DOJ Issues New Guidance on Corporate Compliance Program Evaluations.

Date posted: April 6, 2017

The Department of Justice (DOJ) recently issued guidance on the effectiveness of corporate compliance programs. The guidance lists important topics and sample questions that the DOJ Fraud Section commonly uses when it evaluates compliance program effectiveness. The list provides significant insight for compliance officers from all industry sectors who are working to build and enhance their compliance programs. These compliance program topics are also addressed in the United States Sentencing Guidelines and other compliance-related federal guidance documents.

The eleven topics listed in the DOJ guidance include the following questions:

  1. Analysis and Remediation of Underlying Misconduct
  • Has the company identified the root cause of the misconduct?
  • Has the company identified a systematic failure in compliance?
  • Did the company miss prior opportunities to detect the misconduct?
  • Has the company analyzed why those opportunities were missed?
  • Has the company remediated the risk of similar issues occurring in the future?
  • What specific changes has the company made to address the root cause of the issue and prevent future missed opportunities?
  2. Senior and Middle Management
  • Did senior managers, through their words and actions, encourage or discourage the misconduct in question?
  • Has senior leadership taken concrete steps to demonstrate commitment to compliance and remediation efforts?
  • Does the Board have access to the right expertise and information to help perform its oversight function?
  3. Autonomy and Resources
  • Does the compliance function have the right resources and stature within the company to perform effectively?
  • Was compliance involved in the training and decisions relevant to any misconduct?
  • Does the compliance function have an appropriate level of resources and independence?
  4. Policies and Procedures
  • Did the company have policies and procedures that prohibited the misconduct?
  • Has the company assessed whether its policies and procedures were effectively designed and implemented?
  • Are key gatekeepers adequately trained in the control processes relevant to the misconduct?
  • Was the program properly integrated and were adequate controls put in place to detect misconduct?
  5. Risk Assessment
  • What methodology has the company used to identify, analyze, and address the risks it faced?
  • Does the company collect information and metrics to adequately assess risks?
  6. Training and Communications
  • What training was in place and is it properly tailored for employees in high-risk or control function areas?
  • Is the training offered in the right form and language for the target employees?
  • How does the company communicate to employees about any misconduct that has occurred?
  7. Confidential Reporting and Investigation
  • Does the company have an effective way of collecting and analyzing allegations of misconduct?
  • Does the company ensure investigations have been properly scoped, conducted, and documented?
  • Did the investigation look to root causes of the misconduct?
  • Did the investigation escalate high enough in the company?
  8. Incentives and Disciplinary Measures
  • Is there disciplinary accountability for managers?
  • Is the application of discipline consistent?
  • Is there an incentive program for good compliance and ethical behavior?
  • Can the company point to specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?
  9. Continuous Improvement, Periodic Testing, and Review
  • What types of audits would have identified the misconduct at issue, and were they conducted?
  • Do management and the Board follow up on audit findings and failures? Does the company test its controls?
  • Does the company routinely update its compliance program and make sure it adequately addresses current risks?
  10. Third-Party Management
  • Does the company's third-party management process adequately analyze risk?
  • Are there appropriate controls with regard to third parties?
  • Does the company adequately respond to third-party red flags?
  • Has the company suspended, terminated, or audited a third party as a result of compliance issues?
  11. Mergers and Acquisitions (M&A)
  • In the event that misconduct is discovered after a merger, was proper due diligence conducted during the M&A process?
  • How has the compliance function been integrated into the M&A process?

The DOJ guidance is available at:
