· Response to Investigations: Are investigations used to identify root causes and accountability lapses, including lapses among supervisors and senior executives?
Incentives and Disciplinary Measures
· Accountability: Were managers held accountable for misconduct related to their areas of supervision?
· Human Resources Process: Who makes disciplinary decisions for this type
· Consistent Application: Were disciplinary actions and incentives fairly and consistently applied across the company?
· Incentive System: How does the company incentivize ethical and compliant behavior? Have promotions or awards been denied, or other action taken, as a result of ethical or compliance considerations?
Continuous Improvement, Periodic Testing,
· Internal Audit: Were any audits conducted that would have identified issues related to the misconduct? How did management and the board follow up on these findings? How often are high-risk areas
· Control Testing: What control testing has the company performed? Was the compliance program reviewed and audited to test controls related to the misconduct?
· Evolving Updates: How often are the company’s risk assessments and compliance policies updated? How does the company determine whether policies, procedures, and practices are appropriate for particular business lines or subsidiaries?
· Risk-Based and Integrated Processes: How does enterprise risk integrate into the procurement and vendor
· Appropriate Controls: How does the company ensure that vendor compensation is commensurate with services rendered?
· Management of Relationships: How has the company trained managers about the compliance risks of third-party vendors? How does the company incentivize ethical and compliant behavior by third parties?
· Real Actions and Consequences: Did third-party due diligence identify any red flags related to the misconduct? How were those red flags resolved? Have similar third parties been audited, suspended, or terminated due to compliance issues? How does the company monitor terminated vendors to confirm that they are not used in
Mergers and Acquisitions (M&A)
· Due Diligence Process: Was the risk of misconduct identified during the due diligence process? Who reviewed the entity for risk, and how was the review conducted?
· Integration in the M&A Process: How is compliance integrated into M&A?
· Process Connecting Due Diligence to Implementation: How is any misconduct identified during due diligence tracked and remediated? How does the company implement compliance policies and procedures at acquired or merged entities?
With its question-and-answer format and its coverage of many compliance-related topics, the guidance can serve as a tool to evaluate a compliance program and to educate board members and senior management on the DOJ’s expectations for a corporate compliance program.