Slide 2
What is ISO?
International Organisation for Standardisation
Private association under Swiss law
161 members – National Standardisation Bodies
Slide 4
The different Types of Standards
Over 20’000 standards
Management system standards
Guidance and requirements standards
Slide 5
The Auditing of Standards
The various kinds of audits
First party audits
Second party audits
Third party audits
Slide 6
ISO Auditing Framework
ISO/IEC 17011 : Requirements for accreditation bodies
ISO 19011 : Guidelines for auditing management systems
ISO/IEC 17021-1 : Requirements for audit and certification of management systems
ISO/IEC 17021-9 : Requirements for auditing and certification of anti-bribery management systems
Slide 7
Accreditation bodies
Accredit certification bodies
Grouped in International Accreditation Forum: IAF
COFRAC, DAkkS, UKAS, Accredia, ANAB, ANSI, IAS…
Conduct regular assessments of conformity assessment bodies
Accreditation ensures a level playing field for certification
Not all accreditation bodies accredit for ISO 37001
Slide 9
Requirements for audit and certification of management systems (1)
Legal entity or governmental body
Confidentiality
Slide 10
Requirements for audit and certification of management systems (2)
Impartiality
No consultancy by certification body or controlled entities
No outsourcing to consultancy organization
Minimum two-year cooling-off period for audits following:
internal audits
consultancy by related entities
consultancy by individual auditors
Slide 11
Requirements for auditing anti-bribery management systems (3)
Specific additional auditor competencies for anti-bribery. Knowledge of:
Bribery concepts
bribery risk, scenarios, indicators, controls
Context of the organization
Laws, regulations
Bribery risk assessment and due diligence
Bribery risk
Anti-bribery controls
Anti-bribery management systems
Slide 12
Pre-certification activities
Scope of certification
Audit time
• Considering size and location, complexity, maturity of system…
• Possibility : Adapt QMS table in IAF MD 5:2015 by considering only exposed personnel + square root of other personnel
Multi-site sampling
Areas for improvement
Select audit team
Dates and sites
Persons to be interviewed
Slide 13
Audit - Stage 1
Off-site, partly on-site
Review documented information
Obtain information on sites, processes, equipment, controls, statutory requirements
Allocation of resources
Establish readiness for stage 2
Slide 14
Audit - Stage 2
On-site
Opening meeting
With management + functions/processes to be audited
Conducted by audit team leader
Explanation of audit
Introduction of participants
Presentation of auditee
Confirmation of logistics and audit details
Slide 15
Audit - Stage 2
On-site
Logistics
Office space and assistance
Interviews should be conducted without management presence, exceptionally in the office of the interviewee
Auditors should pay for their own meals (possible exception for a meal in the auditee’s cafeteria)
Notes should be made of interviews
Copies/screenshots should be provided of documents consulted
Slide 16
Audit - Stage 2
On-site
Interviews
Chair of Board and/or Audit or Ethics Committee
Chief Executive Officer
Other members of top management : e.g. Finance, Marketing
Functions : HR, Communication, Internal Audit, Legal, Compliance, Anti-bribery, Public Relations, Procurement, Security
Selected personnel
Slide 17
Audit - Stage 2
On-site
Documentation (as relevant to anti-bribery):
Policies, procedures, contractual documentation
Internal and external communication media
Minutes of Board and Top Management meetings
Annual Report, Corporate Responsibility Report
Internal audit reports
Investigation reports
Slide 18
Audit - Stage 2
On-site
Processes and activities
Internet and intranet
Selected due diligence file
Management of business associates
Risk assessment
Training sessions, content and attendance
Management of reporting system
Implementation of gifts and hospitality policy
Sponsoring
Slide 19
Audit - Stage 2
On-site
Closing meeting
With management + functions and processes audited
Conducted by audit team leader
Presentations of non-conformities
Decision on certification recommendation
Agreement on timeframe for responding
Recording of diverging opinions if any
Slide 20
Non-conformities
Non-fulfilment of a requirement
Minor non-conformity
Not an obstacle to certification
Proposal for corrective action within 3 months
Major non-conformity
Obstacle to certification or reason to withdraw certificate
If not corrected within 6 months from end of stage 2, new audit
Slide 21
Audit - Report
Covers details of audit including:
Identification of audit team
Dates and places of activities
Audit findings, evidence and conclusions
Unresolved issues
Recommendation
Statement of conformity of system to meet requirements
Slide 22
Post-audit activities
Submission of proposal for correction of non-conformities by auditee
Review effectiveness of corrections by auditors
Documentary review or verification on-site
Certification decision
Slide 23
Audit cycle
Initial audit
Year 1 : surveillance audit
Year 2 : surveillance audit
Year 3 : re-certification
On the map, the 119 full members appear in dark blue, the 39 corresponding members (with observer status) in light brown and the three subscriber members (Belize, Antigua and Saint Vincent and the Grenadines) in dark brown.
