Auditing Anti-Bribery
•
2 likes•1,476 views
This presentation has been delivered by Jean-Pierre Méant at the PECB Insights Conference 2018 in Paris.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Auditing Anti-Bribery
Similar to Auditing Anti-Bribery (20)
More from PECB
More from PECB (20)
Recently uploaded
Recently uploaded (20)
Auditing Anti-Bribery
- 2. 2 What is ISO? International Organisation for Standardisation Private association under Swiss law 161 members – National Standardisation Bodies
- 3. 3
- 4. 4 The different Types of Standards Over 20’000 standards Management system standards Guidance and requirements standards
- 5. 5 The Auditing of Standards The various kinds of audits First party audits Second party audits Third party audits
- 6. 6 ISO Auditing Framework ISO/IEC 17011 : Requirements for accreditation bodies ISO 19011 : Guidelines for auditing management systems 17021-1 : Requirements for audit and certification of management systems 17021-9 : Requirements for auditing and certification of anti-bribery management systems
- 7. 7 Accreditation bodies Accredit certification bodies Grouped in International Accreditation Forum: IAF COFRAC, DAkkS, UKAS, Accredia, ANAB, ANSI, IAS… Conduct regular assessments of conformity assessment bodies Accreditation ensures level certification playing field Not all accreditation bodies accredit for ISO 37001
- 8. 8 Guidelines for auditing management systems
- 9. 9 Requirements for audit and certification of management systems (1) Legal entity or governmental body Confidentiality
- 10. 10 Requirements for audit and certification of management systems (2) Impartiality No consultancy by certification body or controlled entities No outsourcing to consultancy organization Minimum two year cooling off period for audits following: internal audits consultancy by related entities consultancy by individual auditors
- 11. 11 Requirements for auditing anti-bribery management systems (3) Specific additional auditors’ competencies for anti-bribery - Knowledge of : Bribery concepts bribery risk, scenarios, indicators, controls Context of the organization Laws, regulations Bribery risk assessment and due diligence Bribery risk Anti-bribery controls Anti-bribery management systems
- 12. 12 Pre-certification activities Scope of certification Audit time • Considering size and location, complexity, maturity of system… • Possibility : Adapt QMS table in IAF MD 5:2015 by considering only exposed personnel + square root of other personnel Multi-site sampling Areas for improvement Select audit team Dates and sites Persons to be interviewed
- 13. 13 Audit - Stage 1 Off-site, partly on-site Review documented information Obtain information on sites, processes, equipment, controls, statutory requirements Allocation of resources Establish readiness for stage 2
- 14. 14 Audit - Stage 2 On-site Opening meeting With management + functions/processes to be audited Conducted by audit team leader Explanation of audit Introduction of participants Presentation of auditee Confirmation of logistics and audit details
- 15. 15 Audit - Stage 2 On-site Logistics Office space and assistance Interviews should be conducted without management presence, exceptionally in office of interviewee Auditors should pay for their own meals (possible exception for meal in auditee’s cafeteria) Notes should be made of interviews Copies/screenshots should be provided of documents consulted
- 16. 16 Audit - Stage 2 On-site Interviews Chair of Board and/or Audit or Ethics Committee Chief Executive Officer Other members of top management : e.g. Finance, Marketing Functions : HR, Communication, Internal Audit, Legal, Compliance, Anti-bribery, Public Relations, Procurement, Security Selected personnel
- 17. 17 Audit - Stage 2 On-site Documentation (as relevant to anti-bribery): Policies, procedures, contractual documentation Internal and external communication media Minutes of Board and Top Management meetings Annual Report, Corporate Responsibility Report Internal audit reports Investigation reports
- 18. 18 Audit - Stage 2 On-site Processes and activities Internet and intranet Selected due diligence file Management of business associates Risk assessment Training sessions, content and attendance Management of reporting system Implementation of gifts and hospitality policy Sponsoring
- 19. 19 Audit - Stage 2 On-site Closing meeting With management + functions and processes audited Conducted by audit team leader Presentations of non-conformities Decision on certification recommendation Agreement on timeframe for responding Recording of diverging opinions if any
- 20. 20 Non-conformities Non-fulfilment of a requirement Minor non-conformity Not an obstacle to certification proposal for corrective action within 3 months Major non-conformity Obstacle to certification or reason to withdraw certificate If not corrected within 6 months from end of stage 2, new audit
- 21. 21 Audit - Report Covers details of audit including: Identification of audit team Dates and places of activities Audit findings, evidence and conclusions Unresolved issues Recommendation Statement of conformity of system to meet requirements
- 22. 22 Post-audit activities Submission of proposal for correction of non- conformities by auditee Review effectiveness of corrections by auditors Documentary review or verification on-site Certification decision
- 23. 23 Audit cycle Initial audit Year 1 : surveillance audit Year 2 : surveillance audit Year 3 : re-certification
Editor's Notes
- On the map, the 119 full members appear in dark blue, the 39 corresponding members (with observer status) in light brown and the three subscriber (Belize, Antigua and Saint Vincent and the Grenadines) in dark brown.
