The Department of Justice (DOJ) recently published a guidance document titled “Evaluation of Corporate Compliance Programs” that provides insight into how the Fraud Section evaluates compliance programs under criminal investigation. This guidance emphasizes the government’s commitment to fighting corporate fraud under the former Deputy Attorney General Yates memorandum and serves as a valuable tool for measuring your organization’s compliance program’s effectiveness.
Here is a summary of the topics and questions that the DOJ finds relevant when evaluating a corporate compliance program under investigation:
- Analysis and Remediation of Underlying Conduct: What is the organization’s root cause analysis of the misconduct at issue? Were there prior opportunities to detect the misconduct in question? What specific changes has the organization made to reduce the risk that the same or similar issues will occur in the future?
- Senior and Middle Management: What concrete actions has management taken to demonstrate leadership in the organization’s compliance and remediation efforts? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?
- Autonomy and Resources: Was compliance involved in training and decisions relevant to the misconduct? What role has compliance played in the organization’s strategic and operational decisions? Have there been specific instances where compliance raised concerns or objections in the area in which the wrongdoing occurred? How has the organization responded to such compliance concerns? Has the organization outsourced all or parts of its compliance functions to an external firm or consultant?
- Policies and Procedures: What has been the organization’s process for designing and implementing new policies and procedures? How has the organization assessed whether these policies and procedures have been effectively implemented?
- Risk Assessment: What methodology has the organization used to identify, analyze, and address the particular risks it faced? What information or metrics has the organization collected and used to help detect the type of misconduct in question?
- Training and Communications: What training have employees received? What has senior management done to let employees know the organization’s position on the misconduct that occurred? What resources have been available to employees to provide guidance relating to compliance policies?
- Confidential Reporting and Investigation: How has the organization collected, analyzed, and used information from its reporting mechanisms? How has the organization ensured that its investigations have been properly scoped, independent, objective, appropriately conducted, and properly documented? Has the organization’s investigation been used to identify root causes, system vulnerabilities, and accountability lapses, including among supervisory managers and senior executives?
- Incentives and Disciplinary Measures: What disciplinary actions did the organization take in response to the misconduct? Did the organization’s response consider disciplinary actions for supervisors’ failure in oversight? Have the disciplinary actions and incentives been fairly and consistently applied across the organization? How has the organization incentivized compliance and ethical behavior?
- Continuous Improvement, Periodic Testing, and Review: What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? How often has the organization updated its risk assessments and reviewed its compliance policies, procedures, and practices?
- Third Party Management: How has the organization considered and analyzed the third party’s incentive model against compliance risks? How has the organization monitored the third parties in question?
- Mergers & Acquisitions: Was the misconduct or the risk of misconduct identified during due diligence? What has been the organization’s process for implementing compliance policies and procedures at new entities?
Remember, maintaining an effective compliance program is an ongoing process that does not stop with taking any one particular action, such as having a binder of compliance policies or a one-time training session. A proactive approach is key to ensuring your organization has a program in place that will deter, detect, and prevent noncompliance. Review the full guidance document to see if your organization has the proper internal controls to withstand government scrutiny.