Daniel Coney (danconey@comcast.net), based in Lakewood, Colorado, USA, has been a law enforcement professional for more than 35 years, with the last 29 years being both an agent and supervisor in four different Office of Inspector General organizations.
Compliance can be a difficult and thankless job—until you’re needed. Then the work you’ve been doing behind the scenes becomes crucial to the long-term sustainability of the company, the board, and leadership. Your diligence matters most when law enforcement comes calling: not just having an effective compliance program in place, but being able to demonstrate that it is worth the paper it is written on. With that in mind, I thought it would help the practitioner to see the advice I’ve given the agents who work for me on the value of understanding the intersection of investigative work and the discipline of corporate compliance.
This article introduces a tool (Table 1) derived from the source that the U.S. Department of Justice uses to evaluate company compliance plans, the Filip Factors. The tool identifies key factors that law enforcement will seek information about and particular questions they may be asking. Taken from the viewpoint of a compliance professional, however, the tool also provides a road map useful in negotiating the nuances behind what makes up a comprehensive program that addresses the seven elements.
The view from my gumshoes
One of the reasons I am myself a CCEP, and why I am sold on the field of corporate compliance, is the truth that corporate compliance, if done properly, will weed out accidental and irresponsible acts. This, in turn, enables government oversight to focus on investigating those who are intentionally trying to thwart the systems in place for their personal advantage. For that reason, we should all applaud and hold in high regard the work of compliance officials.
However, not all companies are created equal. Enron had a model ethics and compliance program—the joke is that former employees of Enron put the model plan on eBay to sell after the company’s collapse…still in the shrink-wrap. The problem with Enron was not that they didn’t have a compliance program, but that the culture of the company was such that everybody knew it was lip service.
For those companies that do have a compliance plan, I point my agents to what they should expect to see: the seven major elements of an effective ethics and compliance plan, which are outlined in Chapter Eight of the Federal Sentencing Guidelines (USSG § 8B2.1(b)) and are listed below. These components were augmented in the 2004 amendments, which added the requirement to periodically assess the risk of criminal conduct (USSG § 8B2.1(c)).
- The company should have standards of conduct that are understandable and set the overall tenor of ethical conduct expected at the company. The standards feed into current, updated policies and procedures.
- The company should name a compliance officer who has adequate authority.
- There should be an education and training delivery system that focuses on key risk areas for employees and for anybody who does business with the company.
- The company needs to have a plan for how it is going to monitor those risk areas.
- There must be a system in place for reporting. Employees need some way to report problems, typically complemented by the ability to remain anonymous. Non-retaliation policies should also be in place so that employees are not chilled from reporting. The reporting system should trigger the company to undertake investigative steps to validate the complaint.
- The company needs to enforce its standards consistently when poor conduct is discovered. The minute its top salesperson gets a pass for conduct that another employee was fired for, the compliance program has lost all credibility.
- The company needs to demonstrate consistent and appropriate responses to identified problem areas. Such responses could include remediation and prevention steps.
A means to evaluate compliance programs
It’s one thing to say a company should meet these seven criteria, quite another to measure it objectively. From an investigative standpoint, I encourage agents to collect evidence not only of the underlying conduct, but also of whether a compliance plan was in place, is operational, and incorporates the seven elements. To do this effectively, I built a tool based on what the Department of Justice calls the Filip Factors, named after then-Deputy Attorney General Mark Filip. The Filip Factors stem from a 2008 memo from Filip and were later incorporated into the United States Attorneys’ Manual (the USAM 9-28.000 series cited in the table). The Filip Factors lay out how the Department of Justice evaluates business organizations for prosecution, hence my interest in making sure we investigators collect the evidence needed to answer the questions posed in the guidance memo.
The Filip Factors look for the hallmark features that together make an effective compliance plan. The concepts present in the Filip Factors permeate through the questions we ask during interviews, what we seek to obtain in subpoenas or search warrants, and how we conduct investigations. The tool is a checklist that helps break down each of the factors and asks key questions designed to elicit the information that forms the basis for determining how your compliance plan stacks up. If it’s important to how we pursue investigative leads, it likely has relevance for the compliance officer in evaluating risks and designing ways to address the questions we’re likely to ask you.
