The Checklist That’s Not A Checklist Part 3: What does the new guidance from the DOJ Fraud Section mean?


The Department of Justice Fraud Division released the Evaluation of Corporate Compliance Programs in the middle of February without any announcement or fanfare. Is it a checklist? It looks like a checklist, but the DOJ says it's not a checklist or formula. Some of the information in the Evaluation you've heard before, but the "checklist" expands on it. If it's not a checklist, what does it all mean? How can it help you? Eric examines each of the Sample Topics and Questions that the DOJ puts forth in this new guidance.

In the first of what has turned into a three-part series, Eric discusses in depth five of the Sample Topics and Questions covered in the Evaluation. In that edition, Eric talks about:

  1. Remedying Misconduct
  2. Involvement of Senior and Middle Management in the Program
  3. Compliance Autonomy and Resources
  4. Policies and Procedures
  5. Risk Assessment

This week, in part two of this special edition, Eric delves into:

  1. Training and Communication
  2. Confidential Reporting and Investigations

In part three, Eric will cover:

  1. Incentives and Disciplinary Measures
  2. Continuous Improvement, Periodic Testing and Review
  3. Third Party Management
  4. Mergers and Acquisitions


If you have a question you want answered on the podcast be sure to reach out below.

LinkedIn - Eric Morehead


>> Welcome to Compliance Beat, the podcast for compliance and ethics professionals. We provide practical insights and answer your questions about compliance and ethics. Together we'll stay up to date on current trends so that your program stays effective. Brought to you by Morehead Compliance Consulting. Here's your host, Eric Morehead.

Hi, and welcome to the third part of a three-part special edition of the podcast, where we're talking about the Evaluation of Corporate Compliance Programs document that came out of the Fraud Section at the US Department of Justice just a few weeks ago. We've been walking through the different parts of the document, and I'm gonna continue on today and finally finish talking about the last few sections.

If you haven't already subscribed to Compliance Beat please do that on our website or on iTunes. Please give us a review, if you have the time to do so, we sure appreciate it. And also check us out at We have some other additional resources there that you might wanna check out.

The next part, incentives and disciplinary measures, looks into an area that I think is also, I wouldn't say commonly overlooked, but less well developed. The first section talks about accountability and discipline, and how a company resolves and responds to misconduct. It relates to the things we were just talking about.

Were managers held accountable, is a question. Did the company's response consider disciplinary actions for supervisors? So they're really looking at what the company did to discipline in a systematic way for the failure or misconduct. And they're focusing, really, really focusing on data and risk evaluation here, because they ask, what is the company's record?

E.g., number and type of disciplinary actions on employee discipline relating to the types of conduct at issue. So what's the history here? What are the trends? So you need to be able to show when there's been a failure or something of this kind, or an investigation that has led to disciplinary action.

How does that relate? What's the history behind that? Are there trends around that particular type of misconduct? Did you catch that, and how did you react to that? And how did the systems, both on the front end and the back end, change based on that? And you're gonna wanna be able to show the disciplinary results.

Going back to the transparency issue that we talked about earlier, being able to communicate about this: you need to be able to show consistency, show that you have a disciplinary system that is consistent. You need to be able to communicate about it, and you need to be able to show the data.

The second bullet under this section is what's titled Human Resource Process, and it's one simple question. Who participated in making disciplinary decisions for this type of misconduct at issue? So again, going back to the first point, what's the system? What do you have in place? How consistent is it?

How is it communicated? Not just the results, but how is the disciplinary process communicated, in your code of conduct or externally? If you don't describe what the investigation and disciplinary processes for compliance are, then you're not only missing a great opportunity, but also you're not documenting a process that needs to be documented.

The third bullet I've already mentioned, consistency. How consistent is the application of a disciplinary result across the board? If you have a similar issue or the same issue that keeps coming up, are all parties treated equally? Is there consistency in the disciplinary action? And interestingly, they also include, when they're talking about consistency: are incentives consistently applied across the organization?

And that leads to our last bullet, the incentive system. The opening salvo here is, how has the company incentivized compliance and ethical behavior? What do you have in place, what is your incentive program, and secondly, have you considered potential negative compliance implications of incentives?

And they say "and rewards." I think what they're contemplating here is, I know that some organizations, although a minority of organizations, particularly around whistleblowers, have included a bounty or reward program for people coming forward and making reports or claims. I think most organizations have not gone that way, and there are good reasons not to do that, and I think I discussed that in the whistleblower podcast.

