ISO 37001 Audit Checklist

4 - Context of the Organization

  • 4.1 - Have you determined all the external and internal issues that are relevant to your purpose and that affect your ability to achieve the objectives of your ESMS?

  • Are these issues reviewed and monitored regularly?

  • 4.2 - Have the needs and expectations of stakeholders relevant to the ESMS been determined?

  • 4.3 - Has the scope of your ESMS been determined, taking into account all external and internal issues, the needs of stakeholders and the outcome of the bribery risk assessment?

  • 4.4 - Is the ESMS established and does it include a description of the necessary processes and their sequences and interactions?

  • 4.5 - Has the organization determined the criteria for identifying and managing the bribery risks of these processes?

  • Have you assessed the adequacy and effectiveness of existing controls to mitigate these risks?

  • 4.5.2 - Have you established criteria for assessing the level of these risks?

  • 4.5.3 - Is this assessment performed on a regular basis, at a time and frequency defined by the organization?

  • 4.5.4 - Does the organization hold documented information for this requirement?

5 - Leadership

  • 5.1.1 - Does the organization have a governing body in its governance structure (constituted Board of Directors)? Does this demonstrate leadership and commitment to the ESMS?

  • Has this body approved the anti-bribery management policy?

  • Does the governing body ensure that the organization's strategy and anti-bribery policy are aligned; critically review, at planned intervals, information about the content and operation of the ESMS; provide adequate and appropriate resources for the effective operation of the ESMS; and exercise supervision over the implementation and operation of the ESMS by Senior Management?

  • 5.1.2 - Does Senior Management demonstrate leadership and commitment to the ESMS?

  • Does Senior Management ensure that the ESMS, the anti-bribery policy, the anti-bribery objectives, the bribery risks, the operational controls and an anti-bribery culture are adequately established, implemented, maintained and regularly reviewed; promote continuous improvement; encourage the reporting of bribery; and ensure that staff are not retaliated against for reports made in good faith?

  • 5.2 - Has the anti-bribery policy been established and communicated, compatible with the strategic direction of the organization?

  • Does it prohibit bribery?

  • Does it require compliance with applicable anti-bribery laws?

  • Is it appropriate to the organization's purpose?

  • Does it provide a framework for determining objectives?

  • Does it state a commitment to meeting the requirements of the anti-bribery management system?

  • Does it encourage the raising of concerns (reports) in good faith without fear of reprisal?

  • Does it include a commitment to continuous improvement of the ESMS?

  • Does it explain the authority and independence of the compliance function?

  • Does it explain the consequences of not complying with the anti-bribery policy?

  • Is it available as documented information and in the necessary languages?

  • Is it available to relevant stakeholders?

  • 5.3 - Does senior management determine organizational roles, responsibilities and authorities ensuring that relevant roles are assigned and communicated within and at all levels of the organization? Managers at all levels must be responsible for understanding, complying with and applying requirements of the ESMS that refer to their roles and processes in the organization.

  • 5.3.2 - Has the anti-bribery compliance function been assigned?

  • Does the role have the authority and responsibility to oversee the ESMS?

  • Does the role have direct access to the Governing Body?

  • Does the role report the performance of the ESMS to Senior Management and the Governing Body?

  • 5.3.3 - Does the Organization establish a process for delegated decision-making for relationships in which there is more than a low risk of bribery, appropriate and free from conflict of interests (real and potential) and critically reviewed periodically?

6 - Planning

  • 6.1 - Have the risks and opportunities that need to be addressed to ensure that the ESMS can achieve the intended result(s) been established?

  • Have the requirements of the organization's context, its stakeholders and the risk assessment been taken into account when addressing these risks and opportunities?

  • Do these actions provide reasonable assurance that the organization achieves its objectives, prevents and reduces undesirable effects and achieves system improvement?

  • 6.2 - Has the organization established its anti-bribery objectives at the relevant functions and levels?

  • Are these objectives consistent with the anti-bribery policy, are they measurable (if applicable), do they take into account what has been determined in the context of the organization, stakeholders and risk assessment, are they achievable, are they communicated and are they updated as appropriate?

  • Does the organization retain documented information about these objectives and, when they are not achieved, determine what will be done, what resources will be required, who is responsible, when the action will be completed, how the results will be evaluated and who will impose sanctions or penalties (if applicable)?

7 - Support

  • 7.1 - Did the organization determine and provide the necessary resources for the establishment, implementation, maintenance and continuous improvement of the ESMS (including people, resources and infrastructure)?

  • 7.2 - Has the organization determined the necessary competencies of the people who carry out work under its control and which affect the performance of the ESMS? (Job description, or similar)

  • Does it ensure that these people are competent on the basis of appropriate education, training or experience and, where applicable, take actions to acquire and maintain the necessary competence and evaluate the effectiveness of those actions?

