ISO 37001 Checklist

Use this ISO 37001 checklist to evaluate an organization's anti-bribery management system against the international standard for preventing bribery and corruption.

5 - Leadership

1. 5.1.1a Does the organization have a governing body in its governance structure (a constituted Board of Directors)? Does this body demonstrate leadership and commitment to the ESMS?

2. 5.1.1b Has this body approved the anti-bribery management policy?

3. 5.1.1c Does it ensure that the organization's strategy and anti-bribery policy are aligned?

4. 5.1.1d Does it critically review, at planned intervals, information about the content and operation of the ESMS?

5. 5.1.1e Does it provide adequate and appropriate resources for the effective operation of the ESMS?

6. 5.1.1f Does it exercise oversight of the implementation and operation of the ESMS by Senior Management?

7. 5.1.2 - Does Senior Management demonstrate leadership and commitment to the ESMS?

8. 5.1.2a Does Senior Management ensure that the ESMS, the anti-bribery policy, its objectives, the bribery risk assessment, operational controls and the anti-bribery culture are adequately established, implemented, maintained and regularly reviewed; that continuous improvement is promoted; that the reporting of bribery is encouraged; and that staff are not retaliated against for reports made in good faith?

9. Has the anti-bribery policy been established and communicated, and is it compatible with the strategic direction of the organization? Does it: prohibit bribery; require compliance with applicable anti-bribery laws; suit the organization's purpose; provide a framework for setting objectives; state a commitment to meeting the requirements of the anti-bribery management system; encourage the raising of concerns (reports) in good faith without fear of reprisal; include a commitment to continuous improvement of the ESMS; explain the authority and independence of the compliance function; and explain the consequences of not complying with the anti-bribery policy? Is it available as documented information, in the necessary languages, and to relevant stakeholders?

10. 5.3 - Does Senior Management determine organizational roles, responsibilities, and authorities, ensuring that relevant roles are assigned and communicated within and at all levels of the organization?

11. 5.3.1 Are managers at all levels responsible for understanding, complying with, and applying the requirements of the ESMS that relate to their roles and processes in the organization?

12. 5.3.2 - Has the anti-bribery compliance function been assigned?

13. 5.3.2a - Does the role have the authority and responsibility to oversee the ESMS?

14. 5.3.2b - Does the role have direct access to the Governing Body?

15. 5.3.2c - Is the performance of the ESMS reported to Senior Management and the Governing Body?

16. 5.3.3 - Has the organization established a process for delegated decision-making for relationships in which there is more than a low risk of bribery, which is appropriate, free from conflicts of interest (real and potential), and critically reviewed periodically?

6 - Planning

1. 6.1 - Have the risks and opportunities that need to be addressed to ensure that the ESMS can achieve its intended result(s) been determined?

2. 6.1a - Were the organization's context, its stakeholders' requirements and the bribery risk assessment taken into account when addressing these risks and opportunities?

3. 6.1b - Do these actions provide reasonable assurance that the organization achieves its objectives, prevents and reduces undesirable effects, and achieves improvement of the system?

4. 6.2 - Has the organization established its anti-bribery objectives at the relevant functions and levels?

5. 6.2a - Are these objectives consistent with the anti-bribery policy, measurable (if applicable), based on what was determined in the organization's context, stakeholder analysis and risk assessment, achievable, communicated, and updated as appropriate?

6. 6.2b - Does the organization retain documented information on these objectives and, when they are not achieved, determine what will be done, what resources will be required, who is responsible, when the action will be completed, how it will be evaluated, and who will impose sanctions or penalties (if applicable)?

7 - Support

1. 7.1 - Has the organization determined and provided the resources necessary for the establishment, implementation, maintenance, and continuous improvement of the ESMS (including people, resources, and infrastructure)?

2. 7.2 - Has the organization determined the necessary competencies of the people who carry out work under its control and whose work affects the performance of the ESMS? (Job description, or similar)

3. 7.2.1 Does it ensure that these people are competent on the basis of appropriate education, training, or experience? Where applicable, does it take actions to acquire and maintain the necessary competence and evaluate the effectiveness of those actions? Does it retain documented information as evidence of these skills (diplomas, certificates, declarations) and of experience (CTPS, curriculum)?

