Audit, Compliance and Risk Blog

Latest Department of Justice Guidance for Evaluating Corporate Compliance Programs in Criminal Investigations

Posted by Jon Elliott on Tue, May 23, 2017

Earlier this year, the US Department of Justice (DOJ) Fraud Section issued additional enforcement guidelines to US Attorneys, entitled “Evaluation of Corporate Compliance Programs.” DOJ’s US Attorneys perform these evaluations to weigh whether and how severely an organization might be charged for illegal conduct by directors, officers, or other employees. But individuals may be committing crimes to further the organization’s goals (remember Volkswagen’s recent use of fraudulent means to defeat emission requirements), or for their own purposes despite organizational efforts. For readers in organizations that aren’t encouraging criminal behavior, these guidelines provide important guidance to the design (and implementation) of effective compliance programs.

How Do DOJ and Other Enforcement Agencies Approach Individual and Organizational Culpability?

Despite their legal “personhood,” organizations can only act through their personnel. Therefore, enforcement agencies have to evaluate the organization’s symbolic “intention” by looking at the intentions of these individuals, filtered through the formal structures the organization has created to guide such actions. Effective policies and procedures designed to prevent or reveal wrongdoing are interpreted to indicate that the organization intended to follow the law, so prosecutors are more likely to consider the organization to have been exploited by rogue personnel. In contrast, organizations with policies and procedures that create incentives to bend or break rules, and/or limited or murky internal controls that facilitate cover-ups, are more likely to be treated as “intentional” wrongdoers themselves.

  • U.S. Sentencing Commission

The United States Sentencing Commission (the Commission) is an independent agency within the federal judiciary, created to address the wide disparities under “indeterminate sentencing” provisions that gave judges wide leeway, and assigned to adopt Sentencing Guidelines intended to narrow those disparities across defendants and across crimes. In its efforts to ensure proportionality, the Commission provides a multi-stage process for evaluating each crime and each criminal. These steps are as follows:

  • Compare all crimes on the books, giving them a numerical Base Offense Level (BOL)—the worse the crime, the higher the number assigned.

  • Compare factors applicable to particular criminals in particular cases, tending either to enhance or reduce the severity of the defendant’s actions—numerical ratings are assigned to each factor, and those numbers are added to or subtracted from the BOL as appropriate.

  • Calculate the total Offense Level, determine whether any unique considerations justify adjustment to this score, look up the sentence in the Sentencing Table and apply the sentence.

Parallel procedures address individual defendants and organizational defendants. One of the formal factors that act to mitigate organizational punishment is the existence of an “effective compliance and ethics program.” (USSG § 8B2.1) As a basic principle, these programs should demonstrate that the organization does both of the following:

  • Exercises due diligence, to prevent and detect criminal conduct; and

  • Promotes “an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”

The Commission’s Guidelines provided detailed guidance for judges to follow when considering this factor.

  • DOJ Principles of Federal Prosecution of Business Organizations

DOJ provides an extensive “US Attorneys’ Manual,” explaining the Department’s policies for prosecutions. Subchapter 9-28 presents “Principles of Federal Prosecution of Business Organizations,” last changed in 2015 during President Obama’s administration. Section 9-28.800 addresses Corporate Compliance programs, and notes:

“The Department encourages such corporate self-policing, including voluntary disclosures to the government of any problems that a corporation discovers on its own. [internal cross-reference deleted] However, the existence of a compliance program is not sufficient, in and of itself, to justify not charging a corporation for criminal misconduct undertaken by its officers, directors, employees, or agents. … Prosecutors should therefore attempt to determine whether a corporation's compliance program is merely a "paper program" or whether it was designed, implemented, reviewed, and revised, as appropriate, in an effective manner. In addition, prosecutors should determine whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation's compliance efforts. Prosecutors also should determine whether the corporation's employees are adequately informed about the compliance program and are convinced of the corporation's commitment to it.”

The newly-published guidance provides prosecutors much more detail about how to conduct these evaluations.

What Does the New Evaluation Guidance Recommend?

In February 2017, DOJ’s Fraud Section published the new “Evaluation of Corporate Compliance Programs” guidance (Evaluation Guidance) on the web portal for its ongoing “Compliance Initiative.” The new Evaluation Guidance references the US Attorneys’ Manual provision I cited above, noting the need to evaluate a particular program in the specific context of the organization and crime being investigated. While stating that the new Evaluation Guidance is “neither a checklist nor a formula,” the Fraud Section provides eleven common “topics” and representative questions under each, to establish a firm underpinning for each of the hoped-for particularized investigations. The eleven topics are:

  1. Analysis and Remediation of Underlying Misconduct – including a “root cause” consideration of the problem, whether any prior indications had appeared (and how the organization responded), and how to remediate the underlying problem.

  2. Senior and Middle Management – what was their individual and collective conduct, and did it indicate appropriate commitment and oversight.

