Summary of Compliance Guideline
The Criminal Division’s Fraud Section of the U.S. Department of Justice (the “DOJ”) has released guidance on how the DOJ will determine the effectiveness of a company’s corporate compliance program. The guidance, entitled Evaluation of Corporate Compliance Programs (the “Compliance Guideline”), provides examples of topics and sample questions that are frequently used by the DOJ in the evaluation of a corporate compliance program.
While the topics and questions are not new, the Compliance Guideline does reinforce the message that the DOJ’s focus is on the concrete steps a company’s leadership takes to foster a corporate culture of compliance. The Justice Department’s Compliance Counsel, Hui Chen, emphasized the difference between a “paper program” and a “real program.” “The answers are not in the glossy diagrams of a company’s ‘core values’ or their training slides; rather, they are in what happens in real life, in the smallest details that manifest themselves in the company’s daily operations.”
The Compliance Guidelines provide useful insights for compliance professionals on what to expect in the event of a DOJ investigation and furthermore provide a framework to assess a company’s compliance program, strengthen existing polices, and identify areas that need improvement. While the DOJ does not use an established formula in assessing the effectiveness of corporate compliance programs, the Compliance Guideline does provide transparency into factors the DOJ will take into consideration when evaluating the adequacy of a company’s compliance program. The DOJ is careful to note that the Compliance Guideline is not a checklist or a formula and that many of the topics are found in the United States Attorney’s Manual, the United States Sentencing Guidelines, the Fraud Section corporate resolution agreements, the DOJ and Security and Exchange Commission’s A Resource Guide to the U.S. Foreign Corrupt Practices Act, the Organization for Economic Co-operation and Development Council’s Good Practice Guidance on Internal Controls, Ethics, and Compliance, the United Nations Office on Drugs and Crime, and the World Bank.
Topics and Questions – What the DOJ Will Look to When Evaluating a Compliance Program
The Compliance Guideline sets forth eleven topics and questions investigators may ask when evaluating the adequacy of a compliance program. These are factors prosecutors will take into consideration when conducting an investigation of a corporate entity, determining whether to bring charges, and negotiating plea or other agreements. Companies should use these topics and questions to serve as best practices to measure corporate compliance programs and further refine existing programs
1. Analysis and Remediation of Underlying Misconduct
During the course of an investigation, the DOJ will look through audit reports, complaints, and prior investigations of similar misconduct for any missed prior opportunities to detect the misconduct. Companies must ensure there are no system vulnerabilities or accountability lapses in detecting issues. Similarly, companies should have a system in place to expose vulnerabilities and implement corrective measures to reduce the risk of repeat misconduct.
2. Senior and Middle Management
The Compliance Guideline reiterates that compliance starts at the top and the DOJ will look to whether management properly sets the tone for the company. The onus will be on senior management, through words or actions, to foster and encourage an ethical culture. Not only should leadership take concrete actions in the company’s compliance and remediation efforts, management at all levels must model appropriate behavior to employees. Further, management has a responsibility to ensure appropriate information is shared among different components of the company – including the board of directors. The board and senior management will need to examine pertinent information in their exercise of oversight, have access to compliance expertise, and the board and external auditors should be holding regular sessions with compliance and control functions.
3. Autonomy and Resources
Whether a company’s compliance department is internal or functions are outsourced to an external firm, investigators will be inspecting to determine whether the compliance department is autonomous and can remain objective from the rest of the company. A company will want to make sure compliance personnel are independent, have the appropriate experience and qualifications for their role and responsibilities, maintain a level of stature that is comparable to other departments within the company, have access to key decision-makers such as the board of directors, are evaluated by appropriate senior management, have a low turnover rate, and play a role in the company’s strategic and operational decisions. Compliance and control personnel must be empowered to identify, escalate, and address problems.
