On January 25, 2017, Eni Corporation announced its ISO 37001 certification. The press release stated that “certification confirms the quality of the system of rules and controls aimed at preventing corruption, developed by Eni since 2009 in line with the principle of ‘zero tolerance’ expressed in its Code of Ethics.”
Two weeks later the company’s CEO and his predecessor were charged with international corruption by Italian prosecutors following an investigation into the company’s 2011 purchase of a Nigerian exploration license.
On November 7, 2017, the Professional Evaluation and Certification Board (PECB North America) announced that it was officially the first management system certification body in the North America region accredited against ISO 37001. As part of the accreditation process, PECB certified Legg Mason, the first company to receive an accredited ISO 37001 certification. In June 2018 Legg Mason entered into a non-prosecution agreement with the DOJ to resolve FCPA violations involving bribes to Libyan government officials or their family members.
Although these violations occurred years before the companies went through ISO 37001 certification, such cases nonetheless cast serious doubt on whether ISO certification can be regarded as evidence of an effective anti-bribery program. What might the shortcomings of the certification be? My research leads me to the conclusion that the problem may lie in the accreditation process.
First, it is important to understand that ISO does not conduct any certification itself. Certification is done by a certification body. An organization is free to invite an independent certification body to verify that it conforms to the standard. A certification body may seek accreditation, but this is not mandatory, only recommended. Accreditation is granted by the national accreditation bodies of the countries that are members of ISO. National accreditation bodies are standalone organizations based in their home countries. The International Accreditation Forum (IAF) is the organization that promotes universal processes and practices for the accreditation of certifying bodies by national accreditation bodies. To become an IAF Accreditation Body Member, a national accreditation body has to go through certification of the accreditation/conformity assessment procedures it uses to grant accreditation to certifying bodies. However, some national accreditation bodies are not members of the IAF, which does not prevent them from granting accreditations to certifying bodies, which then issue ISO certificates.
The national accreditation body evaluates certifying bodies seeking accreditation and decides whether they follow the auditing criteria set out in the so-called ISO/CASCO standards developed by the ISO Committee on Conformity Assessment. Since ISO 37001 belongs to the family of management system certification standards, the corresponding CASCO standard is ISO/IEC TS 17021:2015 “Conformity assessment — Requirements for bodies providing audit and certification of management systems,” issued by ISO together with the International Electrotechnical Commission. Because of the specific nature of anti-bribery management systems, additional competence requirements have been issued for auditing and certifying them (Technical Specification ISO/IEC TS 17021-9).
Some ISO advocates claim that accreditation is a rigorous process, but this may be true only for certifying bodies that have not previously been accredited to audit and certify management systems.
If a certifying body has already received accreditation under ISO/IEC TS 17021:2015 to issue certifications against management system standards such as ISO 9001 (quality management), ISO 14000 (environmental management) or ISO 50001 (energy management), it is eligible for a simplified accreditation procedure, the “extension of accreditation.” A one-day documentation review and a one-time witnessed assessment at the auditee’s premises are generally enough. The documentation may include a checklist or guideline prepared by the certifying body for the audit team, a procedure for setting up and managing audit teams, and the auditors’ CVs together with competence criteria justifying their qualifications.
In terms of the latter, a certifying body seeking extension would need to satisfy the requirements set out in Technical Specification ISO/IEC TS 17021-9, referred to earlier. The Italian accreditation body ACCREDIA, for example, considers the competence requirements fulfilled when the audit team contains one or more auditors who, collectively, meet the following requirements:
“a) Considerable experience, competence and seniority in anti-bribery, legal compliance management, or corporate crime matters;
b) Thorough and documented knowledge of the normative documents (legal, regulatory and regarding good practices);
c) Training: course of 16 hours on ISO 37001.”
As of today, most accredited certifying bodies received their accreditation through this extension. Given the apparent formality of the process, it is the audit team that matters. All the prior layers of accreditation and certification do not seem to add much value, nor do they guarantee meaningful external assurance. Therefore, if you wish to go through certification, make sure to choose your auditors well. Otherwise, a certification audit may turn into a rubber-stamping exercise.
Vera Cherepanova, FCCA, CIA, MSc, has more than 10 years’ experience as a compliance officer. She is the founder of Studio Etica, a boutique consultancy that provides advice on corporate ethics and compliance programs to companies around the world. She speaks English, French, Italian, and Russian.