Insights from the DOJ: Evaluation of Corporate Compliance Programs
New insights into how the Department of Justice’s (DOJ) Fraud Section evaluates the effectiveness of corporate compliance programs are available through the recently published “Evaluation of Corporate Compliance Programs.” This document provides a brief outline of how the DOJ evaluates the effectiveness of programs in their real-world application of existing guidance materials previously advanced by the DOJ, the Department of Health and Human Services Office of Inspector General, and others. It is a useful measuring tool for compliance officers and general counsel to use in self-examinations of their own clients or as a baseline for independent examinations led by seasoned experts.
At the root of the publication are questions of whether, and to what extent, companies maintain effective compliance programs during a period in which alleged misconduct may have occurred. In the face of scrutiny by the DOJ, a company may have the opportunity to demonstrate the existence and effectiveness of its compliance program as one of many “Filip Factors” that prosecutors are recommended to consider when conducting an investigation of a corporate entity. While effectiveness is determined on a case-by-case analysis with no strictly adhered-to formula, the DOJ routinely focuses its investigations on repeated topics and concerns—whether repeated in a company through multiple indicators, or as broader industry-wide practices that the DOJ has identified over time and deemed worthy of its concern.
In its “Evaluation of Corporate Compliance Programs,” the DOJ highlights eleven axes along which companies under scrutiny may be examined: (1) Analysis and Remediation of Underlying Conduct, (2) Senior and Middle Management, (3) Autonomy and Resources, (4) Policies and Procedures, (5) Risk Assessment, (6) Training and Communications, (7) Confidential Reporting and Investigation, (8) Incentives and Disciplinary Measures, (9) Continuous Improvement, Periodic Testing and Review, (10) Third-Party Management, and (11) Mergers and Acquisitions. Many of these topics already exist in previously promulgated guidelines from the DOJ and other organizations. Under each topic, the DOJ reveals questions frequently asked by prosecutors in the course of their investigations. Most of these questions can be further filtered under three broad categories: communication from the compliance program to senior management and the management’s conduct, the promotion of safeguards and gatekeepers, and the capacity for the company’s compliance program to respond and evolve to new threats.
First, questions regarding the communication pipeline and conduct of senior management include inquiries into the autonomy of the compliance program and the responsiveness from management. For instance:
- Has compliance and other relevant control functions had direct reporting lines to anyone on the board of directors?
- How often does compliance and relevant control function meet with the board of directors, and are members of the senior management present for these meetings?
- Do the compliance and relevant control personnel in the field have reporting lines to headquarters?
- What concrete actions have senior leaders taken to demonstrate leadership in the company’s compliance and remediation efforts?
- What specific actions have senior leaders and other stakeholders taken to demonstrate their commitment to compliance, including their remediation efforts?
Second, the questions demonstrate the DOJ’s objective of ensuring there were established safeguards and gatekeepers outlined in policies and procedures to prevent the misconduct in question. Indeed, the bulk of the guidelines fall under this category, including inquiries into the effectiveness of the reporting mechanism and applicable protocols. Pertinent questions include:
- Has the company had policies and procedures that prohibited the misconduct?
- Has there been clear guidance, training, or both for the key gatekeepers (e.g., the persons who issue payments or review approvals) in the control processes relevant to the misconduct?
- What controls failed or were absent that would have detected or prevented the misconduct?
- What methodology has the company used to identify, analyze, and address the particular risks it faced?
- What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred?
- Have there been specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns?
Third, the DOJ’s inquiry into whether procedures are routinely updated, as well as whether they are adapted in response to mechanism failure, demonstrates the desire of the Department to ensure corporations are making good-faith efforts to prevent offenses from reoccurring. For example:
- How have those with approval authority or certification responsibilities in the processes relevant to the misconduct known what to look for, and when and how to escalate concerns? What steps have been taken to remedy failures identified in this process?
- How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps have the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?
- What specific changes have the company made to reduce the risk that the same or similar issues will not occur in the future?
- What specific remediation has addressed the issues identified in the root-cause and missed-opportunity analysis?
While this publication was not extensively promulgated, its importance should not be overlooked. It emphasizes the level of detail to which senior management and compliance officers are held accountable when the DOJ pursues an inquiry into the effectiveness of a given compliance program.
Berkeley Research Group professionals ensure that corporate compliance officers, senior management, and boards of directors have a clear view into the strengths and opportunities for improvement to their existing compliance programs in order to establish and maintain effective compliance programs.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.