ISO 37001:2016 Anti-Bribery Management System • INTERNAL AUDIT • CLAUSE 9.2 (Principles & Techniques of Auditing) • WORKSHOP II • 14 FEBRUARY 2019 • BALLROOM A, SERI PACIFIC HOTEL, KUALA LUMPUR • by S. NORMALIS ABD SAMAD • Pilot project by National Centre for Governance, Integrity and Anti-Corruption (GIACC)
Program Outline
CONTENT • Objectives • Introduction to Internal Audit • Understanding Standard Requirements • Audit Planning • Performing Audit • Audit Reporting • Corrective Action and Follow-Up
OBJECTIVES • To understand the principles of auditing • To understand the process approach and risk-based auditing techniques • To understand the basic knowledge and skills of planning, performing, questioning, presenting findings, writing the report and drawing the conclusion of an audit
PRINCIPLES OF AUDITING • Integrity • Fair Presentation • Due Professional Care • Confidentiality • Independence • Evidence-based Approach • Risk-based Approach
Introduction to Internal Audit
WHAT IS AN AUDIT • Systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled • Source: ISO 19011:2018 (third edition), clause 3.1
COMBINED AUDIT • Audit carried out together at a single auditee on two or more management systems • Note 1: When two or more discipline-specific management systems are integrated into a single management system, this is known as an integrated management system • Source: ISO 19011:2018 (third edition), clause 3.2
AUDIT EVIDENCE • Records, statements of fact or other information which are relevant to the audit criteria and verifiable • Audit evidence is typically based on: interviews; examination of documents; observation of activities and conditions; existing results of measurements and tests • Source: ISO 9000:2015, clause 3.13.8
AUDIT CRITERIA • Set of requirements used as a reference against which objective evidence is compared • Requirements may include policies, procedures, work instructions, legal requirements, contractual obligations, standards and guidelines, etc. • Source: ISO 9000:2015, clause 3.13.7 (modified)
AUDIT FINDINGS • Results of the evaluation of the collected audit evidence against the audit criteria • Source: ISO 9000:2015, clause 3.13.9 • E.g.: Conformity; Non-conformity; Opportunity for Improvement
AUDIT CONCLUSION • Outcome of an audit, after consideration of the audit objectives and all audit findings • Source: ISO 9000:2015, clause 3.13.10 • Note: strengths and weaknesses of the overall management system, including a summary of the audit findings
REASONS FOR AUDITS • To determine whether the system meets the intent of the standard, such as ISO 37001:2016 • To determine whether the system is effectively implemented • To determine whether the system is properly maintained • A control mechanism used by management • A tool for continual improvement • To correct non-conformities in the system
AUDIT IS NOT • A police force • Inspection of product • An interrogation task force • Finding faults • An audit is an information-gathering activity. There is no element of fault finding or blame for problems.
AUDIT CLASSIFICATIONS • Internal – 1st party: you audit your own organization • External – 2nd party: your customer audits your organization, or you audit your supplier • External – 3rd party: an independent audit organization audits your organization
First Party Audit • First party (internal) audits are carried out by trained internal auditors against the organization's own management system.
Second Party Audit • Second party audits are carried out by the customer on the organization. The audit is based on the requirements of the contract or potential contract.
Third Party Audit • Third party audits are carried out by an independent organization against the requirements of a recognized standard, e.g. SIRIM QAS Sdn Bhd.
Understanding the Standard Requirements: ISO 37001:2016
ISO 37001:2016 - Overview • ISO 37001:2016 is an International Standard on Anti-Bribery Management Systems (ABMS). It specifies the requirements and provides guidance for establishing, implementing, maintaining, reviewing and improving an anti-bribery management system. The system can be stand-alone or can be integrated into an overall management system.
ISO 37001 - Requirements on Internal Audit • Internal audit is part of Clause 9 (Performance Evaluation) of ISO 37001:2016: clause 9.2 Internal Audit, with guidance in Annex A.16.
ISO 37001 – 9.2 Internal Audit • 9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the anti-bribery management system: • a) conforms to: • 1) the organization's own requirements for its anti-bribery management system; • 2) the requirements of this document; • b) is effectively implemented and maintained. • NOTE 1 Guidance on auditing management systems is given in ISO 19011. • NOTE 2 The scope and scale of the organization's internal audit activities can vary depending on a variety of factors, including organization size, structure, maturity and locations.
ISO 37001 – 9.2 Internal Audit • 9.2.2 The organization shall: • a) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; • b) define the audit criteria and scope for each audit; • c) select competent auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
• d) ensure that the results of the audits are reported to relevant management, the anti-bribery compliance function, top management and, as appropriate, the governing body (if any); • e) retain documented information as evidence of the implementation of the audit programme and the audit results.
ISO 37001 – 9.2 Internal Audit • 9.2.3 These audits shall be reasonable, proportionate and risk-based. Such audits shall consist of internal audit processes or other procedures which review procedures, controls and systems for: • a) bribery or suspected bribery; • b) violation of the anti-bribery policy or anti-bribery management system requirements; • c) failure of business associates to conform to the applicable anti-bribery requirements of the organization; • d) weaknesses in, or opportunities for improvement to, the anti-bribery management system.
