This is the third in a series of posts where we will explore critical elements of a successful compliance program. In February, the Department of Justice’s Fraud Section offered a new perspective on what the government expects in an anti-corruption compliance program, in the form of a series of questions that companies should be prepared to answer about their program. The guidance offers companies a roadmap for building or assessing their compliance program. In this series, we will explore recent and past guidance on key compliance topics, as well as key takeaways for companies of all sizes.
Policies and Procedures are the cornerstone of a compliance program. While traditional sources of guidance, such as the DOJ and SEC FCPA Resource Guide and DPAs themselves, lay out the government’s fundamental expectations with regard to policies and procedures, the Fraud Section’s new guidance goes deeper, reflecting an approach that will assess not only the existence but also the design and integration of policies and procedures.
The most basic expectation with regard to policies and procedures is that companies will have a code of conduct prohibiting violations of the FCPA and the law’s foreign counterparts. Additionally, companies should have policies and procedures covering, among other things, gifts, travel & entertainment, expenses, political and charitable contributions, and payments to third parties. Finally, traditional sources of guidance make clear that companies should also have a set of finance and accounting internal controls reasonably designed to ensure the maintenance of fair and accurate books and records.
The new guidance does not dwell on lists of policies or even mention a code of conduct – undoubtedly, it presumes these basic components will be present. Instead, the new guidance poses a series of questions designed to uncover insights into the process used to design the policies, how accessible they are, and whether they are truly integrated into the company’s operations. Here are some of the key questions in the new guidance that focus on these heightened expectations:
- Designing Compliance Policies and Procedures – What has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out?
- Applicable Policies and Procedures – Has the company had policies and procedures that prohibited the misconduct? How has the company assessed whether these policies and procedures have been effectively implemented? How have the functions that had ownership of these policies and procedures been held accountable for supervisory oversight?
- Responsibility for Integration – Who has been responsible for integrating policies and procedures? With whom have they consulted (e.g., officers, business segments)? How have they been rolled out (e.g., do compliance personnel assess whether employees understand the policies)?
These questions make clear that any company that aspires to implement an anti-corruption compliance program that can withstand DOJ scrutiny needs to do more than just publish a set of cookie-cutter policies that merely sit on the shelf (or on the shared drive). Policies and Procedures need to be drafted with significant input and buy-in from the business, not simply pushed out by compliance. They should be periodically revisited and revised so that they truly reflect the company’s risk areas and business model. When they are not followed, there must be documented accountability.
With regard to internal controls, while Section 13(b)(2)(B) of the Exchange Act provides basic requirements for an internal controls program, the new DOJ guidance provides deeper insight into how the Fraud Section (and potentially other sections within the Criminal Division) will scrutinize a company’s internal controls following the discovery of misconduct. The questions relating to internal controls reflect a focus on whether controls that could have prevented the misconduct were in place and, if they were, whether they were consistently enforced:
- Controls – What controls failed or were absent that would have detected or prevented the misconduct? Are they there now?
- Payment Systems – How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?
- Approval/Certification Process – How have those with approval authority or certification responsibilities in the processes relevant to the misconduct known what to look for, and when and how to escalate concerns? What steps have been taken to remedy any failures identified in this process?
- Vendor Management – If vendors had been involved in the misconduct, what was the process for vendor selection and did the vendor in question go through that process?
In our experience, designing and implementing effective Policies and Procedures is an iterative process that can take years of revision and training to get right. The Policies and Procedures portion of the new guidance gives those responsible for an organization’s anti-corruption compliance a useful benchmark for assessing how their program measures up to the DOJ’s high expectations.