Why ISO 37001 Audits Are Different From Other Management System Audits
If you have been through an ISO 9001 or ISO 14001 audit before, you might assume an ISO 37001 certification audit follows the same rhythm. In some ways it does. But ISO 37001, the Anti-Bribery Management System standard, carries a different weight. The subject matter is bribery and corruption, and auditors know that the consequences of a weak system are not just a quality complaint or an environmental incident. They can mean criminal charges, regulatory penalties, and serious reputational damage.
That changes how auditors approach the work. They are not just ticking boxes against documented procedures. They are looking for evidence that your organisation genuinely understands its bribery risks, has built real controls around them, and that leadership is driving the culture from the top. If you are preparing for your first ISO 37001 audit, or if you want to understand what is actually being assessed, this guide walks you through the full process in plain language.
A Quick Overview of ISO 37001
ISO 37001 was published by the International Organisation for Standardisation to help organisations prevent, detect, and address bribery. It applies to all types of organisations, public and private, large and small, across any industry. The standard requires you to build a management system that identifies where bribery risks exist in your operations and puts proportionate controls in place to reduce those risks.
It is worth noting that ISO 37001 certification does not prove your organisation has never been involved in bribery. What it demonstrates is that you have implemented a reasonable and proportionate anti-bribery management system. That distinction matters, both legally and commercially. Many organisations pursue this certification to satisfy procurement requirements, demonstrate due diligence to regulators, or build trust with international partners.
If you are also implementing a broader compliance framework, it is worth reading our easy guide to implementing ISO 37301, which complements ISO 37001 well in practice.
The Two-Stage Certification Audit Process
Like most ISO management system certifications, ISO 37001 uses a two-stage audit process before you receive your certificate. Understanding what happens in each stage removes a lot of the anxiety around the process.
Stage 1: The Readiness Review
Stage 1 is sometimes called a documentation review or a readiness audit. The auditor is assessing whether your management system is sufficiently developed to proceed to the full certification audit. At this point, they are not yet conducting a deep investigation into how your controls work in practice. They are reviewing your documented system against the requirements of the standard.
For ISO 37001, the Stage 1 review will typically examine your anti-bribery policy, your bribery risk assessment, your due diligence procedures for business associates, your gifts and hospitality register, your financial and non-financial controls documentation, your training records, and your internal reporting and whistleblowing procedures. The auditor will also check that your management system scope is clearly defined and that your top management has formally committed to the system.
At the end of Stage 1, the auditor will give you a report identifying any gaps. These might be areas where documentation is missing, where the scope is unclear, or where the system does not yet meet a specific clause of the standard. You will typically have a few weeks to address these gaps before Stage 2. If there are significant issues, the auditor may recommend delaying Stage 2 until they are resolved.
Our article on 8 things to do before an ISO Stage 1 readiness audit gives you a solid preparation checklist that applies across standards including ISO 37001.
Stage 2: The Certification Audit
Stage 2 is where the real work happens. The auditor is now assessing whether your anti-bribery management system is actually implemented and working effectively. This goes well beyond checking whether documents exist. The auditor will be interviewing staff, reviewing records, observing processes, and testing whether what is written in your procedures matches what actually happens in your organisation.
For ISO 37001 specifically, the auditor is looking for evidence that your controls are proportionate to your actual bribery risks. A company operating in a low-risk domestic environment will face different scrutiny than a company with international supply chains, government contracts, or operations in high-risk jurisdictions. The auditor will have reviewed your bribery risk assessment and will be testing whether your controls are genuinely designed to address the risks you identified.
What Auditors Actually Look At During the ISO 37001 Audit
Let me walk you through the key areas an ISO 37001 auditor will examine during Stage 2. This is where preparation makes a real difference.
Leadership and Top Management Commitment
This is the first thing auditors probe, and it is often where organisations fall short. ISO 37001 places significant responsibility on top management. The standard requires that senior leaders demonstrate genuine commitment to the anti-bribery management system, not just sign a policy statement and walk away.
The auditor will want to interview directors or senior executives directly. They will ask questions like: How do you personally demonstrate your commitment to anti-bribery? What resources have you allocated to the anti-bribery program? What happens when a business opportunity conflicts with your anti-bribery obligations? If the CEO cannot answer these questions credibly, that is a significant finding regardless of how good the documentation looks.
The auditor will also check whether your organisation has appointed a compliance function or individual with appropriate authority, resources, and independence to oversee the anti-bribery management system. This is a specific requirement under ISO 37001 and one that auditors take seriously.
Bribery Risk Assessment
Your bribery risk assessment is the foundation of the entire system. The auditor will examine it in detail. They want to see that you have identified your bribery risks across all relevant areas: the countries and sectors you operate in, the types of transactions you conduct, your relationships with third parties, and the nature of your interactions with public officials.
Critically, the auditor will assess whether the risk assessment is credible and proportionate. A risk assessment that rates every risk as low with no supporting analysis will raise immediate concerns. The auditor will ask who conducted the assessment, what methodology was used, when it was last reviewed, and whether it has been updated following any significant changes to your business.
They will also check whether the controls you have implemented actually correspond to the risks you identified. If your risk assessment identifies a high risk around third-party intermediaries but you have no due diligence procedure for those intermediaries, that is a non-conformity.
Due Diligence on Business Associates
This section generates more audit findings than almost any other area of ISO 37001. The standard requires organisations to conduct risk-based due diligence on business associates, which includes agents, intermediaries, joint venture partners, contractors, and suppliers who interact with public officials or operate in high-risk environments on your behalf.
