
DoJ Guideline for the Evaluation of Compliance Programs

Must read for compliance officers: Fresh guidance from the US Department of Justice (DoJ) on effective compliance programs.

Moritz Homann

    An update from overseas: This week, the US Department of Justice (DoJ) issued a new version of its guidance document “Evaluation of Corporate Compliance Programs”. With 10 more pages, the new guidelines offer significantly more detail on how prosecutors will evaluate the effectiveness of corporate compliance programs. Given the extraterritorial scope of US regulations like the FCPA, this guidance is relevant for all companies with the slightest link to the US – handling transactions in US dollars might be enough.

    Fundamental Questions & Compliance Frameworks

    The guidance is framed around three ‘fundamental questions’ compliance officers should answer:

    • Is the corporation’s compliance program well designed?
    • Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
    • Does the corporation’s compliance program work in practice?


    As for the design of the compliance program, the DoJ has adjusted the structure to follow common compliance frameworks such as ISO 19600, with the main topics being:

    • Risk Assessment
    • Policies and Procedures
    • Training and Communications
    • Confidential Reporting Structure and Investigation Process (Whistleblowing)
    • Third Party Management
    • Mergers and Acquisitions (M&A)

    All these topics were already part of the guidance’s prior version, but the guidelines now provide a clearer structure and greater insight into the prosecutor’s thinking.

    Reporting Mechanism

    For assessing the effectiveness of the internal whistleblowing system, the DoJ has added:

    Does the company have an anonymous reporting mechanism, and, if not, why not? How is the reporting mechanism publicized to the company’s employees? Has it been used?

    The emphasis on anonymous reporting will challenge corporations that offer only an email address or a phone number for employees to speak up. From an organizational perspective, offering truly anonymous reporting channels is beneficial: studies indicate that companies that offer specialized channels receive more reports, and 59% of reporters choose to report anonymously when that option is available.

    Investigation Process

    In addition to guidance on reporting mechanisms, greater emphasis is placed on the investigation structure. The prosecutors want to see that corporations have well-resourced case management systems and processes that ensure allegations and suspicions of misconduct are thoroughly investigated and lessons are learnt:

    Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weakness?

    Risk Assessment

    For the compliance risk assessment, the DoJ now emphasizes the importance of conducting regular reviews – a best practice approach, since risks and the regulatory landscape are constantly changing. The new section in the guidance document:

    Is the risk assessment current and subject to periodic review? Have there been any updates to policies and procedures in light of lessons learned? Do these updates account for risks discovered through misconduct or other problems with the compliance program?

    Policies and Procedures

    The DoJ made several changes to this topic. At the bare minimum, corporations must demonstrate a robust code of conduct for the whole organization. In addition, the guidance expands on how prosecutors will assess whether policies and procedures are embedded in the organization. For instance, prosecutors should consider whether the policy and procedure system is rooted in the respective risks and regulatory landscape:

    Comprehensiveness – What efforts has the company made to monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape?

    Responsibility for Operational Integration – Who has been responsible for integrating policies and procedures? Have they been rolled out in a way that ensures employees’ understanding of the policies? In what specific ways are compliance policies and procedures reinforced through the company’s internal control systems?

    With its more comprehensive style, the DoJ provides a clearer guideline for companies about what to expect when under investigation by US authorities. Having an effective compliance program in place at the time of misconduct can have a positive effect on the outcome of the prosecution or resolution, as long as the program matches the key requirements outlined in the guide. Therefore, the updated DoJ guide is essential reading for all compliance professionals – regardless of where their companies’ headquarters are located.

    Moritz Homann

    Managing Director Corporate Compliance – EQS Group | Moritz Homann is responsible for the department of Corporate Compliance products at EQS Group. In this function, he oversees the strategic development of digital workflow solutions tailored to meet the needs of Compliance Officers around the world.