What investigators want to see
So, you’re no doubt puzzling over what this looks like in real life. By way of example, as infrastructure goes, there is nothing more important to a compliance program than the effort being launched by the governing board, typically through a formal resolution of the board and perhaps even by the direct hiring of the chief compliance officer (CCO). This demonstration of commitment to the compliance effort goes a long way toward building a culture that values ethics. It also demonstrates that the board is aware of, and serious about, their fiduciary responsibility, and is not simply being a rubber stamp club. The fact is, the board is ultimately responsible for the company’s conduct, and that could result in personal responsibility if they do not take steps to ensure a compliance program is effective. You might, therefore, see us use subpoenas to ask for the board resolution(s) that established the compliance plan, standards of conduct, and communications regarding the establishment and implementation of a compliance program.
The company’s standards of conduct are a statement of values; they establish the ethical attitude of the company. Interestingly, Section 406 of the Sarbanes-Oxley Act requires publicly traded companies to disclose whether they have adopted a code of ethics for their senior financial officers (and, if not, why), and the SEC’s implementing rules let a company satisfy that disclosure by posting the code on its website. Think of these standards as the “constitution” that applies to all employees (management, executive, and line), suppliers, third parties, contractors, and the board of directors. Companies with more sophisticated compliance programs may even integrate the code, or at least its spirit, into employee performance plans as a way to ingrain an ethical culture. As the old saying goes, people do what gets measured.
Flowing from the standards of conduct are the individual policies and procedures. According to the Federal Sentencing Guidelines, the policies must be “reasonably capable of reducing misconduct.” The courts have counseled that those who are subject to the policies should annually acknowledge that they understand their responsibilities and have received a copy of the policies and procedures. The policies make clear to employees how they are expected to act and what will happen if they deviate. The discipline for nonconformance with company policies should be clearly spelled out.
How do the courts expect us to measure whether policies and procedures are calculated to reduce misconduct? Without getting too detailed, suffice it to say policies should be specific and address identified risk areas. They should be consistent with laws, regulations, and industry best practices or standards. Further, they should be up to date and accessible to employees. Questions to ask include how policies and procedures are applied each day (i.e., is practice inconsistent with policy), how the policies and procedures are communicated and accessible to employees, whether and how they are tied to performance reviews, whether internal audits have identified duplicative or inconsistent policies, whether version control is in place, and how often they are reviewed and updated. Another quality inquiry would be whether the employee was trained or otherwise schooled on standards of conduct or policies and procedures.
All of this is just a portion of what we might explore in just the first element of a corporate compliance plan. I could go on to explore differences in authority and reporting structures for the CCO and attempt to discern why those differences exist, because they could be indicative of an ineffective compliance and ethics program. Questions concerning barriers to board access for the CCO and unfettered access to information within the company would be in play. The C-suite, including the general counsel, has a stake in the outcome of compliance functions, and since they are often involved in approving the very policies that will be the focus of a compliance inquiry, the conflict of interest is inherent.
Finally, while not part of the original seven elements, the updates to the Federal Sentencing Guidelines added a major element of conducting risk assessments. These assessments form the basis for much of the rest of the compliance program’s activities. Management is responsible for developing an action plan, carried out through the compliance infrastructure, to mitigate the identified risks. While there is no one way to conduct a risk assessment, I advise my investigators—for their purposes—to see whether the company did one. If they did, I ask them to consider whether the compliance plan actually addresses the identified risks, particularly if one of those risks involves the conduct that gave rise to our investigation. This could open the door to proving intent elements of a crime.
Conclusion
Hotlines, anonymous reporting, monitoring, and investigations systems—the list goes on and on. Because of that, I developed a matrix for my agents to conceive of topical areas, develop evaluative questions in those areas, and cross-reference those to the sections of the Sentencing Guidelines where the rule originates. I have shared that in this article so compliance officers across the country have a tool to help assess what can be done better, while also anticipating the questions investigators will be asking if they ever happen to show up on your doorstep.
The views and opinions presented in this paper are the author’s and do not necessarily represent the views of his employer, the Inspector General community, or federal law enforcement as a whole.
