Legal guidance in the area of C&E program assessments accords with professional wisdom in this area, emphasizing the importance of periodic assessments to an effective program. In this post, we review a few of the relevant legal standards from U.S. authorities. In later posts, we will take a look at assessment guidance from other countries and non-governmental organizations.
The Sentencing Guidelines for Organizations, which contain the most influential set of standards for effective compliance and ethics programs, provide that an organization should periodically evaluate the effectiveness of its program. The Guidelines also provide that, after criminal conduct is detected, an organization should take reasonable steps to prevent further similar criminal conduct, including through assessing and making necessary modifications to the program.
Department of Justice
In February of 2017, the Fraud Section of the Department of Justice published a document on its web site titled “Evaluation of Corporate Compliance Programs,” which lists a number of questions that the Fraud Section “may ask” in determining the effectiveness of a compliance program. That document discusses the importance of review and audit of an organization’s compliance program, including “testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties.” (Available at https://www.justice.gov/criminal-fraud/page/file/937501/download.)
The Department of Justice and Securities and Exchange Commission, in their Resource Guide to the Foreign Corrupt Practices Act (published in November 2012), issued detailed guidance on the importance of program assessment. In the Resource Guide, the DOJ and SEC instruct that compliance programs “should constantly evolve” and that programs that are followed in practice, rather than existing only on paper, inevitably uncover weaknesses and require enhancements. It is therefore important to the DOJ and SEC that companies “regularly review and improve their compliance programs and not allow them to become stale.” (Available at https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf.)
The Resource Guide goes on to provide that organizations should take the time to review and test controls and to think critically about potential weaknesses, and also provides some instruction on how to go about doing so. “For example, some companies have undertaken employee surveys to measure their compliance culture and strength of internal controls,” and other companies “periodically test their internal controls with targeted audits.” Regardless of the form of review, DOJ and SEC have promised to “give meaningful credit to thoughtful efforts to create a sustainable compliance program.” They have also stated that “proactive evaluations” can lower the fine that an organization might otherwise be subject to if a violation occurs.
Other U.S. government agency standards similarly emphasize the importance of program assessment. For example, the Securities and Exchange Commission’s final rules requiring investment companies and investment advisors to implement compliance programs require such entities to review the adequacy of the compliance policies and procedures and the effectiveness of their implementation on at least an annual basis. (17 CFR 270.38a-1(a)(3).) Similarly, the Office of Inspector General of the Department of Health and Human Services, in its compliance program guidance for various healthcare organizations, typically includes the requirement of regular (typically at least annual) review of a compliance program. (See https://oig.hhs.gov/compliance/compliance-guidance/index.asp.) The importance of program assessment has also been highlighted in Federal Energy Regulatory Commission compliance program guidance, which provides that, in determining program effectiveness, regulators should consider the frequency with which an organization reviews and modifies its compliance program. (https://www.ferc.gov/whats-new/comm-meet/2008/051508/M-1.pdf.)