Quick Read
ISO 37001:2025 restructures internal audit requirements across four distinct sub-clauses (9.2.1–9.2.4), each carrying separate conformity obligations that organisations commonly misunderstand or conflate with general compliance auditing. The standard explicitly references ISO 19011 as the authoritative methodology and requires a dedicated, risk-based audit programme with documented scope, frequency, and independence—not merely anti-bribery questions embedded in broader financial or country audits. Speeki's auditors consistently identify nonconformities across all four sub-clauses where organisations have not updated their anti-bribery management system to reflect the 2025 structure and its heightened expectations.
Executive Summary
For organisations certified — or seeking certification — under ISO 37001:2025, the internal audit requirement in Clause 9.2 is one of the most consistently misunderstood and poorly implemented obligations in the standard. Speeki sees this gap repeatedly during stage-one and stage-two certification audits.
This whitepaper sets out what Clause 9.2 of ISO 37001:2025 actually requires across its four sub-clauses, how those requirements connect to the audit programme discipline defined in Clause 5 of ISO 19011:2018, and what Speeki's auditors expect to see as evidence of conformity. It also confronts the most common misconception in the field: that embedding a few anti-bribery questions into a general financial or country compliance audit constitutes an internal audit programme for an anti-bribery management system (ABMS). It does not.
The standard is unambiguous. The expectations are high. This paper explains why.
1. What Clause 9.2 of ISO 37001:2025 Requires
1.1 The Four Sub-Clauses of Clause 9.2
ISO 37001:2025 significantly restructures Clause 9.2 compared to the 2016 edition. Where the first edition addressed internal audit in two sub-clauses, the 2025 edition establishes four distinct and separately numbered obligations. Each carries its own conformity requirements. Understanding the structure is the starting point for understanding the expectations.
The four sub-clauses are: 9.2.1 (General — the obligation to conduct audits at planned intervals); 9.2.2 (Internal audit programme — the programme design and management obligation); 9.2.3 (Audit procedures, controls and systems — the risk-based content requirement); and 9.2.4 (Objectivity and impartiality — the structural independence requirement). Organisations that have not updated their ABMS to reflect the 2025 structure will carry nonconformities across all four sub-clauses.
1.2 Clause 9.2.1 — The General Obligation
Clause 9.2.1 of ISO 37001:2025 requires the organisation to conduct internal audits at planned intervals to provide information on whether the ABMS conforms to the organisation's own requirements and to the requirements of the standard, and whether it is effectively implemented and maintained.
This sub-clause also carries three important notes in the 2025 edition. Note 1 expressly directs organisations to ISO 19011 for guidance on auditing management systems — making ISO 19011 the authoritative reference standard for ABMS audit methodology. Note 2 recognises that the scope and scale of internal audit activities can vary depending on organisation size, structure, maturity, and locations. Note 3 refers to Annex A.16 for additional guidance. None of these notes limit the core obligation; they contextualise it.
1.3 Clause 9.2.2 — The Audit Programme
Clause 9.2.2 imposes the programme-level obligation. The organisation must plan, establish, implement, and maintain an audit programme or programmes, including frequency, methods, responsibilities, planning requirements, and reporting. The programme must take into account the importance of the processes concerned and the results of previous audits.
| Clause 9.2.2 — Audit Programme Requirements (ISO 37001:2025) |
|---|
| The organisation shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits. a) Define the audit objectives, criteria and scope for each audit. b) Select competent auditors and conduct audits to ensure objectivity and the impartiality of the audit process. c) Ensure that the results of the audits are reported to relevant managers, the anti-bribery compliance function, top management and, as appropriate, the governing body (if any). Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results. |
These requirements are not discretionary. They are not satisfied by good intentions or informal review processes. Each element — programme, objectives, criteria, scope, competence, objectivity, reporting, and documented evidence — carries its own conformity obligation.
Critically, Clause 9.2.2 now explicitly requires that audit results are reported to three distinct levels: relevant managers, the anti-bribery compliance function, and top management, with the governing body receiving results as appropriate. A report that goes only to the compliance officer does not satisfy this requirement.
