REGULATIONS FOR THE CERTIFICATION OF ANTI-BRIBERY MANAGEMENT SYSTEM

1. COMMITMENTS

The certifying body EuroCompliance SAS, hereafter referred to as EUROCOMPLIANCE, offers the certification of anti-bribery management systems standards based on ISO 37001 to any private or public organization (hereafter referred to as ORGANIZATION) which meets the conditions of access to its services. The range of services provided by EUROCOMPLIANCE is in accordance with the TERMS AND CONDITIONS OF ISO 37001.

  • RESPONSIBILITY

The services offered by EUROCOMPLIANCE may be delivered by its own employees, or by auditors contractually hired by EUROCOMPLIANCE, at its own discretion. When any part of the work is subcontracted, EUROCOMPLIANCE shall remain liable for the delivery, maintenance, expansion, reduction, suspension or revocation of the certification. In no event shall EUROCOMPLIANCE be held liable following a denial, suspension or revocation of certification insofar as the procedures and measures set out were implemented.

  • CONFIDENTIALITY

EUROCOMPLIANCE guarantees the confidentiality of information gathered when carrying out its activities, at all levels of its organization. No information shall be given to any third party, other than in legal proceedings or in response to a request for information by an accreditation body (particularly in the context of an evaluation by the latter). Only the company name of the ORGANIZATION, its details and the wording of its certification (including the audit scope) may be included in the database available for public consultation on EUROCOMPLIANCE’s website.

  • IMPARTIALITY

EUROCOMPLIANCE guarantees the impartiality of the auditing and certification processes. To this end, the interests of EUROCOMPLIANCE, the auditing team, technical validator, ISO 37001 committee and the audited ORGANIZATION are examined before each job for any potential conflicts of interest, and any preventative measures are decided on if necessary.

2. CERTIFICATION PROCESS

2.1 OFFER OF CERTIFICATION

An initial questionnaire, to define the organizational structure of the organization to be certified, shall be given to the ORGANIZATION. This questionnaire may be completed by the organization itself or by EUROCOMPLIANCE’s sales team during a meeting. The ORGANIZATION shall provide all information necessary for EUROCOMPLIANCE to gain a precise picture of the organization and the products or services it provides (organizational chart(s), sales brochure, activity report etc.).

Based on this information, the sales team shall:

  • Check that the ORGANIZATION does not have any particular conflict of interest with regard to EUROCOMPLIANCE which could prevent certification by EUROCOMPLIANCE.
  • Draw up a quotation adapted to the size, structure and complexity of the ORGANIZATION.

Once the completed certification quotation has been returned by the ORGANIZATION, with any eventual payment due, the planning process may begin. After each audit, the duration of audits may be modified, based on the auditors’ feedback and audit findings. Once the certification has been issued, the ORGANIZATION may, if it wishes, expand its certification to other sites or processes. The ORGANIZATION must complete a dedicated questionnaire to define the scope of expansion. An amendment to the contract shall be added if necessary.

2.2 AUDIT PLANNING

EUROCOMPLIANCE shall designate an audit team from its base of qualified auditors (according to the requirements of standard 17021-9 and EUROCOMPLIANCE’s internal procedures). Depending on the size and complexity of the organization to be audited, the audit team may be comprised of one or more members. The team may be complemented by dedicated translation resources. EUROCOMPLIANCE shall contact the ORGANIZATION in order to arrange an audit date and to inform it of the make-up of the audit team. The ORGANIZATION may reject a team member, or the entire team, within 8 business days of such notification. After this date, the proposed audit team shall be deemed accepted by the ORGANIZATION. Any rejection must be justified by the ORGANIZATION in order to be admissible. This does not apply to auditor interns (trainee auditors) and observers present to evaluate auditors in the process of auditing.

2.3 INITIAL AUDIT

2.3.1 “Step 1” Audit

This first phase of the audit shall take place during the initial audit (and is therefore not required for a recertification audit, except in the event of major change). It allows the chief audit executive to check that the anti-bribery management system is at a sufficient level to be audited with a view to certification. The following shall be reviewed during this initial audit:

  • The scope of application and any exceptions
  • The existence of a policy, of objectives and of monitored indicators
  • The existence of procedures
  • Internal audit practices
  • Planned management reviews
  • The existence of document management rules

The first phase of the audit generally takes place on-site. However, it may take place off-site, depending on the business, organization and the location of the ORGANIZATION. Should any serious shortcomings be discovered (critical gaps), the auditor may request a certification audit report (second phase, see below), which cannot take place until these issues have been resolved. In the event that these shortcomings are not resolved within six months of the final day of the “Stage 1” audit, a new “Stage 1” audit shall be carried out.

