ISO 37001 Audit Checklist: What Auditors Commonly Look For
During an ISO 37001 audit, auditors do not just check documentation; they evaluate whether your anti-bribery management system is actually working in day-to-day operations. Many companies assume the audit is only about policies, but auditors focus heavily on implementation, evidence, and the controls applied to real transactions. Understanding what auditors look for significantly increases your chances of passing on the first attempt. This is especially important for SMEs implementing ISO 37001, where practical implementation and employee awareness are often key audit focus areas.
ISO 37001 Audit Checklist: 8 Key Areas Auditors Review
1. Anti-Bribery Policy & Leadership Commitment
Auditors first check whether top management has established a clear anti-bribery policy and whether leadership is actively involved in enforcing it.
They will look for:
- Signed anti-bribery policy
- Evidence of leadership communication
- Assigned compliance function or officer
- Management involvement in decision-making
Weak leadership involvement is one of the most common audit findings.
2. Bribery Risk Assessment
Auditors expect a structured risk assessment that identifies where bribery risks may occur.
They typically check:
- Risk assessment methodology
- Identification of high-risk activities (procurement, tenders, subcontractors)
- Risk evaluation and scoring system
- Updated risk register
Without a proper risk assessment, expect a major nonconformity.
3. Procurement & Third-Party Controls
In construction and contractor industries, auditors focus heavily on third-party management.
They will review:
- Supplier and subcontractor due diligence
- Approval processes for vendors
- Conflict of interest declarations
- Tender and procurement transparency
This is a critical focus area for CIDB G7 contractors.
4. Financial & Operational Controls
Auditors verify whether controls exist to prevent improper payments.
They check:
- Approval workflows
- Segregation of duties
- Payment authorization records
- Expense justification and documentation
Weak financial controls are a common audit failure point.
5. Training & Awareness Programs
Auditors want evidence that employees understand anti-bribery policies.
They review:
- Training attendance records
- Training materials
- Role-specific awareness (especially high-risk roles)
- Ongoing refresher training
Missing training evidence is an easy nonconformity for an auditor to raise.
6. Reporting & Whistleblowing System
A key requirement is having a safe reporting mechanism.
Auditors will check:
- Whistleblowing channel availability
- Confidentiality protection
- Investigation procedures
- Records of reported cases (if any)
Even if no reports have been received, the channel must exist, be communicated to staff, and be functional.
7. Internal Audit & Continuous Improvement
Auditors expect companies to self-check their system regularly.
They review:
- Internal audit reports
- Corrective action records
- Management review minutes
- Improvement actions taken
ISO 37001 is not “set and forget”; continuous improvement is essential.
8. Real Implementation vs Documentation
One of the most important audit checks is consistency between documented procedures, actual site operations and employee practices. Auditors will interview staff and verify real-life compliance.

ISO 37001 Audit Process Explained
The audit process for ISO 37001 is designed to evaluate whether an organization has effectively implemented an Anti-Bribery Management System (ABMS) that meets international requirements. It is typically conducted in structured stages to ensure both documentation and real operational compliance are verified.
Stage 1: Document Review (Stage 1 Audit)
In the first stage, auditors review all documented information to ensure the foundation of the system is in place. This includes the anti-bribery policy, risk assessment records, procedures, internal controls, and compliance framework. The purpose is to confirm that the system is properly designed and aligned with ISO 37001 requirements before moving to on-site evaluation.
Stage 2: On-Site Audit (Stage 2 Audit)
The second stage involves a physical audit at the company’s premises or project sites. Auditors will verify whether the documented system is actually implemented in real operations. They may interview employees, observe workflows, and check evidence such as procurement approvals, financial controls, and subcontractor management processes.
During the audit, employees at different levels including management, procurement, and site teams may be interviewed. Auditors assess whether staff understand anti-bribery policies, reporting channels, and their responsibilities. This ensures that awareness is not only documented but actively practiced.
After the evaluation, auditors issue findings, which may include observations, minor nonconformities, or major nonconformities. Major nonconformities must be corrected, and the correction verified, before certification can be granted; for minor nonconformities the certification body will typically accept a corrective action plan with an agreed timeframe and verify its completion at the next surveillance audit.
If the organization successfully meets all requirements and closes any nonconformities, the certification body will issue ISO 37001 certification. This confirms that the organization has a compliant and effective anti-bribery management system in place.