4. 7.2.2 - Has the organization implemented a staff hiring process in which the conditions of employment require people to comply with the anti-bribery policy and the ESMS, giving the organization the right to take disciplinary measures in the case of non-compliance?

5. 7.2.2.1 - Are staff oriented and trained on the anti-bribery policy within a reasonable period after joining?

6. 7.2.2.1a - Have you implemented procedures that allow you to take appropriate disciplinary action against personnel who violate the anti-bribery policy or the ESMS?

7. 7.2.2.1b - Have you implemented a system so that staff do not suffer retaliation, discrimination, or disciplinary action of any nature for refusing to participate in, or withdrawing from, any activity that they reasonably believe has more than a low risk of bribery that has not been mitigated by the organization?

8. 7.2.2.1c - Have you implemented a system so that those who raise reports or concerns in good faith, based on a reasonable belief of attempted, actual, or suspected bribery or of a violation of the anti-bribery policy or the ESMS, do not suffer retaliation, discrimination, or disciplinary action of any nature?

9. 7.2.2.2 - Has the organization implemented a procedure that determines which positions are exposed to more than a low risk of bribery, based on the risk analysis (item 4.5)?

10. 7.2.2.2a - Have you defined a process for carrying out due diligence on these positions before hiring or transfer (promotion), where applicable to the position as defined in the risk analysis?

11. 7.2.2.2b - Has the organization implemented a system so that performance bonuses, performance targets, and other incentive compensation elements are reviewed periodically to verify that the implemented controls prevent bribery from being encouraged?

12. 7.2.2.2c - Do staff, Senior Management, and the Governing Body sign a declaration of compliance with the anti-bribery policy at planned intervals?

13. 7.3 - Does the organization regularly provide (at planned intervals) adequate and appropriate training and awareness for employees on the anti-bribery policy, the applicable procedures, the identified risks, the circumstances in which bribery may occur and how to recognize them, their participation in and contribution to the ESMS, and how to report bribery?

14. 7.3a - Have you identified business partners with more than a low risk of bribery and implemented a procedure that raises awareness among and trains these partners on the anti-bribery policy under which they operate on the organization's behalf?

15. 7.4 - Has the organization determined the internal and external communications relevant to its ESMS, including what it will communicate, when to communicate, with whom to communicate, how to communicate, who will communicate, and the languages in which to communicate?

16. 7.4a - Is the anti-bribery policy available to all organization personnel and to business partners with more than a low bribery risk?

17. 7.5 - Has the organization defined the documented information required by the ESMS and that which the organization itself has determined to be necessary for the effectiveness of the ESMS?

18. 7.5.1 - Can this documented information be retained separately or as part of other systems or processes, for example compliance, financial, commercial, etc.?

19. 7.5.2 - Has the organization implemented a system for creating and updating documentation that ensures: identification (title, date, author, code, reference number); format (language, version, graphics); medium (paper, electronic); and critical review and approval (by a responsible person with authority)?

20. 7.5.3 - Is this documented information controlled so that it is available and suitable for use when necessary, and protected against loss of confidentiality, inappropriate use, or loss of integrity?

21. 7.5.3a - Has the organization addressed control activities such as distribution, access, retrieval, and use; storage and preservation; change control (version, revision); and retention and disposition?

22. 7.5.3b - Has the organization identified and maintained a system for controlling documented information of external origin that it determined to be necessary for the operation of the ESMS?

8 - Operation

1. 8.1 - Has the organization planned, implemented, and critically reviewed the processes necessary to meet the requirements of the ESMS, implementing the actions determined under 6.1 (actions to address risks and opportunities), establishing criteria for the processes and their controls, and maintaining documented information to the extent necessary to have confidence that the processes were carried out as planned?

2. 8.1.1 - Does the organization control outsourced processes (if applicable), taking action to mitigate any adverse effects, as necessary?

