You know the old disclaimer often heard or seen on television, that “your results may vary” depending on a number of variables? Well, that disclaimer does apply to how quickly CPA Global was able to achieve ISO 37001 anti-bribery management systems certification. Although I encourage compliance officers and executive management to seek ISO 37001 certification, I certainly would never expect nearly as quick a readiness and audit process. From the time Spark Consulting began assisting CPA Global to prepare, it took exactly 4 months before we received the good word from the certification body Ethic Intelligence that we had “passed the audition.” My advice: pursue certification, but if you are mid-cap sized or larger, don’t expect to get it done in less than 6 months.
So, with that disclaimer in mind, how is it, then, that CPA Global, a mid-market sized firm (the Wall Street Journal reported the Cinven sale to Green at an estimated GBP 2.5B) with varied income sources and offices in 14 countries spanning 4 continents, could get prepared and through an audit process in just 4 months?
Well, the answer is three-fold. One, we spent 6 ½ years perfecting our anti-bribery system in accordance with the guidance that, under ISO 37001, becomes requirements. We featured:
- An annual and continuous anti-bribery risk assessment from which annual plans and ongoing controls were based
- Multi-tiered anti-bribery employee and associate training
- Automated level 1 restricted party screening of all employees and counterparties daily
- A risk rating system for counterparties
- Differentiated monitoring, including level 2 and 3 due diligence of associates and counterparties rated above low risk
- Automated whistleblower hotline with employee and associate access with automated case management
- Automated Dashboard reports and metrics for managing compliance and success of the overall compliance program including of course anti-bribery
There is more, but you get the idea: we had all avenues very well covered, using a risk-based system to ensure appropriate control activities were in place to deal commensurately with the associated risk.
Number two, we had invested in automation, which afforded us a readily accessible audit trail to draw from in an expeditious fashion. Let’s face it, if you can quickly pull lists of employee status changes and compare them to automated records (Navex records, let us say), the audit moves quickly and decidedly. Training attendance, third-party questionnaire completion, and hotline responses can be, and were, handled by way of automation, making it a smoother and faster ride through the audit process.
Finally, because we hired the right women for readiness, it took only 3 months to pull support and compare it to the requirements, address any gaps, obtain final board and executive approval, and communicate the pending ISO 37001 audit to managers. Kristy Grant-Hart and Diana Trevley of Spark made the process turnkey in that:
- They identified gaps relative to the ISO 37001 requirements, made risk-relative recommendations, and evaluated the remediation activities taken
- Gathered, categorized and made available all support for our anti-bribery system for reference throughout the process
- Sought out operational control examples from company staff and management
- Assisted with associate level, executive, and board communication
- Were available to speak to all levels of the organization as needed
- Led meetings to introduce the ISO 37001 certification process, merits and responsibilities to all appropriate parties; and finally
- Acted as an advocate during the audit process
Because Ms. Trevley, Spark’s West Coast Director, who managed our readiness directly, was so knowledgeable and hands-on, the project did not cut very much into my day-to-day agenda. Trevley’s expertise as an attorney, in AB&C, and with corporate structures enabled her to be a quick study for what can be a complex undertaking. The critical path really was getting approvals and paperwork from the executives and the board, and timing the announcement that we were seeking ISO 37001 with a new release of our revised Code of Conduct and a whole new training course, which for a vast number of employees would act as a refresher. Although the changes to the Code in relation to anti-bribery itself were very few, and mostly specific language needed to meet the ISO 37001 requirements, the timing enabled our new campaign to be more successful out of the gate than it would have been under more ordinary circumstances. With the tone at the top communicating the importance of obtaining the certification, employees were obviously quicker to meet the 30-day mandate for taking the 30-minute online, on-demand course.
Both Trevley and Ms. Grant-Hart also helped prepare decks and participated on calls to walk key participants through the audit process so they were more than adequately prepared.
Finally, and probably most impressive to me, was having Ms. Trevley at the table during the audit interviews. At times it seemed like a deposition, with an occasional “I object, on the grounds that this question does not relate to a requirement and/or guideline.” Our auditor would then either re-present their case or move to another line of questioning or burrowing. There were times I felt like debating an auditor notation, as I felt the concern was not taking certain mitigating factors into consideration, but for the sake of time and effort, Ms. Trevley advised me to accept the finding because it was just that, a finding, which is neither a major nor a minor nonconformance. Although findings need to be addressed at subsequent annual surveillance audits, they do not carry the weight of a minor nonconformance and, unless associated and aggregated, do not pose a threat to obtaining or maintaining certification. It was this advocacy and advisory aspect of Spark’s service that I found to be unique and very effective.
I also found Ethic Intelligence’s choice of auditors in Jean Christophe Carrou and Annie Trudel to be fine selections, as the feedback on any notation (nonconformance, finding, needs improvement) was addressed either straight away or by the end of that day. In fact, the end of every daily session resulted in a recap that let us know where we stood. I try not to disparage ISO auditors in general when I say Mr. Carrou and Ms. Trudel were the best ISO auditors I have worked with to date.
So, in the end, it was 3 months of readiness, 7 days of on-site auditing, an hour one week later going through the final report, and about 10 days creating a response plan that must be approved by the auditors before they recommend certification to Ethic Intelligence, the certification body.
So kudos to CPA Global, Spark, and compliance automation (Compliance management system) in making it what now seems like quick work.
Spectrum takes away the pain associated with third-party risk with the same proven, efficient, standardized, cost-effective due diligence methodology that helped earn CPA Global an ISO 37001 certification. Discover how Specktrum can seamlessly manage your third-party risk today!