1.4 Clause 9.2.3 — Audit Procedures, Controls and Systems
Clause 9.2.3 is new to the 2025 edition and addresses the content scope of what the ABMS internal audit must cover. The clause states that audits shall be reasonable, proportionate, and risk-based — and that they shall consist of internal audit processes or other procedures which review procedures, controls, and systems for:
Bribery or suspected bribery. [ISO 37001:2025 Cl. 9.2.3 a)]
Violation of the anti-bribery policy or ABMS requirements. [ISO 37001:2025 Cl. 9.2.3 b)]
Failure of business associates to conform to the applicable anti-bribery requirements of the organisation. [ISO 37001:2025 Cl. 9.2.3 c)]
Weaknesses in, or opportunities for improvement to, the anti-bribery management system. [ISO 37001:2025 Cl. 9.2.3 d)]
This clause makes explicit what competent auditors have always understood: an ABMS internal audit is not limited to document review of policies. It must actively review whether controls are operating, whether business associates are conforming, and whether the system has gaps. A checklist confirming that policies exist and no incidents have been reported does not constitute an audit that satisfies Clause 9.2.3. The audit must probe, sample, and assess.
1.5 Clause 9.2.4 — Objectivity and Impartiality
Clause 9.2.4 of ISO 37001:2025 elevates the objectivity and impartiality requirement to its own standalone clause and provides a defined list of the structural options through which the organisation can satisfy it. To ensure objectivity and impartiality, audits must be undertaken by one of the following:
An independent function or personnel established or appointed for this process. [ISO 37001:2025 Cl. 9.2.4 a)]
The anti-bribery compliance function — unless the scope of the audit includes an evaluation of the ABMS itself, or similar work for which the anti-bribery compliance function is responsible. [ISO 37001:2025 Cl. 9.2.4 b)]
Appropriate personnel from a department or function other than the one being audited. [ISO 37001:2025 Cl. 9.2.4 c)]
An appropriate third party. [ISO 37001:2025 Cl. 9.2.4 d)]
A group comprising any combination of a) to d). [ISO 37001:2025 Cl. 9.2.4 e)]
The clause closes with an unambiguous prohibition: no auditor shall audit their own area of work. This is a hard rule, not a guideline. It applies regardless of seniority, expertise, or organisational convenience.
Note the significant implication of option b): the anti-bribery compliance function may conduct audits of operational areas, but it cannot audit the ABMS itself when that review would cover work the compliance function is responsible for. In practice, this means that a full system-level ABMS audit — covering the design and implementation of the programme as a whole — must be conducted by an independent party, not the compliance team that designed and operates it.
1.6 Why 'Planned Intervals' Is Not Optional Language
The phrase 'planned intervals' in Clause 9.2.1 is one of the most commonly misread requirements in the standard. Many organisations interpret it loosely — conducting an audit when something goes wrong, when a certification is approaching, or when management finds time. This is not conformity.
'Planned intervals' means that the frequency and timing of audits are determined in advance, documented in the audit programme, and then executed according to that plan. The programme must account for the relative importance of different processes and risk levels within the ABMS, meaning higher-risk functions or geographies may require more frequent audit coverage than others.
ISO 19011:2018 Clause 5.4.3 reinforces this directly, requiring the audit programme manager to consider the level of risk and opportunity associated with each activity when determining the scope and frequency of audits. Risk-based scheduling is not a nice-to-have feature of a mature programme — it is a programme design requirement.
1.7 The Objectivity and Impartiality Requirement in Context
As set out in Clause 9.2.4, auditors shall be selected to ensure objectivity and impartiality of the audit process. This has significant implications for how ABMS internal audits are staffed.
An audit is not objective if it is conducted by the same function responsible for designing or operating the controls being audited. A compliance officer who built the anti-bribery programme cannot objectively audit the full ABMS without independent oversight or involvement. A regional finance director cannot audit the ABMS for their own region without structural safeguards.
ISO 19011:2018 Clause 5.5.4 addresses this in the context of selecting audit team members, noting that the audit programme manager must ensure auditors have the necessary competence and that the audit team as a whole can operate without bias. Independence is a structural requirement, not an aspiration.
2. How ISO 19011 Clause 5 Defines the Audit Programme
2.1 The Role of ISO 19011 in an ISO 37001:2025 Context
ISO 37001:2025 Clause 9.2.1 Note 1 expressly references ISO 19011 as the guidance standard for auditing management systems. ISO 19011:2018 — Guidelines for Auditing Management Systems — is not simply additional reading. It is the methodology standard to which an ISO 37001:2025 internal audit programme is expected to conform.
Clause 5 of ISO 19011:2018 addresses the management of audit programmes in full. For organisations certified under ISO 37001:2025, this clause provides the operational blueprint. Speeki's auditors assess internal audit programmes against both the normative requirements of ISO 37001:2025 Clause 9.2 and the guidance in ISO 19011:2018 Clause 5. A programme that does not reflect this guidance will not satisfy Speeki's evidence expectations.