  3. Autonomy and Resources – of the compliance role (individual(s) and unit(s)) within the organization.

  4. Policies and Procedures – design and content; evaluation of provisions for internal reporting and investigation; and degree of particular attention to particular areas that might be targets of misconduct (purchasing, contracting, and vendor relations and oversight).

  5. Risk Assessment – by the organization, particularized to its situation and activities.

  6. Training and Communications – about risks and policies, how targeted and delivered, and with what follow-up guidance and resources.

  7. Confidential Reporting and Investigation – what mechanism(s) and procedure(s) are available; how are individual investigations scoped, staffed, and conducted; and how does the organization respond.

  8. Incentives and Disciplinary Measures – how the organization establishes and operationalizes incentives and disincentives.

  9. Continuous Improvement, Periodic Testing and Review – including internal audits, control testing, and updates to risk assessments and procedures.

  10. Third Party Management – when are third parties contracted to perform tasks and services, and how are they contracted, overseen and reviewed.

  11. Mergers and Acquisitions – how are the risk identification and management functions applied in M&A episodes.

How Should Organizations Approach These Issues?

Readers should remember that DOJ anticipates using its approach after non-compliance has led to an investigation or prosecution. However, an organization can restructure DOJ’s topics and representative questions when designing and implementing a compliance program that seeks to avoid these problems. The following Self-Assessment Checklist provides one such restructuring.

Self-Assessment Checklist

  • Does the organization have a policy to ensure compliance with applicable legal requirements (laws and regulations, permits), and professional standards (accounting, etc)?

    • Does it provide a generalized policy to comply and/or specify particular requirements to meet?

    • Is it a stand-alone policy and/or integrated within other policy(ies) (e.g., anti-discrimination, workplace safety)?

    • Does it include an independent statement of organizational ethics beyond or additional to compliance?

  • Is it formal and written?

    • Is it readily available to personnel (how: postings, website, emails, etc.)?

    • Is it subject to scheduled periodic review for revision/reconfirmation (and is the schedule met)?

  • Does the policy assign responsibilities?

    • Is every employee, including management personnel, responsible for acceptable behavior, for reporting violations and other unacceptable behavior, and/or for responses to different (specified?) types of situations and incidents?

    • Is it assigned to named individual(s)/unit(s) responsible for administration, implementation, and results? Are they provided with rank, resources, and access sufficient to perform assigned functions?

  • Does the policy provide for ongoing evaluation of the risks of non-compliance, identifying classes of activities (including ongoing activities, changing activities, and mergers and acquisitions) and associated risks, appropriate monitoring and evaluation methods, and appropriate changes to policies and procedures designed to prevent non-compliance and improve compliance?

    • Do these evaluations include activities performed by third parties on behalf of, and/or under contract with, the organization?

  • Does the policy describe incentives for compliance, and disciplinary procedures and mechanisms for non-compliance?

  • Does the policy describe procedures and mechanisms for reporting situations and incidents?

    • If so, does it provide for efforts to appropriately protect confidentiality?

  • Does the policy describe procedures and mechanisms for timely response to situations and incidents?

    • Does it describe procedures and mechanisms for investigations to determine root cause of non-compliance, and immediate cause and culpable individuals in the situation under review?

    • Do investigations produce findings, and remedial actions to remediate harm and prevent recurrence?

  • Does the policy provide training in the policy, by qualified personnel to all subject personnel?

  • Does the organization fully implement a compliance program consistent with each element in its policy, and designed to provide reasonable assurance of compliance with the policy and with compliance requirements?

  • Has the organization been subject to enforcement?

    • Have agencies investigated suspected violations?

    • Have agencies cited or prosecuted documented violations?

    • Have private parties brought suit, either as aggrieved individuals (employees, shareholders, etc.) or as private enforcement parties (e.g., “citizen suits” allowed under some statutes)?

    • Has the organization responded to each investigation or enforcement measure with appropriate remediation, internal reviews, and revisions to policies and procedures designed to prevent recurrence?

Where Do I Go For More Information?

Information available via the Internet includes:

Specialty Technical Publishers (STP) provides a variety of single-law and multi-law services, intended to facilitate clients’ understanding of and compliance with requirements. These include:


About the Author

Jon Elliott is President of Touchstone Environmental and has been a major contributor to STP’s product range for over 25 years. He was involved in developing 13 existing products, including Environmental Compliance: A Simplified National Guide and The Complete Guide to Environmental Law.

Mr. Elliott has a diverse educational background. In addition to his Juris Doctor (University of California, Boalt Hall School of Law, 1981), he holds a Master of Public Policy (Goldman School of Public Policy [GSPP], UC Berkeley, 1980), and a Bachelor of Science in Mechanical Engineering (Princeton University, 1977).

Mr. Elliott is active in professional and community organizations. In addition, he is a past chairman of the Board of Directors of the GSPP Alumni Association, and past member of the Executive Committee of the State Bar of California's Environmental Law Section (including past chair of its Legislative Committee).

You may contact Mr. Elliott directly at:

