The DOJ issued New April 2019 Guidance (“Guidance”, or “2019 Guidance”) detailing how prosecutors will evaluate the effectiveness of corporate programs to prevent fraud and other misconduct, a key consideration in determining the penalties imposed against companies. This is an update from the On February 8, 2017, the DOJ published Guidance entitled, “Evaluation of Corporate Compliance Programs”.
Brian Benczkowski, the head of the Justice Department’s criminal division, said the revised guidance is intended to aid not only prosecutors but also companies, giving them deeper insight into what the government will demand of compliance programs.
The 2019 Guidance contains 12 high-level topics (below) that are grouped to track the Three Core Questions about compliance program effectiveness contained in Section 9-28.800 of the Justice Manual and candidly are the key questions the board of directors should be asking. After all it’s expected the organization’s “governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight” of it (See U.S.S.G. § 8B2.1(b)(2)(A)-(C)).
Three Core Questions
- Is the Corporation’s Compliance Program Well Designed?
- Is the Corporation’s Compliance Program Being Implemented Effectively?
- Does the Corporation’s Compliance Program Work in Practice?
“Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process,” according to the Guidance. “As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant federal laws that is accessible and applicable to all company employees.”
Prosecutors, according to the guidance, “should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations.”
The High-level Topics
- Risk Assessment
- Policies and Procedures
- Training and Communications
- Confidential Reporting Structure and Investigation Process
- Third Party Management
- Mergers and Acquisitions (M&A)
- Commitment by Senior and Middle Management
- Autonomy and Resources
- Incentives and Disciplinary Measures
- Continuous Improvement, Periodic Testing, and Review
- Investigation of Misconduct
- Analysis and Remediation of Any Underlying Misconduct
The 2019 Guidance has a twelfth topic because it split the 2017 Guidance’ topic of “Confidential Reporting and Investigation” into two separate sections—”Confidential Reporting Structure and Investigation Process” (4) and “Investigation of Misconduct (11).”
Under each of the above topics, the 2019 Guidance sets forth multiple sample questions that prosecutors are likely to ask during an investigation. A few examples are:
- Risk Assessment: Risk Management ProcessWhat methodology has the company used to identify, analyze, and address the particular risks it faced?
- Training and Communications: Risk Based Training What training have employees in relevant control functions received?
- Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred?
- Confidential Reporting Structure and Investigation Process: Effectiveness of the Reporting MechanismDoes the company have an anonymous reporting mechanism, and, if not, why not?
- How is the reporting mechanism publicized to the company’s employees?
- Has it been used?
- How has the company assessed the seriousness of the allegations it received
- Has the compliance function had full access to reporting and investigative information?
- Mergers and Acquisitions (M&A): Process Connecting Due Diligence to Implementation What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process
- What has been the company’s process for implementing compliance policies and procedures at new entities?
- Commitment by Senior and Middle Management: Conduct at the Top How have senior leaders, through their words and actions, encouraged or discouraged compliance, including the type of misconduct involved in the investigation?
- What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts?
- How have they modelled proper behavior to subordinates?
- Have managers tolerated greater compliance risks in pursuit of new business or greater revenues?
- Have managers encouraged employees to act unethically to achieve a business objective, or impeded compliance personnel from effectively implementing their duties?
- Continuous Improvement, Periodic Testing, and Review: Internal AuditWhat is the process for determining where and how frequently internal audit will undertake an audit, and what is the rationale behind that process?
- How are audits carried out?
- What types of audits would have identified issues relevant to the misconduct
- Did those audits occur and what were the findings?
- What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis?
- How have management and the board followed up?
- How often does internal audit conduct assessments in high-risk areas?
- Continuous Improvement, Periodic Testing, and Review: Properly Scoped Investigation by Qualified PersonnelHow has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented?
Some Other Points of Focus
- Compliance must adopt a risk-based approach (See Closing Thoughts below).
- Compliance must have appropriate processes for the submission of complaints, and processes to protect whistleblowers.
- The word “resource” appears twenty one (21) times in the Guidance, so I am certain that if your organization is not properly resourced that will more likely than not be a problem.
- Compliance must have independent access to the Board and Audit Committee.
- Compliance needs to be integrated with other functions like internal audit, and depending on structure, the legal function. See discussion on whether the compliance should be a separate function!
- Compliance must adopt strong third-party controls.
- Root cause was mentioned nine (9) times in the Guidance! Treating symptoms and the not the root cause could at some point result in recidivism, which will more likely than not be problematic!
The 2019 Guidance seeks to understand how the organization approaches compliance and then what worked and what didn’t. So, one might consider reading both the old and new Guidance to understand how the evaluation of an organization’s compliance programs has changed.
If you are going to have your organization’s compliance program evaluated and you should!
Why? Prosecutors must evaluate if the organization has engaged in meaningful efforts to review its compliance program and ensure that it is not stale.
Then you might want to first make sure your risk profile is up to date as well as your fraud or misconduct risk assessment! Why? The section within the Guidance on “Risk Assessment” was moved to be first of the 12 topics addressed in the 2019 Updated Guidance (Note: It was the fifth topic addressed in the 2017 Evaluation Guidance) and just maybe the DOJ is sending a subliminal message here, which some of us have already picked up and that is the risk assessment drives the compliance program!
By the way if you’re already a client don’t worry. We have been doing all of this for some time and this is not a best practice guide! This doesn’t mean the writing should be ignored, I use it as a tool to help me think through compliance programs strategically and evaluate risk. Boards and senior management should use the guidance for the same.
I welcome your comments.
Jonathan T. Marks, CPA, CFE