Numerous prior posts have highlighted various aspects of ISO 37001 (see here, here, here, here, here, and here). I’ve generally been critical of much ISO 37001 commentary given that it seems like the only ones championing ISO 37001 are those providing ISO 37001 certifications.
Beyond my general observations, I admit that much about ISO certifications (and the broader ISO world and its numerous acronyms) is confusing to me and perhaps to you as well.
Thus, when I saw recent social media activity by Peter Osmanski (Director at the Claro Group) about the subject, I invited him to publish this guest post in the hopes that it would educate others.
As the debate continues over the value of ISO 37001 Anti-Bribery Management Systems certification, companies will need to evaluate the arguments and determine their own return on investment for such a certification. A critical factor to consider is the qualifications of the ISO auditors. It is unlikely that the many qualified consultants and lawyers practicing in the anti-bribery space will be the ones performing ISO 37001 certifications because, as discussed below, their firms are prohibited from providing both management consulting and accredited ISO certification services.
There are two important considerations for any company contemplating ISO 37001 certification:
- Type of firm that can provide ISO certification.
- Relevant experience of ISO 37001 auditors.
Type of Firm That Can Provide ISO Certification
ISO governance and terminology can be a bit overwhelming and foreign to those of us not well versed in ISO standards. Anyone seriously contemplating ISO 37001 certification would be well advised to become more familiar with the governance surrounding ISO certification bodies. The ISO Committee on Conformity Assessment (CASCO) and the International Accreditation Forum (IAF) are good starting points. Note that each country has its own accreditation body or bodies; the IAF publishes the current list of accreditation bodies by country. In the U.S. there are two accreditation bodies that provide accreditation for management-systems-related ISO standards: the ANSI-ASQ National Accreditation Board (ANAB) and the International Accreditation Service (IAS).
Currently there are no U.S.-based certification bodies accredited to certify compliance with ISO 37001. ANAB’s website provides a list of accredited certification bodies by ISO standard, and IAS’ website contains a similar search function. ANAB, as part of its accreditation process, publishes the list of companies going through the accreditation process, and no U.S.-based companies are identified for ISO 37001. Therefore, in the U.S. your only option is to look to international providers through the IAF’s list of accreditation bodies.
Perhaps lack of demand is a factor. However, a more significant factor is the restrictions on which firms can become accredited to certify ISO compliance. Again, if this standard is of interest to your company, you are well advised to invest the time to understand how firms become accredited certification bodies, because that understanding will help you identify red flags in your search for providers (e.g., non-accredited certifications, consulting advice or guarantees that certification will be obtained, collaboration between a consultant and a certification body, etc.).
In short, ISO 37001 is defined as a “management system,” and in order to audit a management system a firm first needs to be accredited to audit management systems pursuant to the requirements in ISO/IEC 17021-1:2015, Conformity assessment – Requirements for bodies providing audit and certification of management systems (ANAB publishes a publicly available summary of the requirements). It is 17021-1:2015 that contains the rules on impartiality that restrict the services a certification body can perform. Note that ISO/IEC 17021-1:2015 is copyrighted and therefore a link to the source document cannot be provided; section 5.2 of the standard defines and discusses impartiality. Simply stated, a firm that wishes to provide ISO certification services is required to give up any work defined as “management consultancy” by ISO/IEC 17021-1:2015. Essentially, any type of service that provides a client with advice is considered a management consultancy service, which therefore includes the services consulting and law firms provide in the anti-bribery space.
Relevant Experience of ISO Auditors
These restrictions on firms are important to consider when evaluating who is qualified to perform an ISO 37001 certification. Be cautious of firms providing ISO certification that are not identified on the accreditation bodies’ websites. Accreditation is not legally required, so presumably anyone can offer an “ISO certification,” but understand the limitations of that investment.
As previously noted, there are many experienced and qualified consultants and lawyers who can help your company meet the expectations set forth in various anti-bribery regulatory requirements and guidance (e.g., the Federal Sentencing Guidelines Manual, the DOJ/SEC “A Resource Guide to the U.S. Foreign Corrupt Practices Act,” the OECD Good Practice Guidance, etc.). Just understand that those experienced professionals are not likely to be the ones you will be hiring to perform your ISO 37001 audit, unless they are willing to give up their practices to become ISO 37001 auditors.
Furthermore, understand that ISO 37001 contains many evaluations requiring a subjective determination of criteria such as “reasonable,” “adequate,” “appropriate,” or “proportionate” with respect to various compliance elements, including but not limited to the overall program design, risk assessments, training, monitoring, and due diligence. Absent years of substantive field experience as an investigator, legal, or compliance professional, the ISO auditor’s conclusions with respect to these subjective evaluations may lack merit.
Section 3 of the DOJ’s “Evaluation of Corporate Compliance Programs” contains the following consideration: “Have the compliance and control personnel had the appropriate experience and qualifications for their roles and responsibilities?” Certainly the ISO auditor who is evaluating your compliance program should be held to that same standard.
Hold ISO auditors to the same scrutiny and standards you would any other advisors retained to assist with your anti-bribery and corruption efforts.
- Obtain evidence the certification body is accredited by an IAF Accreditation Body.
- If the certification body is not accredited, obtain an understanding of the limitations surrounding its certification (e.g., lack of global acceptance).
- Request the certification body’s anti-bribery and corruption experience and credentials.
- Request resumes for the lead and staff auditors.
- Require a detailed scope of the audit, with the justification and rationale for that scope.
Whether or not the demand for ISO 37001 certification increases remains to be seen. Perhaps the proponents of the standard could better articulate more substantive benefits to companies. The fact that there are no U.S. companies accredited to provide ISO 37001 certifications is rather convincing evidence of a lack of demand in the U.S. Only an increase in demand is likely to result in firms with qualified resources giving up their consulting or law practices to seek accreditation to perform ISO 37001 certification audits. As companies evaluate the return on investment related to ISO 37001, the competence of the auditors is certainly a critical factor to evaluate, especially if the certification will be used to justify a modification of other compliance efforts.