United States: Justice Department Reveals How It Evaluates Corporate Compliance Programs

Steven Gordon is a Partner in Holland & Knight's Washington, D.C. office.


  • The U.S. Department of Justice Fraud Section recently published its "Evaluation of Corporate Compliance Programs," which outlines how it assesses the effectiveness of a corporate compliance program.
  • The publication is divided into 11 areas and sets forth the questions that the Fraud Section commonly asks in determining whether to bring charges or in negotiating plea or other agreements.
  • Companies can use the guidance to help improve the functioning of their compliance programs and reduce the risk of facing prosecution for misconduct.

The U.S. Department of Justice (DOJ) Fraud Section recently published its "Evaluation of Corporate Compliance Programs" that lists 1) the topics it explores and 2) the questions it asks when it assesses the effectiveness of a corporate compliance program in the course of determining whether to bring charges or when negotiating plea or other agreements. This document is a valuable tool not only for companies under criminal investigation but also for any company that wants to objectively evaluate the effectiveness of its existing compliance program. It enables a company to ask itself the hard questions about its compliance program's effectiveness in order to avoid a situation where it might have to answer those same questions being posed by a prosecutor.

The 11 topics covered below canvass the elements of an effective compliance and ethics program laid out in the Sentencing Guidelines, with some modifications.

1. Analysis and Remediation of Underlying Misconduct. Since the document is designed for prosecutors, it starts from the premise that misconduct has been identified. What is the company's root cause analysis of the misconduct at issue? What systemic issues were identified? Who performed the analysis? Were there audit reports or other prior opportunities to detect the misconduct? What is the company's analysis of why warning signs were missed? What specific changes has the company made to ensure the same or similar issues will not occur again?

2. Senior and Middle Management. Next are a series of questions about the conduct at the top of the company. Did senior leaders encourage or discourage the type of misconduct in question? What actions have senior and middle management taken to demonstrate a commitment to the company's compliance and remediation efforts? Does the board of directors meet privately with top compliance officials? What oversight took place in the area in which the misconduct occurred?

3. Autonomy and Resources. These questions focus on the compliance unit. What role, if any, did compliance play with respect to the misconduct — was it involved in relevant training or decisions? What stature does compliance have in the company in terms of compensation levels, rank, reporting line and access to key decision-makers? Do compliance personnel have the appropriate experience and qualifications? Do they have sufficient resources? Do they have independence to pursue and report the results of their investigations? How has the company responded to any concerns raised by the compliance unit?

4. Policies and Procedures. These questions probe the design, implementation and effectiveness of the company's compliance program. How has the company designed and implemented its compliance policies and procedures? Was there a policy or procedure that prohibited the misconduct at issue? Has clear guidance and/or training been provided to key gatekeepers (e.g., the persons who issue payments or review approvals) in the control processes relevant to the misconduct? How has the company communicated its policies and procedures to relevant employees and third parties? How have policies been rolled out and implemented? What controls failed or were missing? How was the misconduct funded? Did an approval or certification process fail?

5. Risk Assessment. These questions concentrate on risk assessment and management. How has the company identified, analyzed and addressed the risks it faces? What information has the company collected and used to help detect misconduct? How has the risk assessment process accounted for manifested risks?

6. Training and Communications. These questions explore the effectiveness and specific content of training programs and informational resources provided to employees. Has the company provided tailored training for high-risk and control employees in the area where the misconduct occurred? How does the company determine who should be trained and on what subjects? How has the company measured the effectiveness of its training? How does senior management advise employees when an employee is terminated for failure to comply with policies, procedures or controls? What additional guidance resources are available to employees? Do employees know about these resources?

7. Confidential Reporting and Investigation. These questions focus on the effectiveness of reporting processes and how companies have handled investigations. How has the company collected and assessed information reported to it? Has the compliance unit had access to all such information? How has the company ensured that investigations are independent, objective, and properly scoped, conducted and documented? How does the company respond to investigative findings? How high up in the company do such findings go?

8. Incentives and Disciplinary Measures. These questions focus especially on the issue of accountability for misconduct. What disciplinary actions were taken and when? Were managers held accountable for misconduct that occurred under their supervision? What is the company's overall record on employee discipline (relating to the type of conduct at issue), including the number and types of disciplinary actions? Has the company ever terminated or otherwise disciplined anyone for the same or similar misconduct? Have disciplinary actions been fairly and consistently applied across the organization? Who makes the disciplinary decisions? How has the company incentivized compliance and ethical behavior?

9. Continuous Improvement, Periodic Testing and Review. These questions explore a company's internal audit process and how it updates its risk assessments and compliance policies, procedures and practices. What types of internal audits are conducted? Did they identify the misconduct at issue? If not, why not? How often are internal audits performed in high-risk areas? What internal audit findings are reported to management and the board on a regular basis? What control testing has the company performed? How often has the company updated its risk assessments and reviewed its compliance policies and procedures?

10. Third Party Management. These questions come into play when the misconduct involves third parties, such as agents (a recurring issue under the Foreign Corrupt Practices Act). What is the business rationale for using the third party? How does this correspond to the nature and level of the enterprise risk identified by the company? Has the company analyzed the third party's incentive model against compliance risks? How has the company monitored the third party? What mechanisms exist to ensure that the contract adequately specifies the services to be performed by the third party, that the described work is performed, that the payment terms are appropriate and that the compensation is commensurate with the services performed? What action (e.g., suspension, termination or audit) has been taken with respect to a third party where compliance issues have arisen?

11. Mergers and Acquisitions (M&A). The final topic deals with problems inherited through a merger or acquisition. The focus of the questions is on both the due diligence process before the M&A and the integration process following the M&A. Was the misconduct identified during due diligence? How is due diligence geared toward identifying risks? How is the compliance function integrated into the M&A process? What has been the company's process for implementing compliance policies and procedures at new entities?

A company that asks itself these questions, answers them candidly and takes any needed corrective actions will improve the functioning of its compliance program. It will also reduce the risk that it will ever have to answer these questions to the satisfaction of a prosecutor who is considering whether to prosecute the company for misconduct.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
