NAVEX recently hosted a webinar in partnership with Granite GRC about the recent updates to the U.S. Department of Justice (DOJ) and the current Evaluation of Corporate Compliance Programs (ECCP). This post answers questions received from the audience. To watch the full webinar, click here.
Does DOJ care that an independent expert has evaluated a company’s compliance program and found it to be effective?
Yes, DOJ does care that companies have had independent experts evaluate their compliance program.
First, independent assessments are required by DOJ’s 2020 guidance. Consistent with this guidance, DOJ assesses whether companies have periodically audited their compliance programs for effectiveness. Under professional standards, audits can only be performed by individuals without conflicts of interest, that is, those who are independent of the matters audited. Periodic assessments by experts external to the organizations are needed to support ongoing monitoring of the program and validate that goals and objectives are being satisfied.
Second, independent assessments are further required by the U.S. Attorneys Manual. Under this Manual, prosecutors are required to consider several specific factors when deciding whether to bring charges, negotiate pleas, or enter into other agreements with companies that have been accused of crimes. These factors include whether the companies have made material efforts “to implement an adequate and effective corporate compliance program or to improve an existing one.”
Where programs fail to prevent crimes, their assertions of having implemented adequate and effective compliance programs are frequently met with skepticism. By engaging independent experts to measure program effectiveness, and by addressing their findings, companies support the credibility of their efforts to create and maintain their programs.
For those in the nonprofit sector, there seems to be a challenge getting the leaders to prioritize compliance programs and invest in them since there are limited funds. Are there real cases where nonprofits have been held accountable for having a compliance program?
Yes. In a recent case, the DOJ announced that a non-profit organization agreed to cease operations and to pay $850,000 in fines and restitution under the Federal False Claims Act. This is one example of hundreds of non-profits the DOJ has prosecuted over the years for the misrepresentation or misuse of government-funded programs. Non-profit organizations are subject to the same laws and regulations as for-profit organizations, with some additional regulation related to their non-profit tax status. All non-profits that accept government-funded financial support or payment for services are fully subject to these laws.
How do you balance being strict on enforcement with not being so punitive that people don’t come forward when they see issues and/or self-report?
Colleagues feel safest reporting when they understand the investigation processes and have confidence their reports will be handled fairly, including when self-reporting mistakes. Companies seeking to improve or maintain the effectiveness of self-reporting should clearly define these processes, educate their colleagues, and consistently execute in a timely and predictable manner. To encourage self-reporting, companies should recognize the value of self-reporting and should provide colleagues with “credit” through recognition that self-reported matters are more likely to be mistakes.
Has anyone come up with a benchmark or best practice for compliance spend per employee, or as a percentage of gross or net revenue to address staffing needs?
The Health Care Compliance Association, the largest association of compliance professionals working in health care and the life sciences, performs an annual survey on compliance spend. This survey provides one touchpoint for professionals working in these fields in the U.S.
Notably, while these surveys may reflect staffing and funding levels within these slices of industry in the U.S., these surveys do not reflect similar staffing or funding outside of these limited areas. Additionally, funding levels themselves are not a singular focus for DOJ and are therefore not an effective litmus test for compliance program effectiveness.
When DOJ considers the appropriateness of compliance funding, it considers the matter as part of a larger group of factors that impact compliance effectiveness, including the autonomy, seniority and stature, structure, and experience and qualifications of the personnel leading and working in compliance. DOJ’s focus is on whether the combination of factors, including resource dedication, creates programs that are effective in preventing and detecting compliance violations, and resolving them appropriately, not simply on funding.
What is the opinion about the compliance officer reporting to the general counsel?
There is some controversy over whether compliance officers and compliance functions should report to their organizations’ general counsels. Government guidelines generally require that compliance officers and functions not report to either their companies’ legal or accounting/finance functions. The separation of the compliance function from these functions is believed to help ensure independent and objective legal reviews and financial analyses. This sentiment was echoed by U.S. Senator Charles Grassley (R-IA) in a letter to Tenet Healthcare Corporation in September 2003 relating to a Senate Finance Committee investigation into, among other matters, allegations of unnecessary heart operations and procedures. The letter included a now-infamous quote:
“Apparently, neither Tenet nor [its General Counsel] saw any conflict in her wearing two hats as Tenet’s general counsel and chief compliance officer. As general counsel, [Tenet’s General Counsel] zealously defended Tenet against claims of ethical and legal non-compliance, e.g., the April 2001 qui tam suit, while as chief compliance officer, she supposedly ensured compliance by Tenet’s officers, directors and employees. It doesn’t take a pig farmer from Iowa to smell the stench of conflict in that arrangement.”