Takeaways
- Insight into how investigators may approach potential misconduct by your organization can help you both design better compliance programs and respond to law enforcement inquiries.
- Compliance officers stand in the gap, helping companies avoid and correct inadvertent mistakes, thus letting government oversight focus on those truly committing crimes.
- Investigators know to look for the existence and effectiveness of compliance programs.
- If your compliance planning does not align with your risk assessment, this in itself poses a risk in an investigation.
- Using the Filip Factors checklist tool will help compliance officers be better situated to address compliance needs.
Table 1: Filip Factors compliance checklist

| Topical area | Evaluative questions | Reference | Check? |
|---|---|---|---|
| Organizational structure | Conduct at the top – How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behavior? How has senior leadership modeled proper behavior to subordinates? What is the pervasiveness of wrongdoing within the corporation, including the complicity in, or condoning of, the wrongdoing by corporate management? Who participated in, condoned, or was willfully ignorant of the offense? The higher their degree of authority, the fewer people need to be involved for the wrongdoing to qualify as pervasive. | USSG § 8B2.1(b); FCPA Guide, p. 57; USAM 9-28.500 and 800 Comment; OECD Handbook, C.1, p. 16 et seq.; Chen, Evaluation of Corp. Compliance Programs, p. 2; USSG § 8B2.1 Commentary § (3) | |
| | Oversight – What compliance expertise has been available on the governing board? Have the governing board members and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the governing board and senior management examined in their exercise of oversight in the area in which the misconduct occurred? How can the governing authority demonstrate they are “knowledgeable about the content and operation of the compliance and ethics program...and exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program”? | USSG § 8B2.1(b); FCPA Guide, p. 57; USAM 9-28.800 Comment; OECD Handbook, C.1, p. 16 et seq.; Chen, Evaluation of Corp. Compliance Programs, p. 2 | |
| | Shared commitment – What specific actions have the governing board, senior leaders, and other stakeholders (e.g., business and operational managers, Finance, Procurement, Legal, Human Resources) taken to demonstrate their commitment to compliance, including their remediation efforts? How is information shared among different components of the company? What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis? | USSG § 8B2.1(b); FCPA Guide, p. 57; USAM 9-28.800 Comment; OECD Handbook, C.1, p. 16 et seq.; Chen, Evaluation of Corp. Compliance Programs, pp. 1, 2 | |
| Underlying misconduct | Problem identification – What is the nature and seriousness of the offense, including the risk of harm to the public? What are the collateral consequences, including whether there is disproportionate harm to shareholders, pension holders, employees, and others not proven personally culpable? | USAM 9-28.400 and 1100 | |
| | Criminal, civil, admin history – Does the company have a history of similar misconduct? This is an indicator of a corporate culture that encourages or condones bad deeds or ignores internal compliance efforts. Has the company been debarred, had poor performance reviews on contracts, had contracts terminated for cause, etc.? Have there been export or import violations that may bear on the present conduct? | USSG § 8B2.1 Commentary § (2)(D); USAM 9-28.600 | |
| | Prior indications – If there is no criminal, civil, or administrative history, there may still have been prior opportunities to detect the misconduct in question. Are there audit reports, internal reviews or investigations, or other records identifying relevant control failures, allegations, or complaints on similar issues? Did the compliance or legal units receive any internal employee complaints on similar issues? What did they do with prior complaints? What is the company’s analysis of why such opportunities were missed? | USSG § 8B2.1 Commentary § (2)(D); Chen, Evaluation of Corp. Compliance Programs, p. 1 | |
| | Cooperation – Did the company cooperate in the investigation of its agents by identifying all individuals involved in or responsible for the misconduct at issue, regardless of their position, status, or seniority, and by providing all relevant facts relating to that misconduct? Factors that show this include whether the information is sufficient to identify the individual(s) responsible for the conduct; the timeliness of cooperation; timely and voluntary disclosure of wrongdoing; the diligence, thoroughness, and speed of any internal investigation; the proactive nature of the cooperation; and cooperation in identifying potentially relevant actors and evidence expeditiously to avoid protracted delays. A company is not required to waive its attorney-client privilege and attorney work product protection. Cooperation means disclosure of the relevant factual knowledge (how and when did the alleged misconduct occur? Who promoted or approved it? Who was responsible for committing it?), not of discussions between an individual and their attorneys, though the company may choose to disclose those too. | USAM 9-28.700 and 720; USAM 9-28.900 | |