If I didn't, I might have a separate podcast in the future. But I think there are good reasons why you wanna avoid those sorts of incentives. But you need to have incentives. It's in the sentencing guideline standards, and now it's in this guidance. So what program do you have?

Can you explain your program? Is it systematic? And can you show specific examples of actions taken, e.g., promotions or awards denied as a result of compliance and ethics considerations? Do you consider ethics in promotion? Do you consider ethics in whether a manager gets an incentive? Whether managers' goals include ethics considerations?

We've talked in the past about how that's probably the best, easiest way to start to integrate incentives into your program: to have some objective criteria for managers that makes sure that the manager has some skin in the game. The ninth section is continuous improvement, periodic testing and review.

So this is our monitoring and auditing portion, and the first bullet under this section, or the first check box, it's not a check box [LAUGH], is internal audit, no surprise here. Internal audit, I think, has been getting more focus over the last few years. And it should be, because again, if we're having a risk-based program, if we're using data to drive our programs, then our best friend is internal audit.

The questions here are pretty straightforward. What types of audits would have identified issues relevant to the misconduct, and did they occur? What types of audit findings and remediation progress have been reported to management? So you've done these audits; the question is, did you implement changes that were suggested, and if not, why not?

And did you report it to the board and management of the organization? And what was the follow-up? This is really important: what happened after the audit concluded? It perhaps had suggestions. You either took those suggestions, modified the suggestions, or did not take those suggestions. What was the follow-up there?

And then lastly, how often has internal audit conducted assessments in high-risk areas? Internal audit may not be looking at everything each year, but the audit plan of the internal audit function of your organization, particularly if you have a mature internal audit function, should be looking at pieces, I would say at least on an annual basis, in their plan.

If not, I think you need to have some reasonable explanation as to why it's not occurring. The second bullet is control testing. Has the company reviewed and audited its compliance program and areas relating to misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third parties?

So are you doing a risk assessment? Are you doing a program assessment on a regular basis? Are you looking at the program, as the sentencing guidelines suggest, on a periodic basis? What is a periodic basis? Well that obviously varies from organization to organization. But are you doing it on a regular basis?

Do you have a plan in place as to how frequently you're going to do that sort of compliance review? And if you don't, what's your justification for that? The follow-up there also is, how do you do it, how are results reported, and are the follow-up actions on those recommendations tracked? And what testing do you undertake?

I think that's all part and parcel of a periodic review. And this is separate and apart from internal audit. I think this is an important distinction. I think sometimes these two areas get blurred. But this is a separate thing. This is looking at your process. This is not looking at an individual piece or compliance risk that internal audit might look at.

This is looking at your program, your resources, from code of conduct to monitoring and auditing, to training and communication. All seven hallmarks of the program. And then the last bullet, I think, reinforces what we've said a couple times here in the last couple of minutes. How often do you do it?

And do you have a plan for doing it? It's called evolving updates. And it asks, how often have you done risk assessments? Reviewed policies, procedures and practices? What steps have you taken to determine whether those policies, procedures and practices make sense moving forward? So, do you have a plan?

This is the periodic piece: how often are you gonna examine your compliance program, review it? Do you go to an outside party, for example, and if you do, what's that process? And how do you maintain consistency? This whole thing you need to consider, and you need to be able to show, document, the fact that you have a plan in place.

Then the last two pieces of guidance are third party management, and mergers and acquisitions. A lot of this comes directly out of the guidance for the FCPA that came out a couple of years ago. And on first blush I think some might say, well, this is stuff that really pertains to organizations that have, or will have, that risk, anti-corruption risk. And that doesn't really apply to us, we're making widgets in Missouri, so we don't really have that sort of risk.

I don't think that's true, although again the citations, the sources for this information in this document, are the FCPA guide. It's important to note that this document, this Evaluation of Corporate Compliance Programs, is not just for anti-corruption issues, it's for any compliance issue. And these two issues are important for everyone, and it's important because you have third party risk even if you don't have a single anti-corruption risk. And that's, in this highly connected world with a lot of sourcing coming from international areas, hard to even imagine, but just let's take it as read that you don't have anti-corruption risk.

You still have third party management and third party compliance risk. And so you need to take this into account. So under third party management, the first bullet is risk-based and integrated processes. What they're asking here is, have you looked into your third party risk? And after you've identified it, how have you integrated processes into things like procurement and vendor management to address those issues?

I would extend it out even broader than that. Although they specifically talk about procurement and vendor management, there can be a lot of other potential third-party risk out there as well. But the key thing here is, have you evaluated it, determined what kind of third-party risk you have?

