The U.S. Department of Justice (DOJ) Criminal Division, Fraud Section recently issued guidance, “Evaluation of Corporate Compliance Programs,” that provides a succinct resource to guide companies in their review and evaluation of their compliance programs. Notably, this is the first formal guidance on corporate compliance issued by the DOJ under the Trump administration and newly appointed Attorney General Jeff Sessions. Much of the guidance can be gleaned from other sources, such as the United States Sentencing Commission’s “Guidelines Manual” or the “United States Attorneys’ Manual,” however the new guidance is a useful collection of topics and sample questions that may be asked during a fraud investigation.
In its introduction, the guidance references the commonly known “Filip Factors” that “describe specific factors that prosecutors should consider in conducting an investigation of a corporate entity, determining whether to bring charges, and negotiating plea or other agreements.” These factors include “the existence and effectiveness of the corporation’s pre-existing compliance program,” as well as “the corporation’s remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one.”
The DOJ’s new guidance “provides some important topics and sample questions that the Fraud Section has frequently found relevant in evaluating a corporate compliance program,” focusing on 11 high-level topics:
- Analysis and Remediation of Underlying Misconduct
- Senior and Middle Management
- Autonomy and Resources
- Policies and Procedures
- Risk Assessment
- Training and Communications
- Confidential Reporting and Investigation
- Incentives and Disciplinary Measures
- Continuous Improvement, Periodic Testing and Review
- Third Party Management
- Mergers and Acquisitions
Each topic is followed by sample questions that prosecutors are likely to examine during the course of an investigation. Examples include:
- Analysis and Remediation of Underlying Misconduct: Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues?
- Senior and Middle Management: How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question?
- Autonomy and Resources: Was compliance involved in training and decisions relevant to the misconduct?
- Risk Assessment: What information or metrics has the company collected and used to help detect the type of misconduct in question?
- Confidential Reporting and Investigation: How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted and properly documented?
- Continuous Improvement, Periodic Testing and Review: Has the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties?
As the guidance states at the outset, this is a collection of guidance factors offered in various DOJ and SEC publications. Therefore, this guidance is familiar and collects practices of U.S. law enforcement in assessing corporate compliance programs that have been used over the years. Nevertheless, this guidance is particularly important and instructive for all corporate counsel, officers and directors, and should be reviewed by corporate compliance professionals to ensure existing compliance programs and practices meet the DOJ requirements. Indeed, the guidance can be a useful tool when designing any new compliance program or when testing an existing program.