  • Do you retain documented information to demonstrate this competence? (Diplomas, certificates, declarations) For experience? (CTPS, curriculum vitae)

  • 7.2.2 - Has the organization implemented a staff hiring process, where the hiring conditions require people to comply with the anti-bribery and ESMS policy, giving the organization the right to adopt disciplinary measures in the case of non-compliance?

  • Are staff oriented and trained on the anti-bribery policy within a reasonable period after starting employment?

  • Have you implemented procedures that allow you to take appropriate disciplinary action against personnel who violate the anti-bribery policy or the ESMS?

  • Have you implemented a system so that staff do not suffer retaliation, discrimination or disciplinary action of any nature for refusing or declining to participate in any activity that they reasonably believe has more than a low risk of bribery that has not been mitigated by the organization?

  • Have you implemented a system so that staff who raise reports or concerns in good faith, based on a reasonable belief of attempted, actual or suspected bribery, or of a violation of the anti-bribery policy or the ESMS, do not suffer retaliation, discrimination or disciplinary action of any nature?

  • Has the organization implemented a procedure that determines the positions that are exposed to more than a low risk of bribery, based on the risk analysis (item 4.5)?

  • Have you defined a process for carrying out due diligence on these positions before hiring or transfer (promotion), where applicable to the position as defined in the risk analysis?

  • Has the organization implemented a system so that performance bonuses, performance targets and other incentive compensation elements are analyzed periodically to verify whether the implemented controls prevent bribery from being encouraged?

  • Do staff, Senior Management and the Governing Body sign a declaration of compliance with the anti-bribery policy at planned intervals?

  • 7.3 - Does the organization regularly (at planned intervals) provide adequate and appropriate training and awareness for employees on the anti-bribery policy, the applicable procedures, the identified risks, the circumstances in which bribery may occur and how to recognize them, their participation in and contribution to the ESMS, and the encouragement to report bribery?

  • Have you identified stakeholders with more than a low risk of bribery and implemented a procedure that raises awareness and trains these partners on the anti-bribery policy under which they operate on the organization's behalf?

  • 7.4 - Has the organization determined the internal and external communications relevant to its ESMS, including what it will communicate, when to communicate, who to communicate with, how to communicate, who will communicate and the languages in which to communicate?

  • Is the anti-bribery policy available to all organization personnel and business partners with more than a low bribery risk?

  • 7.5 - Has the organization defined the documented information required by the ESMS and the documented information that the organization itself has determined to be necessary for the effectiveness of the ESMS?

  • Can this documented information be retained as part of other systems or processes, for example compliance, financial or commercial?

  • 7.5.2 - Has the organization implemented a system for creating and updating documentation that ensures the following: identification (title, date, author, code, reference number); format (language, version, graphics); medium (paper, electronic); and critical analysis and approval (by a responsible person with authority)?

  • 7.5.3 - Is this documented information controlled so that it is available and suitable for use when necessary, and protected against loss of confidentiality, inappropriate use or loss of integrity?

  • Does this control address activities such as distribution, access, retrieval and use; storage and distribution; change control (version, revision); and retention and disposition?

  • Has the organization identified and maintained a system for controlling documented information from external sources that was determined to be necessary for the operation of the ESMS?

8 - Operation

  • 8.1 - Has the organization planned, implemented and critically analyzed the processes necessary to meet the requirements of the ESMS, implementing the actions determined in 6.1 (Actions to address risks and opportunities), establishing criteria for the processes and their controls, and maintaining documented information to the extent necessary to have confidence that the processes were carried out as planned?

  • Does the organization control outsourced processes (if applicable) by taking actions to mitigate any adverse effects, as necessary?

  • 8.2 - Has the organization implemented a system for carrying out due diligence on bribery risks classified as above low risk?

  • Do you have evidence of carrying out due diligence on planned transactions, projects, activities, relationships, business partners and personnel within the organization that have been classified as above low bribery risk? (information defined by the organization)

  • Are the frequency and methodology defined by the organization appropriate?

  • The organization may conclude that it is unnecessary, unreasonable or disproportionate to carry out due diligence on certain categories of people or business partners. Does this condition exist?

  • 8.3 - Has the organization implemented financial controls that manage the identified bribery risks? (Computerized ERP systems, approval workflow, financial approval authority, double payment signatures, restrictions on the use of cash, financial auditing, among others).

  • 8.4 - Has the organization implemented non-financial controls that manage the identified bribery risks? (Procedures, policies, communication, training, awareness, contracts, double assessment and signatures, measurements of work performed)

  • 8.5 - Has the organization implemented procedures so that the ESMS covers all controlled organizations, or that they implement their own anti-bribery controls in accordance with the result of the risk analysis raised in requirement 4.5 - Risk analysis?

  • For uncontrolled organizations that have been classified as having a low bribery risk, has it been determined whether they implement controls that manage those risks?

  • When it is not possible to comply with this determination, does the organization have the capacity, through its management controls, to mitigate such risks?

