1. Does the ISO 37001 certification guarantee compliance with the Sapin 2 law?
The ISO 37001 certification does not guarantee regulatory compliance. Only a representative of the Minister of Justice is able to assess the relevance of an anti-corruption programme with regard to the law. However, undertaking an ISO 37001 certification initiative requires regulatory monitoring and the identification of the legal requirements applicable to the organisation. This enables a client to implement an anticorruption programme in accordance with the international best practices defined in the ISO 37001 standard and to respond to the requirements specified in the Sapin 2 law:
« 1° A code of conduct defining and illustrating the different types of behaviour to be forbidden and/or that characterise acts of corruption or the new offence of ‘trading in influence’. This code of conduct is integrated into the organisation’s rules and procedures and as such is subject to the procedure of consultation of the Commission’s works council, provided for in Article L 1321-4 of the Labour Code;
2° An internal whistleblowing system intended to collect alerts from employees and dedicated to situations which would constitute violations of the Code of Conduct of the company;
3° A risk map taking the form of continuously updated documentation, enabling the company to identify, assess and prioritise actions to combat exposure to risks related to external solicitations that might potentially lead to corruption. This depends on the line of business and the geographical zones where the company operates;
4° Due diligence on the situation of clients, first-tier suppliers and intermediaries with regard to the risks represented;
5° Internal or external accounting control procedures, intended to ensure that books, accounts and records are not merely used as shields to mask acts of corruption or trading in influence. These controls can be conducted either by in-house accounting and finance auditors, or by external auditors during the process;
6° A training programme for management and employees most exposed to risks of corruption and trading of influence;
7° A disciplinary regime aiming to sanction employees of the company in case of violation of the code of conduct of the company;
8° An internal control and assessment mechanism of the measures implemented. » (Title I, Chapter 3, Article 17).
2. Is the ISO 37001 standard primarily designed for Corporates?
The Sapin 2 law requirements are aimed at companies with more than 500 employees and a turnover of more than €100 million.
Unlike the Sapin 2 law, the ISO 37001 certification applies to organisations of all sizes, whatever their sector of activity. An anticorruption programme requires compliance by the employees but also by third parties (partners, subcontractors, suppliers, etc.). The intent of this plan is to develop and lead the implementation of the anticorruption programme along the supply chain. The ISO 37001 certification can be a major, differentiating advantage and even provide a competitive edge for small organisations, allowing them to demonstrate their commitment and their maturity in this area to all stakeholders.
3. Does the ISO 37001 certification apply to public undertakings?
The ISO 37001:2016 standard sets forth that it applies to all types of organisation, including those in the public sector: “The requirements of this document (the ISO 37001:2016 standard) are generic and are designed to apply to all organisations (and their third parties) independent of type or the nature of their activities; as such they are applicable to public, private and not-for-profit organisations alike” (Section 1). Similarly, the Sapin 2 law draws attention to a requirement to act with probity toward public bodies. The aim is to identify the issues at stake and the risks to which the organisation is exposed, and to ensure that actions are carried out to reduce those risks to a minimum. Whereas a private sector company is most exposed to the risk of active corruption, public organisations are most exposed to passive corruption. The founding principles of an anticorruption programme (risk mapping, definition of responsibilities, determination of adequate means, awareness and training, procedures, controls, internal audits, management review, etc.) remain the same.
4. What value does an ISO 37001 certification audit add to a company which has already been subject to tight financial controls?
The certification audit is not directly linked to the financial audit. Whereas a financial audit assesses the financial statements to verify the accuracy and sincerity of the information in order to certify the company’s accounts, the anticorruption certification audit is focused entirely on the company’s anticorruption management system and processes. The anticorruption management system audit therefore aims to verify the adequacy of the organisation’s anticorruption programme against the requirements described in the ISO 37001:2016 standard. However, as part of the anticorruption management review, it is relevant to check whether the company has adequate financial controls and audits in place.
5. What is the difference between an anticorruption management system audit and an investigation?
An investigation focuses on serious suspicions of accounting and financial fraud. Its intention is to establish the facts authoritatively, either to confirm or to dismiss the suspicion, and where appropriate to map out how the fraudulent activity occurred and to collect evidence (generally in view of litigation). A management system audit is not designed in any way to detect fraud, or even any specific deviation from the existing anticorruption management system or policy. Its objective is to monitor compliance with the existing anticorruption policy in the spirit of continuous improvement, on the basis of internal audits and management reviews. However, should a case of serious suspicion of fraud be uncovered during an audit, it would be necessary to conduct an internal and external investigation and to launch the necessary actions based on the conclusions of that investigation.
6. Does a certified organisation lose its certification if convicted for corruption?
According to the ISO 37001:2016 standard: “the anti-corruption management system should include indicators to identify and assess the risk of corruption, as well as to prevent, detect and remedy acts of corruption.” Note that it is not possible to completely eliminate corruption risk, and no anticorruption management system will be able to prevent and detect all forms of corruption (4.4). A management system aims to reduce risks but cannot totally eliminate them. An act of corruption or a violation of the anti-corruption policy therefore does not systematically entail the loss of the certification. Nonetheless, the organisation must demonstrate its capability to analyse the root cause, apply sanctions and implement the preventive actions that the identified problem requires. In the absence of an adequate response from the organisation, the certification may be suspended or withdrawn.
7. What are the benefits to having an anti-corruption programme?
It is true that an organisation can have developed one of the toughest anti-corruption programmes, with a built-in continuous improvement policy, without being certified. However, the ISO 37001 certification offers numerous benefits. The first is the reassurance of an external critical review of the measures implemented, carried out by an independent and impartial third party. The second is the ability to guarantee to the stakeholders (clients, insurance carriers, financial institutions, international institutions, rating agencies, etc.) the maturity and rigour of the anti-corruption programme in place. Finally, the promotion of the certification displays the determination of the company and its ‘tone from the top’ to eradicate all forms of corruption across all activities in which the organisation and its employees are engaged.