4. Policies and Procedures
It’s not enough to merely have compliance policies and procedures in place, the DOJ will be looking at a company’s process for designing and implementing the policies and procedures, the company’s ability to evaluate the usefulness of policies and procedures, and whether the departments or functions have ownership of and are held accountable for their oversight. In examining the compliance policies and procedures, the DOJ will examine whether there has been clear guidance and training for the key gatekeepers (e.g., the persons who issue payments or review approvals) in the control processes. The gatekeepers must be aware of the process in order to properly raise concerns. Further, the policies and procedures must be adequately disseminated and accessible to all employees.
Compliance personnel will need to be responsible for operational integration of the policies and procedures, consult with the appropriate officers or business segments, and roll out the policies and procedures while making sure employees fully understand them. So as to avoid future misconduct, the company must have controls in place to detect and prevent the misconduct, restrict or rigidly control access to funding to prevent abuse, and have a process in place to manage outside vendors. Employees in each department with approval authority or certification responsibilities will need to know what to look for, and when and how to escalate concerns.
5. Risk Assessment
There needs to be a methodology to identify, analyze and address risks for misconduct within the company. The DOJ will examine the type of information or metrics a company has collected to detect misconduct and how that information or metric is being used to inform the company’s compliance program of possible as well as manifested risks.
6. Training and Communications
The DOJ will focus on the type of training provided to employees who work in high-risk and control positions. Corporations must ensure: (1) employees in relevant control functions are receiving adequate and effective training; (2) high-risk and control employees are receiving tailored training that addresses the risks in the area where a misconduct may occur; and (3) appropriate analysis is undertaken of which employees should be trained and on what subjects.
In addition to identifying the employees that must receive appropriate training, companies will want to ensure the training is effectively communicated. The DOJ will look to whether the format of the training (i.e. web-based, in-person seminar, interactive, etc.) and the language that training was conducted in is appropriate for the intended audience. Further, the DOJ will examine whether the company has measured the effectiveness of training that is given.
Leadership will need to communicate to employees the company’s position on any misconduct that has occurred, including when an employee is terminated for failure to comply with a company’s policies and procedures. Further, companies must ensure employees have adequate access to resources that provide guidance on compliance policies and procedures.
7. Confidential Reporting and Investigation
The DOJ will look to whether the company has implemented an effective and confidential reporting mechanism, including the ability to evaluate the risk level or seriousness of reports. Once a report comes in, the company must timely respond to the complaint, adequately analyze and identify the misconduct, and determine the persons involved. If an investigation is warranted, it must be remain independent, properly scoped and documented, and if appropriate, involve all levels of senior leadership up to the board of directors. In response to the investigation, remediation must be appropriate in light of the investigation findings.
8. Incentives and Disciplinary Measures
It is imperative for a company to implement appropriate disciplinary measures upon identifying misconduct. All individuals involved in the misconduct must take accountability for their role, particularly employees that have a management role in the company. Disciplinary actions must be fair and consistent for all employment levels.
In addition to disciplining misconduct, a company should have a process in place to incentivize good behavior. The DOJ will look for concrete examples of incentives for compliance and ethical behavior such as promotions and rewards.
9. Continuous Improvement, Periodic Testing and Review
A well-rounded compliance program will need to undergo periodic review and auditing to test controls and identify system vulnerabilities. Investigators will examine the types of audits or control testing a company conducts on their compliance programs, audit findings, whether remediation progress is reported to management and the board on a regular basis, how management and the board follow-up on those reports, and how often internal audits are conducted in high-risk areas. Additionally, compliance policies, procedures, and practices will need to be periodically reviewed and risk assessments will need to be continuously updated.
10. Third-Party Management
When relying on third parties outside of a company’s control, the company will want to implement a risk-based process to manage those third parties. The business rationale for using a third party will need to be appropriately documented, including payment terms and the work to be performed. Due diligence on third parties must be conducted to identify red flags and the company will need a process to identify and monitor compliance issues, including methods of remediation such as suspension or termination of the third party relationship.
11. Mergers and Acquisitions
Mergers and acquisitions must undergo a due diligence process to identify misconduct or the risk of misconduct. The company will need a process for tracking and remediating misconduct or misconduct risks identified during the due diligence process. Further, the company will need a process for implementing their compliance policies and procedures at the new entity.