3. 8.2 - Has the organization implemented a system for carrying out due diligence according to the bribery risk classification (above or below low risk)?

4. 8.2.1 - Is there evidence of due diligence carried out on planned transactions, projects, activities, relationships, business partners, and personnel within the organization that have been classified as above a low bribery risk? (Information defined by the organization)

5. 8.2.2 - Are the frequency and methodology defined by the organization appropriate?

6. 8.2.3 - Has the organization concluded that it is unnecessary, unreasonable, or disproportionate to carry out due diligence on certain categories of people or business partners? If so, is that condition actually present?

7. 8.3 - Has the organization implemented financial controls that manage the identified bribery risks? (Computerized ERP systems, approval workflows, financial approval authority, dual signatures on payments, restrictions on the use of cash, and financial auditing, among others)

8. 8.4 - Has the organization implemented non-financial controls that manage the identified bribery risks? (Procedures, policies, communication, training, awareness, contracts, dual assessment, signatures, measurement of work performed)

9. 8.5 - Has the organization implemented procedures so that the ESMS covers all controlled organizations, or so that they implement their own anti-bribery controls in accordance with the results of the risk analysis carried out under requirement 4.5 - Risk analysis?

10. 8.5.1 - For uncontrolled organizations that have been classified as presenting a low bribery risk, has it been determined whether they implement controls that manage those risks?

11. 8.5.2 - When it is not possible to comply with this determination, does the organization have the capacity, through its own management controls, to mitigate such risks?

12. 8.6 - Has the organization implemented a system so that business partners representing more than a low risk of bribery commit to preventing bribery (in any transaction, activity, or related project), and so that the organization is able to terminate the relationship if there is evidence of bribery for the benefit of that partner?

13. 8.6.1 - When the control determined in 8.3 cannot be met for partners with more than a low risk of bribery, this must be a factor taken into consideration in processes 4.5 - Risk analysis, 8.2 - Due diligence, 8.3 - Financial controls and 8.4 - Non-financial controls.

14. 8.7 - Has the organization implemented procedures to prevent the offering, provision, or acceptance of gifts, hospitality, donations, and similar benefits that could be, or could reasonably be perceived as, a bribe?

15. 8.8 - Has the organization implemented a system so that, when due diligence establishes that the risk of bribery cannot be managed by the existing anti-bribery controls, and the organization does not wish to implement or expand additional controls or take other appropriate measures to manage these risks, the organization terminates, discontinues, suspends, or cancels the relationship as soon as possible, or refuses to enter into it, as applicable?

16. 8.9 - Has the organization implemented procedures that encourage and allow staff to report, in good faith and on the basis of a reasonable belief, suspected or actual bribery, or any violation or weakness of the ESMS?

17. 8.9.1 - Does the organization treat these reports confidentially?

18. 8.9.2 - Does the reporting method allow for anonymous reporting?

19. 8.9.3 - Does it prohibit retaliation and protect those who report from retaliation?

20. 8.9.4 - Does it advise staff on what to do if faced with a concern or situation that may involve bribery?

21. 8.9.5 - Does it ensure that all staff are aware of the reporting procedures, are able to use them, and are aware of their rights and protections under the procedure?

22. 8.10 - Has the organization implemented procedures that require the assessment and investigation of, and appropriate action on, any bribery or violation of the anti-bribery policy or the ESMS?

23. 8.10.1 - Does the organization empower and authorize investigators and, when necessary, require the cooperation of relevant personnel?

24. 8.10.2 - Are the status and results of bribery-related investigations communicated and reported to the anti-bribery compliance function and other compliance functions, as appropriate?

25. 8.10.3 - Are investigations conducted and their results handled confidentially?

26. 8.10.4 - Does it guarantee the impartiality of the investigator?

9 - Performance Evaluation

1. 9.1 - Has the organization determined what needs to be monitored and measured, and the methods of monitoring, measurement, analysis, and evaluation needed to ensure valid results?

2. 9.1.1 - Have you established what needs to be monitored, who is responsible, the method of measurement or analysis, when to monitor, and to whom this information should be reported?

