The “Principles of Federal Prosecution of Business Organizations” in the Department of Justice (“DOJ”) Manual describes specific factors that prosecutors should consider in conducting an investigation of a corporation, determining whether to bring charges, and negotiating a plea or other agreements. These factors include “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision” and the corporation’s remedial efforts “to implement an adequate and effective corporate compliance program or to improve an existing one.” Recently released DOJ guidance further explains that there are three “fundamental questions” to pose when evaluating corporate compliance programs generally, one of which is “Does the corporation’s compliance program work in practice?”
There really is no better way—and perhaps no other reasonable way—for a company to judge whether its compliance program is “effective” than conducting a compliance audit. It is tempting to conclude that when your company does not experience misconduct, it is because your compliance program is effective, and your employees all behave lawfully. Unfortunately, it is equally plausible that misconduct is prevalent, but is never reported or detected. As the DOJ itself instructs, “the existence of misconduct does not, by itself, mean that a compliance program did not work or was ineffective.” Conversely, the failure to detect misconduct does not, by itself, mean that a compliance program is effective, and waiting for a violation to occur to discover that your compliance program was ineffective is something companies should seek to avoid.
Accordingly, companies should “engage in meaningful efforts to review [their] compliance program . . . and/or conduct periodic audits to ensure that controls are functioning well.” A company may have the most artfully worded code of conduct and strictest procedures to ensure compliance, but if employees do not follow those policies and procedures then they are not worth the paper they are printed on. [See DOJ Guidance at 9, citing JM 9-28.800 (“Prosecutors are instructed to probe specifically whether a compliance program is a ‘paper program’ or one ‘implemented, reviewed, and revised, as appropriate, in an effective manner.’”)]
How often should a compliance audit be conducted? Broadly speaking, what does a compliance audit entail?
Though the nature and frequency of compliance audits vary depending on the company’s size, available resources, and overall risk profile, companies should generally strive to conduct regular internal audits of their compliance protocols at predetermined intervals such as annually or quarterly. The purpose of these internal audits is to measure the sufficiency and effectiveness of the company’s controls in specific areas that were identified during the previous risk assessment. An audit of the company’s anti-bribery and corruption (“ABC”) compliance function, for instance, would likely involve reviewing a broad sample of the company’s contracts to ascertain whether standard ABC representations and warranties are incorporated; examining financial records detailing payments made to intermediaries and other service providers for accuracy and regularity; and surveying employees in critical functions with respect to their knowledge of the company’s ABC policies and procedures generally. Internal audits are a critical component of continuous process improvement. By proactively identifying gaps in the company’s compliance program before a legal infraction occurs, an internal auditor can help the company avoid substantial fines and penalties.
In contrast, external audits—whether voluntarily undertaken or required by some regulatory authority—are formal, more objective evaluations of the company’s compliance program by third parties. These audits occur less frequently than internal compliance audits and involve the measurement of the company’s protocols against some extrinsic standard by an arguably more objective auditor than a rank-and-file employee. External audits are conducted on a periodic basis to, among other things, validate the results of internal remediation efforts, perform enhanced pre-integration due diligence and post-acquisition assessments on M&A targets, and satisfy certain regulatory requirements. While typically more costly than internal audits and risk assessments, routine external audits offer valuable insight into the functioning of a company’s compliance program holistically and can be used to benchmark the company’s current program against prevailing industry standards.
Who should conduct the compliance audit? How should the audit be conducted?
Any qualified personnel with relevant subject matter expertise can conduct a compliance audit. In the context of routine internal audits, organizations frequently turn to those in the Legal, Compliance, and Internal Audit functions (among others) to spearhead this initiative. For external audits, companies typically engage law firms and institutional auditors with deep industry knowledge and significant experience in compliance audits specifically.
Although audit methodologies vary considerably, in the compliance and ethics context, the most effective audits will utilize the DOJ’s previously mentioned framework for the evaluation of corporate compliance programs generally. All audits—regardless of methodology—should be focused on identifying all existing deficiencies in company processes and procedures that could lead to a violation of the organization’s legal obligations. This requires complete candor on the part of company employees involved in audited functions and the ability of the auditor to have broad discretion to dig deep into company practices and transactions to ascertain whether any problems exist. Even if a violation of the law later occurs, companies can rely on the audit results in conjunction with any remedial action taken in the aftermath of the audit, to mitigate the potential for the imposition of more serious fines and penalties. As the DOJ’s recent guidance notes, “[p]rosecutors may reward efforts to promote [continuous] improvement and sustainability” and should consider “revisions to corporate compliance programs in light of lessons learned” as factors in determining whether prosecution or some other resolution is warranted.
What is the bottom line with respect to compliance audits?
No organization is immune to compliance challenges. Faced with an increasingly complex legal environment and heightened scrutiny from key regulators (including the DOJ), companies must be prepared to invest more resources into periodic audits of their compliance programs. In the absence of routine and robust internal and external audits, companies will be blind to potential problem areas and unprepared to defend themselves against resulting enforcement actions.