2.3.2 “Step 2” Audit

This second phase of the audit must assess the ORGANIZATION’s compliance with the requirements of ISO 37001 standards:

  • Information and evidence of compliance with ISO 37001: 2016;
  • The monitoring, measurement, reporting and review of the organization’s performance against key performance goals and targets;
  • The effectiveness of the customer’s anti-bribery management system and whether it meets applicable legal, regulatory and contractual requirements;
  • The client’s operational control over the process;
  • The internal audits and management review;
  • The involvement of management.

An audit plan shall be sent by the chief audit executive within 7 calendar days before the audit, at the latest. It shall list the areas to be audited, the interlocutors and the time slots. It shall aim to cover a representative sample of the ORGANIZATION’s activities, and to cover supervisory functions as well as operational functions (sales, purchases, project management).

The audit shall include:

  • An opening meeting (mutual introduction of participants, reminder of the audit’s objectives, its scope, boundaries, overview of the methodology, latest approval of the audit plan).
  • The audit itself, based on interviews with those involved in the system, and consultation of documents and registers.
  • A closing meeting during which the chief audit executive shall present their findings and any eventual nonconformities discovered during the audit.

The audited organization must advise as soon as possible of any circumstances preventing it from following the audit plan. Otherwise, the audited organization is required to respect the audit plan. Any departures from it may result in an increase in the duration of the audit and therefore its cost.

  • Follow-up Record of Nonconformities

Should any nonconformity(ies) be identified during the audit, the chief audit executive shall transmit to the audited organization a follow-up record of minor/major nonconformities, within a maximum of 5 days from the end of the audit. The audited organization must then produce an action plan, detailing a cause analysis, for approval by the chief audit executive, in compliance with the conditions described in the Follow-up Record of Nonconformities. When the action plan has been approved, the report may be produced.

  • Audit Report

The report shall be prepared by the chief audit executive. It shall be sent to the ORGANIZATION within 10 calendar days of the validation of the Follow-up Record of Nonconformities. Any reservations about the report must be expressed by the ORGANIZATION within 8 business days. Beyond that time-frame, the report shall be deemed to have been approved by the ORGANIZATION.

2.4 RESPONSE TO NONCONFORMITIES

2.4.1 Major nonconformity

A major nonconformity is a nonconformity that affects the capacity of the management system to achieve the expected results, and which therefore significantly reduces confidence in the compliance of the management system. Thus, in the event of a major nonconformity:

INITIAL AUDIT

  • The ORGANIZATION must provide an action plan to the chief audit executive within 30 calendar days (after the closing meeting of the audit) to address any major nonconformity(ies).
  • The ORGANIZATION must provide evidence of correction of any major nonconformity(ies) within 90 days.
  • A certification decision cannot be taken while evidence of correction of any major nonconformity remains unverified.
  • If evidence of the correction of any major nonconformity cannot be provided, the certificate cannot be awarded.
  • At the end of this 90-day period, a new “Stage 2” audit shall be necessary to assess the possibility of certification.

SURVEILLANCE AUDIT

  • The ORGANIZATION must provide an action plan to the chief audit executive within 30 calendar days (after the closing meeting of the audit) to address any major nonconformity(ies).
  • The ORGANIZATION must provide evidence of correction of any major nonconformity(ies) within 90 days.
  • A decision cannot be taken while evidence of correction of any major nonconformity remains unverified.
  • If EUROCOMPLIANCE is unable to verify evidence of correction and implementation of corrective actions for any major nonconformity after 90 days, the certificate shall be suspended.
  • If no appropriate action plan is proposed within 6 months, the suspension shall lead to the automatic revocation of the certificate.

RECERTIFICATION AUDIT

  • If any major nonconformity is discovered during a recertification audit, the ORGANIZATION must implement corrections and corrective actions before the certificate expires.
  • If EUROCOMPLIANCE is unable to verify the implementation of corrections and corrective actions for any major nonconformity within 90 days from the “Step 2” Audit closing meeting, the certificate shall be suspended.
  • If no appropriate action plan is proposed within 6 months, the suspension shall lead to the automatic revocation of the certificate.
  • EUROCOMPLIANCE must then schedule an initial audit in order to proceed with a new, full “Step 2” audit. (Exceptionally, a substantiated request of exemption may be addressed to the management of EUROCOMPLIANCE, for a recertification audit and a return to compliance of any eventual major nonconformities identified within a 6-month period from the validity date of the initial certificate. No exemption requests shall be considered after this 6-month period).
  • In the particular case of audits of multiple sites: if one of the sites presents a major nonconformity, certification shall be denied to the whole network pending satisfactory corrective actions. The problematic site may not be excluded from the scope of certification in order to resolve any major nonconformity.
  • An additional audit may be carried out within 90 days (from the closing meeting of the audit) in order to eliminate any major nonconformity(ies).