2.2 Programme Objectives — ISO 19011 Clause 5.2
ISO 19011 Clause 5.2 requires that audit programme objectives be established. For an ABMS audit programme, objectives should be specific to the anti-bribery context and aligned with the organisation's overall ABMS objectives under ISO 37001:2025 Clause 6.2.
Generic objectives such as 'assess compliance' are insufficient. Programme objectives should address questions such as:
Are the ABMS controls operating effectively across all functions and geographies within scope?
Do third-party due diligence processes conform to ISO 37001:2025 Clause 8.2 in practice, not just in policy?
Are anti-bribery awareness and training being completed at rates consistent with Clause 7.3 requirements (now split into 7.3.1 through 7.3.4 in the 2025 edition)?
Are gifts, hospitality, and facilitation payment records maintained as required by Clause 8.7?
Are concerns raised through the speak-up system being managed in accordance with Clause 8.9?
Are business associates conforming to applicable anti-bribery requirements, as now explicitly required to be assessed by Clause 9.2.3 c)?
Objectives must be documented, reviewed periodically, and updated when the ABMS context changes — for example, when the organisation enters a new jurisdiction, acquires a new entity, or experiences a material change in bribery risk exposure.
2.3 Programme Scope, Frequency, and Risk — ISO 19011 Clauses 5.3 and 5.4.3
Clauses 5.3 and 5.4.3 of ISO 19011 require the audit programme manager to consider multiple factors in establishing the scope and frequency of audits, including the significance of the management system and processes, the complexity of the organisation, relevant legal requirements, and the results of previous audits.
For an ABMS audit programme, this translates directly into risk-based scheduling. Not all parts of an ABMS carry equal risk, and the audit programme must reflect that. At minimum, a well-designed ABMS audit programme will:
Map the ABMS scope — identifying all functions, geographies, and third-party relationships within scope of the ISO 37001:2025 certificate.
Assign risk tiers — classifying functions and geographies by bribery risk level, informed by the organisation's risk assessment under ISO 37001:2025 Clause 4.5.
Set frequency by tier — for example, highest-risk areas audited annually; medium-risk areas every 18 to 24 months; lower-risk areas every three years, consistent with the certification cycle.
Ensure full coverage — every area within scope must be audited at least once within the three-year certification cycle.
Document the rationale — the basis for risk classification and frequency decisions must be recorded.
2.4 Programme Roles and Responsibilities — ISO 19011 Clauses 5.4.1 and 5.4.2
ISO 19011 Clause 5.4.1 requires that the roles and responsibilities of those managing the audit programme be clearly defined. Clause 5.4.2 addresses the competence requirements for the audit programme manager, who must understand audit principles and techniques, the management system standard being audited, and the organisational context.
For ISO 37001:2025 purposes, the audit programme manager must have demonstrated competence in the anti-bribery management system domain — not simply in general internal audit. An internal audit function with strong financial audit skills but no knowledge of ISO 37001:2025, bribery risk assessment methodology, or the specific control architecture of an ABMS does not satisfy this requirement.
Speeki will ask to see documented role definitions, competence records, and audit team qualifications. Auditors conducting ABMS audits should ideally hold ISO 37001 lead auditor credentials or equivalent demonstrated experience in anti-bribery system auditing under the 2025 standard.
2.5 Individual Audit Planning — ISO 19011 Clauses 5.5 and 6
ISO 19011 Clause 5.5 addresses the implementation of individual audits within the programme. Each audit must have:
Defined objectives, scope, and criteria — specific to that audit, not carried forward generically from the programme document. [ISO 19011 Cl. 5.5.2]
A selected audit method appropriate to the objectives — which may include document review, interviews, observation, sampling, or process tracing. [ISO 19011 Cl. 5.5.3]
A designated audit team leader with responsibility for the individual audit. [ISO 19011 Cl. 5.5.5]
A documented audit plan prepared before fieldwork commences. [ISO 19011 Cl. 6.3]
Recorded findings covering all four content areas specified in Clause 9.2.3 — bribery/suspected bribery, policy violations, business associate failures, and system weaknesses. [ISO 37001:2025 Cl. 9.2.3]
An audit report and a follow-up mechanism for any nonconformities identified. [ISO 37001:2025 Cl. 9.2.2 & ISO 19011 Cl. 6.5 / 6.7]
The audit plan for each individual audit is a critical document. It is not the same as the audit programme. The programme governs the overall schedule and framework. The audit plan governs a specific audit engagement — who, what, when, how, and against which criteria.