ISO 37001 – 9.2 Internal Audit • 9.2.4 To ensure the objectivity and impartiality of these audit programmes, the organization shall ensure that these audits are undertaken by one of the following: • a) an independent function or personnel established or appointed for this process; or • b) the anti-bribery compliance function (unless the scope of the audit includes an evaluation of the anti-bribery management system itself, or similar work for which the anti-bribery compliance function is responsible); or • c) an appropriate person from a department or function other than the one being audited; or
• d) an appropriate third party; or • e) a group comprising any of (a) to (d). • The organization shall ensure that no auditor is auditing his or her own area of work. • NOTE See Clause A.16 for guidance.
ISO 37001 – A.16 Internal Audit • A.16.1 The requirement in 9.2 does not mean that an organization is obliged to have its own separate internal audit function. It requires the organization to appoint a suitable, competent and independent function or person with responsibility to undertake this audit. An organization may use a third party to operate its entire internal audit programme, or may engage a third party to implement certain portions of an existing programme. • A.16.2 The frequency of audit will depend on the organization's requirements. It is likely that some sample projects, contracts, procedures, controls and systems will be selected for audit each year.
ISO 37001 – A.16 Internal Audit • A.16.3 The selection of the sample can be risk-based, so that, for example, a high bribery risk project would be selected for audit in priority to a low bribery risk project. • A.16.4 The audits will normally need to be planned in advance so that the relevant parties have the necessary documents and time available. However, in some cases, the organization may find it useful to implement an audit which the parties being audited do not expect.
ISO 37001 – A.16 Internal Audit • A.16.5 If an organization has a governing body, the governing body may also direct the organization's selection and frequency of audits as it deems necessary, in order to exercise independence and help ensure audits are targeted at the organization's primary bribery risk areas. The governing body may also require access to all audit reports and results, and that any audits identifying certain types of higher bribery risk issues or bribery risk indicators be reported to the governing body when the audit has been completed.
ISO 37001 – A.16 Internal Audit • A.16.6 The intention of the audit is to provide reasonable assurance to the governing body (if any) and top management that the anti-bribery management system has been implemented and is operating effectively, to help prevent and detect bribery, and to provide a deterrent to any potentially corrupt personnel (as they will be aware that their project or department could be selected for audit).
Audit Stages • 1. Adequacy / System / Desktop / Documentation audit (Stage 1): determines that the ABMS exists and that its documentation meets the requirements of the selected ABMS standard; confirms that internal audit and management review have been conducted as required. • 2. Compliance / Implementation / Effectiveness audit (Stage 2): a comprehensive, holistic audit is required to confirm whether the system has been implemented and is effective.
Certification Process • Internal Audit and Management Review (prerequisites) • Stage 1 Audit • Stage 2 Audit • Surveillance Audit • Re-certification Audit
Audit Planning
Audit Process • PDCA applies to the audit process: Planning → Performing → Reporting → Follow-up → Report to Management Review
Audit Process – Internal Audit • Planning: auditor selection; audit schedule; audit plan; notify the auditee; prepare audit checklist • Execution: opening meeting; collect information; verify information; closing meeting • Reporting: finding classification; report writing; report distribution • Follow-up: identify root cause; corrective action; verification
Audit Program • OUTPUT OF AUDIT PROGRAM • Audit scope • Resources • Auditor competency • Audit plan: annual plan and detailed plan
Audit Program • An audit program will be influenced by the following criteria: • The scope, objective and duration of each audit to be conducted • The number, importance, complexity, similarity and locations of the activities to be audited • Standards, statutory, regulatory and contractual requirements and other audit criteria • Results of previous audits • Significant changes to the organization or its operations • Outputs of the audit program: auditor selection, audit schedule and audit plan
Details of Audit Plan
Notify Auditee • Confirm the authority to conduct the audit • Provide information on the proposed audit timing and audit team composition • Request access to relevant information, including records • Determine applicable site safety rules • Make arrangements for the audit
CHECKLIST • Assists in conducting the audit • Assures thoroughness and consistency • Identifies essential points to be examined • Identifies necessary evidence / samples • Cross-references the standards identified • Maintains audit direction • 2 types: questionnaire and notes • References: the standard / documented information, and the process approach / turtle diagram
Audit Checklist for ISO 37001:2016 • Prepared based on the process approach • Process analysis may be used as a guideline • Should cover: method; who; what; measurements; input, output, etc.
Process Analysis Diagram (Turtle Diagram) • Centre: PROCESS, with INPUT on the left and OUTPUT on the right • How? (Methods / Procedures / Techniques) • With Who? (Competence / Skills / Training) • With What? (Materials / Equipment) • With What Criteria? (Measurement)
Turtle Diagram – worked example: license application process • PROCESS: License application process • INPUT (what we should receive): Request for license • OUTPUT (what we should deliver): License approved • WITH WHO? (Competence / Skills / Training): officer; cashier; accountant; anti-bribery compliance function; whistle blower • WITH WHAT? (Materials / Equipment): online system; credit card; supporting document • HOW? (Method / Procedures / Techniques): application form containing directions for completion; online documentation; supporting documentation; procedure and guideline; due diligence • WITH WHAT KEY CRITERIA? (Measurements / Indicators): mistakes on application; anti-bribery objective; risk
Performing Audit
PERFORMING AUDIT • Opening Meeting • Interview • Gather Information • Closing Meeting
Opening Meeting • Introduction of the team • Confirm objective and scope • Confirm the audit program • Explain the audit method • Resources and facilities • Matters relating to confidentiality • Availability of any guides • The audit is undertaken on a sample basis • Confirm the time of the closing meeting • Questions