Evaluation of the U.

S Department of Justice (the “DOJ”)

Corporate Compliance ​Programs

On February 2017, the Fraud Section of the U.S. Department of Justice (the “DOJ”)
published a guide for companies called “Evaluation of Corporate Compliance Programs”
(the “Guidance”), also explained in section IV. The Guidance is composed of common
questions that the DOJ asks when evaluating any company compliance program. The
content in this Guidance is also explained in Chapter 8 about how the U.S government
decide the punishments including also conciliations from FCPA from recent years. The
most recent guide stresses its contents around companies that gather and analyze data
in their systems that evaluate their effectiveness. The Guidance also provides a useful
roadmap to the company and its lawyer when the DOJ is involved in any kind of
inspection, for example, how to apply a law or the conditions required to achieve any
conciliation.

The Guidance focuses on the following points:

1. Analysis and Remediation of Underlying Misconduct

During the course of an investigation, the DOJ will look through audit reports,
complaints, and prior investigations of similar misconduct for any missed prior
opportunities to detect the misconduct. Companies should have a system in place to
expose vulnerabilities and implement corrective measures to reduce the risk of repeat
misconduct.

2. Senior and Middle Management

The Compliance Guideline reiterates that compliance starts at the top and the DOJ will
look to whether management properly sets the tone for the company. Additionally, if it
is shared responsibility in relation to the different levels of the company and board of
directors supervision.

3. Autonomy and Resources

A company will want to make sure compliance personnel are independent, have the
appropriate experience and qualifications for their role and responsibilities, maintain a
level of stature that is comparable to other departments within the company, have
access to key decision-makers such as the board of directors, are evaluated by
appropriate senior management, and play a role in the company’s strategic and
operational decisions.

4. Policies and Procedures

This point is divided into two main parts: (a) Design and access and (b) Operational
integration. The questions related in part (a) are around the design, implementation,
guidance, and access to the policies and procedures around the company compliance
program. The questions related to part (b) identifies who is responsible to apply the
policies and procedures, the controls that failed or were absent that could have avoided
improper conduct, the improper financing conduct channels, the process and
certifications related to the improper conduct, the company suppliers management
system if the suppliers were involved in improper conduct.

5. Risk Assessment

It addresses risks for misconduct within the company, the information the company has
gathered and analyzed to detect the improper conduct and how the risk assessment
systems show the manifested risks.
 6. Training and Communications

The DOJ will focus on the type of training provided to employees who work in high-risk
and control positions. Special focus is given in the form, content and effective training,
the corporate communications around compliance. Further, companies must ensure
employees have adequate access to resources that provide guidance on compliance
policies and procedures.

7. Confidential Reporting and Investigation

The DOJ will look at whether the company has implemented an effective reporting
mechanism, the efforts of the company to guarantee the investigations are properly
scoped and handled by qualified people and the company response in the light of the
investigation findings

8. Incentives and Disciplinary Measures

This section concerns about appropriate disciplinary measures implementation upon

identifying misconduct. Also includes the company records related to previous
disciplinary measures to similar behaviors, also the decision makers attitude in relation
to discipline.

In addition to disciplining misconduct, a company should have a process in place to

incentivize good behavior. The DOJ will look for concrete examples of incentives for
compliance and ethical behavior such as promotions and rewards.

9. Continuous Improvement, Periodic Testing, and Review

This item includes compliance that undergo periodic review and auditing to test controls
and identify system vulnerabilities. Additionally, compliance policies, procedures, and
practices will need to be periodically reviewed and risk assessments will need to be
continuously updated.

10. Third-Party Management

When relying on third parties outside of a company’s control, the company will want to
implement a risk-based process to manage those third parties. Due diligence on third
parties must be conducted to identify red flags and the company will need a process to
identify and monitor compliance issues, and the proper follow-ups.

11. Mergers and Acquisitions

The last section is around Mergers and acquisitions must undergo a due diligence
process to identify misconduct or the risk of misconduct. Further, the company will
need a process for implementing their compliance policies and procedures at the new
entity.