Compliance Area |
Updated Content |
I. Is the corporation’s compliance program well designed? |
Risk Assessment |
Prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how it has evolved over time
- Updates and Revisions – Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls?
- Lessons learned – Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?
|
Policies and Procedures |
- Addition to Design – What is the company’s process for designing and implementing new policies and procedures and updating existing policies and procedures, and has that process changed over time?
- Accessibility – Have the policies and procedures been published in a searchable format for easy reference?
|
Training and Communications |
- An acknowledgment that training programs may contain shorter, more targeted training sessions to identify timely identification and reporting of issues
- Form/Content/Effectiveness of Training
- Whether online or in-person, is there a process for employees to ask questions arising out of the trainings
|
Confidential Reporting Structure and Investigation Process |
- Effectiveness of the Reporting Mechanism
- How is the reporting mechanism publicized to third parties?
- Does the company take measures to test whether employees are aware of the hotline and feel comfortable using
|
Third Party Management |
- Prosecutors should assess whether the company knows the risks posed by third party
- Management of Relationships – Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?
|
Mergers and Acquisitions (M&A) |
- Ensure a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls (noting flawed or incomplete pre-or-post acquisition diligence and integration can allow misconduct to continue at the target company)
- Due Diligence Process – Was the company able to complete pre-acquisition due diligence and, if not, why not?
- Process Connecting Due Diligence to Implementation – What has been the company’s process for conducting post-acquisition audits at newly acquired entities?
|
II. is the program being applied earnestly in good faith? in other words, is the program being adequately resourced and empowered to function effectively? |
Commitment by Senior and Middle Management |
- Emphasis that the company foster a culture of ethics and compliance “at all levels of the company… from the middle and the top”
|
Autonomy and Resources |
- Structure (where the function is housed) – What are the reasons for the structural choices the company has made?
- Experience and Qualifications – How does the company invest in further training and development of the compliance and other control personnel?
- Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
|
Incentives and Disciplinary Measures |
- Consistency Application – Does the compliance function monitor its investigations and resulting discipline to ensure consistency?
|
III. Does the corporation’s compliance program work in practice? |
Continuous Improvement, Periodic Testing and Review |
- Evolving Updates – Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?
|