The Justice Department’s “Evaluation of Corporate Compliance Programs” outlines 11 topics and 119 questions that the Fraud Section commonly considers when evaluating corporate compliance programs in the wake of criminal misconduct.
Data lies at the core of the recent guidance. As the DOJ makes clear, compliance and legal professionals are expected to leverage data, metrics, and other objective evidence to demonstrate a compliance program is working effectively.
Data analysis extends far beyond the basics. Training program completion rates and code of conduct confirmation statistics are no longer sufficient. Companies need to use meaningful data to assess and remediate corporate compliance programs, as well as to prove program effectiveness.
Here are examples of some compelling metrics to demonstrate the effectiveness of a compliance program specific to criminal investigations of alleged FCPA violations and related anti-bribery and anti-corruption programs.
Look at the number of transactions or deals that were stopped, modified or more closely examined as a result of compliance concerns. For example, how many payment transactions were more closely examined by Compliance or Legal for bribery and corruption concerns? How many new business deals were cancelled as a result of rejecting a prospective customer’s request for consideration because it demonstrated characteristics of a bribe?
Examine the number of requests for resources by Compliance and Control functions that have been denied.
How many audits did Internal Audit perform in an area related to misconduct? For example, how many payments did Internal Audit flag because they demonstrated characteristics of bribery and corruption? How many new internal controls were implemented in response to Internal Audit findings surrounding bribery and corruption?
Examine the number of red flags identified as a result of due diligence on third parties.
How many third parties were suspended, terminated or audited for compliance issues? For example, how many vendor relationships were terminated as a result of bribery and corruption concerns?
Look at the number of third parties an acquisition target re-evaluated under the acquirer’s standards/policies. For example, how many consultants, distributors, or joint venture partners did the acquirer re-perform third-party due diligence on if the target’s third-party anti-corruption due diligence procedures were deemed ineffective?
How many audits were conducted on acquired business units?
The new guidance also makes clear that data analytics and metrics are a critical part of the execution of a corporate compliance program, including in areas such as:
- Analysis and remediation of underlying misconduct. A root cause analysis of identified misconduct is expected. It is often the case that data analyses can be developed to identify situations in which the root causes either would have prevented or detected the misconduct, and would be expected as part of the remediation processes. Establishing and testing the effectiveness of those analyses requires multi-disciplinary skill sets.
- Risk assessment and continuous improvement, periodic testing and review. The DOJ guidance makes it clear that companies must collect data and metrics to help detect potential misconduct as part of the information gathering and data analysis stage of risk assessments. In addition, monitoring, internal control testing and auditing should collect and analyze compliance data in order to properly monitor and audit for red flags. Tailored data analytical procedures must be applied in order to root out potential misconduct.
The DOJ has provided a roadmap, though not a checklist or “silver bullet,” on its anticipated evaluation of the effectiveness of corporate compliance programs. Data can prove extremely effective in helping compliance and legal professionals to successfully make their case for the effectiveness of these programs and meet increasing levels of regulatory scrutiny.
Michele Edwards is a Managing Director with StoneTurn in Chicago. Michele has more than 20 years of combined experience in fraud and compliance risk management and financial statement auditing. She specializes in assessing and implementing antifraud and compliance programs, risk assessments, fraud and compliance training, fraud detection and forensic investigations.