The ISO 37001 audit process is not just a documentation check; it is a full evaluation of how well your anti-bribery system is implemented in real operations, across leadership, processes, and employees.
Common Nonconformities in ISO 37001 Audit
During an ISO 37001 audit, nonconformities are issues where the organization does not fully meet the standard's requirements. They are very common, especially for companies implementing the system for the first time. Understanding them early helps reduce audit risk and improves the chance of certification.
Weak or Incomplete Risk Assessment
One of the most common nonconformities is an incomplete bribery risk assessment. Many companies fail to properly identify high-risk areas such as procurement, subcontracting, and tender processes, or they do not update the risk register regularly. This leads to gaps in identifying and controlling bribery risks.
Lack of Leadership Commitment Evidence
Auditors often find that although an anti-bribery policy exists, there is insufficient evidence of top management involvement. This includes missing management review records, weak communication from leadership, or lack of assigned compliance responsibility.
Poor Documentation of Controls
Another frequent issue is missing or inconsistent documentation for key controls such as approval workflows, financial authorization, and procurement procedures. If controls exist in practice but are not documented properly, auditors may still raise nonconformities.
Insufficient Employee Training Records
Many organizations fail to maintain proper records of anti-bribery training. Even if training is conducted, lack of attendance records or unclear training content can result in nonconformities during the audit.
Weak Third-Party Due Diligence
In industries like construction, auditors often find that subcontractors and suppliers are not properly assessed for bribery risks. Missing due diligence records or lack of vendor evaluation processes is a common audit issue.
Ineffective Whistleblowing System
Some companies either do not have a formal reporting channel or fail to communicate it properly to employees. Auditors also check whether confidentiality and investigation procedures are clearly defined and implemented.
Inconsistent Implementation vs Documentation
A major finding in many audits is a mismatch between documented procedures and actual practices on site. For example, procedures may exist on paper, but employees may not follow them consistently in real operations.
Most ISO 37001 audit nonconformities are not due to lack of effort, but due to gaps in documentation, implementation, and evidence. Addressing these areas early significantly improves audit success rates and reduces certification delays.
How to Prepare for ISO 37001 Audit
Preparing for an ISO 37001 audit is not just about documentation; it is about ensuring your anti-bribery system is fully implemented, understood by employees, and supported by strong evidence. Proper preparation significantly improves your audit success rate and reduces nonconformities.
Step 1: Conduct a Pre-Audit Gap Review
Start by reviewing your current Anti-Bribery Management System against ISO 37001 requirements. This helps identify weak areas such as missing risk assessments, incomplete procedures, or gaps in implementation before the actual audit takes place.
Step 2: Strengthen Documentation & Records
Ensure all key documents are complete, updated, and properly controlled. This includes your anti-bribery policy, risk register, procurement procedures, approval workflows, and training records. Auditors will heavily rely on documented evidence during the audit.
Step 3: Verify Risk Assessment & Controls
Check that your bribery risk assessment is up to date and reflects real operational risks, especially in procurement, subcontracting, and project execution. All identified risks must have clear control measures in place.
Step 4: Train Employees & Increase Awareness
Employees must understand the anti-bribery policy, reporting channels, and their responsibilities. Conduct refresher training sessions and ensure staff in high-risk roles are fully aware of compliance expectations.
Step 5: Conduct Internal Audit Simulation
Perform an internal audit that simulates the certification audit process. This helps identify weak points early and gives your team experience in handling auditor questions and evidence requests.
Step 6: Close All Nonconformities Early
Any issues identified during internal checks should be resolved before the external audit. Delaying corrective actions increases the risk of audit failure or certification delays.
Many companies struggle with ISO 37001 audit preparation due to lack of experience and unclear requirements. Working with an experienced consultant like Connext Consulting helps you identify gaps faster, prepare audit-ready documentation, train employees effectively, and increase your first-time audit pass rate.
Whether you are starting from scratch or preparing for an upcoming audit, our team provides practical guidance, documentation support, and hands-on implementation to make the process faster and smoother. Contact Connext Consulting today to start your ISO 37001 journey and get audit-ready with confidence.
FAQs
What do auditors check in ISO 37001 audit?
They check policies, risk assessment, controls, training, whistleblowing system, and real implementation.
What is the most common ISO 37001 audit failure?
Weak documentation and lack of real implementation, especially in procurement controls.
How long does an ISO 37001 audit take?
Usually 1–3 days depending on company size and complexity.