Should an incident occur, however, then the chances are this will be a one-off occurrence and not a systemic problem.

    Additionally, the organisation will have an "audit trail", as such, to show to regulatory agencies, demonstrating the efforts it has undertaken to minimise the risk of bribery occurring, which should reduce any subsequent regulatory penalties that may be imposed.