ISO & ISO TRAINING DAY 4 : Certifying ISO 37001


ISO 19600 & ISO 37001 TRAINING DAY 4 : Certifying ISO 37001 2017 SLIDE 1

DAY 4 Program
Part 1: Audit rules
1. Audit principles
2. Types of findings
Part 2: Audit process
3. The steps of an audit
4. Audit preparation
Part 3: How to audit ISO 37001
Part 4: How to conduct an audit (exercise)
SLIDE 2

RIGHTS OF AUTHORSHIP This document has been provided to you as a participant of the Accreditation Training Session entitled "ISO 19600 & ISO 37001 Training: Mastering the Standards, audit and certification", held in Paris from Monday 16 to Friday 20 January 2017. Pursuant to ETHIC Intelligence's rights of authorship, the presentation and content of this document are protected worldwide. All unauthorized distribution, reproduction or duplication is forbidden. However, ETHIC Intelligence authorizes consultation of this document by employees or colleagues of the persons having received this training, provided that it is solely for internal use. All communication, distribution, reproduction or duplication intended for third parties without the author's prior authorization, particularly for training purposes, will infringe upon the intellectual property regulations in force. SLIDE 3

Day 4: Certifying ISO 37001 1. Audit Rules Version 2017 SLIDE 4

Audit rules Audit principles Types of findings SLIDE 5

Definitions
Audit Scope: perimeter of the audit
Audit Criteria: set of policies, procedures or requirements used as references against which evidence is compared
Evidence: records, facts or statements that can be verified
Audit findings: results of the assessment of the evidence compared with the audit criteria
SLIDE 6

Definitions
Audit Cycle: from the initial audit until renewal of the certification (including the periodic audits)
Audit Program: organization of a set of audits planned for a specific period (e.g. the internal audit program)
Audit Plan: description of the activities necessary to carry out an audit
SLIDE 7

Audit principles SLIDE 8

Why conduct an audit? Assess the efficiency of records SLIDE 9

Audit rules Audit principles Types of findings SLIDE 10

Audit Findings: the three types Nonconformity Observation Noteworthy efforts SLIDE 11

1. The nonconformity
A requirement
A failure to meet the requirement
Evidence of that failure
The nonconformity is the non-compliance with a requirement or a set of requirements which renders the ABMS inefficient.
SLIDE 12

1. The nonconformity: major nonconformity
What is to be considered as a major nonconformity?
1. The organization completely failed to fulfill a certain requirement. Example: no review by top management (9.3.1).
2. The organization does not execute a process as required. Example: the organization has defined a training process for 100% of the executives and only 2% have been trained.
3. The organization has several minor nonconformities related to the same process. Example: minor nonconformities related to documented information: some of the documentation is missing, the format of some documents is altered, not all employees have access to basic documentation.
4. The organization misuses the certification mark. Example: claiming the full group is certified when only one entity has been certified.
5. The organization has not resolved a minor nonconformity raised during a previous audit within the deadline. Example: the organization had 1 year to translate its anti-bribery policy into Chinese for its Chinese subsidiary, and it has not been done.
SLIDE 13

1. The nonconformity: minor nonconformity What is to be considered as a minor nonconformity? A minor nonconformity is any nonconformity that is not major and that does not prevent the management system from working. SLIDE 14

1. The nonconformity How should the auditor report the nonconformity?
1. Describe the nonconformity: a general description of what is wrong.
2. Provide the audit evidence: refer to a concrete document or record that is missing or is used improperly, or to the activity that is not performed or is performed in a wrong fashion.
3. Refer to the exact requirement: the concrete number of the clause in the standard.
SLIDE 15

1. The nonconformity - Brainstorming What can be the sources of a requirement? SLIDE 16

What can be used as a source to assess conformity? Codes of conduct; management system; work instructions. SLIDE 17

2. The observation
A risk
An inability to apply best practices
An inefficiency
An observation is a potential problem that needs to be addressed to improve the management system or to prevent an incident.
SLIDE 18

2. The observation - Brainstorming For instance, for the requirement 8.6 : what could be considered as an observation? SLIDE 19

2. Examples of observations, requirement 8.6
Business associates provided the organization with a commitment that is not precise enough to identify the transaction, project or activity.
Some old contracts do not have anti-corruption provisions and the organization has not yet received any replies from the business associates with regard to an anti-bribery commitment.
SLIDE 20

3. The noteworthy effort
A high level of commitment
A motivation
A verified improvement
A noteworthy effort is a best practice an organization has set up that strengthens the ABMS.
SLIDE 21

