The Department of Justice Issues Guidance on How It Determines the Effectiveness of a Compliance Program

Recently, the Department of Justice’s (“DOJ”) Fraud Section released guidance entitled “Evaluation of Corporate Compliance Programs,” (“Compliance Memorandum”), which highlights how federal prosecutors investigate the adequacy of an organization’s compliance program during a criminal investigation. The Compliance Memorandum provides additonal guidance for compliance officers who are working to build/enhance their organization’s compliance program.

The Compliance Memorandum contains a list of eleven (11) important topics and sample questions used to determine the effectiveness of the compliance program. Below is the list of the topics and an overview of the sample questions:

Analysis and Remediation of Underlying Misconduct

• Root cause analysis of misconduct
• Indicators of possible non-compliance
• Remediation actions by the organization to address the non-compliance

Senior and Middle Management Involvement

• Conduct at executive leadership level’s commitment to the organization’s compliance program and remediation efforts
• Examples of a “shared commitment” between leadership and stakeholders (e.g., revenue cycle, business and operations, HR, legal, etc.)
• Board and executive leaders exercise of oversight responsibility

Autonomy and Resources

• Compliance role in misconduct
• Stature, independence/autonomy, funding and empowerment of the compliance program
• Experience and qualifications of the Compliance Officer

Policies and Procedures

• Design and implement policies and procedures to prohibit misconduct
• Accessible by employees and 3^rd parties (appropriateness of the communication)
• Adopting effective policies and procedures
• Controls to detect and prevent misconduct
• Integration of policies and procedures into the organization’s operations

Risk Assessment

• Risk management process to identify, analyze and address risks
• Collection and analysis of information/metrics to detect misconduct

Training and Communications

• Training to relevant employees regarding high risk areas and misconduct
• Form and content is appropriate for the intended audience and is effective
• Availability of guidance/resources to employees regarding compliance policies

Confidential Reporting and Adequate Internal Investigation

• Effective reporting mechanism that collects, analyzes and uses information to investigate
• Investigations are properly scoped and performed by qualified personnel
• Response to investigations is appropriate (e.g., identifies root cause, system vulnerabilities and accountability lapses)

Incentives and Disciplinary Measures

• Accountability of all employees, including management, for wrongdoing
• Implementation of disciplinary actions and incentives
• Consistent and fair application of disciplinary actions and incentives

Continuous Improvement, Periodic Testing and Review

• Audit work plan includes the type and frequency of internal audits, and testing and monitoring based on risks, including remediation actions
• Regular updates to risk assessments, compliance policies, procedures and practices

Third-Party Management

• Third-party management process corresponds to the nature and level of the enterprise risk identified and is integrated into the procurement and vendor management processes
• Appropriate controls to manage third party arrangements (e.g., screening and monitoring)
• Training of relationship managers on third-party compliance risks

Mergers and Acquisitions

• Identification of compliance risks in merger and acquisition transactions during the due diligence process
• Integration of compliance in the mergers and acquisitions process
• Process for connecting risks identified during due diligence to implementation

Compliance Memorandum: Five Key Take-Aways

The Compliance Memorandum puts compliance officers (and organizations) on notice that a compliance program must not only be effective on “paper” but more so in practice. This guidance is a valuable resource that provides guidance for compliance officers that seek to establish (and evaluate) a compliance program that (may) satisfies federal regulator’s expectation of what is an effective compliance program.

How should you utilize this guidance?

1. Review the topics and sample questions outlined in the Compliance Memorandum to evaluate the design and day-to-day application of your compliance program.
2. Present the Compliance Memorandum to the Board and executive leadership to emphasize the federal government’s position on the importance of the organization’s tone-at-the-top (i.e., fostering culture of compliance).
3. Evaluate your risk management and audit and monitoring processes to ensure the compliance program is tailored to your organization’s specific needs, risks and challenges.
4. Review the compliance budget and personnel allocation to determine if the compliance program is well-funded, has the necessary resources devoted, and is autonomous and empowered to detect, protect and deter non-compliance.
5. Assess the effectiveness of your compliance program periodically utilizing internal and external resources by:
   • Conducting a compliance survey to determine if compliance is meaningfully integrated within your organization;
   • Testing policies and procedures to ensure they are properly implemented and if they are valid/out dated; and
   • Performing an annual risk assessment to identify risks and set priorities for your auditing and monitoring activities

For more information on how we can assist you in evaluating the effectiveness of your compliance program, contact us today.