Senior and Middle Management
· Conduct at the Top: Have senior leaders encouraged or discouraged this type of conduct? How is the behavior of senior
· Shared Commitment: What specific actions have been taken by managers, finance, human resources, and other stakeholders to demonstrate their commitment to compliance? How is information shared among various departments?
· Oversight: What compliance expertise is available to the board?
Autonomy and Resources
· Compliance Role: Did compliance provide training relevant to the misconduct?
· Stature: How does compliance compare to other departments in terms of rank/title, stature, compensation levels, and access to
· Experience and Qualifications: Are the experience and qualifications of compliance personnel appropriate for their roles?
· Autonomy: How has the company ensured the independence of compliance personnel? Do compliance and control functions have direct reporting lines to the board
· Empowerment: Are there specific instances where compliance raised concerns about the area where the wrongdoing occurred? How did the company respond to these concerns?
· Funding and Resources: Have there been times where compliance was denied requests for resources? If so, how were these decisions made?
· Outsourced Compliance Functions: Does the company outsource all or part of its compliance functions? If so, what is the rationale? How has the effectiveness of the outsourced functions been assessed?
Policies and Procedures
· Design and Accessibility: Are business units consulted before new policies and procedures are implemented? How are the “owners” of policies held accountable
· Operational Integration: Who is responsible for integrating policies and procedures? Did controls exist that failed to detect the misconduct? If a vendor was involved in the misconduct, what is the process for vendor selection and did the vendor go through this process?
· Risk Assessment: How does the company identify, analyze, and address this type of risk? How does the company’s risk assessment account for this type of risk?
Training and Communications
· Risk-Based Training: Has the company provided training that addresses the risk of this misconduct?
· Form/Content/Effectiveness of Training: Is training offered in a form that is appropriate for the intended audience?
· Communications about Misconduct: How does senior management inform employees about the company’s position on the type of misconduct that occurred?
· Availability of Guidance: What resources are available to employees who seek guidance on compliance policies?
Confidential Reporting and Investigation
· Effectiveness of the Reporting Mechanism: Does compliance have full access to information about reporting
· Properly Scoped Investigation by Qualified Personnel: How does the company ensure that investigations are appropriately conducted and