2.6 Monitoring, Reviewing, and Improving the Programme — ISO 19011 Clauses 5.6 and 5.7
The audit programme is itself subject to review and improvement. ISO 19011 Clause 5.6 requires that the programme be monitored — tracking whether audits are being conducted as planned, whether audit team competence is being maintained, and whether findings are being acted upon.
Clause 5.7 requires periodic review to assess whether the programme's objectives have been achieved and to identify opportunities for improvement. Results of the programme review should feed into the ABMS management review under ISO 37001:2025 Clause 9.3. Note that the 2025 edition introduces a new sub-clause 9.4 — Review by the anti-bribery compliance function — which requires the compliance function to assess on a continual basis whether the ABMS is adequate and being effectively implemented. Internal audit results are a primary input to this review.
A stagnant audit programme — one that repeats the same scope, criteria, and methods year after year without review — does not demonstrate the continual improvement discipline that ISO 37001 requires.
3. The Myth of the Embedded Financial Audit
3.1 A Pattern Speeki Sees Repeatedly
During certification and surveillance audits, Speeki's audit teams frequently encounter the same scenario. The organisation presents its internal audit records as evidence of Clause 9.2 conformity. On closer examination, those records are financial or operational compliance audit reports — country-level financial reviews, internal control assessments, or enterprise risk management audits — into which a small number of anti-bribery questions have been inserted.
The questions typically look like this: 'Has the anti-bribery policy been communicated to staff? Yes. Have any incidents of bribery been reported this year? No. Are gifts and hospitality within policy limits? Yes.'
This is presented as the ABMS internal audit programme required by ISO 37001:2025. It is not. It satisfies none of the four sub-clauses of Clause 9.2.
| Inserting three anti-bribery questions into a country financial audit is not an ABMS internal audit. It does not satisfy ISO 37001 Clause 9.2. It will not pass a Speeki certification audit. |
|---|
3.2 Why This Approach Fails
The embedded financial audit approach fails to satisfy ISO 37001 Clause 9.2 for multiple reasons, each of which is grounded directly in the requirements of the standard and the ISO 19011 guidance.
3.2.1 It is not an audit of the ABMS
ISO 37001:2025 Clause 9.2.1 requires the audit to assess whether the ABMS conforms to the standard's requirements and is effectively implemented and maintained. Clause 9.2.3 further requires that the audit specifically cover bribery/suspected bribery, violations of the ABMS, business associate non-conformance, and system weaknesses. A financial audit assesses financial controls, transaction accuracy, and reporting requirements. It does not assess whether the management system architecture — context analysis, risk assessment, leadership commitment, due diligence controls, training effectiveness, speak-up mechanisms, investigation processes — conforms to ISO 37001:2025.
These are fundamentally different audit objectives, requiring different criteria, different evidence, and different auditor competence.
3.2.2 It has no audit plan specific to the ABMS
Each internal audit of the ABMS must have a documented audit plan with defined objectives, scope, and criteria specific to the ABMS and its risk profile, as required by Clause 9.2.2 a). A financial audit plan will not reference ISO 37001:2025 clauses as audit criteria. It will not define ABMS-specific scope. It will not address the risk-based coverage requirements of Clause 9.2.2. There is no conformity without this documentation.
3.2.3 The auditors lack the required competence
Financial auditors are competent to audit financial controls. ISO 19011 Clause 5.5.4 requires audit team members to have competence relevant to the audit criteria being applied. ISO 37001:2025 Clause 9.2.2 b) requires competent auditors specifically. Anti-bribery management system auditing requires knowledge of ISO 37001:2025, bribery risk assessment methodology, due diligence frameworks, speak-up system design, and investigation process governance. General financial auditors do not typically possess this competence.
3.2.4 It does not address the Clause 9.2.3 content requirements
Clause 9.2.3 is new in the 2025 edition and explicitly requires the audit to review procedures, controls, and systems for the four categories listed. A checklist audit that does not actively examine business associate conformance or systematically look for system weaknesses cannot satisfy Clause 9.2.3. The fact that no bribery was reported during the period is not audit evidence — it is the absence of a finding from a process that was not genuinely testing for one.
3.2.5 It does not produce evidence of system effectiveness
ISO 37001:2025 Clause 9.2.2 requires documented information as evidence of the implementation of the audit programme and the audit results. The audit results must address system effectiveness — whether the ABMS is achieving its intended outcomes. Three checkbox answers do not constitute evidence of system effectiveness. They constitute evidence that three questions were asked.
