U.S. Department of Justice Evaluation of Corporate Compliance Program
Summary
A color coding system is used in the Status column.
I. Is the Corporate Compliance Program Well-Designed?

| Source Document | Narrative | Response | Status |
|---|---|---|---|
| Risk Assessment, P. 2 & 3 | Has the company's Compliance Program (CP) been tailored based on a Risk Assessment (RA), and is it periodically updated? | | |
| Risk Management Process, P. 3 | What methodology has been used, and what metrics have been collected, to address the identified risks? | | |
| Risk-Tailored Resource Allocation, P. 3 | Does the company devote proportionately more time and resources to high-risk areas than to low-risk areas? | | |
| Updates and Revisions, P. 3 | Is the RA subject to periodic review? Are updates to policies and procedures evident in light of lessons learned? | | |
| Policies and Procedures, P. 3 | Are policies and procedures aimed at reducing risk? Does the Code of Conduct (COC) set forth the organization's commitment to compliance? Do policies and procedures incorporate a culture of compliance into day-to-day operations? | | |
| Design, P. 4 | What is the process for designing policies and procedures? Who has been involved, and were Business Units consulted before the documents were rolled out? | | |
| Accessibility, P. 4 | Has the company communicated its policies and procedures to all employees and relevant third parties? Are language barriers addressed? | | |
| Operational Integration, P. 4 | Who has been responsible for the rollout of policies and procedures (P&P)? Do employees understand them? How are P&P reinforced through internal controls? | | |
| Gatekeepers, P. 4 | What guidance and training have been provided to gatekeepers in the control process, e.g. those with approval authority? Do the gatekeepers know how to escalate concerns? | | |
| Training and Communication, P. 5 | Has periodic training been provided to all employees and directors? Does the training include education on prior incidents? | | |
| Risk-based Training, P. 5 | What training has been offered to employees in control functions? Has training addressed the risks in areas where misconduct has occurred? What analysis was performed to determine the content and the risks covered? | | |
| Content and Effectiveness of Training, P. 5 | Is the training offered in appropriate languages? Is it delivered online, in person, or both, and what is the rationale? How does the company measure the effectiveness of the training? How does the company address those who fail the training? | | |
| Communication about Misconduct, P. 5 | What has senior management done to inform employees of the company's position on misconduct? What has been communicated when an employee was terminated for misconduct? | | |
| Availability of Guidance, P. 5 | What resources are offered to employees for guidance on P&P? Has the company assessed whether employees know when and from whom to seek advice? | | |
| Confidential Reporting and Investigation Process, P. 5 | Is there an established, well-trusted mechanism for employees to report allegations anonymously or confidentially? Has the complaint process created a workplace atmosphere free from fear of retaliation, with a process to protect whistleblowers? Are complaints of retaliation appropriately investigated, with timely follow-up and discipline? | | |
| Effectiveness of Reporting, P. 6 | Does the company have anonymous reporting? How has the reporting mechanism been communicated to employees? How has the company assessed the seriousness of allegations? Has the Compliance Officer (CO) had full access to the reporting and investigative information? | | |
| Investigation by Qualified Personnel, P. 6 | How are complaints assessed for merit and further investigation? How does the company ensure that investigations are properly scoped, independent, objective, and properly documented? How does the company determine who conducts the investigation and who makes the determination? | | |
| Investigative Response, P. 6 | Does the company apply timing metrics to ensure responsiveness, and does it monitor the outcomes of investigations to ensure accountability for the findings? | | |
| Resources and Tracking Results, P. 6 | Has the company collected, tracked, analyzed, and used information from its reporting mechanism? Are there patterns of misconduct or other red flags? | | |
| Third Party Management, P. 6 | Does the company assess and understand the qualifications and associations of third parties, e.g. agents, consultants, distributors? Is a business need identified for each third-party transaction? Does the company regularly perform due diligence, audits and monitoring, and/or require annual compliance certifications from the third party? | | |
| Risk-Based and Integrated Process, P. 7 | How has the company's third-party management process corresponded to the nature and level of the enterprise risk identified? Has the process been integrated into procurement and vendor management processes? | | |
| Appropriate Controls, P. 7 | Is there a business rationale for the use of third parties? What mechanisms exist to ensure that services are actually being performed, that payment terms are appropriate, and that compensation is commensurate with the services rendered? | | |
| Management of Relationship, P. 7 | Has the company analyzed the compensation and incentive structure for third parties against compliance risks? Does the company exercise its rights to audit the books and accounts of third parties? How does the company train its third-party relationship managers about compliance risk? How does the company incentivize compliance and ethical behavior by third parties? | | |
