Michele Edwards: Data analysis underlies new DOJ guidance

The Justice Department’s “Evaluation of Corporate Compliance Programs” outlines 11 topics and 119 questions that the Fraud Section commonly considers when evaluating corporate compliance programs in the wake of criminal misconduct.

Data lies at the core of the recent guidance. As the DOJ makes clear, compliance and legal professionals are expected to leverage data, metrics, and other objective evidence to demonstrate a compliance program is working effectively.  

Data analysis extends far beyond the basics. Training program completion rates and code of conduct confirmation statistics are no longer sufficient. Companies need to use meaningful data to assess and remediate corporate compliance programs, as well as to prove program effectiveness. 

Here are examples of some compelling metrics to demonstrate the effectiveness of a compliance program specific to criminal investigations of alleged FCPA violations and related anti-bribery and anti-corruption programs.

Look at the number of transactions or deals that were stopped, modified or more closely examined as a result of compliance concerns. For example, how many payment transactions were more closely examined by Compliance or Legal for bribery and corruption concerns? How many new business deals were cancelled as a result of rejecting a prospective customer’s request for consideration because it demonstrated characteristics of a bribe?

Examine the number of requests for resources by Compliance and Control functions that have been denied.

How many audits did Internal Audit perform in an area related to misconduct? For example, how many payments did Internal Audit flag because they demonstrated characteristics of bribery and corruption?  How many new internal controls were implemented in response to Internal Audit findings surrounding bribery and corruption?

Examine the number of red flags identified as a result of due diligence on third parties. 

How many third parties were suspended, terminated or audited for compliance issues? For example, how many vendor relationships were terminated as a result of bribery and corruption concerns?  

Look at the number of third parties an acquisition target re-evaluated under the acquirer’s standards/policies. For example, how many consultants, distributors, or joint venture partners did the acquirer re-perform third-party due diligence on if the target’s third-party anti-corruption due diligence procedures were deemed ineffective?

How many audits were conducted on acquired business units?

The new guidance also makes clear that data analytics and metrics are a critical part of the execution of a corporate compliance program, including in areas such as:

  • Analysis and remediation of underlying misconduct. A root cause analysis of identified misconduct is expected.  It is often the case that data analyses can be developed to identify situations in which the root causes either would have prevented or detected the misconduct, and would be expected as part of the remediation processes. Establishing and testing the effectiveness of those analyses requires multi-disciplinary skill sets.
  • Risk assessment and continuous improvement, periodic testing and review. The DOJ guidance makes it clear that companies must collect data and metrics to help detect potential misconduct as part of the information gathering and data analysis stage of risk assessments. In addition, monitoring, internal control testing and auditing should collect and analyze compliance data in order to properly monitor and audit for red flags. Tailored data analytical procedures must be applied in order to root out potential misconduct.

The DOJ has provided a roadmap, though not a checklist or “silver bullet,” on its anticipated evaluation of the effectiveness of corporate compliance programs. Data can prove extremely effective in helping compliance and legal professionals to successfully make their case for the effectiveness of these programs and meet increasing levels of regulatory scrutiny. 


Michele Edwards is a Managing Director with StoneTurn in Chicago. Michele has more than 20 years of combined experience in fraud and compliance risk management and financial statement auditing. She specializes in assessing and implementing antifraud and compliance programs, risk assessments, fraud and compliance training, fraud detection and forensic investigations.




  1. Great post!
    Yet another piece of evidence that the corporate world is catching up after the financial industry's long-standing data analytical regulatory requirements.

  2. Excellent article Michele.
    You had some really good metrics including the internal control impact and auditing of third parties. At CPA Global, we included number of Level 2 Due Diligence reports on third parties relational to the risk based schedule. To that end we also included targets on receipt of updated third party questionnaires and revised risk scoring on third parties per year.