3.2.6 The objectivity requirement of Clause 9.2.4 is not satisfied
Clause 9.2.4 of the 2025 edition is now a standalone clause with a defined list of acceptable structural arrangements for ensuring objectivity and impartiality. A financial audit team that has no independence from the function being assessed, and which was not appointed under any of the five arrangements listed in Clause 9.2.4, does not satisfy this requirement. The prohibition that no auditor shall audit their own area of work is explicit. A finance team auditing the financial controls it operates fails this test directly.
3.2.7 It cannot satisfy the 'planned intervals' requirement across the full ABMS scope
A country financial audit covers one geography at a point in time. An ABMS audit programme must plan systematic coverage of all functions, processes, and geographies within the scope of the ISO 37001:2025 certificate across the certification cycle. A series of financial audits, even if conducted in multiple countries, does not constitute a planned, risk-based audit programme for the ABMS unless it has been specifically designed and documented for that purpose — which it has not.
Common Findings in Speeki Certification Audits — ISO 37001:2025

| Classification | Clause | Finding |
|---|---|---|
| Nonconformity | 9.2.2 | No documented audit programme for the ABMS. General internal audit schedule presented as evidence. |
| Nonconformity | 9.2.2 | Audit criteria not referenced to ISO 37001:2025 clauses. No evidence of clause-by-clause system assessment. |
| Nonconformity | 9.2.3 | Audit does not review business associate conformance. Only internal policy compliance reviewed. |
| Nonconformity | 9.2.4 | Auditors conducted audits of their own area of work. Compliance function audited the full ABMS including its own design and operation. |
| Nonconformity | 9.2.2 | Audit results not reported to anti-bribery compliance function. Results went only to finance director. |
| Nonconformity | 9.2.2 | No individual audit plans produced prior to ABMS audits. Audit reports exist but with no pre-audit documentation. |
| Observation | | Audit programme not updated following introduction of ISO 37001:2025 — programme still structured to 2016 clause numbering. |
| Observation | | Audit findings not tracked through to verified closure. No linkage to Clause 10.2 corrective action process. |
4. What Speeki Expects to See as Evidence
4.1 Two Layers of Evidence
When Speeki's auditors assess conformity with ISO 37001 Clause 9.2, they evaluate two distinct layers of evidence. The first is the audit programme itself — does a compliant programme exist? The second is the execution of individual audits within that programme — has the programme actually been run, and is there documentary evidence of each audit?
Both layers are required. A well-designed programme that has never been executed demonstrates planning without implementation. A series of audits conducted without a governing programme demonstrates activity without governance. ISO 37001 requires both.
4.2 Audit Programme Evidence
| Evidence Item | Speeki Auditor Expectation | Clause Reference |
|---|---|---|
| Documented audit programme | A single, maintained document (or document set) that defines programme objectives, scope, risk-based frequency schedule, responsible persons, methods, reporting requirements, and review cycle | ISO 37001:2025 Cl. 9.2.2 / ISO 19011 Cl. 5.2–5.3 |
| ABMS scope mapping | Clear documentation of all functions, geographies, subsidiaries, and third-party categories within the ISO 37001:2025 certificate scope, mapped to the audit schedule | ISO 19011 Cl. 5.4.3 |
| Risk-based frequency rationale | Documented basis for how bribery risk levels (from Cl. 4.5 risk assessment) have been used to determine audit frequency for each area of the ABMS scope | ISO 19011 Cl. 5.3 / 5.4.3 / ISO 37001:2025 Cl. 4.5 |
| Auditor competence records | Qualifications, training records, or experience documentation demonstrating that designated internal auditors have competence in ISO 37001:2025 and ABMS auditing methodology | ISO 19011 Cl. 7.2 / ISO 37001:2025 Cl. 9.2.2 b) |
| Objectivity and impartiality records | Documentation showing which of the five options under Clause 9.2.4 has been applied for each audit, and why. Confirmation that no auditor audited their own area of work. | ISO 37001:2025 Cl. 9.2.4 |
| Programme roles and responsibilities | Named roles (audit programme manager, audit team leaders) with documented authority and accountability | ISO 19011 Cl. 5.4.1 |
| Programme review records | Evidence that the audit programme has been reviewed at planned intervals, with records of findings and any improvements made, including updates to reflect the 2025 structure | ISO 19011 Cl. 5.7 |
4.3 Individual Audit Evidence
| Evidence Item | Speeki Auditor Expectation | Clause Reference |
|---|---|---|
| Audit plan | A documented plan prepared before each audit commences, specifying the audit's objectives, scope, criteria (referencing ISO 37001:2025 clauses), methods, audit team, schedule, and interviewees | ISO 19011 Cl. 6.3 / ISO 37001:2025 Cl. 9.2.2 a) |
