DOJ’s New Corporate Compliance Guidance: Does Your Compliance Program Work? (Part V of V)
The final issue discussed in the new DOJ Corporate Compliance Guidance is the assessment of whether a company’s compliance program is working – at the time of the offense and at the time of the resolution of an enforcement matter.
Interestingly, DOJ conceded that the existence of misconduct, by definition, does not mean that a compliance program did not work or was ineffective. No compliance program can prevent all criminal activity in an organization.
In examining the effectiveness of a compliance program at the time of the offense, prosecutors will have to determine whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct and the nature of the company’s remedial efforts.
In determining the effectiveness of a company’s compliance program at the time of a charging decision or resolution, prosecutors have to examine how the program has changed over time to address risks, whether the company undertook an adequate and honest root cause analysis to understand what “contributed” to the misconduct and the extent of remediation needed to prevent similar violations in the future.
DOJ will consider whether the company made significant changes to and investments in its compliance program and internal controls systems and whether remedial improvements have been tested.
Under this section, DOJ’s Guidance is divided into three sections: (1) Continuous Improvement, Periodic Testing and Review; (2) Investigation of Misconduct; and (3) Analysis and Remediation of any Underlying Misconduct.
Continuous Improvement, Periodic Testing and Review
A compliance program has to improve and evolve in response to changes in risk that require program adjustment. A company’s business changes over time, as do the community in which it operates, the nature of its customers, the law that applies to its activities and industry standards. Companies have to review their compliance programs and make sure they are not “stale.”
In this area, DOJ highlighted the importance of a company’s culture and testing of its culture and controls, including periodic audits to ensure that its controls are functioning well. DOJ will examine whether a company has taken “reasonable steps” to “ensure that its compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct” and “evaluate periodically the effectiveness of the organization’s program.”
In examining these issues, DOJ has keyed onto the important role that internal audit plays in its audit function and in particular, the process by which internal audit determines where and how to conduct an audit. In examining the audit function, DOJ will examine how audits are conducted, the types of audits conducted (and in relation to any potential misconduct), review of audit findings, reporting of audit findings to management and the board and how such findings are addressed. In particular, DOJ will examine how often internal audit conducts assessments in high-risk areas.
With respect to internal controls, DOJ will question whether the company reviewed and audited its compliance program in an area relating to misconduct, and generally, what testing of controls, collection and analysis of compliance data and interviews of employees and third parties the company undertakes and how the results are reported, tracked and resolved.
With respect to updating its compliance functions and programs, DOJ intends to focus on how often a company updates its risk assessments and reviews its compliance policies and practices, including whether the company has conducted a gap analysis to ensure that its policies, controls and/or training address specific risk areas.
Finally, DOJ has added a new and important inquiry concerning a company’s culture of compliance. Specifically, DOJ will inquire how often the company measures its culture, whether all levels of employees are asked about their perception of senior and middle management commitment to compliance and how the company responded to the culture measurement.
Investigation of Misconduct
DOJ again focuses attention on a company’s internal investigation function to ensure that companies maintain an effective investigations structure including documentation of a company’s response to an investigation, including disciplinary or remediation measures taken.
In this important area, DOJ emphasizes the following points: (i) investigations have to be properly scoped, conducted by independent investigators who are objective and conduct a proper investigation that is documented; (ii) investigations have to identify root causes, system vulnerabilities and accountability lapses, including among supervisory managers and senior executives; and (iii) investigation findings have to be reported and examined by senior management in appropriate cases.
Analysis and Remediation of Underlying Misconduct
Under this final subject area, companies are expected to conduct root cause analyses of misconduct and timely and appropriately remediate to address the root causes. DOJ will weigh the company’s remedial actions in light of the nature, severity and frequency of the misconduct, as well as disciplinary measures taken and compliance program improvements adopted in response to any misconduct.
In examining this area, DOJ will focus on a company’s:
- Root cause analysis
- Identification of prior weaknesses, including specific controls and/or policies that were violated;
- Payment systems used to fund the misconduct (e.g. purchase orders, reimbursements, discounts, petty cash);
- Vendor selection process (if a vendor was involved);
- Prior indications of potential misconduct, such as audit reports identifying relevant control failures or allegations, complaints or investigations;
- Remediation to prevent recurrence, address the root cause and ensure no future missed opportunities to prevent or detect misconduct; and
- Accountability for managers with supervisory responsibility considering the company’s overall disciplinary records relating to this type of misconduct.