2.4.2 Minor Nonconformities

A minor nonconformity is a nonconformity that does not affect the capacity of the management system to achieve the expected results and which therefore does not significantly reduce confidence in the compliance of the management system. The ORGANIZATION must provide an action plan (identification of the causes, immediate corrections if necessary and corrective actions) to the chief audit executive within 30 calendar days (from the last day of the audit) to address any minor nonconformity(ies).

If the ORGANIZATION has not provided an action plan, or if the action plan has not been validated by the chief audit executive, EC shall grant an additional 30 days for an action plan to be established and validated by the chief audit executive.

At the end of this second period, if the ORGANIZATION has not produced an audit plan, or if the audit plan has not been validated by the chief audit executive, the certificate shall be suspended.

If an adequate corrective action plan is not established within 6 months following the certificate suspension, the certificate shall be revoked.

Minor nonconformities shall be reviewed at the following audit in order to eliminate them.

2.5 ADDITIONAL AUDITS

2.5.1 Additional audit

Additional audits may be necessary to take into account particular situations arising during the certification process. This primarily concerns the following situations:

  • If one or more major nonconformities have been noted;
  • When the scope of certification has been extended;
  • If incorrect information was provided in the initial questionnaire (on the number of countries in which the organization operates, staffing, inconsistency of scope, etc.);
  • Following a serious incident (complaint or investigation by EC).

Two options are possible, according to the type of nonconformity identified:

  • Additional document audit (which may be carried out remotely)
  • Additional on-site audit

In both cases (additional document audit or additional on-site audit), the ORGANIZATION shall receive notification of the decision specifying the procedures. In the case of an initial audit, certification cannot be granted as long as the additional audit has not taken place in the case of major nonconformity.

2.6 CERTIFICATION DECISION

The Lead auditor shall give the audit pack containing the findings and recommendations to EUROCOMPLIANCE. This report is entrusted to a technical proofreader for validation of its substance and form, in order to award, refuse, maintain or suspend certification. This decision and its factors are then conveyed to two members of the ISO 37001 COMMITTEE in charge of assessing compliance with impartiality measures in the certification process as a whole.

Based on the Committee’s decision, an EC executive may proceed to issue the certificate.

The certificate of compliance with the ISO 37001 standard is granted for a period of 3 years following an initial or recertification audit and is subject to surveillance audits being carried out.

Certificates may be modified (extension/reduction of the scope of certification; mergers, acquisitions) during the validity period of the certificate. In this event:

  • A modified certificate shall be issued with the same expiration date as the preceding certificate;
  • The ORGANIZATION must return the previous certificate to EUROCOMPLIANCE.

2.7 SURVEILLANCE AND RECERTIFICATION AUDITS

2.7.1 Surveillance audits

Surveillance audits shall take place annually or twice annually. In any event, the first surveillance audit following an initial certification must be conducted within 12 months of the valid-from date of the certificate. During surveillance audits, the chief audit executive shall:

  • examine the follow-up of any nonconformities of the initial audit (where applicable);
  • take into account any changes to the company’s management system;
  • systematically examine the management reviews, internal audits and processing of alerts;
  • take note of any complaints or claims (where applicable);
  • evaluate the use of the certification mark;
  • conduct sample audits on the maintenance of the anti-bribery management system.

2.7.2 Recertification audit

At the latest 3 months before the expiration of a valid certificate, a recertification audit shall be necessary in order to grant a new certificate. A recertification decision must be taken before the valid certificate expires. If EUROCOMPLIANCE cannot decide on recertification at the latest upon expiration of the certificate, the certificate then expires, the certification is no longer valid and the ORGANIZATION may not communicate on the certification during a certification interval which may not exceed 6 months.

In exceptional cases where the recertification decision is taken within 6 months of the certification expiration:

  • the valid-from date of the new certificate shall be the same as the date on which recertification was decided, thereby showing an interruption of certification with respect to the previous certificate;
  • the expiration date of the new certificate shall be based on the previous certification cycle. Thus, the validity of the certificate shall be less than 3 years.