| Audit notifications | Evidence that the auditee was notified of the audit in advance, including the plan and criteria | ISO 19011 Cl. 6.3 |
| Working papers and sampling records | Documentation of evidence gathered — documents reviewed, records sampled, observations, interviews — with specific coverage of all four Clause 9.2.3 content areas | ISO 19011 Cl. 6.4–6.5 / ISO 37001:2025 Cl. 9.2.3 |
| Audit findings | Documented findings classified as major nonconformity, minor nonconformity, observation, or opportunity for improvement — each with supporting evidence and the specific ISO 37001:2025 clause to which it relates | ISO 37001:2025 Cl. 9.2.2 / ISO 19011 Cl. 6.4.8 |
| Audit report | A formal audit report issued to relevant managers, the anti-bribery compliance function, and top management — not a summary email or verbal debrief. Governing body to receive as appropriate. | ISO 19011 Cl. 6.5 / ISO 37001:2025 Cl. 9.2.2 c) |
| Corrective action follow-up | Evidence that nonconformities identified in the audit have been addressed through the Clause 10.2 corrective action process (renumbered in 2025 edition), with verification of closure | ISO 37001:2025 Cl. 10.2 / ISO 19011 Cl. 6.7 |
| Management and compliance function reporting | Evidence that audit results have been communicated to relevant management and the anti-bribery compliance function, including input to management review (Cl. 9.3) and compliance function review (Cl. 9.4) | ISO 37001:2025 Cl. 9.2.2 c) / Cl. 9.3 / Cl. 9.4 |
5. The Comparison in Practice
The following table summarises the gap between what many organisations do and what ISO 37001 and ISO 19011 require.
| What Companies Do | What ISO 37001 + ISO 19011 Require |
|---|---|
| Conduct annual financial audits with a few ABMS questions appended | Maintain a documented ABMS audit programme covering all four sub-clauses of ISO 37001:2025 Clause 9.2 with risk-based frequency and full scope coverage |
| Use the same internal audit team that manages financial controls | Designate auditors under one of the five Clause 9.2.4 structural options — ensuring no auditor audits their own area of work |
| Produce a combined financial/compliance audit report | Produce a separate, formal ABMS audit report referencing ISO 37001:2025 clause criteria and addressing all four Clause 9.2.3 content areas |
| Report audit outcomes only to the finance director or compliance officer | Report audit results to relevant managers, the anti-bribery compliance function, and top management — with governing body reporting as appropriate (Cl. 9.2.2 c)) |
| Resolve audit findings informally | Log all nonconformities through the Cl. 10.2 corrective action process with documented root cause analysis and verified closure |
| Review the programme only when certification renewal is approaching | Review and improve the audit programme at planned intervals per ISO 19011 Cl. 5.7 — with updates when the 2025 standard introduces new requirements |
| Assume that no major incidents means no audit findings | Conduct systematic assessment of all four Clause 9.2.3 content areas including business associate conformance and system weakness identification |
| Allow compliance function to audit the full ABMS including its own work | Ensure that any audit covering the design or operation of the ABMS itself is conducted by an independent party (Cl. 9.2.4 b) exception applies) |
6. Designing a Compliant Audit Programme: A Practical Framework
6.1 Step One: Establish the Programme Foundation
The starting point is a documented audit programme: a single, authoritative record that defines:
The objectives of the ABMS audit programme aligned with the organisation's ABMS objectives under ISO 37001:2025 Clause 6.2. [ISO 19011 Cl. 5.2]
The full scope of the ABMS subject to audit — functions, geographies, processes, third-party categories. [ISO 19011 Cl. 5.4.3]
The audit frequency schedule, showing how risk levels (from the Clause 4.5 assessment) drive the interval for each area. [ISO 19011 Cl. 5.3 / 5.4.3]
Named roles: an audit programme manager with documented competence; designated audit team leaders for individual audits. [ISO 19011 Cl. 5.4.1–5.4.2]
The structural arrangement for objectivity and impartiality — specifying which of the five Clause 9.2.4 options applies for each category of audit. [ISO 37001:2025 Cl. 9.2.4]
The methods to be used — document review, interview, observation, transaction sampling, site visit — and how they will be selected for each audit. [ISO 19011 Cl. 5.5.3]
Reporting requirements — who receives audit reports, in what format, within what timeframe — including the anti-bribery compliance function. [ISO 37001:2025 Cl. 9.2.2 c)]
The schedule and process for reviewing and improving the programme itself. [ISO 19011 Cl. 5.6–5.7]
6.2 Step Two: Plan Each Individual Audit
Before any ABMS audit commences, a documented audit plan must be prepared. The plan should specify:
The specific objectives of this audit — what questions is the audit designed to answer?