3. The noteworthy effort - quiz For instance, for the requirement 7.2.1 what could a noteworthy effort be? SLIDE 22

3. Examples of noteworthy effort, requirement 7.2.1
The compliance team goes to international conferences on anti-bribery.
The Chief Compliance Officer holds a degree in compliance or business law.
The compliance team receives annual training from an external company or law firm.
SLIDE 23

Day 4: Certifying ISO 37001 2. Audit process Version 2017 SLIDE 24

Audit process The steps of an audit Audit preparation SLIDE 25

The audit steps
Starting the audit process: appoint a lead auditor; define the audit scope, criteria and program; appoint an audit team (if necessary)
Preparing the audit activity: review relevant documents of the ABMS; draft the audit plan; prepare working documents (checklist)
Realizing the audit: opening meeting; collect information; document findings; closing meeting
Report: prepare and circulate the report (technical review)
Follow-up (if necessary): check the efficiency of corrective actions
SLIDE 26

The audit steps
Starting the audit process (top management; compliance/internal audit): 1. Launching the process 2. Appoint auditors
Starting the audit process (compliance; all interviewees): 3. Planning 4. Circulating the audit plan
Audit execution (compliance; all interviewees; top management): 5. Opening meeting 6. Interviews 7. Closing meeting
SLIDE 27

Audit: general information
Name, location, size: defined during the proposal
Type of audit: initial / periodic / follow-up / internal
Scope of the audit: all operations worldwide in relation to the business objectives of the organization
Audit criteria: ISO 37001 / ABMS
Dates: defined during the proposal
Audit duration: according to IAF MD5
Audit team: defined during the proposal
SLIDE 28

Audit process The steps of an audit Audit preparation SLIDE 29

Audit plan example, Tuesday February 1st, Day One

Time | Audit activities & focus areas | Department and/or services | People interviewed
09.00 AM - 10.00 | Opening meeting | All | All persons taking part in the audit
10.00 - 11.00 | Top management leadership: context, strategy, business model, stakeholders | Top management | Top management, compliance team
11.00 - 01.00 PM | Presentation & review of the system, review of requirements, corrective actions, audit | Compliance | Compliance team, internal audit
01.00 - 02.00 PM | Lunch | |
02.00 - 04.00 | Risk assessment & commercial activities: third parties, new projects, training, risk assessment communication, gifts policy | Operations & general management | Managers, sales team, human resources, communications, R&D, M&A
04.00 - 05.30 | Planning: process to address risks & opportunities, review of needs & assessments | Compliance | Compliance team
05.30 - 06.00 | Close of day one & review of the day's activities | Compliance | Compliance team
06.00 | End of day one | |
SLIDE 30

Audit preparation: checklist
Makes sure nothing is left aside.
Do not let the checklist conduct the audit in your place.
SLIDE 31

The checklist is based on the requirements and processes
What is the objective & which requirements apply?
What are the interactions?
What are the main activities?
What are the main risks associated with the process?
How is the process measured?
What are the inputs & outputs?
What are the associated objectives?
SLIDE 32

The checklist is based on the requirements and processes SLIDE 33

Example of a checklist
PROCESS:
REFERENCES:
DATE:
QUESTIONS | Ref. | FINDINGS
SLIDE 34

Day 4: Certifying ISO 37001 3. Audit ISO 37001 Version 2017 SLIDE 35

4.1 Understanding the context of the organization The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the objectives of its ABMS. The information regarding the context must be reviewed and kept updated SLIDE 36

4.2 Understanding the needs of the stakeholders The organization shall determine the stakeholders that are relevant to the anti-bribery management system; and the relevant requirements of these stakeholders. The information regarding the stakeholders must be reviewed and kept updated. SLIDE 37

Exercise 1: Auditing 4.1 and 4.2
Step 1: How can an organization demonstrate its compliance with this requirement? How should the audit of external processes be managed? Present your analysis, followed by collective discussion.
Step 2: Which evidence would you be looking at as an auditor to assess compliance with requirements 4.1 and 4.2? Who would you interview to obtain answers?
SLIDE 38

4 Context of the organization: checklist example
How clear is the organization's description of its activities & business model, including the organizations over which it exercises control? (management)
What criteria are taken into account to determine the scope of the anti-bribery management system (geography, turnover, number of employees, ...)? Are they relevant? (management)
How exhaustive is the bribery risk assessment? How often is it reviewed? (compliance; internal audit; operations)
Is there a clear stakeholder mapping? Are the stakes identified accordingly? (management)
SLIDE 39

