The DOJ issued new April 2019 Guidance (“Guidance”, or “2019 Guidance”) detailing how prosecutors will evaluate the effectiveness of corporate programs to prevent fraud and other misconduct, a key consideration in determining the penalties imposed against companies. It updates the Guidance entitled “Evaluation of Corporate Compliance Programs” that the DOJ published on February 8, 2017.
The 2019 Guidance contains 12 high-level topics (below) that are grouped to track the Three Core Questions about compliance program effectiveness contained in Section 9-28.800 of the Justice Manual, and candidly these are the key questions the board of directors should be asking. After all, it is expected that the organization’s “governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight” of it (see U.S.S.G. § 8B2.1(b)(2)(A)-(C)).
Three Core Questions
- Is the Corporation’s Compliance Program Well Designed?
- Is the Corporation’s Compliance Program Being Implemented Effectively?
- Does the Corporation’s Compliance Program Work in Practice?
The High-level Topics
- Risk Assessment
- Policies and Procedures
- Training and Communications
- Confidential Reporting Structure and Investigation Process
- Third Party Management
- Mergers and Acquisitions (M&A)
- Commitment by Senior and Middle Management
- Autonomy and Resources
- Incentives and Disciplinary Measures
- Continuous Improvement, Periodic Testing, and Review
- Investigation of Misconduct
- Analysis and Remediation of Any Underlying Misconduct
Under each of the above topics, the 2019 Guidance sets forth multiple sample questions that prosecutors are likely to ask during an investigation. A few examples are:
- Risk Assessment / Risk Management Process: What methodology has the company used to identify, analyze, and address the particular risks it faced?
- Training and Communications / Risk-Based Training: What training have employees in relevant control functions received?
  - Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred?
- Confidential Reporting Structure and Investigation Process / Effectiveness of the Reporting Mechanism: Does the company have an anonymous reporting mechanism, and, if not, why not?
  - How is the reporting mechanism publicized to the company’s employees?
  - Has it been used?
  - How has the company assessed the seriousness of the allegations it received?
  - Has the compliance function had full access to reporting and investigative information?
- Mergers and Acquisitions (M&A) / Process Connecting Due Diligence to Implementation: What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process?
  - What has been the company’s process for implementing compliance policies and procedures at new entities?
- Commitment by Senior and Middle Management / Conduct at the Top: How have senior leaders, through their words and actions, encouraged or discouraged compliance, including the type of misconduct involved in the investigation?
  - What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts?
  - How have they modelled proper behavior to subordinates?
  - Have managers tolerated greater compliance risks in pursuit of new business or greater revenues?
  - Have managers encouraged employees to act unethically to achieve a business objective, or impeded compliance personnel from effectively implementing their duties?
- Continuous Improvement, Periodic Testing, and Review / Internal Audit: What is the process for determining where and how frequently internal audit will undertake an audit, and what is the rationale behind that process?
  - How are audits carried out?
  - What types of audits would have identified issues relevant to the misconduct?
  - Did those audits occur, and what were the findings?
  - What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis?
  - How have management and the board followed up?
  - How often does internal audit conduct assessments in high-risk areas?
- Continuous Improvement, Periodic Testing, and Review / Properly Scoped Investigation by Qualified Personnel: How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented?
Some Other Points of Focus
- Compliance must adopt a risk-based approach (See Closing Thoughts below).
- Compliance must have appropriate processes for the submission of complaints, and processes to protect whistleblowers.
- The word “resource” appears 21 times in the Guidance, so I am certain that, if your organization is not properly resourced, that will more likely than not be a problem.
- Compliance must have independent access to the Board and Audit Committee.
- Compliance needs to be integrated with other functions like internal audit, and depending on structure, the legal function.
- Compliance must adopt strong third-party controls.
The 2019 Guidance seeks to understand how the organization approaches compliance and then what worked and what didn’t. So, one might consider reading both the old and new Guidance to understand how the evaluation of an organization’s compliance programs has changed.
If you are going to have your organization’s compliance program evaluated and you should!