ISO 37001:2016
Anti-Bribery Management System
Complete Audit Checklist
Audit Details
Organization: _________________________
Audit Date: _________________________
Lead Auditor: _________________________
Audit Scope: _________________________
Auditee Contact: _________________________
Report Reference: _________________________
Finding Classification
Finding Classification Legend
Conforming | Evidence fully satisfies the requirement.
Minor NC | Partial conformity; isolated lapse not threatening system integrity.
Major NC | Absence or systematic failure of a required element; certification risk.
N/A | Requirement not applicable to the defined scope.
Instructions for Use
This checklist covers all mandatory requirements of ISO 37001:2016 (Anti-Bribery Management Systems). For each item:
1. Review documentary evidence and conduct interviews as indicated in the Audit Guidance column.
2. Select the Finding classification: Conforming, Minor NC, Major NC, or N/A.
3. Record evidence references, interviewee names, and observations in the Notes/Ref column.
4. Complete the Audit Summary table on the final page after all clauses are reviewed.
Clause 4 – Context of the Organization
Clause | Audit Requirement | Audit Guidance / Evidence | Finding | Notes / Ref
4.1 | Understanding the organization and its context — Has the organization determined external and internal issues relevant to its purpose that affect its ability to achieve the intended outcomes of its ABMS? | Review PESTLE/SWOT analysis, board minutes, risk register, strategic planning documents. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
4.1 | Has the organization considered bribery risks arising from public officials, business associates, subsidiaries, joint ventures, and supply chain parties? | Interview senior management; verify risk identification covers all relevant third parties. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
4.2 | Understanding needs and expectations of interested parties — Has the organization identified interested parties and their requirements relevant to the ABMS? | Review stakeholder register; check for regulators, shareholders, employees, customers, and communities. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
4.2 | Are applicable legal, regulatory, and contractual anti-bribery obligations identified and documented? | Check legal register against local anti-bribery laws (e.g., FCPA, UK Bribery Act, local legislation). | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
4.3 | Determining the scope of the ABMS — Is the scope of the ABMS documented, justified, and maintained? | Verify scope covers all business units, geographies, functions, and third parties where bribery risk exists. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
4.4 | Anti-Bribery Management System — Has the organization established, documented, implemented, maintained, and continually improved the ABMS? | Request ABMS manual or equivalent documentation; verify integration with business processes. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
4.5 | Bribery risk assessment — Has a documented risk assessment been conducted to identify and evaluate bribery risks? | Review risk assessment methodology; confirm roles, geographies, project types, and transactions are covered. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
4.5 | Is the risk assessment periodically reviewed (especially after significant organizational or external changes)? | Check risk assessment dates and triggers; verify review schedule is maintained. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
Clause 5 – Leadership
Clause | Audit Requirement | Audit Guidance / Evidence | Finding | Notes / Ref
5.1 | Leadership and commitment — Does top management demonstrate commitment to the ABMS and anti-bribery culture? | Interview CEO/Board members; review board minutes for anti-bribery agenda items and policy approvals. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
5.1a | Has top management approved the anti-bribery policy? | Verify policy is signed by the highest governance level; check date and version. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
5.1b | Does top management ensure integration of ABMS requirements into business processes? | Assess integration in procurement, sales, HR, and finance processes. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
5.1c | Are adequate resources (financial, human, technological) provided for the ABMS? | Review ABMS budget; confirm compliance function is appropriately staffed. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
5.1.1 | Governing body — Does the governing body (board/equivalent) oversee management's implementation of the ABMS? | Review board committee charters; confirm audit/risk committee receives ABMS reports at least annually. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
5.2 | Anti-Bribery Policy — Is there a documented anti-bribery policy communicated to all personnel and relevant business associates? | Review policy; check distribution records, intranet availability, and translation for multilingual workforces. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
5.2 | Does the policy prohibit bribery in all forms (public and private sector) and address gifts, hospitality, facilitation payments, and political/charitable contributions? | Compare policy scope against ISO 37001 Annex A requirements. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
5.3 | Roles, responsibilities, and authorities — Are roles, responsibilities, and authorities for the ABMS clearly defined and communicated? | Review RACI matrix or equivalent; verify compliance officer/function has appropriate independence. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
5.3.2 | Compliance function — Has a compliance function (or equivalent) been established with adequate competence, resources, and independence? | Assess reporting line of compliance function; confirm direct access to governing body. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
Clause 6 – Planning
Clause | Audit Requirement | Audit Guidance / Evidence | Finding | Notes / Ref
6.1 | Actions to address risks and opportunities — Have bribery risks and opportunities been identified, assessed, and prioritized? | Review risk register; verify likelihood and impact scores; confirm risk owners are assigned. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
6.1 | Are controls selected proportionate to the nature and level of assessed bribery risk? | Trace risk assessment to control framework; verify high-risk areas have enhanced controls. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
6.2 | Anti-Bribery Objectives — Have ABMS objectives been established at relevant functions and levels? | Review documented objectives; confirm they are measurable, monitored, and communicated. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
6.2 | Are anti-bribery objectives consistent with the policy and risk assessment outcomes? | Map objectives to policy commitments and significant risk areas. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
6.3 | Planning changes — When changes to the ABMS are planned, are they carried out in a systematic and controlled manner? | Review change management procedure; verify ABMS changes are risk-assessed before implementation. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
Clause 7 – Support
Clause | Audit Requirement | Audit Guidance / Evidence | Finding | Notes / Ref
7.1 | Resources — Has the organization determined and provided the resources needed for establishing, implementing, maintaining, and improving the ABMS? | Review budget allocation; assess staffing levels in compliance/legal/internal audit functions. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
