Audit Interviews Regarding Employee C&E Knowledge

An often useful but not always used self-assessment tool is to include in an audit interview questions to determine if employees have sufficient knowledge of C&E program requirements and resources. Knowledge questions – as these might be called – are intended to be asked in addition to, and not in lieu of, questions about actual violations of law and policy.
C&E knowledge questions might include some of the following – tailored, as appropriate, to the interviewee’s job duties:
• Are you aware of company policy regarding
o Offering and receiving gifts and entertainment?
o Providing travel and other things of value to customers and government officials?
o Engaging third parties to represent the company in dealing with governmental entities?
o Making facilitating payments?
o Having contact with competitors?
o Addressing conflicts of interest?
o Taking annual C&E training?
o Reporting possible misconduct?
Yes answers to any of these of these should trigger follow-up questions designed to test the knowledge the interviewee says she has. Some examples:
• What would you do if a customer asked you to refer his or her family member for a job at the company?
• What are the approval requirements before providing a meal to a government employee?
• What topics are forbidden to discuss with competitors?
• What should be done if you have a possible conflict of interest?
• What are the channels for reporting suspected wrongdoing?
• How would you seek advice on an ethical matter?
• Where can you find copies of company C&E policies?
As noted, questions should be tailored to the interviewee’s duties. For instance, managers (but not necessarily other employees) should generally be asked if they would know what to do – and what not do – if an employee reported suspected wrongdoing to them. Or, selected interviewees might be asked if they would know what to do and not do in the event of a “Dawn Raid.”
The benefit of using C&E knowledge questions in audits is not only in the value of what is learned from the answers. The mere asking of such questions can send a message that may travel widely in a company about the importance of C&E generally to management. Of course, deploying such questions also incurs a cost in terms of the time and resources of audit staff and other employees, and the use of such questions can decrease the time available for taking other important audit measures. However, such questions can be a valuable tool in the audit/assessment tool box, and companies should thus consider the costs and benefits of such a practice.

Assessing risk assessment

When the Federal Sentencing Guidelines for Organizations were first issued in 1991, risk assessment was not among the specified elements of an effective C&E program. By the time risk assessment was added to the definition of an effective C&E program in 2004 (as part of a comprehensive revision of this aspect of the Guidelines), many of those working in the C&E field saw risk assessment as indispensable to program efficacy, a view which has indeed strengthened over the years since then.
Risk assessment can come up in two ways in the program assessment setting.
First, the assessor can be asked to conduct a risk assessment alongside the program assessment. In this model a portion of all or most of the assessment interviews is devoted to posing risk assessment questions about the client organization.
One advantage of such an approach is that it can make the rest of the assessment (i.e., the pure program assessment part) more risk sensitive. Another advantage is economic – combining risk and program assessment might entail a more efficient use of interviewee times and assessor resources than would having two totally separate processes. On the other hand, a combined approach may mean insufficient time for each.
The other way in which risk assessment comes up in a program assessment setting – and this is presumably the case in all program assessments – is that how a company conducts risk assessment should itself be assessed. There is, of course, no one-size-fits-all set of criteria for this analysis, but there are certain questions that are particularly helpful and approaches that seem to work well generally – including the following:
– Is the risk assessment designed to identify information regarding all significant elements of the C&E program? Many risk assessments are designed to produce two types of risk-related information: that which helps the board of directors and senior management oversee the program and that which helps the internal audit function audit the program. These are important, of course. However, as a matter of common sense (and for meeting the pertinent Sentencing Guidelines expectations), the design and operation of all other aspects of the program – e.g., policies, procedures, training, communications, monitoring, the helpline, incentives, accountabilities – should be informed by the results of the risk assessment too.
– Does the assessment produce qualitative – as well as quantitative – information? Most risk assessments produce some quantitative data, particularly with respect to the likelihood and impact of a potential violation. But in assessing a risk assessment, one should also consider whether and how well it produces qualitative data.
One type of qualitative data concerns the “why” of risk. For instance, a risk caused by ignorance or lack of appreciation of applicable C&E standards tends to suggest enhancing relevant training and communications, whereas a risk caused by lack of attention by key personnel may suggest the need for stronger accountability measures.
A second type of qualitative data that risk assessments should generate is based on the “where” and “how” of risk. For instance, it is less helpful to merely identify competition law as a risk than it is to identify particularly risky markets (by geography and/or product/service line) and types of violations (e.g., division of markets) more likely to occur than others.
Finally, in assessing a company’s C&E risk assessment process, one should consider what might be called the risk assessment of every day work. That is, while presumably all companies should have a formal risk assessment process, the particulars of that process may depend in part on how well the company already knows its risks from other aspects of the program, such as monitoring, and indeed from having law or compliance personnel being deeply involved in business planning and operations – and whether the knowledge obtained this way is put to use to help mitigate C&E risk in an effective manner.

Welcome to the Compliance Program Assessment Blog

Rebecca Walker and Jeff Kaplan of Kaplan & Walker LLP are pleased to announce the launch of the Compliance Program Assessment Blog (

“We have each been conducting compliance and ethics [“C&E”] program assessments since the 1990s and are very happy to have this opportunity to share publicly assessment-related best practices and other practical ideas and information,” Kaplan said. “Although program assessments have long been recognized by both enforcement officials and C&E professionals as essential to promoting and maintaining program efficacy, many companies are just now taking their first steps in this area. We hope that the Blog will be of assistance to them in this rewarding but challenging facet of ensuring good corporate citizenship,” Walker added.

The Blog will address, among other topics:

  1. Assessment mandates and benefits. We will survey and analyze the growing body of legal standards and other official expectations for conducting C&E program assessments, as well as business-related reasons to do so.
  2. Assessment methods. The Blog will review the various tools used in conducting assessments – interviews, documents reviews, surveys, focus groups, benchmarking, etc. – and provide guidance on the when, where, who and how of each. We will also address:
    • The issue of when and how to conduct an assessment under the attorney-client privilege and related matters of confidentiality.
    • Questions concerning the size and scope of assessments.
    • What to know and to look out for in formulating findings and recommendations, and in drafting and disseminating an assessment report.
    • How frequently companies should assess their programs.
    • The interplay between program and risk assessments.
    • The role of the board of directors and of senior management in assessments.
    • The use of maturity models and other frameworks in assessments.
  3. Program elements. For each of the major elements and sub-elements of a C&E program – program management and oversight, policies, procedures, training, auditing, helplines, incentives, etc. – we will consider what to look for both in terms of efficacy and opportunities for improvement.
  4. Program attributes. We will explore criteria for use in assessing key characteristics of an effective C&E program that “cut across” individual program elements, such as independence and sufficiency of resources.
  5. Culture. The Blog will discuss the various hallmarks of an ethical organizational culture, and how they can be effectively measured – perhaps the most challenging of all aspects of conducting a program assessment.
  6. Social science research findings and survey data. Increasingly, assessments are expected to have scientific or quantitative dimensions, and the Blog will discuss approaches to meeting those expectations, such as through the use of publicly available survey data and by adapting “behavioral ethics” ideas and information to the compliance program setting.

Our plan is to spend the next few months building the site out with foundational posts. After that, we will encourage other practitioners to submit guest posts (although we will not accept advertising). We may also conduct interviews for the Blog.

We hope that you find the Compliance Program Assessment Blog useful and – in the spirit of its subject matter – that you will let us know how we can continuously improve.