


ISO 37001: Not all certifications are created equal

On January 25, 2017, Eni Corporation announced its ISO 37001 certification. The press release stated that “certification confirms the quality of the system of rules and controls aimed at preventing corruption, developed by Eni since 2009 in line with the principle of ‘zero tolerance’ expressed in its Code of Ethics.”

Two weeks later the company’s CEO and his predecessor were charged with international corruption by Italian prosecutors following an investigation into the company’s 2011 purchase of a Nigerian exploration license.

On November 7, 2017 the Professional Evaluation and Certification Board (PECB North America), announced that it was officially the first management system certification body in the North America region accredited against the ISO 37001. As part of the accreditation process, PECB certified Legg Mason, the first company to receive the accredited ISO 37001 certification. In June 2018 Legg Mason entered into a non-prosecution agreement with the DOJ to resolve FCPA violations involving bribes to Libyan government officials or their family members.

Although these violations occurred years before the companies went through ISO 37001 certification, such cases nonetheless cast serious doubt on whether ISO certification can be regarded as evidence of an effective anti-bribery program. What could be the shortcomings of the certification? My research leads me to the conclusion that the problem may lie in the accreditation process.

First, it is important to understand that ISO does not conduct any certification itself. Certification is done by a certification body. An organization is free to invite an independent certification body to verify that it is in conformity with the standard. A certification body may seek accreditation, but this is not mandatory, only recommended. Accreditation is granted by the national accreditation bodies within the countries that are members of ISO. National accreditation bodies are standalone organizations based in their home countries. The International Accreditation Forum (IAF) is the organization that promotes universal processes and practices for the accreditation of certifying bodies by national accreditation bodies. To become an IAF Accreditation Body Member, a national accreditation body has to go through certification of the accreditation/conformity assessment procedures it uses to grant accreditation to certifying bodies. However, some national accreditation bodies are not members of the IAF, which does not prevent them from granting accreditations to certifying bodies, which then issue ISO certificates.

The national accreditation body evaluates certifying bodies seeking accreditation and decides whether they follow the auditing criteria set out in the so-called ISO/CASCO standards developed by the ISO Committee on conformity assessment. Because ISO 37001 belongs to the family of management systems certification standards, the corresponding CASCO standard is ISO/IEC TS 17021:2015 “Conformity assessment — Requirements for bodies providing audit and certification of management systems,” issued by ISO together with the International Electrotechnical Commission. Because of the specificity of anti-bribery management systems, additional competence requirements have been issued for the auditing and certification of anti-bribery management systems (Technical Specification ISO/IEC TS 17021-9).

Some ISO advocates claim that accreditation is a rigorous process, but this may be true only for certifying bodies that have not previously been accredited to audit and certify management systems.

If a certifying body has already received accreditation under ISO/IEC TS 17021:2015 to issue certification against management systems standards such as ISO 9001 Quality Management, ISO 14000 Environmental Management or ISO 50001 Energy Management, it is eligible for a simplified accreditation procedure, the “extension of accreditation.” A one-day documentation review and a one-time witness assessment at the auditee’s premises is generally enough. The documentation may include a checklist or guideline prepared by the certifying body for the audit team, a procedure for setting up and managing audit teams, and CVs of the auditors together with the competence criteria that justify their qualifications.

In terms of the latter, the certifying body seeking extension would need to satisfy the requirements set in Technical specification ISO/IEC TS 17021-9 referred to earlier. The Italian Accreditation Body “ACCREDIA,” for example, considers the competence requirements fulfilled when the audit team contains one, or more than one, auditor(s) who, collectively, fulfill the following requirements:

“a) Considerable experience, competence and seniority in anti-bribery, legal compliance management, or corporate crime matters;

b) Thorough and documented knowledge of the normative documents (legal, regulatory and regarding good practices);

c) Training: course of 16 hours on ISO 37001.”

As of today, most accredited certifying bodies received their accreditation through the extension. Given the apparent formality of this process, it is the audit team that matters. All those prior layers of accreditations and certifications do not seem to add much value, nor do they guarantee meaningful external assurance. Therefore, if you wish to go through certification, choose your auditors carefully. Otherwise, a certification audit may turn into a rubber-stamping exercise.


Vera Cherepanova, FCCA, CIA, MSc, has more than 10 years’ experience as a compliance officer. She’s the founder of Studio Etica, a boutique consultancy that provides advice on corporate ethics and compliance programs to companies around the world. She speaks English, French, Italian, and Russian.




  1. It is also important, as part of the certification process, that the certifying body and its auditors perform their own due diligence on the organization that will undergo the certification process, and that the audit is prepared based on analysis of the information obtained by the Certification Body on the risk profile of the organization, including prior knowledge of the bribery schemes inherent to the organization's operations and sector. The audit trail should cover end-to-end processes, evaluating risky payments and payments to partners that pose greater risks, addressing in their track compliance with all requirements of the Standard. This is not a financial audit, but it must be part of the evidence of compliance with the requirements of the standard. IAF should ensure harmonized interpretations to ensure the best conduct of the audit possible, reducing gaps between the performance of one certifying body and another, accredited or otherwise, and maintaining the credibility of the certification processes.