| | Improper disclosures – Did the company share with others sensitive information about the investigation that the government provided to the corporation? Did the government request that the information not be transmitted to others (for example, where the disclosure of such information could lead to flight by individual subjects, destruction of evidence, or dissipation or concealment of assets)? Did the company otherwise obstruct the investigation? | USAM 9-28.730 | |
| | Obstruction – Did the company engage in conduct intended to impede the investigation? Examples of such conduct include inappropriate directions to employees or their counsel, such as directions not to be truthful or to conceal relevant facts; making representations or submissions that contain misleading assertions or material omissions; and incomplete or delayed production of records. Is the company attempting to control what its employees say? Are there directions on what to do if the government shows up asking questions or with a search warrant? If so, what is the purpose or consequence of those directions? Do they have a chilling effect on employee honesty or cooperation? | USAM 9-28.730 | |
| Compliance plan | Pre-existing compliance plan – Did the company have a pre-existing compliance program? For how long? If not, why not? Was the program chartered by the governing board? Was it by formal resolution of the board? If not, what was its origin? Is there written documentation of the existence of the program? How was the program introduced to and supported among employees? | USSG § 8B2.1(a); USAM 9-28.800 | |
| | Employee perception – Do employees know that their company has a compliance and ethics program? Can they name their compliance officer? Do they know how to seek guidance or report wrongdoing? Are they comfortable reporting wrongdoing? Do employees believe management acts with integrity? Have employees been asked to do something they believed was illegal? Has the company done anything to ask its employees these kinds of questions, such as a survey to do its own program assessment? | | |
| Policies & procedures | Ethics requirements – Did the company have understandable, written standards of conduct and/or ethics that set the overall tenor of ethical conduct expected at the company? Did those standards specifically address the conduct at issue? How are those standards disseminated to and accessible by employees? | USSG § 8B2.1(b)(4) | |
| | Updated policies and procedures – What has been the company’s process for designing and implementing new policies and procedures? Is there a rotation to review and refresh policies? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out? Who has been responsible for integrating policies and procedures? With whom have they consulted (e.g., officers, business segments)? How have they been rolled out (e.g., do compliance personnel assess whether employees understand the policies)? What is the compliance function’s role in designing and implementing policies and procedures? | USSG § 8B2.1(b)(1); FCPA Guide, pp. 57-58; OECD Handbook, C.4 and C.5, p. 27 et seq.; Chen, Evaluation of Corp. Compliance Programs, pp. 2-3 | |
| | Applicable policies and procedures – Has the company had policies and procedures that prohibited the misconduct? How has the company assessed whether these policies and procedures have been effectively implemented? What controls failed or were absent that would have detected or prevented the misconduct? If they weren’t present, are controls in place now? How have the functions that had ownership of these policies and procedures been held accountable for supervisory oversight? How has the company implemented policies that are “reasonably capable of reducing misconduct”? What evaluation has it done to show how its policies meet that standard (i.e., how does it measure this, and are policies directed at identified risk areas)? Are policies and procedures applied consistently? Do they conform with law? Even if there is a policy, are employees telling you that practice differs from policy? Are policies tied to performance evaluations? Is version control in place, and is there a regular practice of review and revision? | USSG § 8B2.1(b)(1); FCPA Guide, pp. 57-58; OECD Handbook, C.4 and C.5, p. 27 et seq.; Chen, Evaluation of Corp. Compliance Programs, pp. 2-3 | |