While government guidance may be prevalent, and the language used both colorful and strong, this position is certainly not unanimous. Many believe, as recommended in 2003 in a report from the American Bar Association Task Force on Corporate Responsibility, that organizations’ general counsels have and should retain primary responsibility for assuring the implementation of an effective legal compliance system within their organizations, a responsibility owed directly to their organizations’ boards.
Either organizational structure can be effective, with effectiveness dependent upon the culture, dynamics and structure of the organization as a whole, as well as the knowledge and skills of the organizations’ board and senior management members. Whatever organizations decide to do, it’s important both the compliance and legal functions effectively execute on their responsibilities to their organizations.
With all the recent guidance from DOJ and now OIG, will this finally prompt organizations to no longer have the dual general counsel/chief compliance officer role?
As noted earlier, there is significant guidance that encourages a division of responsibilities between general counsels and chief compliance officers; particularly in healthcare and the life sciences. The Department of Health and Human Services, Office of Inspector General has made it clear that these roles should be separated where practicable. Outside of those industries, however, there is relatively little guidance on this topic. Nor has DOJ adopted a position. As a result, the future of the dual general counsel/chief compliance officer role remains unclear.
How common is it to have the compliance officer report through the internal audit function?
In my experience this is not a common arrangement. Both functions require a level of independence from company management in order to perform their roles effectively. However, the knowledge bases are generally different (financial and accounting vs. legal and regulatory). As a result, most companies keep these functions separate.
Does the DOJ scrutinize titles? (For example, “ethics officer” vs. a “compliance officer”)
While the DOJ does assess the seniority, authority and resources available to the individual responsible for the compliance function, it does not scrutinize the specific titles in terms of “ethics officer” vs. “compliance officer.”
What are some of the essential policies a company must have in its compliance program?
Compliance programs are built around two sets of policies and procedures: operational and risk-based.
Operational policies and procedures establish and govern how companies approach their controls governing compliance, such as compliance management leadership and scope, their approach to policies, procedures and training, auditing and monitoring strategies and methods, investigational standards and techniques, lines of communication and similar matters.
Risk-based policies and procedures focus on mitigating and managing the specific substantive areas of risk the companies face. Both sets of policies and procedures are essential for effectively running compliance programs.
What is the balance of financial incentives without running afoul of IRS and/or append to staff taxable salary?
It is no secret that financial incentives can be very influential in steering colleague behavior. At the end of the day, most colleagues prioritize what they get paid to prioritize. At the same time, most financial incentives, including those related to ethics and compliance, are likely to be taxable compensation. Being taxable, however, does not render ethics and compliance incentives ineffective any more than paying colleagues taxable compensation for other responsibilities renders those incentives ineffective. Moreover, incentives that are designed to lead to higher compensation in the future, such as improving the likelihood of promotions, are not taxable.
Are internal audit (which is “independent” per audit standards) activities considered less persuasive than external evaluations?
While both internal and independent audits can be persuasive, independent audits are generally more persuasive. In addition to better satisfying DOJ’s guidance as described above, Federal legal requirements prefer or require independent audits. In this regard it is recognized that assessments performed by independent auditors reduce the risks of inaccuracies, raise the quality and credibility of the work performed, and provide important insights into the matters assessed.
For reference, see 17 CFR 2.2-01 (qualifications for accountants), providing that conflicts to be avoided include situations that: (1) create mutual or conflicting interests between the auditor and the organization being audited; (2) place the auditor in the position to audit their own work; (3) result in the auditor acting as management or an employee of the organization being audited; and (4) place the auditor in a position of being an advocate for the organization being audited.
Is there a resource/check list for navigating each question within the DOJ Guidance?
There is no specific checklist for navigating each question. However, help is available for companies seeking assistance. The annotated guidance from the March 2023 ECCP updates provided by NAVEX is a resource that can help understand what has changed and highlights the key action points you need to know.
What are leadership concerns about having so much training and so many policies that they feel messaging can’t sink in? Is there a better way we as compliance professionals can streamline our messaging?
Effective policies, procedures and training can follow a basic formula – “Keep it simple, Simon.” Policies should state companies’ standards of behavior in simple, easy to understand language. Procedures should provide the companies’ specific directives for following those policies. Training should reference those policies and procedures, provide the “why,” and demonstrate them in action.
Remember – once the policies are approved by senior management your colleagues do not want or need a lengthy exposition of the law, or a high-definition description of your efforts to keep them compliant. All they need is for you to answer one simple question – “What do you want me to do?” By focusing on that question, you will focus your efforts on what needs to be governed and said, reduce the length and complexity of policies, procedures and training, and address most of leadership’s concerns.
For more in-depth information about mastering DOJ compliance guidance, watch the full webinar on-demand.
Jeffrey Miller can be reached via email at jbm@granitegrcconsulting.com for further information and consulting services.