3. 9.1.2 - Does the organization retain documented information as evidence of the monitoring methods and results?

4. 9.1.3 - Does the organization evaluate this performance to demonstrate the efficiency and effectiveness of the ESMS?

5. 9.2 - Has the organization implemented a procedure for conducting internal audits of the ESMS, in order to provide information on whether the system conforms to the organization's own requirements for its anti-bribery management system and to the requirements of ISO 37001?

6. 9.2.1 - Has the organization planned the frequency, methods, responsibilities, and requirements to be taken into consideration for this process, based on the results of previous audits?

7. 9.2.2 - Have you defined the audit criteria and scope?

8. 9.2.3 - Have you selected competent auditors to conduct the audits, ensuring objectivity and impartiality towards the audited processes?

9. 9.2.4 - Does it ensure that results are reported to relevant management, the anti-bribery compliance function, Senior Management, and, as appropriate, the Governing Body (if any)?

10. 9.2.5 - Do you retain documented information on the process?

11. 9.2.6 - Was the last internal audit carried out reasonable and proportionate to the identified risks, and did it verify the internal procedures, controls, and systems for preventing bribery, violations of the anti-bribery policy and ESMS requirements, failures of business partners to meet applicable anti-bribery requirements, and weaknesses of the ESMS and opportunities for improvement?

9.3 - Critical Analysis By Management

1. 9.3.1 - Has the organization implemented a system for carrying out, at planned intervals, a critical analysis by Senior Management?

2. 9.3.1a - Did the analysis include the following considerations: matters arising from previous critical analyses; changes in internal and external issues that are relevant; information about the performance of the ESMS; the effectiveness of actions taken to address bribery risks; and opportunities to improve the ESMS?

3. 9.3.1b - What opportunities for improvement did Senior Management identify that should be applied, and what changes to the ESMS are needed (if applicable)?

4. 9.3.1c - Does the organization retain documented information for this requirement?

5. 9.3.1d - Was a summary of the results of the critical analysis by Senior Management prepared for reporting to the Governing Body? (If applicable)

6. 9.3.2 - Did the Governing Body carry out a periodic critical analysis of the ESMS, based on information provided by Senior Management and the anti-bribery compliance function? (If applicable)

7. 9.3.2a - Did the organization retain summarized documented information on the results of this review? (If applicable)

10 - Improvement

1. 10.1 - Has the organization implemented a system for dealing with non-conformities and corrective actions?

2. 10.1.1 - Does this system define how to react promptly to a non-conformity, taking measures to control and correct it and to deal with its consequences?

3. 10.1.2 - Does it assess the need for action to eliminate the cause, so that the non-conformity does not recur or occur elsewhere, and implement any action needed?

4. 10.1.3 - Does it critically review the effectiveness of the corrective actions taken and make changes to the ESMS, if necessary?

5. 10.1.4 - Does the organization retain documented information as evidence of these actions?

6. 10.2 - Does the organization continually improve the adequacy, sufficiency, and effectiveness of the anti-bribery management system?

4 - Context Of The Organization

1. 4.1 - Have you determined all the external and internal issues that are relevant to your purpose and that affect your ability to achieve the objectives of your ESMS? Are these issues reviewed and monitored regularly?

2. 4.2 - Have the needs and expectations of the stakeholders relevant to the ESMS been determined?

3. 4.3 - Has the scope of your ESMS been determined, taking into account all external and internal issues, the needs of stakeholders, and the outcome of the bribery risk assessment?

4. 4.4 - Is the ESMS established, and does it include a description of the necessary processes and their sequence and interactions?

5. 4.5 - Has the organization determined the criteria for identifying and managing the bribery risks of these processes?

6. 4.5.1 Have you assessed the adequacy and effectiveness of existing controls to mitigate these risks?

7. 4.5.2 Have you established criteria for assessing the level of these risks?

8. 4.5.3 Is this assessment performed on a regular basis (time and frequency) as defined by the organization?

9. 4.5.4 Does the organization hold documented information for this requirement?

Checklist by GoAudits.com.