On June 1, 2020, the Criminal Division of the U.S. Department of Justice (DOJ) publicized an updated version of its “Evaluation of Corporate Compliance Program” guidance. This is the third version of the document, with the DOJ having issued the guidance in 2017 (which we analyzed here) and revised it in April 2019 (which we analyzed here). This further revision is another reminder of the DOJ’s heightened focus and increasing sophistication regarding evaluating compliance programs during investigations. While the overall structure of the guidance generally remains consistent with the last version, the revisions provide additional insight into the DOJ’s expectations for corporate compliance programs. More specifically, the revisions highlight the importance of an adequately resourced and empowered compliance department, a constantly evolving compliance program based on the company’s current risk profile and relevant compliance issues, and the use of key compliance metrics to test the effectiveness of a compliance program.
On October 16, 2018, the U.S. Securities and Exchange Commission (SEC) took the unusual step of issuing a Report of Investigation cautioning public companies that they should consider cyber threats and related human vulnerabilities when designing and implementing their internal accounting controls. The report is an outgrowth of an investigation conducted by the SEC’s Enforcement Division into whether certain public companies that were victims of cyber fraud complied with the federal securities laws requiring public companies to implement and maintain internal accounting controls. The controls provided by these provisions must be sufficient to provide reasonable assurances that transactions occur (e.g., purchasing equipment), and access to assets is permitted (e.g., checking accounts, warehouses), only in accordance with management’s authorization.