| | Accessible policies and procedures – How has the company communicated the policies and procedures relevant to the misconduct to employees and third parties? How has the company evaluated the usefulness of these policies and procedures? What resources have been available to employees to provide guidance relating to compliance policies? How has the company assessed whether its employees know when to seek advice and whether they would be willing to do so? | USSG § 8B2.1(b)(1); FCPA Guide, pp. 57-58; OECD Handbook, C.4 and C.5, p. 27 et seq.; Chen, Evaluation of Corp. Compliance Programs, pp. 2-3, 5 | |
| Compliance function | Appointment of a chief compliance officer – Does the company have a named chief compliance officer (CCO)? Does that person wear more than one hat (i.e., part time, or also holding other job tasks that are not compliance related, such as general counsel [GC] or chief financial officer)? Who hired the CCO? Who has the authority to fire? If the GC is acting as CCO, ask when the promotion or hiring of the GC was announced. Did the announcement include CCO duties or title? Is it in the position description? Are CCO duties part of their annual performance assessment? Does that person use CCO as part of their job title (on a business card)? What compliance-related training does that person have? Is there a CCEP or other compliance-related certification? | USSG § 8B2.1(b)(2)(C); Common Best Practices | |
| | CCO experience and qualifications – Have the compliance and control personnel had the appropriate experience and qualifications for their roles and responsibilities? Are there integrity issues, criminal history, etc., associated with the CCO? | USSG § 8B2.1(b)(5)(7) and (c); USAM 9-28.800 Comment; OECD Handbook, B, p. 10 et seq.; Chen, Evaluation of Corp. Compliance Programs, p. 3 | |
| | CCO stature – How has the compliance function compared with other strategic functions in the company in terms of stature (is the CCO a senior executive?), compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions? | USSG § 8B2.1(b)(5)(7) and (c); USAM 9-28.800 Comment; OECD Handbook, B, p. 10 et seq.; Chen, Evaluation of Corp. Compliance Programs, p. 3 | |
| | CCO independence – Can the CCO report directly to the board of directors? To whom does the CCO report? Is there a dotted line to the board of directors? How often do they meet with the board of directors? Are members of senior management present for these meetings? Who reviewed the performance of the compliance function, and what was the review process? Who has determined compensation/bonuses/raises/hiring/termination of compliance officers? Do the compliance and relevant control personnel in the field have reporting lines to headquarters? If not, how has the company ensured their independence? What bonuses have been paid to the CCO as compared to other executives in the company? What conflicts of interest exist in the CCO’s reporting line (e.g., if the CCO reports to the GC, there is an inherent conflict in that the GC represents the company and is often involved in business decisions that may be directly implicated in a CCO’s findings)? Does the CCO have unfettered access to company records to do their job? If not, who controls access? How is independence proven? | Chen, Evaluation of Corp. Compliance Programs, p. 3; Common Best Practices | |
| | CCO empowerment – Have there been specific instances where compliance raised concerns or objections in the area in which the wrongdoing occurred? How has the company responded to such compliance concerns? Have there been specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns? Has the CCO ever stopped a transaction that cost the company money because of a compliance objection? | USSG § 8B2.1(b)(5)(7) and (c); USAM 9-28.800 Comment; OECD Handbook, B, p. 10 et seq.; Chen, Evaluation of Corp. Compliance Programs, p. 3 | |
| | CCO funding and resources – How have decisions been made about the allocation of personnel and resources for the compliance and relevant control functions in light of the company’s risk profile? Have there been times when requests for resources by the compliance and relevant control functions have been denied? If so, how have those decisions been made? | USSG § 8B2.1(b)(5)(7) and (c); USAM 9-28.800 Comment; OECD Handbook, B, p. 10 et seq.; Chen, Evaluation of Corp. Compliance Programs, p. 3 | |
| | Outsourcing of compliance functions – Has the company outsourced all or parts of its compliance functions to an external firm or consultant? What has been the rationale for doing so? Who has been involved in the decision to outsource? How has that process been managed (including who oversaw and/or liaised with the external firm/consultant)? What level of access does the external firm or consultant have to company information? How has the effectiveness of the outsourced process been assessed? | USSG § 8B2.1(b)(5)(7) and (c); USAM 9-28.800 Comment; OECD Handbook, B, p. 10 et seq.; Chen, Evaluation of Corp. Compliance Programs, p. 3 | |
