ISO 37301 Audit — Compliance Management System

Compliance system assessment to ensure regulatory compliance and integrity culture.

ISO 37301 Lead Auditor
60+ compliance programs assessed
15+ years of experience

ISO 37301:2021 replaced ISO 19600:2014, which provided guidelines only, and became the first certifiable compliance management system standard. The change matters: a certification body can now formally audit an organization's compliance program against verifiable requirements. What most compliance programs have not resolved is traceability. Is there a complete and current inventory of regulatory obligations? Do compliance officers have real authority and independence? Is training effectiveness measured, or is only attendance recorded? The most frequent finding is that the program exists on the organization chart but has no performance indicators and no continuous improvement mechanism. A compliance program without metrics is invisible to senior management, and what is invisible does not receive resources.

Deliverables

01 Compliance maturity assessment
Assessment of the current state of the compliance program.

02 Regulatory obligations map
Inventory of applicable legal and regulatory requirements.

03 Strengthening plan
Prioritized actions to close compliance gaps.

Intervention Flow

01 Program review
Assessment of compliance policies, procedures and structure.

02 Culture assessment
Interviews and surveys on compliance perception.

03 Report and recommendations
Findings, gap analysis and action plan.

Technical Inquiries

ISO 37001 focuses exclusively on bribery prevention, detection and response. ISO 37301 covers regulatory compliance in general, including labor, environmental, tax, privacy and sector-specific obligations. In terms of scope, anti-bribery is one of the obligations ISO 37301 covers: an organization with ISO 37301 in place should already treat bribery risk in its obligations inventory. ISO 37001 goes further on that one risk, adding specific controls (such as due diligence on business associates, financial and non-financial controls, and rules on gifts and hospitality) that ISO 37301 does not mandate. Organizations with high bribery exposure (construction, mining, defense or financial services, for example) therefore frequently adopt both standards in an integrated manner to demonstrate specific rigor to regulators.

A compliance committee is a governance structure; an independent audit verifies whether that structure produces measurable results. The questions the assessment answers are: does the committee have direct, unfiltered access to senior management? Are compliance findings translated into corrective actions with deadlines and owners? Is there evidence that training changed behavior rather than only generating attendance certificates? Experience across 60+ compliance program evaluations shows that 70% of committees operate as informational bodies rather than decision-making ones, and that difference has direct legal implications.

Fernando Arrieta offers evaluation, assessment, and methodological guidance services for management systems. These activities are independent of the certification process, which is carried out exclusively by accredited certification bodies.