Most companies in Germany have recently established compliance departments. It seems to be an unwritten law to set up and maintain such departments. Very often, however, the efficiency of compliance programmes is not questioned. The fact is: there is no generally binding German or international standard for the certification of compliance programmes. We spoke to Michael Malterer, partner in the Munich office of Norton Rose LLP, about legal compliance audits.

Why does the management of a company have to care about compliance organisation?

The company management is responsible for compliance with applicable law and statutes, internal guidelines and ethical principles. It is necessary to define and implement corporate governance standards aiming at risk identification and damage prevention. The director of a stock corporation and the management of a limited liability company are liable under corporate law if these requirements are not met, i.e. if the company management has not made sufficient efforts to ensure prevention and the company has suffered damage as a result. The day-to-day implementation may be delegated – guiding decisions are, however, definitely a matter for the management level and there can be no alternative to fulfilling these requirements.

The USA has very strict provisions on Compliance. How does German law differ from US law in this respect?

In the USA, efficient compliance is proven through a whole set of guidelines. This includes behavioural guidelines, management and supervision of personnel, selection of the group of people when it comes to the delegation of responsibilities, audit and revision but also communication and training. In Germany, there is no comparable statutory catalogue of requirements. The German corporate law simply requires accepting compliance as a primary duty of the company management. If business managers violate their organisational duties, they are liable with their personal assets. The individual obligations of the compliance officers are defined through market practice, the benchmark set by competitors and everything that can be reasonably expected of the business management. The standard is set by the Stock Corporation Act, which makes it an obligation of the management board to provide an early warning system for risks, and the Regulatory Offences Act, which stipulates the business management’s duty to ensure that the employees behave in conformity with the law. Cost reasons are not an excuse for compliance violations.

What are the possibilities for audits or certifications?

So far, there is neither a uniform audit standard nor a clear allocation of competencies, which would be necessary for an official certification. Viewed realistically, it is not possible to provide a company with an extensive formal confirmation stating that all corporate governance requirements have been complied with and that therefore no regulations were violated. We do, however, already have audits and individual internal investigations, the latter as a means of unconditional establishment of the truth if there are already indications of violations. In the course of an audit, is it in particular examined whether compliance rules are in fact implemented in operational departments. If the business management cannot judge this by itself, it has to instruct external advisors with the audit. All audit methods concentrate on the comprehension of the business model and the individual operating procedures and deal with company's internal compliance organisation. Another factor is the evaluation of compliance-conducive values and behavioural guidelines and their application to corporate culture. Efficient value management ensures that compliance is not only about adherence to norms or violations of norms. It is also about ethics and the question as to which values a company represents and why complying with a certain norm is good and beneficial.

Law firms increasingly offer legal compliance audits. What exactly are they?

Legal compliance audits carried out by lawyers aim to reduce law violations, liability and damage. A compliance report prepared by a law firm can be compared to a well-structured due diligence review or a legal opinion. At the first stage, the business model and operating procedures are examined and the contact points between compliance programmes and corporate values are established. This also includes the preparation of country reports giving a detailed view of the individual jurisdictions and factual, geographical and political risks. At the second stage, a target-performance comparison is made. At the third and final stage, the result is evaluated, showing gaps, choices of action, training requirements and, if applicable, the need for ethics advisors or other advisors. It is an illusion to think that everything is in best order in one's own company.  

This interview first appeared in German legal publication PLATOW Recht on 21 August 2009