| Training | Adequate training – Fundamentally, how does the compliance function deliver training to those employees involved in the misconduct? How often? How is it documented? Can the company produce both the content of the training and a reliable record of who attended it? Does the overall education and training delivery system focus on key risk areas for employees? For third-party contractors or vendors? What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred? What analysis has the company undertaken to determine who should be trained and on what subjects? Was compliance involved in training and decisions relevant to the misconduct? Were there other trainings delivered by functions other than compliance? Did the compliance or relevant control functions (e.g., Legal, Finance, or Audit) ever raise a concern in the area where the misconduct occurred? Did the training include direction on how to report problems/concerns/violations? How has the company measured the effectiveness of training? | USSG § 8B2.1(b)(4); USAM 9-28.800 Comment; Chen, Evaluation of Corp. Compliance Programs, p. 5 | |
| | Executives too – Has the governing board had any ethics training? Has the executive core taken the same or similar ethics courses the employees are required to take? Are executive bonuses or compensation tied to the success of the compliance program, particularly meeting training metrics? | USSG § 8B2.1(b)(4); Common Best Practices | |
| | Effective training – Are the data points used to measure training effectiveness current and relevant, and do they demonstrate improvement? For instance, can the company show a pre-test and post-test result, which would demonstrate short-term retention? Or can it show a post-test from one year and a pre-test from the following year to compare how much information was retained long term? Another indicator of effectiveness could be hard data points that show fewer accidents, customer complaints, harassment claims, and the like. How interactive is the training? Can trainees ask questions, or is it static? Are there hands-on learning experiences? Is measurement designed to show participation, not just attendance? How often is the training updated? | USSG § 8B2.1(b)(4); USAM 9-28.800 Comment; Chen, Evaluation of Corp. Compliance Programs, p. 5 | |
| | Communications about misconduct – What has senior management done to let employees know the company’s position on the misconduct that occurred? What communications have there been generally when an employee is terminated for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the type of misconduct that leads to discipline)? | USSG § 8B2.1(b)(4); FCPA Guide, p. 59; USAM 9-28.800 Comment; OECD Handbook, C.8, p. 54 et seq.; Chen, Evaluation of Corp. Compliance Programs, p. 5 | |
| Risk assessment | Risk management process – What methodology has the company used to identify, analyze, and address the particular risks it faced? How often is that updated? | USSG § 8B2.1(b)(5)(7) and (c); USAM 9-28.800 Comment; Chen, Evaluation of Corp. Compliance Programs, pp. 4-5; OECD Handbook, B, p. 10 et seq.; USSG § 8B2.1 Commentary § (7) | |
| | Information gathering and analysis – What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program? | USSG § 8B2.1(b)(5)(7) and (c); USAM 9-28.800 Comment; Chen, Evaluation of Corp. Compliance Programs, pp. 4-5; OECD Handbook, B, p. 10 et seq.; USSG § 8B2.1 Commentary § (7) | |
| | Manifested risks – How has the company’s risk assessment process/outcome aligned with clearly realized risks (i.e., the misconduct or issue that originated your investigation)? | USSG § 8B2.1(b)(5)(7) and (c); USAM 9-28.800 Comment; Chen, Evaluation of Corp. Compliance Programs, pp. 4-5; OECD Handbook, B, p. 10 et seq.; USSG § 8B2.1 Commentary § (7) | |
| Monitoring | Existence of a system – In what ways does the company monitor or audit to ensure that its policies and procedures are working and that its compliance plan is able to detect misconduct? How are the governing board and executive leadership able to assure that accountability, effectiveness, and the company’s values are being preserved? This is a risk management question and one of implementation: boards are obligated to “be knowledgeable about the content and operation of the compliance and ethics program...and exercise reasonable oversight...” Is monitoring based on a risk assessment? Are the monitoring processes in place reasonably designed to provide insight into the identified risk areas? Examples might include process reviews that test internal controls. Has the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third parties? How are the results reported and action items tracked? What control testing has the company generally undertaken? Other mechanisms may include supervisory controls, customer complaint analysis, independent financial audits, SOX reviews, management analytical reviews, and automated transaction monitoring. Are these paper functions, or is there evidence the company actually performs them and responds to the results? | USSG § 8B2.1(b)(1); USSG § 8B2.1(b)(5); FCPA Guide, pp. 61-62; USAM 9-28.800 Comment; OECD Handbook, C.12, p. 72 et seq.; Chen, Evaluation of Corp. Compliance Programs, p. 4 | |