5.1 Leadership and commitment When the organization has a governing body, that body shall demonstrate leadership and commitment with respect to the anti-bribery management system Top management shall demonstrate leadership and commitment with respect to the anti-bribery management system SLIDE 40

5.2 Anti-Bribery policy The anti-bribery policy shall: be available as documented information; be communicated in appropriate languages within the organization and to business associates who pose more than a low risk of bribery; be available to relevant stakeholders, as appropriate SLIDE 41

5.3 Organizational roles, responsibilities and authorities Top management shall have overall responsibility for the implementation of, and compliance with, the anti-bribery management system, as described in 5.1.2. Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within and throughout every level of the organization. Managers at every level shall be responsible for requiring that the anti-bribery management system requirements are applied and complied with in their department or function. The governing body (if any), top management and all other personnel shall be responsible for understanding, complying with and applying the anti-bribery management system requirements, as they relate to their role in the organization. SLIDE 42

Exercise 2: Auditing requirement 5
Step 1: How can an auditor be assured that an organization has strong leadership on anti-bribery? Present your analysis, followed by collective discussion.
Step 2: Which evidence would you be looking at as an auditor to assess compliance with requirement 5? What could be a nonconformity for this requirement?
SLIDE 43

5. Leadership: checklist example
Review the anti-bribery policy (compare with the requirement)
Presence of the management at the opening meeting
Description of business strategy versus bribery risks
Timings of the management & governing body reviews (do they actually happen as planned? check records)
Resources allocated to the compliance function & the maintenance of the anti-bribery management system (time allocated for the audit; feedback from contact person, ...)
Adequacy of the ABMS to the context of the organization (as identified previously)
Description of delegated decision-making
SLIDE 44

5. Leadership: nonconformity examples
The code of conduct is signed by the legal director and not by the CEO.
Top management does not consider bribery risks before engaging in a new strategy.
There is no identified compliance function.
SLIDE 45

6.1 Actions to address risks and opportunities & 6.2 Anti-bribery objectives and planning to achieve them
The organization shall plan: actions to address these bribery risks and opportunities for improvement; how to integrate and implement these actions into its anti-bribery management system processes; how to evaluate the effectiveness of these actions.
When planning how to achieve its anti-bribery management system objectives, the organization shall determine: what will be done; what resources will be required; who will be responsible; when the objectives will be achieved; how the results will be evaluated and reported; who will impose sanctions or penalties.
SLIDE 46

Exercise 3: Auditing requirement 6
Step 1: How can an objective be audited? How can the auditor be sure this objective is achievable? Present your analysis, followed by collective discussion.
Step 2: Which evidence would you be looking at as an auditor to assess compliance with requirement 6? How would you assess those objectives and plans to extract concrete data?
SLIDE 47

6. Planning
Is there a system to review bribery risks before any new project?
Are strategic objectives balanced with bribery risks?
Does anti-bribery feature within the processes? Is it systematic (purchases, recruitment, sales, ...)?
Is there a dashboard to review objectives & targets of the ABMS?
Is there a program & action plan to address bribery risks?
SLIDE 48

7. Support
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the anti-bribery management system (7.1).
The organization shall provide adequate and appropriate anti-bribery awareness and training to personnel (7.3).
The organization shall determine the internal and external communications relevant to the anti-bribery management system (7.4.1).
SLIDE 49

7.5 Documented information Documented information required by the anti-bribery management system and by this document shall be controlled refer to the list we discussed yesterday SLIDE 50

Exercise 4: Auditing requirement 7
Step 1: How can the auditor assess a training session? What are the functions involved in requirement 7? Is it necessary to audit them? Present your analysis, followed by collective discussion.
Step 2: Which evidence would you be looking at as an auditor to assess compliance with requirement 7? What questions would you ask in the interviews?
SLIDE 51

7. Support: examples of questions
Is there a budget identified to support the ABMS? (check financial data with finance)
Are there job/function descriptions at all levels of the organization which take anti-bribery into account? (check job descriptions with HR or the function in charge of managing the ABMS)
Are anti-bribery training plans and records of the training available? How often is the training renewed? How long does it last? Does it depend upon the function of the individual? (check with HR; compare with the financial resources available)
Are there specific questions during the recruitment process (for certain functions)?
SLIDE 52

