How does an ISO 37001 audit work, how can you prepare, and what added value does an ISO 37001 audit provide – beyond the certificate? We would like to address these questions below in the form of a case study. We spoke to Chong-Lai Kim about this. He is a representative of central purchasing at Veolia and played a key role in the audit. In an interview, Kim tells us how he experienced the ISO 37001 audit DQS carried out at Veolia. We also talk to DQS auditor Hubert Spahn, who conducted the audit. As a result of the audit, three Veolia subsidiaries in Germany obtained certification according to the ISO 37001:2016 standard for anti-bribery management systems.
But we don't want to get too far ahead of ourselves. So first, a question for Chong-Lai Kim: Can you tell us how the process went?
Kim: Sure. The central purchasing department put the issue out to tender. We reviewed the offers and then decided on DQS as the provider, which led to the contract. The certification was then planned. Hubert Spahn, the DQS auditor, did this directly together with the colleagues from the specialist departments, as they are responsible for the content and technical aspects of the audit. We have a very complex corporate structure, so it was a huge coordination effort.
And what did the audit at Veolia reveal?
Spahn: The audit showed that the Veolia Group has a professionally structured and managed anti-corruption management system in accordance with ISO 37001. Consistent documentation across the various companies ensures compliance with the Loi Sapin II and the ISO standard. The audit enables Veolia to demonstrate the functionality of its anti-bribery management system to third parties for the first time with the help of an independent and credible certificate.
Background of the certification
The Veolia S.A. parent company is a listed company based in Paris. As a large company based in France with more than 500 employees and an annual turnover of at least 100 million euros, Veolia's parent company is subject to the strictest provisions of Loi Sapin II. The law also applies to companies of the same size that belong to a parent company headquartered in France.
What is the Loi Sapin II?
The Loi Sapin II is the French law to combat corruption and protect whistleblowers. It is in line with evolving global anti-corruption standards and is largely based on the FCPA (US Foreign Corrupt Practices Act §§ 78dd-1, et seq.) and the UK Bribery Act. These define regulations for the prevention and detection of bribery and corruption through increased corporate transparency. The Act also provides for increased internal monitoring and improved protection for whistleblowers.
What does the Loi Sapin II mean for affected companies?
Affected companies are obliged to introduce a comprehensive compliance program. This must include the following points:
a) a code of conduct to combat corruption,
b) a mechanism for risk assessment,
c) procedures for conducting due diligence on third parties,
d) compliance training for managers,
e) an internal hotline reporting procedure to protect the confidentiality of whistleblowers,
f) a procedure for measuring the effectiveness of the anti-corruption program.
If no measures are taken to prevent and detect cases of corruption, the law provides for penalties of up to EUR 1 million for companies and up to EUR 200,000 for executives; sanctions apply to companies and individuals alike. Non-compliance can even lead to prison sentences. The enforcement of the anti-corruption measures of Loi Sapin II is monitored by the newly established national authority "Agence Française Anti-Corruption" (AFA).
The comprehensive legislation is a first in France. It means that all companies based in France or with links to France must review their compliance programs and ensure that they comply with the Loi Sapin II anti-corruption and anti-bribery standards.
First of all, congratulations to Veolia for the positive result. I have one more question for you, Hubert Spahn. Can you please tell us how an ISO 37001 audit works?
Spahn: Yes, first of all I would like to make it clear that a management system audit to combat corruption in accordance with ISO 37001 is not a forensic audit, i.e. no possible criminal acts are investigated. Nonetheless, the audit showed that all those involved in the audit, in particular those audited, must be made aware that they are not suspected or accused or placed under general suspicion, as ISO 37001 can ultimately only be audited "backwards". This means that the auditor must examine the processes and the standard from a "criminal" perspective. The aim is to find out where possible weak points and risks, gateways or indications of so-called "red flags" for corruption could be in the company. This has a direct impact on the audited employee, as it must be assumed that the person has criminal intent in order to work out the risk. It turned out that employees were often barely able to imagine where a potential corruption attempt could even occur.
Backwards Audit: How was that for you, Chong-Lai Kim?
Kim: Of course, there are questions that are perhaps unfamiliar at first, that you don't get asked every day and that provide food for thought. For me personally, it was a new kind of question. An audit like this brings the importance of the topic to the fore, even across departments. After all, Sales was involved, as were Financial Accounting and Human Resources. Everyone had their interview with Hubert Spahn.
The audit made me aware of a few things again, in particular how attentive and careful you should be when dealing with suppliers. After the interview, I also addressed this topic in my team. After all, purchasing, just like sales, is particularly vulnerable when it comes to corruption.
And what was the reaction?
Kim: Everyone was already aware of it, but it was a wake-up call. It’s one thing to hear about the topic in a training course, but another when an auditor asks about it directly in an audit.
Spahn: Although high-quality training is carried out at Veolia, the audit has made employees even more aware of possible corruption. In particular, the identification of "red flags", i.e. indications or clues in the audit for criminal behavior by employees, colleagues or partners, raised awareness and was seen as value-adding.
Where is the risk of corruption generally high?
Spahn: Particularly in the case of corporations and large organizations with multi-stage approval processes, you have to be aware that corruption is only possible with a high level of criminal energy on the part of the people involved. This is because corruption will regularly only be the "initial offense". Subsequent offenses such as fraud (Section 263 of the German Criminal Code (StGB)) will regularly be committed, possibly in the form of gang crime. The aim of corruption is to persuade the bribed person to act to the advantage of the bribe-giver, which is regularly to the detriment of the company or the general public. A person with a high level of criminal energy and the will to gain a personal advantage will not be stopped by anything; you have to be aware of that. Exposing this criminal energy in an open audit situation of an ISO 37001 certification is highly unlikely and not the aim of an ISO audit. But with an anti-corruption management system, you can make these acts more difficult and increase the likelihood of detection, and that can only be the objective.
The recent events in the EU Parliament in particular show how susceptible people and systems are to corruption and the damage this does to the image of the organizations concerned. With ISO 37001 certification, companies can create trust and transparency with their customers and partners. The independent audit contributes to the continuous development of the management system and thus to compliance within the organization.
The interview was conducted by Constanze Illner.
Auditor
Hubert Spahn
Hubert Spahn has been a certified auditor since 2006 and works for DQS, among other things, in the areas of ISO 37001 Anti-Corruption and ISO 37301 Compliance Management.
As a fully qualified lawyer and licensed attorney with additional compliance officer training, Mr. Spahn is highly qualified to audit compliance management systems.
Our clients greatly appreciate his respectful and value-driven approach to auditing.
DQS - your partner for ISO 37001 certification
DQS India is an accredited certification body for the ISO 37001 standard. With qualified auditors all over the world, we are at your disposal. Contact us - we will be happy to discuss your plans!
Constanze Illner
Constanze Illner (she/her) is Research and Communications Officer in the area of sustainability and food safety. In this position, she keeps an eye on all important developments in this context and informs our clientele in a monthly newsletter. She also moderates the annual Sustainability Heroes conference.
