Our ISO 37001 certification audit for Microsoft

Introduction

STEER, on behalf of PECB, recently completed ISO 37001 Anti-bribery Management System (ABMS) certification audits for Microsoft Hungary and a global business group within Microsoft. STEER performed these audits through its partnership with PECB, the accredited certification body selected by Microsoft to review its application and determine whether Microsoft’s ABMS met ISO 37001’s rigid standards.

Microsoft successfully passed the certification audits, after a thorough audit of all aspects of its relevant ABMS, which led to the issuance of the applicable ISO 37001 certificates by PECB.

Microsoft is the first major U.S.-based company committing to the ISO Anti-Bribery Management Standard. STEER performed the certification audits as an independent third party, whose mission was to ensure that Microsoft satisfied the rigorous requirements of the standard. Through its many years of practical corporate compliance and anti-bribery experience, STEER met the requirements that Microsoft was seeking and was selected to perform the audits.

“After competitively evaluating several of the ISO 37001 accredited certifying bodies in the market, I was extremely impressed with the PECB and STEER team. Their level of professionalism, extensive practical experience working in compliance organizations of multi-national organizations, and in-depth understanding of ISO 37001 requirements made them a great set of partners to work with as part of Microsoft’s ISO 37001 journey.”

Judd Hesselroth, Director, Office of Legal Compliance – Programs at Microsoft

Since the publication of the ISO 37001:2016 (Anti-bribery) standard, a number of experts have given their opinion in numerous articles, which often addressed the content of the standard, its value for an organization, and the process an organization would go through to become certified under the standard.

There are not many publications concentrating on the practical experience of an auditor mandated to audit an organization against the provisions of the standard and recommend for certification.


Our Blog

In this blog (and those to follow) we would like to share our key practical experiences and thoughts about a certification audit in a Fortune 500 Company.


Quickly grasp the dynamics of the organization

Globally operating companies, such as Microsoft, are governed by multiple organizational dimensions and their respective roles & responsibilities. Business Segments with global responsibilities for their portfolios interact with Region and Country organizations. They are supported by functions assisting the business operations, and guiding their activities to be in compliance with standards, laws and regulations.


It is normally the organization’s compliance department that develops and disseminates the policies and guidance derived from the ISO 37001 standard, which then need to be implemented and adhered to by the Business Segments, Regions & Countries and each entity of the organization. They all play a critical role in making the provisions of the standard become part of the company DNA.

For the auditor to assess, in a relatively short auditing timeframe, whether the entity seeking certification is living up to the provisions as stipulated in the standard and to test whether the ABMS is working in the “day-to-day-practice,” it is required that the auditor gains an understanding of the organizational structure, its interactions and dynamics. The auditor needs to quickly assess how processes and controls are organized and managed and how the designed “controls” find their way into the daily business activities.


Imagine all the people …

Intercultural competence is a critical skill when auditing global companies. The auditor, while conducting an audit, needs the personal skills to properly interact with individuals from a variety of cultural backgrounds.

Commitment from management and tone at the top may be perceived in different ways by different cultures. The auditor may identify areas for improvement if they are able to recognize the fact that management communication could be modified to a more effective local communication, so that the spirit of the message is not diluted.


Know what you audit

Auditors with a solid practical background in the field of anti-bribery/anti-corruption are better equipped to understand not only the essence of the standard and its provisions, but also the challenges of implementing and maintaining the respective requirements of the standard in daily business activities.

An auditor with extensive compliance experience in globally operating businesses will be capable of identifying weak, missing or redundant anti-bribery controls relatively fast, as he/she can reflect on real situations and examples of successfully working controls, as well as on the root causes of control failures.

In general, companies seeking certification for their ABMS are sincerely interested in the critical eye of an experienced auditor. The resulting ISO 37001 certification will confirm the strength of their program and ultimately make the company more competitive, as it will show their commitment to the highest ethical standards.


STEER is a global boutique group of compliance, risk management and internal audit professionals with over four decades of experience as senior executives with multinational corporations, with offices in New York (USA) and Zurich (Switzerland). We partner with companies to develop or enhance their compliance programs and risk management competencies in an effort to strengthen their culture of integrity and governance.

The quality of our work has been recognized by Management and Boards of Fortune 200 companies, as well as by government authorities and regulators worldwide. STEER’s network of consultants has a minimum of 20 years’ relevant working experience and is highly knowledgeable in providing compliance, risk management and audit services.

PECB is a certification body for persons, management systems, and products on a wide range of international standards, including ISO 37001:2016. As a global provider of training, examination, audit, and certification services, PECB offers its expertise on multiple fields, including but not limited to: Governance, Risk Management, and Compliance. PECB is accredited by IAS (International Accreditation Service; headquartered in the USA) for ISO 37001:2016.