7. Support
How are bonuses determined & attributed? (check with HR)
Review internal rules on potential disciplinary actions in cases of corruption. (check with HR)
Is there a communications process that addresses the requirements of 7.4 with regard to anti-bribery? (check with the communications department or crisis management)
SLIDE 53

8.1 Operational planning and control The organization shall plan, implement, review and control the processes needed to meet the requirements of the anti-bribery management system, and to implement the actions determined in 6.1. Which evidence would you be looking at as an auditor to assess compliance with the requirement 8.1? SLIDE 54

8.1 Operational planning and control
What controls over the anti-bribery management system are in place? (periodic reporting? process reviews? ...)
Which processes are identified as at risk? Is the assessment documented?
Is there a representative of the compliance function (an "anti-bribery champion") in the processes identified as at risk?
SLIDE 55

8.2 Due Diligence The organization shall assess the nature and extent of the bribery risk in relation to specific transactions, projects, activities, business associates and personnel falling within those categories. This assessment shall include any due diligence necessary to obtain sufficient information to assess the bribery risk. The due diligence shall be updated at a defined frequency, so that changes and new information can be properly taken into account. Which evidence would you be looking at as an auditor to assess compliance with the requirement 8.2? SLIDE 56

8.2 Due Diligence
Due diligence process: questionnaire, database, external service providers.
Review previous due diligence documents related to the scope of the audit and/or the projects and business partners. Investigate the results and how they were used.
SLIDE 57

8.3 ; 8.4 Financial and non-financial controls The organization shall implement financial controls that manage bribery risk. The organization shall implement non-financial controls that manage bribery risk with respect to such areas as procurement, operational, sales, commercial, human resources, legal and regulatory activities. Which evidence would you be looking at as an auditor to assess compliance with the requirements 8.3 and 8.4? SLIDE 58

8.3, 8.4 Financial and non-financial controls Obtain the results of the controls conducted over sales, procurement, HR, legal & regulatory activities (interview with the finance department). They can take the form of reports, audits, instructions, procedures, etc. SLIDE 59

8.5 Implementation of anti-bribery controls by controlled organizations and by business associates 8.5.1 The organization shall implement procedures which require that all other organizations over which it has control either: a) implement the organization's anti-bribery management system, or b) implement their own anti-bribery controls. Which evidence would you be looking at as an auditor to assess compliance with requirement 8.5? SLIDE 60

8.5 Implementation of anti-bribery controls by controlled organizations and by business associates
Check the status of the anti-bribery management systems or controls within the business associates.
Review the whole risk analysis of a sample of business associates & relevant documents.
Check whether specific risk analyses are done for projects/transactions where there is a more than low risk of bribery, and whether anti-bribery controls are in place.
SLIDE 61

8.6 Anti-Bribery commitments For business associates which pose more than a low bribery risk, the organization shall implement procedures which require that, as far as practicable: a) business associates commit to preventing bribery by, on behalf of, or for the benefit of the business associate in connection with the relevant transaction, project, activity, or relationship; b) the organization is able to terminate the relationship with the business associate in the event of bribery by, on behalf of, or for the benefit of the business associate in connection with the relevant transaction, project, activity, or relationship. Which evidence would you be looking at as an auditor to assess compliance with the requirement 8.6? SLIDE 62

8.6 Anti-bribery commitments Has the organization requested business associates to make a commitment to preventing bribery? Is this available as documented information? Is there supporting evidence that the organization does its best to endeavor to prevent bribery within its scope? SLIDE 63

8.7 Gifts, hospitality, donations and similar benefits The organization shall implement procedures that are designed to prevent the offering, provision or acceptance of gifts, hospitality, donations and similar benefits where the offering, provision or acceptance is, or could reasonably be perceived as, bribery. Which evidence would you be looking at as an auditor to assess compliance with the requirement 8.7? SLIDE 64

8.7 Gifts, hospitality, donations and similar benefits Gifts and Entertainment policy? Is there a platform or software to declare the G&E? SLIDE 65

8.8 Managing inadequacy of anti-bribery controls the organization shall: in the case of an existing transaction, project, activity or relationship, take steps appropriate to the bribery risks and the nature of the transaction, project, activity or relationship to terminate, discontinue, suspend or withdraw from it as soon as practicable; in the case of a proposed new transaction, project, activity or relationship, postpone or decline to continue with it. Which evidence would you be looking at as an auditor to assess compliance with the requirement 8.8? SLIDE 66

