Subscribe to access world-class global resources and education: Subscribe
Subscribe to access world-class global resources and education: Subscribe


Operationalizing Compliance Programs

By Thomas R. Fox


In February 2017, the U.S. Department of Justice (DOJ) quietly released a document titled Evaluation of Corporate Compliance Programs (the “Evaluation”) on its Fraud Section website. The document is an 11-part list of questions that encapsulates the DOJ’s current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every Foreign Corrupt Practices Act (FCPA) compliance practitioner.

The Evaluation generally follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one overriding theme in the Evaluation, it is the DOJ’s emphasis on operationalization of compliance, as the questions posed are designed to test how far down your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks. It clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3 Remediation. It is likely that DOJ Compliance Counsel Hui Chen not only helped the DOJ to understand what constitutes an effective compliance program but also provided solid information to the greater compliance community on this score.

It is through this list of questions the DOJ will consider if a company has an effective anti-corruption compliance program. This inquiry is critical because if the DOJ makes such a determination, a company may fully escape all liability, even if it has sustained an FCPA violation. At the very least, it may lead to the company receiving a significant discount if a fine or penalty is warranted. The Evaluation states that it provides “common questions that we [the DOJ] may ask in making an individualized determination. This document provides some important topics and sample questions that the Fraud Section has frequently found relevant in evaluating a corporate compliance program. The topics and questions below form neither a checklist nor a formula. In any particular case, the topics and questions set forth below may not all be relevant, and others may be more salient given the particular facts at issue.”

Let’s look a bit deeper into how the Evaluation plays a role in the operationalization of your global corporate compliance program.

Global Payroll—Compliance in Action

For the global payroll specialist, there is a significant role in the operationalization of your corporate compliance program, found in Prong 4, titled “Operational Integration,” which includes who is responsible for integrating your policies and procedures throughout your organization, what internal controls are in place, specific inquiries into the role of the company payment system in any FCPA violation, and how oversight is dedicated in your organization. The questions posed are:

Payment Systems

  1. How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)?
  2. What processes could have prevented or detected improper access to these funds? Have those processes been improved?

This is immediately followed by an equally important set of questions:

Approval/Certification Process

  1. How have those with approval authority or certification responsibilities in the processes relevant to the misconduct known what to look for, and when and how to escalate concerns?
  2. What steps have been taken to remedy any failures identified in this process?

Finally, the questions around payment systems are preceded by the following:


  1. What controls failed or were absent that would have detected or prevented the misconduct?
  2. Are they there now?

Taken together, these three groups of questions may not seem particularly new, innovative, or even something different from what global payroll currently does for an organization. However, the DOJ Evaluation, with its emphasis on the operationalization of a corporate compliance program, clearly demonstrates the role of global payroll in compliance. The Evaluation requires that global payroll not only form a part of any best practices compliance program, but when it comes to the specific subject matter expertise, global payroll is on the front lines of any attempts to prevent, detect, and then remediate FCPA compliance violations.

The FCPA prohibits “anything of value” from being provided to foreign government officials or employees of state-owned enterprises in order to obtain or retain business.


This “anything of value” is almost always money—and that money must come from somewhere inside the company. While the U.S. Watergate presidential scandal intonation to “follow the money” certainly continues to be valid in any FCPA issue, the DOJ Evaluation speaks in much more depth around global payroll’s responsibility in a corporate compliance program. Demonstrable controls must be in place that not only detect fraudulent payments but would work to prevent any such payments as well.

Tasking Global Payroll to Prevent Fraudulent Activities

When the three inquiries are read together, they paint a broader picture than one of simply tasking global payroll with the responsibility to prevent fraudulent leakage of money that could be used to fund bribes. The questions around the approval/certification process should be a standard part of any payroll system. This has the effect of operationalizing the responsibility up and down the management chain from individual employees up through their manager(s), and eventually to the highest level of management involved in the process. This level of operationalization is designed to not only put a set of brakes in place but also work to put a second set of eyes on the entire payroll process.

The Remediation Prong—Root Cause Analysis

Finally, the questions following the payment systems questions speak to the remediation prong of any best practices compliance program. If a global payroll control failure led to or even allowed an FCPA compliance violation, what was done to fix the control issue? Here global payroll should work to perform a root cause analysis of what led to the control failure and then enhance or upgrade the control to provide a solution going forward. Of course, there should be a fully documented audit trail for this work to provide to the government should it ever come knocking, or even to your own corporate auditors.

The DOJ has now provided its clearest statement on how it expects a company to actually do compliance going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from FCPA violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process that should be best administered by the appropriate business unit with the requisite subject matter expertise. When it comes to following the money, global payroll is the most well-suited corporate discipline to provide this first level of oversight and controls.