The U.S. Department of Justice (DOJ), Criminal Division, Fraud Section, recently released new guidance associated with its Guide to the U.S. Foreign Corrupt Practices Act. The guidance, entitled Evaluation of Corporate Compliance Programs, is framed, in part, as a set of common questions the DOJ’s Fraud Section finds relevant for most criminal investigations.
The DOJ notes that its Fraud Section does not use “a rigid formula” to assess compliance programs and further states that the guidance does not constitute a “checklist nor a formula” for compliance. However, the questions do provide important guidelines for compliance departments and some insight about the DOJ’s expectations for compliance programs. These echo many of the themes NAVEX Global has endorsed in recent years. A review of the topics covered in this guidance – along with a few sample questions related to each topic derived from the guidance – is provided here:
- Analysis and Remediation of Underlying Misconduct. Were there prior opportunities to detect the misconduct in question? What specific changes has the company made to reduce the risk that the same or similar issues will not occur in the future?
- Senior and Middle Management. What specific actions have senior leaders and stakeholders…taken to demonstrate their commitment to compliance? What compliance expertise has been available on the board?
- Autonomy and Resources. Have there been times when requests for resources by the compliance and relevant control functions have been denied? If so, how have those decisions been made?
- Policies and Procedures. Has the company had policies and procedures that prohibit misconduct? How has the company assessed whether these…are effective?
- Risk Assessment. What methodology has the company used to identify, analyze and address the particular risks it faced? How has the information or metrics informed the company’s compliance program?
- Training and Communications. How has the company measured the effectiveness of training? What has senior management done to let employees know the company’s position on the misconduct?
- Confidential Reporting and Investigation. Has the compliance function had full access to reporting and investigative information? How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted and properly documented?
- Incentives and Disciplinary Measures. Have the disciplinary actions been fairly and consistently applied across the organization? How has the company incentivized compliance and ethical behavior?
- Continuous Improvement, Periodic Testing and Review. How often has the company updated its risk assessments and reviewed its compliance policies, procedures and practices?
- Third-Party Management. Were red flags identified in the due diligence of the third parties involved in the misconduct and how they were resolved?
- Mergers and Acquisitions (M&A). How has the compliance function been integrated into the merger, acquisition and integration process?
As the DOJ notes, many of these topics appear elsewhere, including the US Attorney’s Manual, the United States Sentencing Guidelines, the Resource Guide to the U.S. Foreign Corrupt Practices Act from 2012 and the Anti-Corruption and Compliance Handbook for Business.
What is clear from this publication is that the DOJ is intent on conducting vigorous, holistic assessments of companies’ compliance efforts as part of their criminal investigations and are clearly looking to weed out paper programs. This guidance comes four months after a landmark decision not to prosecute a multinational corporation because of “self-policing” and “prompt self-reporting, thorough remediation, and exemplary cooperation” with investigators.
We strongly encourage compliance professionals everywhere to read and understand this important guidance from the DOJ.