And have you integrated it into your processes? And they again particularly point out procurement and management. And that's, again, not just for anti-corruption, but broadly speaking. The second bullet here, appropriate controls, is really due diligence. They ask some very basic due diligence questions that you would ask whenever you bring on a third party.

Why are you bringing on a third party? What's the business rationale? And how are you reviewing and including contractual terms that assure compliance with your responsibilities by that third party? The third bullet, management of relationships, is ongoing monitoring. So, we do the diligence on the front end when we select these parties and make sure we've got them properly.

But that's not the end. How do you manage those relationships with those third parties, and the risk associated with them, moving forward? What kind of systems do you have in place? How have you trained those responsible for those relationships with third parties to monitor and manage those relationships moving forward?

And they talk about incentives here: how has the company incentivized compliance amongst those third parties? What have you done to encourage the third parties you do business with to comply with compliance standards? And then lastly, something that is titled very directly, real actions and consequences. What do you do when there is an issue?

When you notice, either in due diligence or in the ongoing monitoring process, that a third party has potentially engaged in misconduct, how do you handle it? How do you investigate it? How do you resolve an issue once you've determined that it is actual misconduct? Do you terminate the relationship?

If not, why not? How do you handle those situations? Another one here that is not specifically mentioned, well, it is mentioned as auditing, but if you have audit rights in your contractual relationship. This is a biggie that I talk to organizations about a lot. If you have audit rights, and you've never invoked your audit rights with an organization, you need to be prepared to explain why.

The last section, again, I think traditionally when you would look at a list like this and you saw that it came from the FCPA guidance, you'd say, well, this is about corruption. And that's mergers and acquisitions, and how an organization handles mergers and acquisition conduct. The first is the due diligence process up front.

How, during the due diligence process, do those responsible for the deal investigate issues of compliance misconduct? What's their process, how deeply do they investigate, and who conducts that review? You need to be able to defend, during that process, that you were keeping compliance issues, misconduct issues, top of mind in the acquisition process.

How hard do you push to get information from an acquisition target around these issues? That can sometimes be a very touchy subject, and those involved with a deal sometimes don't want to ask those questions and don't want to push. But the downside is that if you can't justify your behavior prior to the merger, on the back end you're gonna have a lot of consequences.

The second bullet is, how is compliance integrated into the function? And this really supports the first, I think. If you have a philosophy in your mergers and acquisitions process that compliance has a seat at the table, then you're more likely to be able to discover those issues up front.

Because presumably the person responsible for compliance would say, hey, this is a black box here and we really need to know more about this before we pull the trigger. So, compliance needs to have a seat at the table. There needs to be some thought about how the organizations are going to merge, not just their business operations but their legal and compliance operations as well.

And they need to be involved in the process. And then the third and last, well it is, how do you follow up? What's the process for connecting the due diligence to implementation? That's the actual phrase. So during the due diligence process, during the acquisition process, you discovered either some misconduct or some issues, some controls that were lacking; what's the follow-up?

What's the process? What's the plan? How are you gonna move forward? You need to be able to show that you have a plan to do that. So, that's it, and that was really a run-through. I recognize this is about twice as long as the first part. I tried to break it in half, but I think I failed. [LAUGH] But I do plan to come back and take some more time to parse this out in the future. But I did want to kinda give some initial thoughts. Again, as I mentioned in the very first part of this, none of this is brand new, but it's interesting what they've pulled out, isn't it?

It's very different than what I think many of us would've expected. It's very data driven. It's very, very data driven. It's very risk oriented, and that dovetails, though, with what we've heard from them for the last few years about how they wanna focus on risk, and how they wanna focus on having information back up the choices you make in your compliance program.

This is a sea change, folks. It's been happening, we've been monitoring it, we've been seeing it over the last few years, but they expect us to continue to evolve and be more data driven, be more cognizant of risk as we move forward as a profession.

Well, thanks for joining us for this third and final special edition of Compliance Beat on the new Evaluation of Corporate Compliance Programs guidance, or the checklist that's not a checklist. It took me a few parts to get it done, but I got it done, yay! Again, check us out at, subscribe if you haven't already, give us a review on iTunes if you haven't already, and go to Morehead for further resources.

We're gonna redesign our web page there, and we're gonna be putting more resources up on the page as we move along. Thanks, and till next time.

>> Thanks for listening to Compliance Beat. Check out our website. This podcast is brought to you by Morehead Compliance Consulting. Be sure to check it out at