has taken steps to make certain that the code of conduct
remains current and effective and whether a company has
periodically reviewed and updated its code.
Whether a company has policies and procedures that
outline responsibilities for compliance within the company,
detail proper internal controls, auditing practices, and
documentation policies, and set forth disciplinary procedures
will also be considered by DOJ and SEC. These types of
policies and procedures will depend on the size and nature
of the business and the risks associated with the business.
Effective policies and procedures require an in-depth
understanding of the company’s business model, including
its products and services, third-party agents, customers,
government interactions, and industry and geographic
risks. Among the risks that a company may need to address
are the nature and extent of transactions with foreign
governments, including payments to foreign officials; use
of third parties; gifts, travel, and entertainment expenses;
charitable and political donations; and facilitating and
expediting payments. For example, some companies with
global operations have created web-based approval processes
to review and approve routine gifts, travel, and entertainment
involving foreign officials and private customers
with clear monetary limits and annual limitations. Many of
these systems have built-in flexibility so that senior management,
or in-house legal counsel, can be apprised of and, in
appropriate circumstances, approve unique requests. These
types of systems can be a good way to conserve corporate
resources while, if properly implemented, preventing and
detecting potential FCPA violations.
Regardless of the specific policies and procedures
implemented, these standards should apply to personnel at
all levels of the company.
Oversight, Autonomy, and Resources
In appraising a compliance program, DOJ and SEC
also consider whether a company has assigned responsibility
for the oversight and implementation of a company’s
compliance program to one or more specific senior
executives within an organization. Those individuals
must have appropriate authority within the organization,
adequate autonomy from management, and sufficient
resources to ensure that the company’s compliance program
is implemented effectively. Adequate autonomy generally
includes direct access to an organization’s governing
authority, such as the board of directors and committees
of the board of directors (e.g., the audit committee).
Depending on the size and structure of an organization,
it may be appropriate for day-to-day operational responsibility
to be delegated to other specific individuals within
a company. DOJ and SEC recognize that the reporting
structure will depend on the size and complexity of an
organization. Moreover, the amount of resources devoted
to compliance will depend on the company’s size, complexity,
industry, geographical reach, and risks associated with
the business. In assessing whether a company has reasonable
internal controls, DOJ and SEC typically consider whether
the company devoted adequate staffing and resources to the
compliance program given the size, structure, and risk profile
of the business.
Risk Assessment
Assessment of risk is fundamental to developing a
strong compliance program, and is another factor DOJ
and SEC evaluate when assessing a company’s compliance
program. One-size-fits-all compliance programs are
generally ill-conceived and ineffective because resources
inevitably are spread too thin, with too much focus on
low-risk markets and transactions to the detriment of high-risk
areas. Devoting a disproportionate amount of time policing
modest entertainment and gift-giving instead of focusing
on large government bids, questionable payments to
third-party consultants, or excessive discounts to resellers
and distributors may indicate that a company’s compliance
program is ineffective. A $50 million contract with a
government agency in a high-risk country warrants greater
HOUSE_OVERSIGHT_022560