- Examples of standards : 9001 (quality systems), 19600 (compliance), 26000 (social responsibility), 31000 (risk management), 3166 (country codes), 4217 (currency codes), 37001 (anti-bribery management systems)
A management system is the way in which an organization manages the inter-related parts of its business in order to achieve its objectives. These objectives can relate to a number of different topics, including product or service quality, operational efficiency, environmental performance, health and safety in the workplace and many more.
Management system standards specify repeatable steps that organizations implement to achieve their goals and objectives, and to create an organizational culture that engages in a continuous cycle of self-evaluation, correction and improvement of operations and processes.
ISO management system standards have a common body of terms and definitions and follow the same structure (so-called high level structure).
Guidance standards provide guidance that organizations implement at their discretion while the requirements of requirements standards must be implemented in order to conform to the standard. ISO 37001 is a requirements standard. Only requirements standards can be certified under the ISO regulation framework.
First party audits are internal audits or self-assessments of a management system by an organization in order to identify the weaknesses of a system and the corrections that are needed in a spirit of continuous improvement. The audit may be conducted by a party mandated by the organization but the audit report shall remain within the organization.
Second party audits are audits conducted e.g. by a client with its suppliers or by a professional association with its members in order to determine whether they are implementing measures required from them, e.g. a suppliers’ charter or a professional association’s code of conduct. The auditor can be a representative of the client or of the professional association or an auditor mandated by them. The audit report will be remitted to the party that has mandated the audit who will decide how to communicate the results to the auditee.
Third party audits are audits conducted by an independent third party. Only these audits qualify for certification.
ISO does not carry out certifications nor does it accredit certification bodies but it has issued a number of Standards or Specifications for the certification process.
They are:
ISO/IEC 17011 : Conformity assessment — Requirements for accreditation bodies accrediting conformity assessment bodies
ISO 19011 : Guidelines for auditing management systems (ISO 19011:2011)
ISO/IEC 17021 : Conformity assessment — Requirements for bodies providing audit and certification of management systems
Part 1: Requirements (ISO/IEC 17021-1)
Part 9: Competence requirements for auditing and certification of anti-bribery management systems
IAF MD 1:2018 IAF Mandatory Document for the Audit and Certification of a Management System Operated by a Multi-Site Organization (Issue 2, issued on 29 January 2018; application from 29 January 2018). This document is for the audit and, if appropriate, the certification of management systems of organizations with a number of sites with a single management system.
IAF MD 2:2017 IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems (Issue 2, issued on 15 June 2017; application from 15 June 2018). This document provides normative criteria on the transfer of accredited management system certification between certification bodies. The criteria may also be applicable in the case of acquisitions of certification bodies accredited by an IAF or Regional MLA signatory.
ISO/IEC 17021-1
5.1.1 Legal responsibility
The certification body shall be a legal entity, or a defined part of a legal entity that can be held legally responsible for all its certification activities. A governmental certification body is deemed to be a legal entity on the basis of its governmental status.
4.6 Confidentiality
To gain the privileged access to information that is needed for the certification body to assess conformity to requirements for certification adequately, it is essential that a certification body does not disclose any confidential information.
8.4.1 The certification body shall be responsible, through legally enforceable agreements, for the management of all information obtained or created during the performance of certification activities at all levels of its structure, including committees and external bodies or individuals acting on its behalf.
ISO/IEC 17021-1
5.2.5 The certification body and any part of the same legal entity and any entity under the organizational control of the certification body [see 9.5.1.2, bullet b)] shall not offer or provide management system consultancy. This also applies to that part of government identified as the certification body.
5.2.6 …the certification body … shall not offer or provide internal audits to its certified clients. A recognized mitigation of this threat is that the certification body shall not certify …for a minimum of two years following the completion of the internal audits.
5.2.7 Where a client has received management systems consultancy from a body that has a relationship with a certification body, a recognized mitigation … is … not (to) certify the management system for a minimum of two years following the end of the consultancy.
5.2.8 The certification body shall not outsource audits to a management system consultancy organization,…This does not apply to individuals contracted as auditors but they may not be involved in an audit where they have provided consultancy services (5.2.10) for a minimum of two years following the end of the consultancy.
Bribery concepts: direct and indirect payments, facilitation payments, non-financial benefits or advantages, conflicts of interests
Bribery risk: risk of bribery associated with third parties, such as public officials, agents, consultants, subcontractors, family or relations
Bribery scenarios: personnel, recruiting, hiring and remuneration; commercial activities; travel, gifts, and hospitality; donations and sponsorship; procurement and contracting; sales and marketing; manufacturing and supply chain; outsourced processes; merging and acquisitions.
Indicators: red flags, e.g. ICC, OECD, World Bank
Anti-bribery management system: the audit team shall have knowledge and skills in designing or implementing an ABMS or a similar compliance management or internal control system
Worked example: auditee total personnel 110, of which 10 are exposed.
10 exposed + square root of the other 100 = 20 personnel for audit-time purposes.
According to the QMS table in IAF MD 5:2015, 20 personnel calls for 3 man-days (rather than 8 for 110 personnel): 1 off-site and 2 on-site.
Adapt upward for complex or multi-site operations
Documented information : management system documents and records, as well as previous audit reports. Policies, procedures, etc.