- - Examples of standards : 9001 (quality systems), 19600 (compliance), 26000 (social responsibility), 31000 (risk management), 3166 (country codes), 4217 (currency codes), 37001 (anti-bribery management systems) A management system is the way in which an organization manages the inter-related parts of its business in order to achieve its objectives. These objectives can relate to a number of different topics, including product or service quality, operational efficiency, environmental performance, health and safety in the workplace and many more. Management system standards specify repeatable steps that organizations implement to achieve their goals and objectives, and to create an organizational culture that engages in a continuous cycle of self-evaluation, correction and improvement of operations and processes. ISO management system standards have a common body of terms and definitions and follow the same structure (so-called high level structure). Guidance standards provide guidance that organizations implement at their discretion while the requirements of requirements standards must be implemented in order to conform to the standard. ISO 37001 is a requirements standard. Only requirements standards can be certified under the ISO regulation framework.
- First party audits are internal audits or self-assessments of a management system by an organization in order to identify the weaknesses of a system and the corrections that are needed in a spirit of continuous improvement. The audit may be conducted by a party mandated by the organization but the audit report shall remain within the organization. Second party audits are audits conducted e.g. by a client with its suppliers or by a professional association with its members in order to determine whether they are implementing measures required from them, e.g. a suppliers’ charter or a professional association’s code of conduct. The auditor can be a representative of the client or of the professional association or an auditor mandated by them. The audit report will be remitted to the party that has mandated the audit who will decide how to communicate the results to the auditee. Third party audits are audits conducted by an independent third party. Only these audits qualify for certification.
- ISO does not carry out certifications nor does it accredit certification bodies but it has issued a number of Standards or Specifications for the certification process. They are: ISO/IEC 17011 : Conformity assessment — Requirements for accreditation bodies accrediting conformity assessment bodies ISO 19011 : Guidelines for auditing management systems (ISO 19011:2011) ISO/IEC 17021Conformity assessment — Requirements for bodies providing audit and certification of management systems Part 1: Requirements (ISO/IEC 17021-1) Part 9:Competence requirements for auditing and certification of anti-bribery management systems
- IAF MD 1:2018 IAF Mandatory Document for the Audit and Certification of a Management System Operated by a Multi-Site Organization (Issue 2, issued on 29 January 2018; application from 29 January 2018) This document is for the audit and, if appropriate, the certification of management systems of organizations with a number of sites with a single management system. IAF MD 2:2017 IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems (Issue 2, issued on 15 June 2017; application from 15 June 2018) This document provides normative criteria on the transfer of accredited management system certification between certification bodies. The criteria may also be applicable in the case of acquisitions of certification bodies accredited by an IAF or Regional MLA signatory.
- ISO/IEC 17021-1 5.1.1 Legal responsibility The certification body shall be a legal entity, or a defined part of a legal entity that can be held legally responsible for all its certification activities. A governmental certification body is deemed to be a legal entity on the basis of its governmental status. 4.6 Confidentiality To gain the privileged access to information that is needed for the certification body to assess conformity to requirements for certification adequately, it is essential that a certification body does not disclose any confidential information. 8.4.1 The certification body shall be responsible, through legally enforceable agreements, for the management of all information obtained or created during the performance of certification activities at all levels of its structure, including committees and external bodies or individuals acting on its behalf.
- ISO/IEC 17021-1 5.2.5 The certification body and any part of the same legal entity and any entity under the organizational control of the certification body [see 9.5.1.2, bullet b)] shall not offer or provide management system consultancy. This also applies to that part of government identified as the certification body. 5.2.6 …the certification body … shall not offer or provide internal audits to its certified clients. A recognized mitigation of this threat is that the certification body shall not certify …for a minimum of two years following the completion of the internal audits. 5.2.7 Where a client has received management systems consultancy from a body that has a relationship with a certification body, A recognized mitigation … is …not (to) certify the management system for a minimum of two years following the end of the consultancy. 5.2.8 The certification body shall not outsource audits to a management system consultancy organization,…This does not apply to individuals contracted as auditors but they may not be involved in an audit where they have provided consultancy services (5.2.10) for a minimum of two years following the end of the consultancy.
- Bribery concepts: direct and indirect payments, facilitation payments, non-financial benefits or advantages, conflicts of interests Bribery risk: risk of bribery associated with third parties, such as public officials, agents, consultants, subcontractors, family or relations Bribery scenarios: personnel, recruiting, hiring and remuneration; commercial activities; travel, gifts, and hospitality; donations and sponsorship; procurement and contracting; sales and marketing; manufacturing and supply chain; outsourced processes; merging and acquisitions. Indicators: red flags, e.g. ICC, OECD, World Bank Anti-bribery management system: the audit team shall have knowledge and skills in designing or implementing an ABMS or a similar compliance management or internal control system
- Auditee total personnel 110, exposed 10 10 + square root of 100 = 20 According to QMS table in IAF MD 5:2015, this calls for 3 man/days (rather than 8 for 110 personnel), 1 off-site and 2 on-site Adapt upward for complex or multi-site operations
- Documented information : management system documents and records, as well as previous audit reports. Policies, procedures, etc.