  2. This article makes good points about the need for competence in ISO37001 auditing by properly accredited CBs and also competence in due diligence, when CBs engage a potential client.

    It is important for the integrity and reputation of CBs to be able to distinguish between organisations that are seeking certificates to hide in plain sight and try to provide a first level of defence, with those that are making genuine change to their corporate governance through establishing and maintaining an independently audited management system to restore their reputation, stakeholder value and possibly demonstrate 'sack cloth and ashes'. This requires a level of competence from auditors and pre-sales staff that should not be underestimated.

    David Hitchen: (ISO TC/278: IIOC representative throughout the development of ISO37001)

  3. Vera, very good article. Thank you – you explained the structure from ISO all the way down to a certified company really well.

    I wanted to comment that, beyond selecting the right auditors (as you stated, which is very important), understanding the certification body approach to certification is also a key step. We are seeing major discrepancies as far as how audit time is calculated. You can have the best auditors in the world, but if they don't have enough time to perform a thorough audit, the outcome won't be a high quality assessment of a company's Anti Bribery Management System (ABMS).

    Our organization takes a risk based approach to determining audit time. We look at factors such as the sectoral risks, transactional risks (complexity – consortia vs single deals, use of agents, etc) and country risks (using the CPI as the benchmark). There's an entire process to understand the client's operations and ABMS risks at the point of designing a certification solution and quoting. More or less in line with what Rosemary explained.

    I truly hope that all certification bodies have robust approaches – otherwise, it may compromise the effectiveness of the process, and the perception of the value of ISO 37001 certification.

  4. Certification is not the cure for sickness or bad culture. Certification is part of the overall compliance process. The organization's own practice and monitoring are more crucial to detecting bribery. Take ISO 9001 as an example. There has been a long-standing misconception that ISO 9001 is a product guarantee. Product guarantee depends on the organization's own outgoing inspection. The certification body (CB) does not inspect the product, but audits the organization's compliance with the management system within a 3-year certification cycle (number of visit days determined by IATF; depending on the number of people under the scope, more days in the 1st year, fewer on annual surveillance, which can take only 1-2 days minimum/year).

    Third-party certification uses a sampling approach which cannot result in absolute assurance. Certification is conducted based on the ISO 37001 standard, not as an interrogation into bribery issues.

    What should be improved in the certification process is the categorization of major and minor NCRs. All NCRs should be regarded as major ones that require immediate correction. The 90-day deadline for corrective action (prevention) should be shortened. Also, the criteria for determining audit days by IATF should be improved (mainly concerning the type of industrial sector and the number of people under the scope).

    For certification, the organization can be selective about the scope. The whole organization doesn't have to be certified, but part of the organization, functions, etc. For example, one international company may apply for certification of their procurement function in the head office only. In its PR, the organization doesn't present the scope of certification specifically.

    It is possible that the national accreditation bodies themselves do not have knowledge and experience in corruption and bribery. What they focus on when providing accreditation is technical areas of industrial sectors, which is more applicable to ISO 9001 and mostly involves manufacturing/service operations. There are many ISO standards for certification that deal with specific issues/concerns. The national accreditation bodies may fail to keep pace and understand the objective of each standard, and continue using the same standardized approach for accreditation.

    To be fair to the certification bodies (accredited and non-accredited), entering into a contract with the wrong organization is a high liability and risk for them. Most organizations who want to enter into certification are high bribery risks. Some have to go through certification as one of the measures to demonstrate compliance to the regulatory body.

    Bribery is concealed; the auditor will try to use the limited number of man-days to ensure there is a system in place to prevent and detect bribery within the pre-determined scope of certification. They are not forensic experts, and there is insufficient resource for them to conduct an in-depth investigation.

    We cannot regard management system certification as similar to legal enforcement. Legal enforcement also has its limitations. Otherwise, self-disclosure wouldn't be offered to organizations.

  5. Dear Vera,

    very good description of the certifying body processes around ISO standards. A few observations, if I may. Past wrongdoing is not something that factors in how the validity of the certification that is aimed at should be judged. The certification should be judged on the expertise of the team, the reputation of the certifying body, and the area(s) of the organisation that are included in the certification. As for the technical standards, ISO 37001 follows in its structure other management systems. As such, it is reasonable to build on existing accreditations for management system standards as far as common elements are concerned. The important aspect is the factual knowledge of the audit team with regards to the subject matter of the standard. In short, the certification body needs qualified and experienced anti-corruption experts. The level of subject matter expertise applied during the audit is the key factor. Subject matter expertise is also the foundation of the reputation of the certification body. As with all certifications, personal or organisational, one can choose between the softer approach and substantial avenues. This is the choice to make, this will also signal the ambition and to some extent the seriousness of the organisation.
