The US Department of Justice (DOJ) recently released a checklist of factors that its attorneys will use in evaluating corporate compliance programs. A common theme is ensuring that an effective program is tailored to specific risks and regularly re-assessed.

While not a change from past practice, it helps clarify what companies can expect from the DOJ. The eight-page checklist draws on the much lengthier US Sentencing Guidelines, US Attorney’s Manual, and the FCPA Guide, among other materials.

The checklist is designed as a look backwards, after misconduct has occurred, but can also be used to help companies proactively strengthen their compliance programs. One unique point to consider is “stature”—how does the compliance function compare to other strategic functions in terms of stature, pay, title, resources, and access to key decision-makers, including private sessions with the board and auditors? Similarly, have requests by compliance for resources been denied? And have deals been stopped, modified, or more closely examined as a result of compliance concerns?

While a meaningful compliance program should, of course, be tailored to specific risks, some of the other considerations from the DOJ include:

Compliance culture

  • Is senior and mid-level management setting a tone of compliance?

  • Is the Board of Directors providing additional oversight of compliance?

  • Is the company incentivizing compliance by taking appropriate disciplinary actions against both employees engaging in misconduct and their managers?

Compliance resources and expertise

  • Is the compliance department adequately staffed and funded?

  • Do employees regularly receive guidance that is tailored to the specific risks faced by each area and to the employees’ language and other abilities?

Policies and procedures

  • Have the company’s compliance policies and procedures been effectively communicated to relevant employees and third parties?

  • Does the company routinely reassess the effectiveness of its policies and procedures?

Risk assessment

  • Does the company take appropriate steps to gather information or metrics to identify, analyze, and address risks?

Internal audits and investigations

  • Is the company conducting regular internal audits that are appropriately scoped to identify areas of possible misconduct, particularly in high-risk areas?

  • Is the company fully investigating reports of misconduct in a way that is appropriately scoped, independent, objective, and documented?

  • Is the company appropriately responding to findings of investigations in a manner that targets root causes of misconduct?

Third party management

  • Does the company conduct appropriate due diligence on vendors and other third parties that analyzes those parties’ own compliance structures?