Understanding the DOJ’s new guidance for corporate compliance programs
Ensure your organization can answer these 3 key questions
The Department of Justice’s (DOJ) Criminal Division published an updated Evaluation of Corporate Compliance Programs Guidance Document (the Guidance) in June 2020 for prosecutors to use in evaluating corporate compliance programs. The Guidance represents a broadening of the Fraud Section’s February 2017 guidance[1] on the same topic.
To understand the compliance program areas that corporations should re-evaluate in light of the DOJ's new guidance, RSM has prepared a summary of key incremental recommendations.
The Guidance reinforces that compliance programs should be risk based, and it includes three questions prosecutors will explore when evaluating a corporate compliance program in response to corporate criminal investigations:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith?
- Does the corporation’s compliance program work in practice?
The Guidance demonstrates the significance that the DOJ places on corporate compliance programs, because the answers to these three questions will determine the form of any resolution or prosecution, monetary penalties and the nature of required continued compliance obligations contained in DOJ corporate criminal resolutions (e.g., monitorship or reporting obligations).
Perhaps most notably, the Guidance adds a focus on whether the internal audit department and its resources are being used appropriately to audit aspects of the compliance program, and whether internal audit findings are adequately communicated and tracked through remediation.
The DOJ believes that corporations should be asking themselves the following questions to enhance the maturity and effectiveness of their compliance programs in accordance with the DOJ’s expectations.
Is the corporation’s compliance program well designed?
The core of the DOJ’s updated guidance is rooted in whether a corporation has a comprehensive compliance program “designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program,” as stated in the Justice Manual. The incremental recommendations highlighted below, organized by compliance program element, include the key questions to consider:
Risk assessment
- Does your risk assessment avoid devoting a disproportionate amount of time to policing low-risk areas instead of high-risk areas?
- Is your risk assessment subject to periodic review? Are you continually updating policies and procedures in light of lessons learned and risks discovered through misconduct or other problems with the compliance program?
Policies and procedures
- Has your organization developed guidance and training for the key gatekeepers in the control processes (e.g., those with approval authority or certification responsibilities)? Guidance should be sufficient so that gatekeepers know what misconduct to look for and how to escalate concerns.
- Have you eliminated linguistic or other barriers to foreign employees’ access?
Training and communication
- Have you performed an assessment to evaluate whether policies and procedures have been integrated into the organization, including through periodic training (covering all high-risk areas) and certification for all directors, officers, relevant employees and, where appropriate, third-party agents and business partners?
Reporting structure and investigation process
- Have you created procedures to determine which complaints or red flags merit further investigation?
- Is your organization periodically analyzing reports or investigation findings for patterns of misconduct or other red flags to identify compliance weaknesses?
Third-party management
- Have you ensured that contract terms with third parties specifically describe the services to be performed, validate that the third party is actually performing the work, and verify that the compensation is commensurate with the work being provided in the same industry and geographic region?
- Are you exercising audit rights to analyze the books and accounts of third parties?
Mergers and acquisitions
- Do you subject your acquisition targets to appropriate scrutiny during the due diligence process? Proper validation of an acquisition target is indicative of whether an organization’s compliance program is, as implemented, able to effectively enforce its internal controls and remediate misconduct at all levels of the organization.
Is the program being implemented effectively?
The Guidance continues to emphasize that companies must ensure that their compliance programs are being implemented effectively and as such are successful in practice (not a mere “paper program”). This is an important element, as it separates those programs where compliance simply exists on paper versus those programs where compliance is ingrained in the culture of the corporation and its employees’ values. Companies must always empower compliance personnel with the autonomy and resources to act with authority and independence. Highlighted below are the key categories and questions for consideration under the new guidance:
Commitment by senior and middle management
- Does your program evaluate whether management has tolerated greater compliance risks in pursuit of new business or greater revenues, including whether managers encouraged employees to act unethically to achieve a business objective, or impeded compliance personnel from effectively implementing their duties?
Autonomy and resources
- Does your organization assess the quality and experience of the personnel involved in compliance, to ensure they are able to identify the transactions and activities that pose a potential risk?
- Does your program take into consideration the authority and independence of the compliance function and the availability of compliance expertise to the board?
- Has your organization evaluated the compliance team to ensure sufficient staffing levels exist (existence of devoted compliance personnel) to effectively audit, document, analyze and act on the results of the compliance efforts?
Does the corporation’s compliance program work in practice?
The Guidance highlights that misconduct does not necessarily indicate that a company’s compliance program did not work or was ineffective. Rather, the identification of misconduct, and timely remediation and self-reporting, are strong indicators that the program is working effectively. Additionally, companies should be assessing whether they have a well-functioning and appropriately resourced investigation response plan and continue to focus on whether a root cause analysis was performed. Highlighted below are the key categories and questions for consideration under the new guidance:
Continuous improvement, periodic testing and review
- Have you assessed the process for determining where, and how frequently, internal audit will conduct an audit and the rationale behind the process?
- Has your organization conducted a gap analysis to determine if particular areas of risk are not sufficiently addressed in your current policies, controls or training?
Investigation of suspected misconduct
- Has your organization developed a well-functioning, and appropriately funded, mechanism for the timely and thorough investigation of any allegations or suspicions of misconduct?
The new Guidance stresses that companies should evaluate risks to inform their compliance programs and take steps to measure their performance. While the Guidance relates to specific enforcement risks (i.e., those associated with the DOJ’s Criminal Division), companies should nonetheless consider how the new Guidance can enhance the structure, design, monitoring and enforcement of their compliance programs.
The power to harness data and apply analytical tools and procedures to identify problematic trends, uncover high-risk relationships and detect non-economic transactions can lead to the early identification of fraud schemes and assist in the process of remediation. At RSM, we assist our clients with the application of enhanced data analytics and monitoring to provide valuable program insights. We assist corporate boards, general counsel, compliance professionals, internal audit and external counsel in mitigating risk, reducing exposure and measuring the efficacy of an organization’s compliance programs.