8.8 Managing inadequacy of anti-bribery controls
Review the outcome of prior due diligence reports.
Challenge the risk analysis versus the decision to maintain the project/relationship/transaction.
Review prior examples where the organization decided to withdraw from a project/relationship/transaction.
Review existing documentation with regard to top management's decision to maintain a project/relationship/transaction despite the risks identified.
SLIDE 67

8.9 Raising concerns The organization shall ensure that all personnel are aware of the reporting procedures and are able to use them, and are aware of their rights and protections under the procedures. Which evidence would you be looking at as an auditor to assess compliance with the requirement 8.9? SLIDE 68

8.9 Raising concerns
Review the legal context with regard to anonymous reporting.
Check whistleblowing procedures.
If there is a hotline, make a call.
Review existing cases (if any) and check the reporting of other types of wrongdoing.
Question the non-retaliation culture of the organization in interviews with compliance officers or middle managers in the course of the audit.
SLIDE 69

8.10 Investigating and dealing with bribery The organization shall implement procedures that: require assessment and, where appropriate, investigation of any bribery; require appropriate action in the event that the investigation reveals any bribery; empower and enable investigators; require co-operation in the investigation by relevant personnel; require that the status and results of the investigation are reported; require that the investigation is carried out confidentially. Which evidence would you be looking at as an auditor to assess compliance with requirement 8.10? SLIDE 70

8.10 Investigating and dealing with bribery
Check records of prior reports of violations of the anti-bribery policy.
Check the policy on violations of internal procedures.
Check investigations of other incidents (i.e. safety, environment, ...).
SLIDE 71

9.1 Monitoring, measurement, analysis and evaluation The organization shall evaluate the anti-bribery performance and the effectiveness and efficiency of the anti-bribery management system. SLIDE 72

Exercise 5: Auditing the requirement 9.1 Step 1: How can an auditor assess a monitoring process? What would be the appropriate documented information? present your analysis + collective discussion Step 2: Which evidence would you be looking at as an auditor to assess compliance with the requirement 9.1? To what other requirement does 9.1 refer? SLIDE 73

9.1 Monitoring, measurement, analysis and evaluation Verify the monitoring and review plans of the ABMS Check the results of the previous reviews Double check with clause 6: how are objectives measured? Double check with clause 5 (leadership) SLIDE 74

9.2 Internal audit The organization shall conduct internal audits at planned intervals to provide information on whether the anti-bribery management system conforms to: the organization's own requirements for its ABMS; the requirements of this document; and is effectively implemented and maintained. SLIDE 75

Exercise 6: Auditing requirement 9.2
Step 1: How would an external audit check an internal audit? How can an auditor assess another audit? Present your analysis, followed by collective discussion.
Step 2: Which evidence would you be looking at as an auditor to assess compliance with requirement 9.2? What would be a noteworthy effort on requirement 9.2?
SLIDE 76

9.2 Internal audit
Check the internal audit program & the criteria used to manage the anti-bribery audit program (risks; incidents & internal reports; changes in the context; ...).
Review the competence of internal auditors (training, independence, seniority, ...).
Sample check internal anti-bribery audit reports.
Example of noteworthy effort: those audits are accompanied by occasional data mining to detect potentially corrupt personnel.
SLIDE 77

9.3 Management review Top management shall review the organization's anti-bribery management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. The outputs of the top management review shall include decisions related to continual improvement opportunities and any need for changes to the anti-bribery management system. SLIDE 78

Exercise 7: Auditing requirement 9.3
Step 1: Can we consider this external audit as part of the top management review? What are the functions involved in requirement 9.3? Is it necessary to audit them? Present your analysis, followed by collective discussion.
Step 2: Which evidence would you be looking at as an auditor to assess compliance with requirement 9.3? Who would you interview to obtain answers?
SLIDE 79

9.3 Management review
- If in existence, dashboard to monitor performance
- Check minutes of management reviews; compare with requirements and documented information
- Sample check internal anti-bribery audit reports
- Persons to interview: CEO, executive committee members, chief compliance officer
SLIDE 80

9.4 Review by anti-bribery compliance function
The anti-bribery compliance function shall report at planned intervals, and on an ad hoc basis, as appropriate, to the governing body (if any) and top management, or to a suitable committee of the governing body or top management, on the adequacy and implementation of the anti-bribery management system, including the results of investigations and audits.
SLIDE 81

Exercise 8: Auditing requirement 9.4
Step 1: How can an auditor understand the word "effectively"? What would the audit criteria for this requirement be? Present your analysis, followed by collective discussion.
Step 2: Which evidence would you be looking at as an auditor to assess compliance with requirement 9.4? What would be an observation on requirement 9.4?
SLIDE 82

