This article is part 4 in a series on remediation. Read part 1 on Root Cause Analysis here, part 2 on Read Across and Remediation here, and part 3 on Corrective Action Plans here.
Organizations seeking credit for “timely and appropriate” remediation under the DOJ’s Corporate Enforcement Policy (“CEP”) must show they conducted a comprehensive root cause analysis, addressed the root cause findings, and implemented an effective compliance program.[1] Additional guidance on DOJ expectations appears in Criminal Division memos on the evaluation of compliance programs,[2] and the selection of corporate compliance monitors.[3] The SEC has similar expectations.[4]
Building on our discussion of Root Cause Analysis (“RCA”), Similar Misconduct, and Timely and Effective Corrective Action Plans, this article suggests key steps to demonstrate the remediation and compliance program effectiveness to the board, prosecutors, regulators and other stakeholders.
Planning. Communication of remediation efforts and compliance enhancements benefits from early planning, real-time documentation, credible individuals, and separate fact-finding and remediation workstreams.
- When. Commence planning as soon as the internal or government investigation makes it apparent that the organization will need to demonstrate that it remediated alleged misconduct or compliance violations to the government, board, market or other stakeholders. The DOJ prioritizes completing and testing remediation before resolution. In the Glencore FCPA prosecution, the DOJ imposed a monitor despite the company’s extensive remedial measures because the compliance enhancements were not fully implemented and tested.[5] Conversely, the DOJ has declined prosecution of organizations that completed and tested remediation before resolution.[6]
- Who. Think about who will educate stakeholders on the organization’s program. Who will explain the organization’s RCA, corrective action plan and enhanced compliance program and controls? Organizations often retain compliance consultants, sometimes called “voluntary monitors,”[7] to demonstrate remediation and compliance program effectiveness. In a recent deferred prosecution, the DOJ noted a third-party advisor’s evaluation of the company’s compliance program in awarding the company credit under the CEP and settling on a discount of approximately 15 percent off the bottom of the U.S. Sentencing Guidelines fine range.
- What. Identify the evidence and artifacts the organization plans to use to demonstrate remediation effectiveness.[8] The DOJ and SEC guidance is necessarily general because the Government recognizes that remediation and compliance are not a “one-size-fits-all” process. For example, organizations subject to DOJ scrutiny must demonstrate a “culture of compliance,” which includes soft controls and can be challenging to prove. It will be easier to show that the organization meets expectations by defining early on the benchmarks and criteria to measure remediation and compliance effectiveness.
- How. Gather evidence contemporaneously. Take the RCA, for example. Documenting the organization’s process and findings in real-time is far more effective and cheaper than reconstructing them after the fact. Consider separate, counsel-led remediation and investigation workstreams. Lawyers naturally focus on fact-finding. A separate remediation workstream ensures that the organization and counsel place sufficient attention on remediation and enables the remediation team to avoid the distraction of the investigation. It also helps the company and external counsel protect sensitive issues that may arise during the remediation, including communications among and between the remediation and investigation teams.
Pre-Settlement Certifications, Opinions, and Expert Reports can be powerful for demonstrating the effectiveness of remedial measures, compliance programs, and control suites, and can carry equal, if not greater, weight than post-settlement certifications.
- Independent Third-Party, Company Representative or Both. Options include independent third parties, senior management, the board of directors, the Chief Compliance Officer (“CCO”), and the internal audit director.
- Compliance Programs and Compliance Controls. Organizations must prove the effectiveness of their overall ethics and compliance program and the policies, processes and controls they rely on to mitigate the recurrence of the conduct that gave rise to the investigation. Certifications, opinions and expert reports can be used for both. For example, an independent third party can issue an expert report akin to an audit opinion confirming the effectiveness of enhanced controls.
- Evidence-Based. Certifications, opinions, and expert reports must be grounded in established criteria or frameworks and supported by credible evidence, providing a solid foundation for the conclusions drawn.
Testing Compliance Programs and Compliance Controls requires forensic audit and investigation skills, knowledge, and experience in risks and controls.
- Independence. The testing function must be independent—it cannot serve as an advocate or review its own work. For example, the CCO lacks the independence to evaluate and test the compliance program and controls the compliance function developed or implemented. Likewise, it would impair the independence of internal or external counsel to conduct testing.
- Conflicts of Interest. The testing function cannot be subordinate to the function, department or business under evaluation. A conflict of interest would arise, for example, if an internal audit simultaneously tested compliance controls and reported to the CCO.
- Testing the Compliance Program differs fundamentally from testing controls. Compliance program testing considers entity-wide issues and activities, such as the corporate culture, risk assessment, technology, compliance and internal audit functions, and incident response and remediation. For testing, the organization and evaluator must first agree on the compliance program elements and then on the assessment criteria and benchmarks. The testing process applies standard audit procedures to assess the design[9] and validate the operating effectiveness[10] against the agreed-upon criteria and benchmarks.
- Compliance Controls Testing pertains to the key policies, processes and controls (“controls suite”) the organization relies upon to prevent and timely detect breaches of the laws and regulations in the investigation. Testing assesses whether the controls suite adequately mitigates legal and regulatory risks. Broadly summarized, the process entails (1) setting risk appetite; (2) selecting applicable laws and regulations; (3) identifying breach scenarios; (4) linking the scenarios to the controls suite; (5) linking risks to mitigating policies, processes and controls; (6) auditing controls suite design effectiveness; (7) auditing operating effectiveness, assuring that the controls suite is found to be effective; and (8) identifying deficiencies, significant deficiencies or material weaknesses.
