New Guidance Document: How DOJ Evaluates Corporate Compliance Programs


The U.S. Department of Justice (DOJ) has issued compliance guidance for corporations that outlines how the Fraud Section will likely evaluate the corporate compliance program of a company under criminal investigation. "Evaluation of Corporate Compliance Programs" (Compliance Guidance) was issued on February 8, 2017, and is consistent with earlier DOJ policies. The Compliance Guidance contains a series of questions that DOJ will likely ask a company about its compliance program when determining whether to bring charges against a company or negotiate a settlement.

The Compliance Guidance contains 11 different sections:

  1. Analysis and Remediation of Underlying Misconduct
  2. Senior and Middle Management
  3. Autonomy and Resources
  4. Policies and Procedures
  5. Risk Assessment
  6. Training and Communication
  7. Confidential Reporting and Investigation
  8. Incentives and Disciplinary Measures
  9. Continuous Improvement, Periodic Testing and Review
  10. Third Party Management
  11. Mergers and Acquisitions (M&A)

An analysis of the guidance document reveals that several issues continue to be of interest to DOJ under the new presidential administration, including holding individuals accountable for misconduct. Just last month, Deputy Assistant Attorney General Trevor N. McFadden remarked that DOJ is committed to "holding not just companies, but individual actors responsible for corporate misconduct."

DOJ also remains concerned about how a company structures and implements its compliance program. Speaking at the ABA's 31st Annual National Institute on White Collar Crime on March 9, 2017, Daniel Kahn, Chief of the Foreign Corrupt Practices Act (FCPA) Unit, stated that DOJ is most interested in how companies are thinking about compliance, and that DOJ wants to see how a program works. Mr. Kahn also referenced Hui Chen's role as DOJ's compliance counsel expert, and the guidance document is a strong reflection of DOJ's continued focus on compliance plans. Ms. Chen has previously stated that she expects a company to have designed and operationalized its compliance program by focusing on four "primary areas of inquiry": 1) How thoughtful is the design of the program? 2) How operational is the program? 3) How well do stakeholders communicate? and 4) How well resourced is the program? These "primary areas of inquiry" are embedded in the Compliance Guidance.

The Compliance Guidance applies directly to a company under criminal investigation by DOJ. But even if a company is not under investigation, the guidance represents a potential framework for how a company should analyze its compliance program to ensure it is consistent with the expectations of government regulators. In that vein, here are a few practical questions and considerations for a company evaluating its compliance program:

Internal Investigation
The very first section of the Compliance Guidance contains questions about whether the company conducted a "Root Cause Analysis" of the misconduct at issue. Following the issuance of the Yates memorandum in September 2015, this Root Cause Analysis necessarily includes identifying who committed the misconduct, including any executives or senior-level managers. When conducting an investigation into alleged misconduct, a company should be thinking about whether it received all of the necessary information (e.g., invoices or expense reports) about all of the alleged wrongdoers, regardless of their positions within the company. In addition, a company's investigation of the misconduct should include understanding whether a senior leader participated in or encouraged the misconduct.

Other questions to ask during an assessment include:

  • What circumstances were present that permitted the misconduct to occur?
  • What can be done to prevent the misconduct from recurring?
  • Are amendments to compliance processes and compliance re-education necessary?

DOJ also remains focused on understanding whether the company had prior opportunities to detect the misconduct at issue, including whether the company had received a complaint about the misconduct in the past. DOJ wants to know what a company did in response to that prior complaint; if a company failed to investigate it, how will the company explain why it "missed" this opportunity?

Effectiveness of Audit Process
DOJ's continued interest in the efficacy of a company's audit processes to identify potential misconduct can also be found in the Compliance Guidance. There are several questions in the guidance document related to how often and how thoroughly a company audits those areas that pose higher compliance risks. For instance, how often does a company audit its relationships with third parties? Questions that a company might want to ask itself include whether the current audit processes take into account a company's evolving relationship with a third-party vendor (e.g., amendments to the terms of a contract or changes in the payment methods).

In addition, DOJ is interested in understanding whether senior management or the Board of Directors was made aware of any prior audit findings, as well as whether the managers or Board followed up on any remedial efforts undertaken. DOJ is also interested in the effectiveness of a company's compliance-related controls or systems to identify, collect and analyze data that it receives related to allegations of misconduct. A company, then, may want to ask itself how it gathers and analyzes evidence of misconduct and what it does with that information.

Third Party Risk Assessment
In the Compliance Guidance, there are several questions related to how a company assesses and incorporates potential compliance risks associated with third parties into its business dealings. In his March 9, 2017 comments, the Chief of the FCPA Unit expressed that companies should be doing more than ex ante diligence with respect to third parties.

For instance, DOJ is interested in the role played by the company's procurement department, as well as by whoever is managing the relationship with the third party. Sample questions for a company to ask include:

  • What is being done to ensure that the contract terms specifically describe the services to be performed?
  • What is being done to ensure that the payment terms are appropriate?
  • What is being done to ensure that the described contractual work is performed?

Other key areas of interest to DOJ are whether a company has educated the person managing the third party on the compliance risks associated with the relationship, how a company incentivizes a third party to engage in "compliant and ethical behavior," and how any red flags identified from due diligence of third parties are resolved. A company should, therefore, be asking itself these kinds of questions.

The Compliance Guidance is a valuable "best practices" list of questions of use not only to compliance officers, but to boards of directors and other executives and senior managers. Given DOJ's continued interest in compliance programs and holding individuals accountable, companies, boards of directors, executives and senior managers would all be well advised to ask themselves the questions set out in the Compliance Guidance.

For assistance with reviewing the effectiveness of your corporate compliance program, please contact Joe D. Whitley, Robert E. Hauberg or a member of Baker Donelson's Government Enforcement and Investigations Group.