9.4 Review by the anti-bribery compliance function
- Check the reports of the anti-bribery compliance function
- Check the risk assessment
- Observation example: the organization operates in a high-risk sector, but the Chief Compliance Officer does not report directly to the CEO
SLIDE 83

10.1 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a) react promptly to the nonconformity, and as applicable:
   1) take action to control and correct it;
   2) deal with the consequences;
SLIDE 84

Exercise 9: Auditing requirement 10.1
Step 1: How do I assess the efficiency of a corrective action? How do I review the root causes? How long does an organization have to take a corrective action when a nonconformity arises? Present your analysis, followed by collective discussion.
Step 2: Which evidence would you be looking at as an auditor to assess compliance with requirement 10.1? What questions would you ask in the interviews?
SLIDE 85

10.1 Nonconformity and corrective actions
- Is there a record of corrective actions? How are they managed?
- How is their effectiveness reviewed?
- Are there instructions describing the treatment of a corrective action?
- Are they discussed in the management review?
SLIDE 86

10.2 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the anti-bribery management system.
SLIDE 87

Exercise 10: Auditing requirement 10.2
Step 1: Which evidence would you be looking at as an auditor to assess compliance with requirement 10.2? Who would you interview to obtain answers?
SLIDE 88

10.2 Continual improvement
- Is there a commitment to continual improvement in the anti-bribery policy (from top management or the governing body)?
- Check the different versions of the ABMS over time, if in existence, to observe improvements
SLIDE 89

Day 4: Certifying ISO 37001
4. Conducting an audit
Version 2017
SLIDE 90

Conducting an audit: the 4 steps
1. Opening meeting
2. Collecting information
3. Interviews
4. Closing meeting
SLIDE 91

1. The opening meeting
- Introduce the audit team
- Review the audit plan
- Confirm the audit scope and the criteria
- Confirm timings
SLIDE 92

1. The opening meeting
- Explain the main definitions and findings
- Make sure the audited persons are available
- List the required documents
- Confirm confidentiality
SLIDE 93

2. Collecting information
- Interviews
- Understanding the organization of the company
- Get the formalized processes
- EVIDENCE: reading documents, financial data and hearing records
- Determine information flows
SLIDE 94

3. Interview techniques (1)
- Ask the auditee to describe what he/she does in a given situation
- Active listening
- Use open questions
- Re-confirm for validation
SLIDE 95

3. Interview techniques (2)
- Follow the audit plan and checklist to start
- Confirm your understanding
- Thank the persons for their time
SLIDE 96

3. Interview techniques (3)
- Do not get dragged into lengthy discussions
- Do not let the auditee conduct the interview
- Always be precise and refer to the facts
- Always remain positive
SLIDE 97

3. Interview techniques: think tank
You are auditing an anti-bribery management system according to ISO 37001 at an old family-owned company. The will to get the company certified comes from the top management, who wish to be "compliant" with best practices. However, the interviewees react badly: they refuse to answer your questions, act aggressively and do not see the point of an anti-corruption certification.
1. How would you react?
2. Could you stop the audit?
3. When presenting the findings, they disagree and challenge your conclusions.
SLIDE 98

3. Interview techniques: think tank
- You have the right to stop the audit and request a meeting with the top management to explain the situation;
- Try to explain that you are auditing a management system and not the employees' competencies, and that they should not feel they are being "judged";
- If findings are significant (several major NCs, for instance), meet with your contact or the management prior to the closing meeting to discuss the findings and get them accepted
SLIDE 99

3. Interview techniques: practical exercise
You are going to audit the Anti-Bribery Management System of TechnoBugKillers. You will train yourself in interview techniques. Each of you will audit one function and then collect answers.
SLIDE 100

4. The closing meeting
Who conducts it? It is managed by the lead auditor.
What is the objective? The objective is to present the findings to the team. Link the findings to the stated objectives of the organization; list the findings in order.
How to react if the team refuses the findings? Findings are clear, as they are the product of an external verification. They should not be opened for discussion.
SLIDE 101

4. The closing meeting: case study
1. Step 1: each participant presents their finding to the audience
2. Step 2: Which findings are nonconformities, observations or noteworthy efforts?
SLIDE 102

4. The closing meeting: list of findings
Audit report and list of findings
Organisation:
Department (process):
Clause:
Date:
Reference:
Category: Nonconformity / Observation / Efforts worth mentioning (cross out irrelevant points)
Detailed finding:
Auditor:
SLIDE 103