Assessment and Reporting. There is no single method for reporting the results of compliance program and compliance control testing. The DOJ uses certifications in its settlement agreements. Monitors, for example, must “certify whether the Defendant’s Compliance Programs, including its policies and procedures, are reasonably designed and implemented to prevent and detect violations of laws” and regulations giving rise to the settlement.[11] For audits of internal controls over financial reporting, the Public Company Accounting Oversight Board (“PCAOB”) requires auditors to issue an “opinion on whether the company maintained, in all material respects, effective internal control over financial reporting.”[12] The auditor can issue that opinion if there are no “material weaknesses,” which the PCAOB defines as a “deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis” (emphasis in the original).[13] A reasonable possibility is a likelihood that is “reasonably possible” or “probable.”[14] The PCAOB also requires the auditor to provide the basis of the opinion.[15]
We recommend adapting the PCAOB approach. For compliance programs, we regard a certification that the program is “reasonably designed and implemented” as an opinion that the compliance program and controls are free of a deficiency, or a combination of deficiencies, such that there is a reasonable possibility that a material violation of the laws at issue in the investigation will not be prevented or detected on a timely basis.
* * *
Demonstrating effective remediation requires a multifaceted approach that includes detailed planning, real-time documentation, and independent testing of compliance programs. Organizations should start planning once they identify compliance issues, ensuring that credible individuals document remediation efforts contemporaneously and communicate them. Independent testing of compliance programs and controls, free from conflicts of interest, further supports demonstrating effectiveness. By following these steps, organizations can effectively show their commitment to compliance and remediation, meeting the expectations of the DOJ, SEC, and other stakeholders.
[1] DOJ, Criminal Division, Corporate Enforcement and Voluntary Self-Disclosure Policy ¶5(c) (2023) https://www.justice.gov/criminal-fraud/file/1562831/download.
[2] DOJ, Criminal Division, Evaluation of Corporate Compliance Programs (2023) (“ECCP”) https://www.justice.gov/criminal-fraud/page/file/937501/download.
[3] DOJ, Criminal Division, Revised Memorandum on Selection of Monitors in Criminal Division Matters (2023) https://www.justice.gov/criminal/criminal-fraud/file/1100366/dl.
[4] SEC, Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions (2001) https://www.sec.gov/litigation/investreport/34-44969.htm; see generally G. Grewal, “The Five Principles of Effective Cooperation in SEC Investigations,” Remarks at Securities Enforcement Forum West 2024 (2024) https://www.sec.gov/news/speech/grewal-remarks-securities-enforcement-forum-west-052324.
[5] Plea Agreement 7, U.S. v. Glencore International A.G. (S.D.N.Y. 2022) https://www.justice.gov/usao-sdny/press-release/file/1508166/dl.
[6] See DOJ, Criminal Division, CEP Declinations (2024) https://www.justice.gov/criminal/criminal-fraud/corporate-enforcement-policy/declinations.
[7] See R. Mokhiber, StoneTurn Partner Jonny Frank on the Rise of the Voluntary Monitor, Corporate Crime Reporter (May 2024) https://www.corporatecrimereporter.com/news/200/stoneturn-partner-jonny-frank-on-the-rise-of-the-voluntary-monitor/; see generally J. Frank et al., Are Voluntary Monitors the Key to Mitigating COVID-19-Related Misconduct Risks? NYU Law School Program on Corporate Compliance and Enforcement (2020) https://wp.nyu.edu/compliance_enforcement/2020/09/04/are-voluntary-monitors-the-key-to-mitigating-covid-19-related-misconduct-risks/.
[8] See generally Deferred Prosecution Agreement 5, U.S. v. ABB Ltd., 22 CR. 220 (E.D. Va. 2022) (recognizing recidivist’s “extensive remedial measure” and “root cause analysis” in explaining DPA) https://www.justice.gov/d9/press-releases/attachments/2022/12/06/16_2022.12.02_abb_ltd._dpa_508_compliant_1_0.pdf.
[9] Design effectiveness assesses whether the policies, processes and controls, assuming they operate effectively, meet the objectives. Design effectiveness also considers vulnerability to collusion, management override or other circumvention.
[10] Operating effectiveness tests how the compliance program elements work in practice, including the competency and authority of the persons responsible and involved in carrying out the processes.
[11] See, e.g., Plea Agreement, Attachment D, U.S. v. Binance, 23 Cr. 178 (W.D.Wash. 2023). For management, the settlement agreements typically require the CEO and CCO to certify that the “compliance programs are reasonably and effectively designed to detect and prevent” violations of the laws and regulations at issue in the settlement. Id. at Attachment D. The DOJ has not explained why management certifies that the compliance programs are “reasonably and effectively designed” and monitors certify that they are “reasonably designed and implemented.” From an auditor’s perspective, the difference is that management’s certification would cover only design effectiveness, while the monitor’s certification encompasses both design and operational effectiveness. However, there is no reason why DOJ would expect a lower standard from management than the monitor.
[12] PCAOB, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, Reporting on Internal Control, Auditing Standard 2201, ¶85(c) (2007) https://pcaobus.org/oversight/standards/auditing-standards/details/AS2201.
[13] Id. at ¶A7. The PCAOB defines “deficiency” as “when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.” Id. at ¶A3. The PCAOB defines “significant deficiency” as a “deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting.” Id. at ¶A11.
[14] Id.
[15] Id. at ¶85(d).