The auditor will want to see your due diligence procedure, but more importantly they will want to see evidence that it has been applied. They will select a sample of business associates and ask to see the due diligence records for each one. They will check whether the level of due diligence was proportionate to the risk level of each associate. A low-risk domestic supplier might only require basic screening, while a foreign agent working with government officials should have received much more thorough scrutiny.
Common gaps here include no documented process for categorising business associates by risk level, incomplete due diligence records, due diligence that was completed at onboarding but never reviewed, and no process for handling situations where due diligence raises concerns.
Financial and Non-Financial Controls
ISO 37001 requires organisations to implement financial controls designed to prevent bribery. The auditor will look at how your financial approval processes work, how expenses and payments are authorised, how gifts and hospitality are recorded and approved, and whether there are controls around facilitation payments.
They will typically review a sample of transactions, expense claims, and gifts and hospitality entries. They are looking for anomalies and for evidence that the controls are actually working rather than just existing on paper. An auditor who sees a gifts and hospitality register with no entries for a company that regularly entertains clients will ask questions.
Non-financial controls include things like segregation of duties, project approval processes, and controls around contract management. The auditor will assess whether these controls are proportionate to your identified risks.
Training and Communication
The auditor will examine how your organisation communicates its anti-bribery commitments internally and externally, and how staff are trained on their obligations. They will want to see training records, the content of training materials, and evidence that training has been completed by relevant personnel including senior management.
One thing auditors look for here is whether training is genuinely tailored to roles and risks. Generic online compliance training ticked off once a year may satisfy the documentation requirement but will not satisfy an auditor who is also interviewing staff and finding that people do not understand what to do when they are offered a bribe or asked to make a facilitation payment.
Reporting Mechanisms and Whistleblowing
ISO 37001 requires organisations to have confidential reporting mechanisms that allow staff and other relevant parties to raise concerns about bribery without fear of retaliation. The auditor will check that these mechanisms exist, are accessible, are communicated to staff, and that there is a process for investigating concerns that are raised.
They will also look for evidence that the system has been used, or if it has not been used, they will probe whether staff are actually aware of it and comfortable using it. A reporting mechanism that nobody knows about is not a functioning control.
Internal Audit and Management Review
The auditor will check that you have conducted internal audits of your anti-bribery management system and that these audits were conducted by competent, independent personnel. They will review the internal audit reports and check whether findings were addressed. Our article on how to run ISO internal audits that actually find problems is worth reading before your certification audit, as weak internal audits are a common finding.
They will also review records of your management review meetings, checking that senior leadership is actively reviewing the performance of the anti-bribery management system and making decisions about improvements.
How Audit Findings Are Classified
At the end of the Stage 2 audit, the auditor will issue a report classifying their findings. Understanding these classifications helps you respond appropriately.
A major non-conformity means a significant failure in the management system, either a complete absence of a required element or a systematic failure that undermines the effectiveness of the system. A major non-conformity will prevent certification from being issued until it is resolved and verified. These are serious but not necessarily fatal if you address them promptly and thoroughly.
A minor non-conformity is a single lapse or isolated failure that does not indicate a systemic problem. You will still need to submit a corrective action plan and evidence of resolution, but certification can typically proceed once the plan is accepted.
An observation or opportunity for improvement is not a formal finding that requires corrective action, but it is the auditor flagging something worth attention. You are not required to act on these, but experienced organisations take them seriously.
If you receive a finding and believe it is incorrect or based on a misunderstanding, you have the right to raise this with the auditor during the closing meeting. For formal disputes, our article on the formal process for disputing an ISO audit finding explains your options clearly.
After the Audit: Surveillance and Recertification
Once you receive your ISO 37001 certificate, the audit cycle does not end. Certification bodies conduct annual surveillance audits to verify that your anti-bribery management system continues to meet the requirements of the standard. These surveillance audits are typically shorter than the initial certification audit, but they are not a formality.
After three years, you will undergo a full recertification audit. This is essentially a repeat of the Stage 2 process, and the auditor will be looking for evidence of continual improvement over the certification period, not just maintenance of the status quo.
The ongoing nature of the audit cycle is actually one of the genuine benefits of ISO 37001 certification. It creates a structured rhythm that keeps anti-bribery controls active and leadership engaged, rather than allowing compliance programs to fade after the initial effort.
Common Reasons Organisations Fail Their ISO 37001 Audit
Having seen many organisations go through this process, I have found that the failures tend to cluster around a few recurring issues. Leadership that is present in the documentation but absent in practice. Risk assessments that are too generic to drive meaningful controls. Due diligence processes that exist on paper but are not consistently applied. Training that is completed but not understood. And internal audits that are conducted to satisfy the requirement rather than to genuinely test the system.
The organisations that sail through their ISO 37001 audits are the ones that treat the standard as a genuine framework for managing bribery risk, not as a compliance exercise to get a certificate. That distinction is visible to an experienced auditor within the first hour of an interview.
Getting the Right Help for Your ISO 37001 Journey
ISO 37001 is a specialist standard, and finding a consultant or certification body with genuine anti-bribery expertise makes a real difference to how well your system is built and how smoothly your audit goes. The market for ISO consultants varies considerably in quality, and choosing the wrong provider can cost you significant time and money.
CertBetter connects businesses with verified ISO consultants and accredited certification bodies who have real experience with standards like ISO 37001. You submit one form, receive up to three competing quotes from vetted providers, and can compare them properly before committing. The service is completely free for businesses. If you are starting your ISO 37001 journey or preparing for an upcoming audit, it is worth getting a few expert perspectives before you decide how to proceed.