U.S. Department of Justice
Criminal Division
Evaluation of Corporate Compliance Programs
(Updated March 2023)
Shared Commitment – What actions have senior leaders and middle-management
stakeholders (e.g., business and operational managers, finance, procurement, legal,
human resources) taken to demonstrate their commitment to compliance or compliance
personnel, including their remediation efforts? Have they persisted in that commitment
in the face of competing interests or business objectives?
Oversight – What compliance expertise has been available on the board of directors?
Have the board of directors and/or external auditors held executive or private sessions
with the compliance and control functions? What types of information have the board
of directors and senior management examined in their exercise of oversight in the area
in which the misconduct occurred?
B. Autonomy and Resources
Effective implementation also requires those charged with a compliance program’s day-
to-day oversight to act with adequate authority and stature. As a threshold matter, prosecutors
should evaluate how the compliance program is structured. Additionally, prosecutors should
address the sufficiency of the personnel and resources within the compliance function, in
particular, whether those responsible for compliance have: (1) sufficient seniority within the
organization; (2) sufficient resources, namely, staff to effectively undertake the requisite auditing,
documentation, and analysis; and (3) sufficient autonomy from management, such as direct access
to the board of directors or the board’s audit committee. The sufficiency of each factor, however,
will depend on the size, structure, and risk profile of the particular company. “A large organization
generally shall devote more formal operations and greater resources . . . than shall a small
organization.” Commentary to U.S.S.G. § 8B2.1 note 2(C). By contrast, “a small organization
may [rely on] less formality and fewer resources.” Id. Regardless, if a compliance program is to
be truly effective, compliance personnel must be empowered within the company.
Prosecutors should evaluate whether internal audit functions [are] conducted at a level
sufficient to ensure their independence and accuracy, as an indicator of whether compliance
personnel are in fact empowered and positioned to effectively detect and prevent misconduct.
Prosecutors should also evaluate “[t]he resources the company has dedicated to compliance,”
“[t]he quality and experience of the personnel involved in compliance, such that they can
understand and identify the transactions and activities that pose a potential risk,” and “[t]he
authority and independence of the compliance function and the availability of compliance
expertise to the board.” JM 9-47.120(2)(c); see also U.S.S.G. § 8B2.1(b)(2)(C) (those with “day-
to-day operational responsibility” shall have “adequate resources, appropriate authority and direct
access to the governing authority or an appropriate subgroup of the governing authority”).
Structure – Where within the company is the compliance function housed (e.g., within
the legal department, under a business function, or as an independent function reporting
to the CEO and/or board)? To whom does the compliance function report? Is the
compliance function run by a designated chief compliance officer, or another executive