DOJ Updates Corporate Compliance Program Evaluation Guidance

First, DOJ updated its interpretation of one of the three “fundamental questions” that an evaluating prosecutor should ask. In addition to determining whether the company’s compliance program (1) is well designed and (2) works in practice, prosecutors should also consider (3) whether the program is being applied earnestly and in good faith. The updated guidance explains that this third question requires prosecutors to determine if the program is “adequately resourced and empowered to function effectively.” 

Second, prosecutors are instructed to determine whether the company is actively modifying its program to conform to best practices, including lessons learned internally as well as from government enforcement actions against others. New areas for inquiry include:  

  • Whether the company’s periodic review of its risk assessment is “limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions?” and whether this review has “led to updates in policies, procedures, and controls?”
  • Whether the company has “a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?”
  • Whether the company tracks who accesses its policies to determine which “policies are attracting more attention from relevant employees,” which can alert the company to potential problems.
  • Whether compliance personnel have sufficient access to sources of data to permit effective control testing and monitoring and what impediments exist to this access.

Third, the updated guidance focuses on evaluating the mechanics of employee training and testing, including determining:

  • Whether compliance policies and procedures are available in a searchable format.
  • Whether training is conducted online or in-person (or both) and how employees can ask follow-up questions.
  • How the company evaluates whether and to what extent compliance training impacts employee behavior.
  • Whether the company tests whether employees are aware of and comfortable using the compliance hotline.

These factors, and others unchanged from prior iterations of the guidance, are to be considered in light of each company’s “size, structure, and risk profile” and other relevant circumstances.

Finally, the guidance stresses that prosecutors should consider a company’s compliance program “both at the time of the offense and at the time of the charging decision and resolution,” which DOJ already does in practice. “[P]rosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”  For an example of the important role that post-incident compliance modifications can play in securing a favorable resolution, see my recent article, “Corporate Criminal Liability in the COVID-19 Era:  Compliance Programs Offer Companies an Opportunity to Mitigate Risk,” which discusses lessons from a recent deferred prosecution agreement.

Disclaimer: This post does not offer specific legal advice, nor does it create an attorney-client relationship. You should not reach any legal conclusions based on the information contained in this post without first seeking the advice of counsel.