  • 8.6 - Has the organization implemented a system so that business partners who represent more than a low risk of bribery commit to preventing bribery (in any transaction, activity or related project) and so that the organization is able to terminate the relationship if there is proof of bribery for the benefit of this partner?

  • When the control determined in 8.3 cannot be met for partners with more than a low risk of bribery, this must be a factor taken into consideration in processes 4.5 - Risk analysis, 8.2 - Due diligence, 8.3 - Financial controls and 8.4 - Non-financial controls.

  • 8.7 - Has the organization implemented procedures to prevent the offering, supply or acceptance of gifts, hospitality, donations and similar benefits which could be, or could reasonably be perceived as, a bribe?

  • 8.8 - Has the organization implemented a system so that, when due diligence establishes that the bribery risk cannot be managed by the existing anti-bribery controls and the organization does not wish to implement additional controls, expand them, or take other appropriate measures to manage these risks, the organization terminates, discontinues, suspends or cancels the relationship as soon as possible, or refuses to continue it, as applicable?

  • 8.9 - Has the organization implemented procedures that encourage and allow staff to report in good faith, on a reasonable basis of belief, suspicion or actual bribery, or any violation or weakness of the ESMS?

  • Does the organization treat these reports confidentially?

  • Does this method allow for anonymous reporting?

  • Does it prohibit retaliation and protect those who report from retaliation?

  • Does it advise staff on what to do if faced with a concern or situation that may involve bribery?

  • Does it ensure that all staff are aware of the reporting procedures, are able to use them and are aware of their rights and protections under the procedure?

  • 8.10 - Has the organization implemented procedures that require the assessment, investigation and necessary actions for any bribery, violation of the anti-bribery policy or the ESMS?

  • Does the organization empower investigators and, when necessary, require the cooperation of relevant personnel?

  • Are the status and results of bribery-related investigations communicated and reported to the anti-bribery compliance function and other compliance functions, as appropriate?

  • Are investigations conducted, and their results handled, confidentially?

  • Does it guarantee the impartiality of the investigator?

9 - Performance evaluation

  • 9.1 - Has the organization determined what needs to be monitored and measured and the methods of monitoring, measurement, analysis and evaluation to ensure valid results?

  • Have you established what needs to be monitored, who is responsible, method for measurement or analysis, when to monitor and to whom this information should be reported?

  • Does the organization retain documented information as evidence of the monitoring methods and results?

  • Does the organization evaluate this performance to prove the efficiency and effectiveness of the ESMS?

  • 9.2 - Has the organization implemented a procedure for conducting internal audits of the ESMS, in order to provide information on whether the system complies with the organization's own requirements, the anti-bribery management system and the regulatory requirements of ISO 37001?

  • Has the organization planned the frequency, methods, responsibilities and requirements that must be taken into consideration for this process, based on the results of previous audits?

  • Have you defined audit criteria and scope?

  • Did you select competent auditors to conduct them, ensuring objectivity and impartiality towards the audited processes?

  • Does it ensure that results are reported to relevant management, the anti-bribery compliance function, Senior Management and, as appropriate, the Governing Body (if any)?

  • Do you retain documented information on the process?

  • Did the last internal audit carried out address the reasonableness and proportionality of the audit, based on the identified risks, together with verification of the internal procedures, controls and systems to prevent bribery, violations of the anti-bribery policy or ESMS requirements, failure of business partners to meet applicable anti-bribery requirements, weaknesses of the ESMS and opportunities for improvement?

9.3 - Critical Analysis by Management

  • 9.3.1 - Has the organization implemented a system for carrying out, at planned intervals, critical analysis by Senior Management?

  • Did the analysis include the following considerations: the status of actions from previous critical analyses; possible changes in relevant internal and external issues; information about the performance of the ESMS; the effectiveness of actions taken to address bribery risks; and opportunities to improve the ESMS?

  • What opportunities for improvement, and needs for changes to the ESMS, were identified by Senior Management to be applied (if applicable)?

  • Does the organization retain documented information for this requirement?

  • Was a summary of the results of the critical analysis by Senior Management prepared to report to the Governing Body? (If applicable)

  • 9.3.2 - Did the governing body carry out a periodic critical analysis of the ESMS, based on information provided by Senior Management and the anti-bribery Compliance function? (if applicable)

  • Did the organization retain summarized documented information on the results of this meeting? (if applicable)

10 - Improvement

  • 10.1 - Has the organization implemented a system for dealing with non-conformities and corrective actions?

  • Does this system define how to promptly react to non-compliance by taking measures to control and correct it by dealing with its consequences?

  • Does it assess the need for action to eliminate the cause, so that the non-conformity does not recur or occur elsewhere, and implement any action needed?

  • Does it critically analyze the effectiveness of corrective actions taken and make changes to the ESMS, if necessary?

  • Does the organization retain documented information as evidence of these actions?

  • 10.2 - Does the organization continually improve the adequacy, sufficiency and effectiveness of the anti-bribery management system?

  • General comments

  • Evaluator name and signature