
Addressing DOJ’s and SEC’s Heightened Expectations for Compliance Programs
Key features of their updated guidance – and steps for organizations to consider

In June 2020, the US Department of Justice (DOJ) issued its updated Evaluation of Corporate Compliance Programs (ECCP).1 In July 2020, the DOJ and the US Securities and Exchange Commission (SEC) issued a revised Foreign Corrupt Practices Act (FCPA) Resource Guide (Resource Guide).2 Overall, both sets of guidance reflect increasing sophistication, as the regulators’ views of corporate compliance programs continue to evolve.

This updated guidance outlines heightened regulatory expectations around risk assessments; testing and monitoring; program structure, autonomy, and resources; internal investigations; training; confidential reporting; M&A; and third-party programs. Compliance professionals and risk managers should not only be aware of these updates, but should also evaluate what, if any, steps their organizations should take in response, now and over time.

This point of view highlights key expectations in these areas and provides considerations for how to address them. In general, the DOJ and SEC’s expectations continue their trend toward more granularity and complexity, implying that organizations may need to make significant enhancements and, perhaps, investments in their compliance programs in order to meet regulatory expectations. Any such enhancements or investments should be thoughtfully prioritized and incorporated into the existing compliance program in a risk-based, effective manner, avoiding unnecessary complexity as far as possible, reducing silos and redundancies, and managing costs.

Guiding Principles: Design, Implementation, and Effectiveness

Both the DOJ and the SEC, in the updated Resource Guide, emphasize the need for compliance programs to be “well-constructed, effectively implemented, appropriately resourced, and consistently enforced.”3 Both also want to see effective compliance programs “at the time of the misconduct and at the time of the resolution.”4 At a practical level, these expectations impact a number of activities, as more fully discussed below.

Periodic Testing and Review – Use of Data in Assessing Effectiveness

For an organization to be able to demonstrate effectiveness, both the DOJ and the SEC state that it “should take the time to review and test its controls.”5 The DOJ guidance in the ECCP is more detailed here and emphasizes access to and use of data for monitoring, testing, and assessing effectiveness. For example, the ECCP now asks, for the first time, whether “compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?”6 It also asks whether “any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”7

Yet the DOJ is concerned not only with access to data, but also with how data is used in compliance activities such as assessing the effectiveness of training, testing associated with hotlines, assessments relating to investigations and disciplinary actions, third-party life-cycle monitoring, and post-M&A audits – among others.8

Another change to the ECCP describes a new expectation that companies cast a wider net when using lessons learned to enhance their risk management frameworks. Specifically, the DOJ added language to emphasize reviewing and adapting compliance programs based on lessons learned not only within the organization but also those of other organizations “facing similar risks.”9

Steps to consider: Organizations should consider developing specific risk-based procedures to test key aspects of their compliance programs, not only to ascertain whether they are well-designed and “applied earnestly and in good faith,”10 but also whether the compliance program is, in actual practice, effective. Also, consider ways of formally incorporating lessons learned from entities facing similar risks, such as industry peers, as well as those learned within the organization, into the risk management program.

Increasing Importance of Internal Investigations

New language by the DOJ and SEC in the Resource Guide emphasizes the importance they place on an organization’s response to potential misconduct:

The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.11

Further emphasizing the importance of consistent discipline after investigations, the ECCP notes that the DOJ expects “the compliance function [to] monitor… investigations and resulting discipline to ensure consistency.”12 Prior changes to the ECCP also emphasize the importance of considering appropriate discipline for supervisors – not only those identified “as responsible for the misconduct, either through direct participation or failure in oversight,” but also those having “supervisory authority over the area in which the criminal conduct occurred.”13

Steps to consider: While well-scoped investigations, root cause analysis, appropriate remediation in light of lessons learned, and thorough and consistent discipline are not new regulatory expectations, the updated language reflects an even more intense focus. Therefore, organizations should review the effectiveness of their compliance programs in these areas and document their assessment of how investigations are handled from initiation through completion, including any resulting improvements from such assessments.

Higher expectations for risk assessments

The DOJ’s expectations are also heightened with respect to risk assessments. The DOJ stated that it will now assess whether the organization’s periodic risk assessment is “limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions.”14

On its face, the language suggests that it may be imprudent for the compliance program to be rigidly fixed to the results of a static, periodic risk assessment. However, organizations often rely on periodic risk assessments for planning purposes, including budgeting, resourcing, testing schedules, etc. Were the DOJ, on the basis of this language, to expect organizations to repeatedly and continually adjust such compliance planning, meeting such an expectation might at times be impractical and inefficient. However, other language in the ECCP points to practical ways to potentially meet this expectation. For example, the DOJ emphasizes the importance of having a process to track and incorporate lessons learned into the risk assessment, and the ECCP also emphasizes post-M&A integration.

Steps to consider: Organizations should consider how changes in their business impact their risk assessment by incorporating lessons learned from investigations, whistleblower reports, M&A activity, and other internal and external events. Organizations facing relatively greater risks, and those with sufficient resources and more mature compliance programs, may want to consider tracking key risk metrics with existing data between periodic risk assessments, to identify potential spikes in risk. For example, if a key distributor were to start winning government tenders at a disproportionate rate compared to its historical rate, or suddenly qualify for substantially greater discounts or margins, a programmed alert based on real-time data could flag a potential problem well before it might otherwise be detected.

Increasing emphasis on structure, autonomy, and resources

Both the ECCP and the Resource Guide emphasize a compliance program’s structure, autonomy, and resources, and both the DOJ and the SEC pair the foundational question of whether the company is applying the compliance program “in good faith” with the question of whether “the program is adequately resourced and empowered to function effectively.”15

In addition, the ECCP explicitly states that the DOJ will seek to understand “why the company has chosen to set up the compliance program the way that it has” and “the reasons for the structural choices the company has made.”16 The DOJ will also want to know “how the company’s compliance program has evolved over time.”17

Also, on the subject of structure, the DOJ will now assess whether compliance and control personnel face impediments that “limit access to relevant sources of data”18 for monitoring and testing. This could potentially pose issues for the many organizations that divide oversight and control responsibilities among various groups (e.g., compliance, legal, HR, procurement, finance, and other functions).

Steps to consider: Organizations should strongly consider documenting the evolution of their respective compliance programs, including changes made and the reasons for the changes.i This effort will be worthwhile if the need to present to the DOJ were ever to arise. Even with a formal system to document the program’s evolution, it can be challenging to effectively demonstrate in a compliance presentation – often years later – the good faith efforts undertaken by the compliance team to improve the program. Without such a system, it is far more difficult.

i To the extent that there may be privilege or waiver issues that arise as a result, please consult with counsel.

Regarding structural impediments to the access and use of data for monitoring and testing, organizations that divide risk- and control-related responsibilities among various functions and units should take steps to break down the silos among those groups, particularly those that could limit effective use of relevant data for testing, monitoring, and program improvements, and to foster appropriate data access and sharing with compliance and relevant control personnel.

Tailored training modules

The updated ECCP also contains key language regarding training programs.

First, the DOJ continues to emphasize tailored training, and will ask organizations if they have invested in further training and development of compliance and other control personnel. This is consistent with prior updates to the ECCP emphasizing the importance of tailored training for control functions and high-risk employees.

Second, the DOJ has provided additional insight into what it considers effective training. More specifically, it will evaluate “the extent to which the training has an impact on employee behavior or operations.”19 Additionally, the DOJ wants to see training that “enable[s] employees to timely identify and raise issues to appropriate [control] functions,”20 as well as a “process by which employees can ask questions arising out of the trainings.”21

Steps to consider: Consider supplementing training programs with modules geared separately toward control personnel and high-risk employees, taking into consideration the results of the risk assessment. Training should be thoughtful, tailored, and risk-based.

Also, if one is not in place, consider developing a process by which employees can raise issues to control functions and ask questions arising from trainings. This might include mechanisms for tracking both questions and issues that arise from the trainings and also modifying future trainings accordingly.

Third, companies would do well to consider ways of measuring the impact of training. For example, an independent assessment of the compliance team can include re-examination of due diligence reports to ascertain whether team members properly identified red flags and recommended appropriate remediation. If this assessment reveals a significant error rate, enhanced training for team members can follow, with a later re-examination of the team’s handling of due diligence reports. The objective would be substantial improvement (via a lowering of the error rate) in the follow-up assessment of the team’s review of new due diligence files.

Another example might be targeted training for salespeople on gifts, travel, and entertainment if an audit were to discover numerous instances of fraud, waste, or abuse – with follow-up assessments to ascertain whether the exception rate decreased. Such assessments may demonstrate the areas where enhanced training might be needed initially, as well as where such training resulted in an impact on employee behavior and operations in a manner that improves the compliance program.
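The “programmed alert based on real-time data” mentioned under risk assessments above (a distributor that suddenly wins government tenders at a disproportionate rate, or qualifies for much larger discounts) is, in practice, a per-third-party anomaly check run over transactional data between periodic risk assessments. The following is an added example in Python and is not part of the Deloitte paper; it assumes a simple per-period feed of tender counts and discount levels per distributor. The distributor names, figures, and the alert thresholds are constructed for illustration and would need to be set from an organization’s own data.

```python
"""Continuous-monitoring alert over distributor (third-party) risk metrics.

Added example, not from the Deloitte paper. Flags a distributor whose latest
period departs sharply from its own history on either of two metrics:
tender win rate and negotiated discount. All records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import comb


@dataclass(frozen=True)
class PeriodRecord:
    distributor: str
    period: str          # sortable label such as "2020Q3" (assumed feed format)
    tenders_bid: int     # government tenders the distributor bid on this period
    tenders_won: int     # of those, tenders it won
    discount_pct: float  # discount or margin granted to it this period


def binomial_tail(k: int, n: int, p: float) -> float:
    """Exact one-sided P[X >= k] for X ~ Binomial(n, p); avoids a scipy dependency."""
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    return sum(comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k, n + 1))


def evaluate_latest(history, latest, *, alpha=0.01, min_bids=5, discount_jump_pts=5.0):
    """Compare `latest` against the same distributor's prior periods.

    Returns a list of (code, message) alerts:
      win_rate  - the latest win count is improbable under the historical win
                  rate (exact binomial upper tail below `alpha`)
      discount  - the latest discount exceeds the historical maximum by more
                  than `discount_jump_pts` percentage points
    alpha, min_bids and discount_jump_pts are illustrative assumptions.
    """
    alerts = []
    bids = sum(r.tenders_bid for r in history)
    wins = sum(r.tenders_won for r in history)
    # Laplace smoothing keeps the baseline strictly between 0 and 1, so a distributor
    # with no wins (or only wins) on record does not produce a degenerate tail.
    baseline = (wins + 1) / (bids + 2)
    # Gate on a minimum bid count: a 2-for-2 quarter is not evidence of anything.
    if bids > 0 and latest.tenders_bid >= min_bids:
        tail = binomial_tail(latest.tenders_won, latest.tenders_bid, baseline)
        if tail < alpha:
            alerts.append(("win_rate",
                           f"{latest.distributor} {latest.period}: won "
                           f"{latest.tenders_won}/{latest.tenders_bid} vs baseline "
                           f"{baseline:.0%} (p={tail:.2e})"))
    if history:
        hist_max = max(r.discount_pct for r in history)
        if latest.discount_pct - hist_max > discount_jump_pts:
            alerts.append(("discount",
                           f"{latest.distributor} {latest.period}: discount "
                           f"{latest.discount_pct:.1f}% vs prior max {hist_max:.1f}%"))
    return alerts


def scan(records):
    """Group by distributor, treat the newest period as `latest`, return {name: alerts}."""
    by_dist = defaultdict(list)
    for r in records:
        by_dist[r.distributor].append(r)
    results = {}
    for name, recs in by_dist.items():
        recs.sort(key=lambda r: r.period)  # "YYYYQn" labels sort correctly as strings
        if len(recs) < 2:
            continue  # nothing to compare against yet
        results[name] = evaluate_latest(recs[:-1], recs[-1])
    return results


# Constructed sample feed: four quiet quarters per distributor, then a new quarter.
QUARTERS = ("2019Q3", "2019Q4", "2020Q1", "2020Q2")
SAMPLE = [
    *[PeriodRecord("DIST-A", q, 20, 4, 10.0) for q in QUARTERS],
    PeriodRecord("DIST-A", "2020Q3", 20, 12, 18.0),  # wins and discount both spike
    *[PeriodRecord("DIST-B", q, 20, 4, 10.0) for q in QUARTERS],
    PeriodRecord("DIST-B", "2020Q3", 20, 5, 10.5),   # within normal variation
    PeriodRecord("DIST-C", "2020Q3", 3, 3, 12.0),    # first period on record: skipped
]

if __name__ == "__main__":
    for name, alerts in scan(SAMPLE).items():
        for code, msg in alerts:
            print(f"[{code}] {msg}")
```

Two design points matter for a check like this. An exact binomial tail, rather than a simple “win rate doubled” rule, keeps small bid counts from generating noise, and the `min_bids` gate makes that explicit. Secondly, an alert here is a trigger for a documented review of the relationship (and, where warranted, an investigation), not a finding in itself; the thresholds belong in the program’s documented rationale so that the choice can be explained later.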

Confidential reporting

Consistent with a key theme of the updated guidance documents, the DOJ’s ECCP provides additional context as to what constitutes effective confidential reporting mechanisms such as whistleblower hotlines. The DOJ will ask whether companies “periodically test the effectiveness of the hotline, for example by tracking a report from start to finish.”22 The DOJ also views effective hotlines as ones where “employees are aware of the hotline and feel comfortable using it”23 and wants to see organizations taking measures to test this.

In one final change, the DOJ calls for publicizing the reporting mechanism, not just to company employees but to “other third parties.”24

Steps to consider: Organizations should consider conducting periodic testing of whistleblower mechanisms, such as hotlines, as part of the overall risk-based testing of compliance programs. Today, many organizations have some level of testing with a specific focus on entity-level controls (ELCs). The updated guidance further emphasizes the need for an effective hotline mechanism and program. Further, in an effort to ascertain employees’ and other potential users’ views of those mechanisms, it may be useful to use anonymous surveys to assess employee awareness, comfort, and concerns about use of the hotline, their trust in the investigation process, and any potential retaliation. It might also be useful to assess whether reports are coming in, proportionately, from all areas of the business and countries of operation.

M&A activity

Both the DOJ and the SEC have emphasized post-M&A integration of the acquired entity into existing compliance program structures and internal controls. More specifically, the Resource Guide adds language recognizing the importance of M&A activity generally and of the acquiring entity having “a robust compliance program in place and implement[ing] that program as quickly as practicable at the merged or acquired entity.”25 The DOJ also stresses the need for a “process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls,” as well as “post-acquisition audits.”26

Both agencies recognize that pre-M&A due diligence may not always be possible. Nevertheless, the DOJ will want to know “if not, why not?”27 Furthermore, “[i]n such instances, the agencies will look to the timeliness and thoroughness of the … post-acquisition due diligence and compliance integration efforts.”28

Steps to consider: While business units traditionally focus on enhancing efficiencies and otherwise integrating mergers and acquisitions operationally, legacy operations remain one of the more significant anti-corruption risks. Understanding the risks you may be inheriting through proper due diligence (pre- and post-transaction), risk assessments, and compliance testing and auditing, as well as thorough risk-based compliance integration, is not just critical for reducing such risks; it is also important to meet the expectations of the DOJ and the SEC.

Third-party programs

Consistent with the changes relating to M&A activity, the DOJ updated its third-party program analysis in the ECCP. Instead of focusing primarily on due diligence, that analysis will examine whether companies “engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process.”29 As a result, ongoing monitoring, through such mechanisms as renewal procedures and a risk-based third-party audit program, has increased in importance, particularly for higher-risk third parties.

Steps to consider: Examine whether third-party and extended enterprise risk management programs are in place and being implemented, with proper documentation of activities. As the ECCP indicates, while third-party onboarding may often be rigorous, monitoring practices are often less so. Ascertain the soundness of procedures and controls and whether they are operating effectively across the entire lifecycle of relationships, and consider potential enhancements as appropriate. Organizations should also consider their ability to obtain and analyze transactional data related to third parties as part of their ongoing monitoring. While this has been a recommended practice, it is now backed with additional language in the updated ECCP.

Adequate internal controls versus an effective compliance program

The DOJ and SEC clarified in the Resource Guide that effective compliance programs are not synonymous with, nor even critical components of, a company’s internal financial controls. Both agencies now assert that effective compliance programs “reinforce” internal financial controls.30

The agencies do, however, see the two as having similarities. For example, both “must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree which it has operations in countries with a high risk of corruption.”31 Also, both must “be tailored to the risks specific to [the company’s] operations.”32 However, there’s nothing in this new language that suggests that certain compliance program elements, such as payment controls relating to high-risk third parties, would not be viewed by the SEC as critical to adequate internal controls.

Steps to consider: Companies should still strive for effective compliance programs. Of course, having an effective compliance program comes with its own rewards. Not only might an effective compliance program enable a company to negotiate a more favorable resolution with the regulators when facing an enforcement action,33 but – more importantly – it potentially avoids such a risk altogether through the deterrence, detection, and prevention that effective compliance programs afford. Further, an effective program can continue to support a culture of compliance and a level of trust within the organization – two critical factors in today’s environment.

Thus, consider gauging the extent to which your organization’s internal controls over financial reporting (ICFR) are geared to the risks of corruption, fraud, waste, and abuse that attend your business, operations, and locations. Carefully consider the extent to which your ICFR may overlap with effective compliance program elements and reap potential efficiencies through avoidance of potential gaps and duplicative or redundant processes.

Effectiveness is the goal

In light of the DOJ’s ECCP and the Resource Guide issued by the DOJ and the SEC, it may now be more important than ever to develop meaningful, risk-based testing of the effectiveness of your compliance program and incorporate lessons learned as part of the process of continuous improvement. As part of that mission, it is also key to take steps so that compliance and control personnel have the necessary access to the relevant data.

Contacts

Matthew Queler, Principal | Deloitte Financial Advisory Services LLP | 202.220.2156

Holly Tucker, Partner | Deloitte Financial Advisory Services LLP

Jessica Raskin, Managing Director | Deloitte Financial Advisory Services LLP


This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Copyright © 2020 Deloitte Development LLC. All rights reserved.


Endnotes

The endnotes in the text of this document reference the following published versions of the ECCP and the Resource Guide: ECCP: US Department of Justice Criminal Division, Evaluation of Corporate Compliance Programs (Updated June 2020) <https://www.justice.gov/criminal-fraud/page/file/937501/download>; Resource Guide: A Resource Guide to the US Foreign Corrupt Practices Act, Second Edition, July 2020.

1. US Department of Justice, Criminal Division, “Evaluation of Corporate Compliance Programs, Guidance Document,” June 2020 (updated). https://www.justice.gov/criminal-fraud/page/file/937501/download.
2. Department of Justice, Criminal Division, and US Securities and Exchange Commission, “A Resource Guide to the U.S. Foreign Corrupt Practices Act,” Second Edition – July 2020. https://www.justice.gov/criminal-fraud/file/1292051/download.
3. Resource Guide pg. 57.
4. Ibid. pg. 57.
5. Ibid. pg. 66.
6. ECCP pg. 12.
7. Ibid. pg. 12.
8. Ibid. at 5-9, 13-18.
9. Ibid. pg. 16.
10. Ibid. pg. 2.
11. Resource Guide pg. 67.
12. ECCP pg. 13.
13. Ibid. pg. 17.
14. Ibid. pg. 3.
15. Resource Guide pg. 57.
16. ECCP pg. 2.
17. Ibid. pg. 2.
18. Ibid. pg. 12.
19. Ibid. pg. 6.
20. Ibid. pg. 5.
21. Ibid. pg. 5.
22. Ibid. pg. 7.
23. Ibid. pg. 6.
24. Ibid. pg. 6.
25. Resource Guide pg. 29.
26. ECCP pg. 9.
27. Ibid. pg. 9.
28. Resource Guide pg. 29.
29. ECCP pg. 8.
30. Resource Guide pg. 56.
31. Ibid. pg. 40-41.
32. Ibid. pg. 41.
33. See ECCP pg. 1. An effective compliance program remains one factor that is evaluated under the DOJ’s “Principles of Federal Prosecution of Business Organizations” (e.g., with respect to “(1) the form of resolution or prosecution, if any; (2) the monetary penalty, if any; and (3) the compliance obligations to be included in any corporate criminal resolution (e.g., monitorship or reporting obligations).” Ibid. (citing Department of Justice, Justice Manual § 9-28.300); see also Department of Justice, FCPA Corporate Enforcement Policy <https://www.justice.gov/criminal-fraud/file/838416/download>.