If EUROCOMPLIANCE cannot issue a new certificate in the 6 months following the expiration date of the certificate, EUROCOMPLIANCE must then proceed with a new “Step 2” audit (see §2.3.2).

Reasons preventing EUROCOMPLIANCE from deciding on recertification before expiration of the certificate may include:

  • late recertification audit (less than 3 months before expiration of the certificate),
  • the ORGANIZATION failing to fully implement the corrections and corrective actions of major nonconformities during the recertification audit before expiration of the certificate,
  • EUROCOMPLIANCE being unable to verify corrections and corrective actions of these major nonconformities before expiration of the certificate.

Therefore, in order to guarantee the continuity of certification, the recertification audit must take place at least three months before expiration of the certificate. A “Step 1” audit is not usually scheduled for a recertification audit (see §2.3.1). However, if any significant changes have been made to the management system (extending the area or scope of application) EUROCOMPLIANCE may decide to carry out a “Step 1” audit prior to the recertification audit.

3. OBLIGATIONS OF THE ORGANIZATION WITHIN THE FRAMEWORK OF CERTIFICATION

In order to obtain and maintain its certification, the ORGANIZATION must respect the following rules and procedures:

3.1 ORGANIZATION OF AUDITS

The ORGANIZATION must make available to EUROCOMPLIANCE all documents, plans, specifications and other information required by the latter in order to finalize the audit plan. The ORGANIZATION must supply any necessary personal protective equipment for the audit team moving around the site (where applicable). The ORGANIZATION must designate an authorized staff member to liaise with EUROCOMPLIANCE. The ORGANIZATION must also make a guide available to the audit team in order to facilitate the audit. The ORGANIZATION undertakes to accept auditor interns (trainee auditors) or observers sent to evaluate auditors in the process of auditing on its premises, and it shall not be responsible for paying their attendance and travel expenses.

3.2 PRESENCE OF OBSERVERS FROM THE ACCREDITING ORGANIZATION (COFRAC OR OTHER BODY MANDATED BY IT)

If the system of reference is the subject of an accreditation program, the ORGANIZATION undertakes to allow on its premises any eventual observers from the accrediting body sent to evaluate the auditors in the process of auditing. If the ORGANIZATION refuses, EUROCOMPLIANCE shall take the decision to revoke the ORGANIZATION’s certificate.

3.3 MAJOR CHANGES TO OPERATIONS

The ORGANIZATION must inform EUROCOMPLIANCE in writing of its intention to modify its management system as well as any product or manufacturing process that could affect compliance to current standards or laws with regard to the certified management system. Depending on the changes, EUROCOMPLIANCE may decide to schedule additional audits or change the scale of the audit cycle in order to ensure that certification is maintained. Failure to inform EUROCOMPLIANCE of any changes may result in the suspension of certification.

3.4 COMMUNICATIONS RELATING TO CERTIFICATION

Communications relating to certification are subject to the regulations and user guide of the certification mark which are given to the ORGANIZATION with the certificate upon certification. The ORGANIZATION undertakes to abide by them. The certificate remains the property of EUROCOMPLIANCE and may not be copied for use by a third party unless the word “copy” or “duplicate” appears on the copy. The certificate is deemed to be valid unless a surveillance audit reveals that the ORGANIZATION’s management system no longer complies with ISO 37001 standards. The ORGANIZATION’s right to use the certification mark is dependent on maintaining the certificate’s validity with regard to the management system certified. Improper use of the certification mark may be considered a case of major nonconformity. When suspended, the ORGANIZATION’s certification is temporarily invalidated. Upon notification of the suspension, revocation or expiration of the certification, the ORGANIZATION undertakes to:

  • immediately cease to be a beneficiary of the certification;
  • immediately remove, or have removed, any mention or reference to the certificate or certification mark on all commercial, technical and legal resources and others;
  • in the case of revocation, return the certificate to EUROCOMPLIANCE.

Since compliance with revocation procedures is central to the reputation of the EUROCOMPLIANCE certification mark and of other beneficiaries of the certification, EUROCOMPLIANCE retains the right to take measures to verify that the certification or certification mark has been removed. EUROCOMPLIANCE shall employ all legal means and remedies, including urgent injunctions, to compel the ORGANIZATION subjected to a revocation of its certification to strictly fulfill its obligations.

