Department of Justice Evaluation Questions for Corporate Compliance Programs
In early February 2017, the Fraud Section of the Department of Justice (“DOJ”) Criminal Division issued an eight-page paper on how DOJ evaluates corporate compliance programs. Those programs are one of the factors DOJ uses in conducting investigations of corporations, determining whether to bring charges, and negotiating pleas and other agreements. Although DOJ does not use any rigid formula to assess the effectiveness of corporate compliance programs, it asks common questions that inform each individualized determination. Those questions are summarized in this blog, and repeat many of the topics in the following publications:
United States Attorney’s Manual (“USAM”)
United States Sentencing Guidelines (“USSG”)
Fraud Section corporate resolution agreements
A Resource Guide to the U.S. Foreign Corrupt Practices Act (“FCPA Guide”) published in November 2012 by the Department of Justice and the Securities and Exchange Commission
Good Practice Guidance on Internal Controls, Ethics, and Compliance adopted by the Organization for Economic Co-operation and Development (“OECD”) Council on February 18, 2010
Anti-Corruption Ethics and Compliance Handbook for Business (“OECD Handbook”) published in 2013 by OECD, United Nations Office on Drugs and Crime, and the World Bank
The questions appear in separate sections, and the highlights are synopsized below.
1. Analysis and Remediation of Underlying Conduct
What are the root cause and systemic issues of the misconduct at issue?
Were there prior opportunities (audit reports, complaints or investigations involving similar issues) to detect the conduct?
What specific changes has the company made to reduce the risk of recurrence?
2. Senior and Middle Management
How have senior leaders, through words and actions, encouraged or discouraged the type of conduct in question?
Are senior leaders and managers committed to compliance?
What compliance expertise has been available to the board of directors and how have they used it?
3. Autonomy and Resources
Was compliance involved in training and decisions relevant to the misconduct and did they ever raise a concern?
How has the compliance function compared with other strategic functions in the company (stature, compensation, rank, resources)?
Have the compliance personnel had the appropriate experience and qualifications?
What is the relationship of the compliance and control officers to the board of directors?
Has compliance ever raised concerns or objections in the area where wrongdoing occurred?
How much personnel and resources have compliance and control received in light of the company’s risk profile?
Has the company outsourced compliance to an external firm, and how has that process been managed?
4. Policies and Procedures: Design and Integration
How has the company designed and implemented new processes and procedures?
Has the company had effectively implemented policies and procedures that prohibited the misconduct?
Has the company had clear guidance and training for key gatekeepers (reviewers and payers) in the control process?
Has the company communicated the policies and procedures relevant to the misconduct to its employees and third parties?
Who was responsible for integrating policies and procedures?
What controls failed or were absent that would have detected or prevented the misconduct?
How was the misconduct funded, what processes could have prevented or detected access to these funds, and have these processes been improved?
Did those with approval authority or certification know what to look for?
If vendors were involved in misconduct, what was the process for vendor selection?
5. Risk Assessment
What method did the company use to identify, analyze and address risks it faced?
What information has the company collected and used to help detect the misconduct in question?
Has the company’s risk assessment process accounted for manifested risks?
6. Training and Communications
What training have employees in relevant control functions received?
Was the training appropriate for the audience?
Has senior management let employees know the company’s position on the misconduct that occurred?
What resources have been available to employees to provide guidance relating to compliance policies?
7. Confidential Reporting and Investigation
Has the company collected, analyzed and used information from its reporting mechanisms?
How has the company ensured that the investigations were properly scoped and were independent and objective?
Have the company’s investigations been used to identify root causes, vulnerability and accountability lapses at all levels?
8. Incentives and Disciplinary Measures
What disciplinary actions did the company take in response to the misconduct and were managers held accountable?
Who participated in making disciplinary decisions? Were they fairly and consistently applied?
Has the company incentivized compliance and ethical behavior?
9. Continuous Improvement, Periodic Testing and Review
What types of audits would have identified the misconduct and did those audits take place, and what were the results?
Has the company reviewed its compliance program in the area relating to the misconduct and assessed its controls in that area?
How often has the company updated its risk assessments and policies and procedures?
10. Third-Party Management
Has the third-party management process corresponded to the level of risk identified by the company?
Why were third parties used, and were compensation and oversight of them appropriate?
How has the company considered and analyzed the third party’s incentive model against compliance risk?
Were red flags identified from the due diligence of the third party and how were they resolved?
11. Mergers and Acquisitions
Was misconduct or risk of misconduct identified during due diligence?
How has compliance been integrated into the merger and acquisition process?
What is the company’s process for remediating risk or misconduct identified during due diligence?
Comment: Effective compliance programs require that a company use due diligence in identifying its potential risks, take appropriate and strong actions to mitigate those risks, and respond to them when they materialize.