| | Enterprise-wide – Does monitoring cover the entire business line? Did it include the area where the misconduct occurred? Does testing include the confidential reporting system? How has the company learned and adapted based on monitoring efforts? | USSG § 8B2.1(b)(5) | |
| | Payment systems – How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved? | USSG § 8B2.1(b)(1); Chen, Evaluation of Corp. Compliance Programs, p. 4 | |
| | Approval/certification process – How have those with approval authority or certification responsibilities in the processes relevant to the misconduct known what to look for, and when and how to escalate concerns? What steps have been taken to remedy any failures identified in this process? | USSG § 8B2.1(b)(1); Chen, Evaluation of Corp. Compliance Programs, p. 4 | |
| | Vendor management – If vendors were involved in the misconduct, what was the process for vendor selection, and did the vendor in question go through that process? See further questions below under Item 9, “Third Party Due Diligence and Payments.” | USSG § 8B2.1(b)(1); Chen, Evaluation of Corp. Compliance Programs, p. 4 | |
| | Gatekeepers – Has there been clear guidance and/or training for the key gatekeepers (e.g., the persons who issue payments or review approvals) in the control processes relevant to the misconduct? What has been the process for them to raise concerns? | USSG § 8B2.1(b)(1); Chen, Evaluation of Corp. Compliance Programs, p. 4 | |
| | Internal audit – What types of audits would have identified issues relevant to the misconduct? Did those audits occur, and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas? | | |
USSG § 8B2.1(b)(1); USSG § 8B2.1(b)(5)(A)(B); FCPA Guide, pp. 61-62; USAM 9-28.800 Comment; OECD Handbook, C.12, p. 72 et seq.; Chen, Evaluation of Corp. Compliance Programs, p. 4 | ||
Third party management |
Risk-based and integrated processes – How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes? How does the company ensure government contractual or regulatory requirements flow down to subcontracts? Is there a gift policy? For overseas operations, was a risk assessment done specific to local customs and cultural sensitivities? |
Chen, Evaluation of Corp. Compliance Programs. p. 7; FCPA Guide, pp. 60-66; OECD Handbook, C.6, p. 38 et seq. | |
Appropriate controls – What was the business rationale for the use of the third parties in question? What due diligence was completed on the third party prior to entering into a contract? Did they check the debarment list? What mechanisms have existed to ensure that the contract terms specifically described the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered? What monitoring processes are in place to ensure third-party contractor compliance? How often is that reviewed or monitored? |
Chen, Evaluation of Corp. Compliance Programs, p. 7; FCPA Guide, pp. 60-66; OECD Handbook, C.6, p. 38 et seq. | ||
Management of relationships – How has the company considered and analyzed the third party’s incentive model against compliance risks? How has the company trained the relationship managers about what the compliance risks are and how to manage them? How has the company incentivized compliance and ethical behavior by third parties? How has the risk of noncompliance been factored into the company’s risk analysis? |
Chen, Evaluation of Corp. Compliance Programs, p. 7; FCPA Guide, pp. 60-66; OECD Handbook, C.6, p. 38 et seq. | ||
Real actions and consequences – Were red flags identified from the due diligence of the third parties involved in the misconduct and how were they resolved? Has a similar third party been suspended, terminated, or audited as a result of compliance issues? How has the company monitored these actions (e.g., ensuring that the vendor is not used again in case of termination)? |
Chen, Evaluation of Corp. Compliance Programs, p. 7; FCPA Guide, pp. 60-66; OECD Handbook, C.6, p. 38 et seq. | ||
Confidential reporting and investigation |
Reporting system – Does the company have a system to report problems? How is it publicized? Are there various mechanisms to report? How does a complaint activate an alert or incident report that results in a review and possible investigation of the complaint? Is there a complaint management system that reliably collects and reports on complaints received? |
USSG § 8B2.1(b)(5)(C) | |
Anonymous/confidential reporting – Has the company taken reasonable steps to publicize a system that provides anonymity and/or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation? How can the company show that employee names are not known in a reporting system? (e.g., Are IP addresses logged? Is there an attempt to identify the complainant?) |