4. SUSPENSION, REVOCATION

4.1 SUSPENSION OF THE CERTIFICATE

The total duration of a suspension may not exceed 6 months. A decision to suspend the certificate may be taken by EUROCOMPLIANCE in the following cases:

  • At the request of the ORGANIZATION: in this case, EUROCOMPLIANCE must be informed in writing. This letter should specify: the duration and reason for the suspension (example: temporary, due to works…), the effective date of the suspension.
  • On the initiative of EUROCOMPLIANCE, due to:
    • serious breaches of its contractual obligations;
    • improper use of the certificate;
    • breach of the rules of communication and use of the certification mark;
    • non-payment of an invoice after reminder has been sent;
    • failure to inform EUROCOMPLIANCE of a change in the structure of the ORGANIZATION;
    • failure to reply to a written request from EUROCOMPLIANCE;
    • failure to comply with regulations;
    • refusal to be audited;
    • failure to complete the first surveillance audit on time following initial certification;
    • failure to lift a major nonconformity following an additional audit.

A suspension may only be lifted when the problem has been resolved. An additional audit may be necessary when the suspension is lifted in order to determine a return to compliance. Following this audit, EUROCOMPLIANCE may decide:

  • to return the certificate;
  • to impose a further suspension;
  • to revoke the certificate.

4.2 REVOCATION OF THE CERTIFICATE

A decision to revoke the ORGANIZATION’s certificate may be taken on the following grounds:

  • in the event of non-payment of an invoice after three reminders, the last of which was sent by post with proof of receipt,
  • if the ORGANIZATION voluntarily surrenders the certificate,
  • if a suspension has not been lifted at the end of a six-month period,
  • if the ORGANIZATION goes into receivership,
  • if the ORGANIZATION and/or EUROCOMPLIANCE terminates the certification contract,
  • if the ORGANIZATION refuses the presence of observer(s) from the accrediting body, sent to evaluate the auditor(s) in the process of auditing.

5. APPEALS AND COMPLAINTS

5.1 APPEALS

The ORGANIZATION has the right to appeal:

  • In the event of disagreement with audit findings;
  • If for any reason, it contests a suspension notification or revocation of its certificate.

This appeal does not suspend the initial decision, unless specified. Written notice of the appeal must reach EUROCOMPLIANCE within 8 calendar days from the date that the ORGANIZATION received notice of the non-issuance, suspension or revocation of the certificate. The latter shall be analyzed by a new decision-making body. EUROCOMPLIANCE shall rule on the decision within a maximum of 10 calendar days. Once a decision regarding the appeal has been reached, no counter-proceedings shall be receivable with a view to modifying or changing the decision, from either party in the conflict. Whatever the decision following appeal, no further proceedings may be brought against EUROCOMPLIANCE for the reimbursement of costs, or any other loss resulting from the notification of suspension, revocation or refusal to issue the certificate.

5.2 COMPLAINTS

5.2.1 Against EUROCOMPLIANCE

If the ORGANIZATION has a complaint about the conduct of EUROCOMPLIANCE’s employees or subcontractors, this complaint may be prepared within 8 days and addressed to the President or General Director of EUROCOMPLIANCE, or to the following email address: alerte@eurocompliance.com.

5.2.2 Against the ORGANIZATION

If a complaint against the ORGANIZATION is lodged at EUROCOMPLIANCE, the latter must address this claim with the ORGANIZATION in order to ensure that serious incidents are dealt with. If the seriousness of the complaint so warrants, an additional audit (cf. §2.5) may be promptly undertaken by EUROCOMPLIANCE. EUROCOMPLIANCE is not required to evaluate the basis of the complaint, but to audit the ORGANIZATION’s capacity to deal with the complaint within the framework of its anti-bribery management system. The certified ORGANIZATION undertakes at that point to accept such an audit according to the conditions laid out in the notice which shall be sent to it. Should it not be possible to proceed with this audit, EUROCOMPLIANCE reserves the right to suspend the certificate and, where appropriate, revoke it.

6. CHANGES TO THE TERMS

The terms and conditions of these regulations are defined in the context of the terms and conditions of certification accreditation in effect at the time of signature of the certification contract. Should these terms change, EUROCOMPLIANCE shall modify the current rules and regulations without notice, and shall notify the ORGANIZATION, which undertakes to accept these terms. In the event that new terms would result in the modification of its services (such as audit duration) and its pricing conditions, EUROCOMPLIANCE shall send an amendment to the ORGANIZATION beforehand. If said amendment is not accepted, EUROCOMPLIANCE reserves the right to proceed with the termination of the contract and the revocation of the certificate.