The scope — which processes, locations, or functions will be covered?
The audit criteria — the specific ISO 37001:2025 clauses and the organisation's own ABMS documentation against which findings will be assessed.
Which of the four Clause 9.2.3 content areas will be specifically examined in this audit (bribery/suspected bribery; policy violations; business associate conformance; system weaknesses).
The structural basis for objectivity — which of the five Clause 9.2.4 options applies and how it is satisfied.
The audit methods — how will evidence be gathered?
The audit team — who will conduct the audit, and what is their competence?
The schedule — interview dates, document request deadlines, reporting timeline.
The auditee — who will be the primary contact and who will be interviewed?
The audit plan is provided to the auditee in advance of fieldwork. It is a commitment by the audit team and a notice to the auditee. It is retained as documented information.
6.3 Step Three: Execute and Document
During fieldwork, auditors gather evidence systematically against the audit criteria defined in the plan. Every piece of evidence considered — every document reviewed, every record sampled, every interview conducted — should be noted in working papers. Findings are documented with supporting evidence and the specific clause or requirement to which they relate.
The auditor's job is not to confirm that the organisation believes it is compliant. It is to gather sufficient objective evidence to reach a conclusion on whether the ABMS conforms to the standard and is effectively implemented. Where evidence is absent, that absence is itself a finding.
6.4 Step Four: Report and Act
The audit report is a formal document. It is not a management presentation summary or an email to the compliance officer. It contains: the audit's objectives, scope, and criteria; the methodology used; a summary of evidence gathered; each finding with its classification (major nonconformity, minor nonconformity, observation, opportunity for improvement); the auditor's overall conclusion on conformity; and any recommendations.
All nonconformities identified must be addressed through the ISO 37001 Clause 10.2 corrective action process — with root cause analysis, corrective actions, implementation, and verification of effectiveness. The audit is not closed until corrective actions have been verified.
6.5 Step Five: Feed Results Into Management Review
ISO 37001:2025 Clause 9.3 requires the inputs to management review to include the results of internal audits. The 2025 edition restructures Clause 9.3 into separate sub-clauses covering top management review (9.3.1), management review inputs (9.3.2), and governing body review (9.3.3). Audit results are a required input to all three levels. Additionally, Clause 9.4 — new in the 2025 edition — requires the anti-bribery compliance function to continually assess whether the ABMS is adequate and being effectively implemented, and to report this assessment to the governing body and top management at planned intervals. Internal audit results are a primary input to this assessment. An audit programme that is not feeding results into both the management review and the compliance function review is failing two separate clauses of the 2025 standard.
The management review discussion of audit results should result in documented decisions — not simply acknowledgement. If the audit has identified a pattern of non-implementation in a specific region, the management review output should address that pattern with specific actions, owners, and timelines.
7. The Speeki Certification Audit: What We Review
When Speeki conducts a stage-two certification audit, or a surveillance audit against ISO 37001:2025, the assessment of Clause 9.2 conformity follows a structured review that covers both programme-level and audit-level evidence across all four sub-clauses — 9.2.1, 9.2.2, 9.2.3, and 9.2.4.
7.1 Programme-Level Review
Speeki's auditors will request the audit programme document and review it against the requirements of ISO 37001:2025 Clause 9.2.2 and the guidance in ISO 19011:2018 Clause 5. We will assess whether the programme is genuinely designed for the ABMS or whether it is a repurposed general audit schedule. We will examine whether risk-based frequency decisions are documented and traceable to the Clause 4.5 risk assessment. We will verify that the programme covers the full scope of the ISO 37001:2025 certificate. We will also check whether the programme has been updated to reflect the 2025 standard's structure — a programme still framed around the 2016 clause numbering will require remediation.
7.2 Objectivity and Impartiality Review — Clause 9.2.4
Speeki will assess conformity with Clause 9.2.4 specifically. We will ask which of the five structural options the organisation has applied for each category of audit, and we will verify that the arrangement is genuinely independent. We will check whether the anti-bribery compliance function has audited the ABMS itself — and if so, whether that audit was conducted within the express limitation of Clause 9.2.4 b) or whether it constituted a nonconformity. We will confirm that no auditor has audited their own area of work.
