The Justice Department published a revision to its document that guides its processes for evaluating corporate compliance in a criminal investigation last week. The revisions give internal audit some important guidelines for assessing the corporate compliance function.
The guidance on Evaluation of Corporate Compliance Programs helps prosecutors ask companies the right questions about their compliance programs when conducting criminal investigations, and also helps professionals in the compliance industry put together their own compliance programs to avoid running afoul of such laws as the Foreign Corrupt Practices Act, anti-money laundering provisions, and others.
The Justice Department first released guidance on corporate compliance evaluation in 2017, and has updated the document several times, with the most recent being April of last year. The most recent guidance contains changes mostly in the details of the questions without sweeping changes to the material.
“The revised guidance on the Evaluation of Corporate Compliance Programs reflects additions based on our own experience and important feedback from the business and compliance communities,” said Brian Benczkowski, assistant attorney general of the DOJ’s Criminal Division, in a statement. “Although much of the substance of the prior version remains unchanged, the updates we have made are in keeping with our continued efforts as prosecutors to improve our own policies and practices to ensure transparency and the effective and consistent enforcement of our laws.”
The guidance is a set of questions that prosecutors ask companies when evaluating their compliance programs during a criminal investigation or potential investigation. The strength of a company’s compliance program can affect how aggressively the DoJ pursues criminal cases brought against corporations and can earn companies goodwill. The guide reflects the expectations and the standards of the Justice Department regarding corporate compliance, and is a useful informal tool for corporations to base their compliance programs around.
Framework Questions
In the three overarching framework questions, the Justice Department replaced asking whether the programs are “being implemented effectively” with the more descriptive “adequately resourced and empowered to function effectively.” The change indicates the focus of the Justice Department on corporations’ resource allotment and support given to compliance programs as a large factor in the consideration of the corporation’s duty to compliance, rather than just the implementation of the program.
According to an article by Michael Volkov of the Volkov Law Group, the Justice Department has noticed that compliance authorities lack authority and were often ignored by senior management when trying to intervene in troublesome transactions. With the change in language of the framing questions, the Justice Department is emphasizing the need to both provide resources for compliance officials to be effective, as well as giving them the authority for them to properly function.
Relating to risk assessment, the guidance adds a sentence highlighting that “prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has and why and how the company’s compliance program has evolved over time,” showing an emphasis on intent and tracking of the development of the program.
With added details on updates and revisions asking whether periodic reviews are limited to snapshots or based on “continuous access to operational data and information across function” and whether such reviews have led to “updates in policies, procedures, and controls,” the guidance reinforces the emphasis on evolving compliance programs and learning from reviews.
Other changes in the document remind companies of the Department of Justice’s dynamic approach to evaluating third-party risk and the importance of relevant data analytics.
Mike Koehler, the founder and editor of FPCA Professor and a professor at Southern Illinois University School of Law said the guidance has limit impact. “This is non-binding DOJ guidance full of vague and ambiguous terms,” he said. “The document has 168 questions, and the document uses the word ‘effective’ 54 times even though that’s not even a legal standard.”
The vagueness and the informal nature of the guidance can restrict its impact, but the guide is a tool for companies to reference informally as a guideline. The changes in the guidance offers a reminder to companies of areas that the Department of Justice would scrutinize in the case of an investigation. 
Stephanie Liu is assistant editor at Internal Audit 360°