| Real Actions and Consequences, P. 8 | Are red flags identified during due diligence of third parties, and how are they addressed? For third parties terminated or involved in misconduct, is there a process to prevent re-engagement? Have third parties been suspended, terminated, or audited as a result of a compliance issue? | | |
| Mergers and Acquisitions (M&A), P. 8 | Is pre-M&A due diligence performed on acquisition targets? | | |
| Due Diligence Process, P. 8 | Was misconduct identified during due diligence? Who conducted the risk review, how was it done, and what is the general process? | | |
| Integration in the M&A, P. 8 | How has the compliance function been integrated into the merger, acquisition, and integration process? | | |
| Process Connecting Due Diligence to Implementation, P. 8 | Is there a process for tracking and remediating misconduct risks identified during due diligence? Are there policies and procedures for newly acquired entities? | | |
II. Is the Corporation's Compliance Program Effectively Implemented?

| Source Document | Narrative | Response | Status |
|---|---|---|---|
| Commitment by Senior and Middle Management, P. 9 | The Board of Directors (BOD) and executives set the tone and demonstrate rigorous adherence by example. Examine how middle management has reinforced standards. The governing authority shall exercise reasonable oversight. | | |
| Conduct at the Top, P. 9 | Senior leaders, through words and actions, encourage or discourage compliance. How have they modelled proper behavior to subordinates? Has management tolerated greater compliance risks in pursuit of new business or increased revenue? | | |
| Shared Commitment, P. 10 | What actions have senior leaders and middle management taken to demonstrate their commitment to compliance, including remediation? Have they persisted in that commitment in the face of competing interests or business objectives? | | |
| Oversight, P. 10 | What compliance expertise has been available on the BOD? Have the BOD and/or external auditors held executive or private sessions with compliance? What types of information have the BOD and senior management examined in their exercise of oversight in the area in which misconduct has occurred? | | |
| Autonomy and Resources, P. 10 | Has the company allocated sufficient personnel and resources to the compliance function? Does the function have sufficient seniority within the organization, sufficient resources, sufficient autonomy from management, and direct access to the Board? | | |
| Structure, P. 10 | Where is the compliance function housed? To whom does the compliance function report? | | |
| Seniority and Structure, P. 11 | How does the compliance function compare with other strategic functions in terms of stature, compensation, rank/title, reporting lines, resources, and access to key decision makers? Has there been turnover in the compliance function? What role does compliance play in operational decisions? Have there been transactions or deals that were stopped, modified, or scrutinized as a result of a compliance concern? | | |
| Experience and Qualifications, P. 11 | Do compliance personnel have the appropriate experience and qualifications for their roles and responsibilities? Has the level of experience and qualification changed over time? Who reviews the performance of the compliance function? | | |
| Funding and Resources, P. 11 | Has there been sufficient staffing for compliance personnel to effectively audit, document, and act on the results of the compliance efforts? Have there been times when requests for resources by compliance and control functions were denied, and on what grounds? | | |
| Autonomy, P. 11 | Do the compliance and relevant control functions have direct reporting lines to anyone on the BOD? How often do they meet with the directors? Are members of senior management present for these meetings? How does the company ensure the independence of the compliance and control personnel? | | |
| Outsourced Compliance Functions, P. 12 | Has the company outsourced all or part of its compliance function to an external firm or consultant? Who is responsible for overseeing the consultant? What level of access does the consultant have to company information? How has the effectiveness of the outsourced process been assessed? | | |
| Incentives and Discipline, P. 12 | Are disciplinary procedures in place and enforced consistently, commensurate with the violation? Is it communicated to employees that unethical conduct will not be tolerated? Are incentives in place to promote the compliance program? | | |
| Human Resources Process, P. 12 | Who participates in making disciplinary decisions, including for the type of misconduct at issue? Is there a consistent process? If not, why not? Are the reasons for disciplinary action communicated to employees? Are there legal or investigative reasons for restricting that information? | | |
| Consistent Application, P. 12 | Are disciplinary actions and incentives applied consistently across the organization? Were similar instances of misconduct treated disparately, and if so, why? | | |
| Incentive Systems, P. 13 | How does the company incentivize compliance and ethical behavior? Are there examples of actions taken as a result of compliance and ethics considerations? Who determines the compensation, bonuses, discipline, and promotion of compliance personnel? | | |