7.3 Auditor Competence Review
We will ask for competence records for the individuals conducting ABMS internal audits. Relevant qualifications may include ISO 37001 lead auditor certification (aligned to the 2025 standard), documented training in anti-bribery management system auditing, or evidence of substantive experience in the field. General internal auditor qualifications are relevant but not sufficient on their own for an ABMS audit context.
7.4 Individual Audit Review — Including Clause 9.2.3 Coverage
For each internal audit conducted during the certification period, Speeki will expect to see the audit plan, working papers, a formal audit report, and corrective action records. We will specifically examine whether the audit addressed all four content areas required by Clause 9.2.3: bribery/suspected bribery; ABMS policy or requirement violations; business associate conformance failures; and system weaknesses or improvement opportunities. An audit that only assessed internal procedural compliance and did not examine business associate conformance will carry a nonconformity against Clause 9.2.3 c).
Where records are missing — for example, where an audit report exists but no audit plan was produced — we will raise a nonconformity. Where audit reports contain no clause-specific findings or do not address all four Clause 9.2.3 content areas, we will probe the methodology used.
7.5 Reporting Chain Review — Clause 9.2.2 c)
Speeki will verify that audit results were reported to all three specified recipients under Clause 9.2.2 c): relevant managers, the anti-bribery compliance function, and top management, with governing body reporting as appropriate. A report that went only to the compliance officer and was never formally presented to top management is a nonconformity. We will also examine whether audit results were provided as a substantive input to the management review (Clause 9.3) and the compliance function's ongoing review (Clause 9.4).
7.6 The Audit Programme as a System
Speeki assesses the audit programme not simply as a collection of documents but as a functioning system. We ask: Is the programme being executed as planned? Are deviations documented? Are results feeding into management review? Is the programme itself being reviewed and improved? Does the programme reflect changes in the organisation's bribery risk profile?
A programme that looks complete on paper but shows no evidence of active management, real findings, or genuine system assessment will not satisfy our conformity assessment.
An audit programme with no findings is not evidence of a well-functioning ABMS. It is evidence of an audit that did not look hard enough.
8. Conclusion
ISO 37001:2025 Clause 9.2 sets a genuine and demanding standard for internal audit within an anti-bribery management system. The 2025 edition strengthens and restructures the requirement across four sub-clauses: the general obligation to audit at planned intervals (9.2.1); the programme design and management obligation (9.2.2); the explicit content requirements covering bribery, violations, business associate conformance, and system weaknesses (9.2.3); and the standalone objectivity and impartiality requirement with five defined structural options (9.2.4). These requirements connect directly to the audit programme discipline in ISO 19011:2018 Clause 5, which provides the operational methodology for compliance.
What ISO 37001:2025 does not accept — and what will not pass a Speeki certification audit — is a general financial audit with anti-bribery questions appended, an informal review process without documented plans, a compliance function auditing its own work without restriction, or a series of audit reports that confirm policy existence without examining business associate conformance or system weaknesses.
For organisations seeking or maintaining ISO 37001:2025 certification, the investment in a properly designed and executed audit programme is not optional. It is a direct requirement of the standard across four distinct sub-clauses. It is also one of the most powerful tools available for ensuring that the ABMS is genuinely functioning — not simply documented.
Speeki's expectations are aligned with the 2025 standard. They are high because the standard is high — and because the purpose of an anti-bribery management system is to prevent bribery, not to demonstrate the appearance of doing so.
To Discuss Your Audit Programme
If you are an ISO 37001 certified organisation and would like to assess whether your internal audit programme meets the requirements described in this whitepaper, Speeki's team can assist with a gap assessment. Speeki is an ISO/IEC 17021-1 accredited certification body for ISO 37001, operating across 100+ countries. We provide independent certification and assurance — not consulting. Contact us at speeki.com
References
ISO 37001:2025 Anti-Bribery Management Systems — Requirements with Guidance for Use. Second edition. International Organization for Standardization.
ISO 19011:2018 Guidelines for Auditing Management Systems. International Organization for Standardization.
ISO/IEC 17021-1:2015 Conformity Assessment — Requirements for Bodies Providing Audit and Certification of Management Systems.
ISO 37001:2025 Annex A — Guidance on the Use of This International Standard, including A.16 (Internal Audit).
ISO 37301:2021 Compliance Management Systems — Requirements with Guidance for Use.
This whitepaper is intended for general informational purposes. It does not constitute legal advice. Speeki is an accredited certification body. We provide certification and assurance services, not consulting.