7.2 | Competence — Are personnel assigned to ABMS-relevant roles competent? Are training needs assessed? | Review job descriptions, training needs analysis, and training completion records. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
7.3 | Awareness — Are personnel aware of the anti-bribery policy, their contribution to ABMS effectiveness, and consequences of non-compliance? | Review awareness training records; sample employee surveys or acknowledgments. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
7.4 | Communication — Has the organization established internal and external communication processes related to the ABMS? | Review communication plan; verify channels for policy communication, reporting, and updates. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
7.5 | Documented information — Is documented information required by the ABMS created, controlled, and retained? | Audit document control procedure; sample retained records for accessibility, integrity, and version control. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
7.5.2 | Is documented information adequately protected from unauthorized use, modification, or destruction? | Review access controls on ABMS documentation; confirm backup and retention policies. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
Clause 8 – Operation
Clause | Audit Requirement | Audit Guidance / Evidence | Finding | Notes / Ref
8.1 | Operational planning and control — Has the organization planned, implemented, and controlled processes to meet ABMS requirements? | Review operational procedures; verify anti-bribery controls are embedded in key processes. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
8.2 | Due diligence — Is proportionate due diligence conducted on projects, transactions, and business associates before engagement? | Sample due diligence files; verify questionnaires, screening results, and approvals are documented. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
8.2 | Is due diligence reviewed periodically and updated to reflect changes in risk? | Check ongoing monitoring procedures; confirm re-screening triggers are defined. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
8.3 | Financial controls — Are financial controls in place to prevent bribery (e.g., segregation of duties, approval thresholds, audit trails)? | Test key financial controls; verify authorization matrices; review journal entry testing. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
8.4 | Non-financial controls — Are non-financial controls implemented (e.g., gifts/hospitality registers, conflicts of interest declarations)? | Review gift/hospitality register; sample declarations; verify approval workflows. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
8.5 | Gifts, hospitality, donations, and similar benefits — Are gifts, hospitality, political/charitable donations, and sponsorships subject to documented controls? | Review policy limits; test register completeness; verify approval chain for above-threshold items. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
8.6 | Managing inadequacy of anti-bribery controls — Is there a process to raise concerns when controls are inadequate or business associates do not comply? | Interview procurement and sales staff; review escalation procedures. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
8.7 | Raising concerns — Does the organization have a speak-up/whistleblower mechanism that allows reporting of suspected bribery confidentially and without retaliation? | Inspect hotline records; verify confidentiality provisions; confirm non-retaliation policy exists. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
8.8 | Investigating and dealing with bribery — Is there a documented procedure for investigating and responding to actual or suspected bribery? | Review investigation policy; trace sample cases; confirm outcomes are escalated appropriately. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
8.9 | Business associates — Are anti-bribery commitments required by contract from relevant business associates? | Sample contracts; verify anti-bribery clauses including audit rights, certifications, and termination triggers. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
8.10 | Anti-Bribery commitments — Does the organization seek confirmation from business associates that they apply appropriate anti-bribery controls? | Review supplier self-assessment process; verify certifications are current. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
Clause 9 – Performance Evaluation
Clause | Audit Requirement | Audit Guidance / Evidence | Finding | Notes / Ref
9.1 | Monitoring, measurement, analysis, and evaluation — Has the organization determined what, when, and how to monitor and measure ABMS performance? | Review KPIs and metrics (e.g., training completion %, hotline volume, due diligence coverage). | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
9.1 | Are results of monitoring and measurement analyzed and used to drive improvement? | Check management reporting; verify trends are analyzed and actioned. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
9.2 | Internal audit — Is an internal audit program established to assess ABMS conformity and effectiveness? | Review audit program and schedules; confirm auditor independence; sample recent audit reports. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
9.2 | Are internal audit findings reported to appropriate management and the governing body? | Verify reporting chain; confirm significant findings reach the board/audit committee. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
9.3 | Management review — Does top management review the ABMS at planned intervals? | Review management review minutes; confirm agenda covers policy, objectives, risks, KPIs, and improvement actions. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
9.3 | Are management review outputs documented and actioned? | Trace action items from prior reviews; verify completion status. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
9.4 | Compliance function review — Does the compliance function report regularly to top management and the governing body on ABMS performance? | Review compliance reports; confirm frequency and content meet ISO 37001 expectations. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
Clause 10 – Improvement
Clause | Audit Requirement | Audit Guidance / Evidence | Finding | Notes / Ref
10.1 | Nonconformity and corrective action — Are nonconformities identified, documented, and corrected? | Sample NCR records; confirm root cause analysis is performed; verify effectiveness checks. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
10.1 | Are corrective actions proportionate to the significance of the nonconformity? | Review severity classification; confirm escalation for systemic or high-risk NCs. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
10.2 | Continual improvement — Does the organization continually improve the suitability, adequacy, and effectiveness of the ABMS? | Review improvement initiatives; check linkage between audit findings, risk assessment, and ABMS changes. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
10.2 | Is there evidence of ABMS improvements driven by lessons learned from bribery incidents, near-misses, and industry intelligence? | Review lessons-learned process; verify changes to controls or training are implemented. | ☐ Conforming ☐ Minor NC ☐ Major NC ☐ N/A |
Audit Summary & Sign-Off
Audit Summary
Total Items Reviewed:
Conforming:
Minor Nonconformities:
Major Nonconformities:
Overall Audit Conclusion:
☐ Recommend Certification / ☐ Recommend Surveillance / ☐ Do Not Recommend
Lead Auditor Signature: _________________________
Date: _________________________
Corrective Action Register
Ref # | Clause | Description of NC / Observation | Root Cause | Due Date | Status
CA-001 | | | | | Open
CA-002 | | | | | Open
CA-003 | | | | | Open
CA-004 | | | | | Open
CA-005 | | | | | Open