III. Does the Corporation's Compliance Program Work in Practice?

| Source Document | Narrative | Response | Status |
|---|---|---|---|
| Does the CP work in practice? Has the company made significant investments in, and improvements to, the Corporate Compliance Program (CCP) and internal controls? P. 13 | In assessing whether a company's CP was working effectively at the time of the misconduct, did the company perform a root cause analysis to understand what contributed to the misconduct, and what remediation efforts were implemented to prevent it from recurring? | | |
| Continuous Improvement, Periodic Testing and Review, P. 14 | Has the company engaged in meaningful efforts to review its CP and ensure that it is not stale? Gauging the compliance culture, evaluating the strength of controls, and conducting periodic audits and evaluations are crucial. Are revisions to the CP evident in light of lessons learned? | | |
| Internal Audit, P. 14 | What is the process for determining where and how frequently audits are performed? What were the findings? How have management and the BOD followed up? How often are assessments conducted in high-risk areas? | | |
| Control Testing, P. 15 | Has the company audited its CP in the area relating to the misconduct? What testing of controls, analysis of data, and interviews have been undertaken? How are the results reported, and what action is taken? | | |
| Evolving Updates, P. 15 | How often has the company updated its risk assessment, policies, procedures, and practices? Has a gap analysis been completed regarding policies, controls, or training? What steps have been taken to make sure the policies, procedures, and practices make sense for each business segment? | | |
| Culture of Compliance, P. 15 | How often does the company measure its culture of compliance? Is input obtained from all levels of employees? What steps are taken in response to the measurement of the culture? | | |
| Investigation of Misconduct, P. 15 | Does the company have an effective means of documenting its response, disciplinary action, or remediation? | | |
| Properly Scoped Investigation by Qualified Personnel, P. 15 | Have the company's investigations been used to identify root causes, system vulnerabilities, and accountability lapses, including among supervisory managers and senior executives? | | |
| Response to Investigations, P. 15 | Have the company's investigations been used to identify root causes, system vulnerabilities, and accountability lapses, including among senior management and executives? What has been the process? | | |
| Analysis and Remediation of Any Underlying Misconduct, P. 16 | Does the company perform a root cause analysis of misconduct and remediate the cause? What were the number and level of corporate employees involved, and the seriousness, duration, and frequency of the misconduct? Did the remedial action (including disciplinary action against past violators) include revisions to the CCP in light of lessons learned? | | |
| Root Cause Analysis, P. 16 | What is the company's root cause analysis of the misconduct at issue? Were systemic issues identified? Who in the company was involved in making the analysis? | | |
| Prior Weaknesses, P. 16 | What controls failed? Were the policies and procedures that should have prohibited the misconduct effectively implemented, and were the functions that owned those policies and procedures held accountable? | | |
| Payment Systems, P. 16 | How was the misconduct in question funded (purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved? | | |
| Vendor Management, P. 17 | If vendors were involved in the misconduct, what was the process for vendor selection, and did the vendor undergo that process? | | |
| Prior Indications, P. 17 | Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures, or allegations, complaints, or investigations? What is the company's analysis of why such opportunities were missed? | | |
| Remediation, P. 17 | What specific changes has the company made to reduce the risk that the same or similar issues will recur? What remediation has addressed the issues identified in the root cause and missed-opportunity analyses? | | |
| Accountability, P. 17 | What disciplinary actions did the company take in response to the misconduct, and were they timely? Were managers held accountable? Was disciplinary action imposed for failure to supervise? What is the company's record (number and type) of employee discipline relating to the types of conduct at issue? Has the company ever terminated or disciplined employees (reduced or eliminated bonuses, written warnings) for the type of misconduct at issue? | | |