USSG § 8B2.1(b)(5)(C) | ||
Non-retaliation policy – Are any policies intact that provide for whistleblower protections and retaliation protections for employees who come forward with violations? How is it communicated to employees? How is it implemented? How many employees have taken advantage of the provisions of such a policy? How many of those employees remain employed at the company? How many were fired? How many of those employees were reassigned to a different position, division, supervisor, etc., following their complaint? How many of those employees were promoted at any time after their complaint was lodged? |
USSG § 8B2.1(b)(5)(C) | ||
Effectiveness of the reporting mechanism – How has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information? How is follow-up documented and disposition recorded? Does the company routinely appoint an inquiry official and a responsible official for making sure corrective actions are taken and there are deadlines set for those corrections? |
USSG § 8B2.1(b)(5); Chen, Evaluation of Corp. Compliance Programs, p. 5 | ||
Properly scoped investigation by qualified personnel – How has the company ensured that the investigations have been properly scoped and were independent, objective, appropriately conducted, and properly documented? |
Chen, Evaluation of Corp. Compliance Programs, p. 5 | ||
Response to investigations – Has the company’s investigation been used to identify root causes, system vulnerabilities, and accountability lapses, including among supervisory manager and senior executives? What has been the process for responding to investigative findings? How high up in the company do investigative findings go? |
USSG § 8B2.1(b)(5)-(7); Chen, Evaluation of Corp. Compliance Programs, p. 5 | ||
Compliance industry standards – Did the company fail to incorporate and follow applicable industry practice or the standards called for by any applicable governmental regulation? |
USSG § 8B2.1 Commentary § (2)(B) | ||
Incentives and discipline |
Accountability – What disciplinary actions did the company take in response to the misconduct, and when did they occur? Were managers held accountable for misconduct that occurred under their supervision? Did the company’s response consider disciplinary actions for supervisors’ failure in oversight? What is the company’s record (e.g., number and types of disciplinary actions) on employee discipline relating to the type(s) of conduct at issue? Has the company ever terminated or otherwise disciplined anyone (reduced or eliminated bonuses, issued a warning letter, etc.) for the type of misconduct at issue? |
USSG § 8B2.1(b)(6); FCPA Guide, pp. 59-60; USAM 9-28.800 Comment; OECD Handbook, C.11, p. 68 et seq.; Chen, Evaluation of Corp. Compliance Programs, p. 6 | |
Human Resources process – Who participated in making disciplinary decisions for the type of misconduct at issue? Does the deciding official have a conflict in the content area or related to the people? |
USSG § 8B2.1(b)(6); FCPA Guide, pp. 59-60; USAM 9-28.800 Comment; OECD Handbook, C.11, p. 68 et seq.; Chen, Evaluation of Corp. Compliance Programs, p. 6 | ||
Consistent application – Have the disciplinary actions and incentives been fairly and consistently applied across the organization? Is there a table of penalties for misconduct? Does the company treat employees consistent with the table of penalties or are there differing outcomes? If differing, why? |
USSG § 8B2.1(b)(6); FCPA Guide, pp. 59-60; USAM 9-28.800 Comment; OECD Handbook, C.11, p. 68 et seq.; Chen, Evaluation of Corp. Compliance Programs, p. 6 | ||
Incentive system – How has the company incentivized compliance and ethical behavior? How has the company considered the potential negative compliance implications of its incentives and rewards? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations? |
USSG § 8B2.1(b)(6); FCPA Guide, pp. 59-60; USAM 9-28.800 Comment; OECD Handbook, C.11, p. 68 et seq.; Chen, Evaluation of Corp. Compliance Programs, p. 6 | ||
Remediation – What remedial actions did the company employ? Were there efforts to implement an effective corporate compliance program or to improve an existing one? To replace responsible management? To discipline or terminate wrongdoers? To pay restitution? To cooperate with relevant government agencies? What specific changes has the company made post-violation to reduce the risk that the same or similar issues will occur in the future? What specific remediation has addressed the issues identified in the root cause and missed opportunity analysis? What did the company do to respond to investigative findings promptly and thoroughly? Did the company engage in any conduct to cover up the problem? How was a cover up dealt with? |
USSG § 8B2.1(b)(6), (7), and (c); USAM 9-28.1000; Chen, Evaluation of Corp. Compliance Programs, p. 2 |