In recent Department of Justice (DOJ) plea agreements and Securities Exchange Commission (SEC) orders, the government required CEOs and CCOs to certify the company’s ethics and compliance program effectiveness, specifically related to the misconduct at hand. Against this backdrop, in an article for SCCE’s CEP Magazine, Jonny Frank and Kat Nolan highlight why compliance program attestations provide benefits beyond satisfying government authorities. Additionally, they share ways Sarbanes ICFR management assertions and auditor opinions can be leveraged when issuing compliance program certifications.
Relevant Takeaways Include:
- Post-Settlement. Compliance program certification became a hot topic when DOJ implanted a policy requiring CEO and CCO certifications in all corporate settlements. The SEC asks for similar assurance. as do European-headquartered Management Supervisory Boards.
- Pre-Settlement. Compliance program certifications are an underutilized tool pre-settlement. A company or third-party certification pre-settlement would position the company for significantly lower penalties and no government-imposed monitor. (Further insights on this can be found in an article for Corporate Compliance Insights.)
- Boards and C-Suite. In Europe, supervisory and management boards often ask the CECO to opine on the compliance program and controls. US CEOs should expect similar requests from Boards and C-Suite seeking to mitigate their legal exposure, protect their reputation, and meet the requirements in the Caremark line of cases.
- Business Benefits. Besides satisfying government expectations, compliance program certifications, if done correctly, it will identify opportunities to cut costs, maximize revenues, safeguard tangible and intangible assets, and enhance in-house counsel and compliance function power and prestige.
- Sarbanes Stepchild. Attesting to compliance program effectiveness parallels Sarbanes certification. Sarbanes concentrates on internal controls over financial reporting; companies can apply the same process to certifying internal controls over compliance.
The article explains how counsel and companies can apply Sarbanes ICFR management assertions and auditor opinions to issue compliance program certifications:
- Select a framework (e.g. COSO)
- Develop the certification criteria (e.g. DOJ ECCP)
- Conduct a scenario-based compliance risk assessment
- Remediate deficiencies
- Implement a sub-certification waterfall
- Perform independent testing
Learn more about the five steps CEOs and CCOs should take, and read the full article in CEP Magazine.
Copyright 2023 CEP Magazine, a publication of the Society of Corporate Compliance and Ethics (SCCE).