Common Elements of U.S. Corporate Compliance Frameworks

Building a comprehensive program to deter noncompliance and manage risks

How much do you really know about your company’s inner operations? How much can you know? If someone in your organization was bribing foreign officials, illegally dumping toxic substances, or falsifying business records, would you know about it before it appeared on federal enforcement radar? If not, a single unscrupulous individual or a small group of conspirators could bring your entire organization down. Given that it’s impossible to oversee every employee action at all times, how do you protect your company from noncompliance that can trigger potentially crushing prosecution? The answer is to implement and maintain a corporate compliance program that deters wrongdoing while qualifying your company for leniency if rogue actors transgress the law.

Consider these recent examples of U.S. Department of Justice leniency for corporate malfeasance:

  • AAR CORP., an American provider of aircraft maintenance services, allegedly conspired to bribe officials in Nepal and South Africa for airline contracts. The company was granted a Non-Prosecution Agreement on December 19, 2024. Though AAR CORP. was hit with a $26.4 million penalty and an $18.6 million forfeiture, these amounts constituted a 45 percent discount on potential penalties under federal guidelines.
  • BIT Mining Ltd. is a cryptocurrency mining company operating in Mainland China, the United States, and Hong Kong. Accused of bribing Japanese officials for a casino contract on November 18, 2024, the company was fined $10 million. This penalty was reduced from $54 million, and the company was granted a Non-Prosecution Agreement.
  • Brazos Urethane, Inc., a commercial roofing, waterproofing, insulation, and sheet metal contractor headquartered in Texas City, Texas, was accused of illegally dumping asbestos at a federal prison site. Granted a Deferred Prosecution Agreement on February 7, 2024, the company received a $300,000 penalty, classified as restitution.
  • Cerebral, Inc. is an American telehealth company, providing online mental health services, including therapy, counseling, and medication management for various conditions. The company was accused of improperly promoting controlled substances via its telehealth services. Granted an NPA on November 4, 2024, the company paid a $3.65 million forfeiture and received a $2.92 million fine, deferred due to inability to pay. Leniency also included credit for remediation.
  • Evoqua Water Technologies Corp., a Pennsylvania water technology company, drew the ire of the DOJ for securities fraud arising from improper revenue recognition and false statements to its external auditors between late 2016 and 2018. Granted an NPA on May 13, 2024, the company was hit with an $8.5 million penalty, a reduced amount due to the company’s cooperation and remediation.

To what extent these transgressions blindsided each company’s board and upper management is anybody’s guess. But in each instance, the company received lenient treatment because it had a corporate compliance program in place and worked with officials to resolve the controversy.

Are you managing the risks of a complex regulatory environment?

In a complex, ever-evolving regulatory environment, businesses must implement comprehensive compliance programs to manage risk, meet legal obligations, and instill strong ethical values. Various U.S. regulatory bodies have created compliance frameworks, and industry organizations have also promulgated standards. Despite their diverse and sometimes specialized components, these frameworks share a core set of foundational elements that define an effective corporate compliance program. Businesses hoping to guard against the risks of noncompliance must understand these common elements, no matter their industry.

To help you assess your company’s standing, we’re going to examine the elements common to the following regulatory frameworks:

  • Federal Sentencing Guidelines for Organizations (FSGO)
  • The Department of Justice Evaluation of corporate compliance programs (DOJ)
  • HHS OIG Compliance Program Guidance (HHS OIG)
  • Securities and Exchange Commission Sarbanes Oxley Act requirements (SOX)
  • Consumer Financial Protection Bureau Compliance Management System guidelines (CFPB CMS)
  • The Committee of Sponsoring Organizations internal control framework (COSO)
  • International Organization for Standardization standard ISO 37301 (ISO 37301)

Briefly, here are points of emphasis that all these standards share:

  • Leadership oversight — An effective compliance program relies on a strong commitment from senior leadership, who must set the appropriate tone for compliance. Frameworks such as FSGO and DOJ emphasize the “tone at the top,” which companies can amply demonstrate by appointing a chief compliance official, establishing governance committees, and enabling direct access to the Board of Directors for compliance concerns, with accompanying Board-level accountability.
  • Written standards and policies — Every framework calls for documented policies and procedures, along with codes of conduct, that articulate the organization’s values, expected behaviors, and regulatory requirements. These documents form the foundation for training, enforcement, and accountability. These are central to FSGO, SOX, and OIG guidance.
  • Risk assessment — Regular risk assessments maintain vigilance and enable continuous improvements. COSO and ISO 37301 emphasize identifying and prioritizing risks based on industry, location, operations, and emerging threats. Tailored risk assessments allow businesses to allocate resources by priority and stay agile in the face of regulatory change.
  • Training and communication — Effective implementation requires adoption by employees at every level. Ongoing, role-specific training ensures employees understand their obligations. Communication channels must support awareness and reinforce compliance. Monitoring and measuring the effectiveness of training programs allows for continuous improvement. Frameworks like FSGO, DOJ, and CFPB CMS prioritize the communication and documentation of these efforts.
  • Monitoring and auditing — All frameworks insist that companies evaluate their program’s effectiveness regularly. Internal audits and reviews often uncover gaps in compliance before they trigger liability. Frameworks like COSO and FSGO emphasize continual assessment and improvement.
  • Reporting and whistleblower mechanisms — Employees must feel free to speak up and help support an ethical and transparent culture. Confidential and retaliation-free reporting channels, such as hotlines, online portals, and other anonymous reporting mechanisms, allow employees to report misconduct more comfortably. Frameworks influenced by SOX and DOJ emphasize the importance of taking all such reports seriously and investigating them.
  • Enforcement and disciplinary measures — Clear, consistent disciplinary policies reinforce the importance of compliance. These should include consequences for violations, as well as incentives for ethical behavior. Consistency and fairness in application are crucial to building trust among employees whose support is vital to the program’s credibility.
  • Response and remediation — Leadership must quickly investigate and remediate identified misconduct or control failures. Resolution should include a root cause analysis and, where necessary, a revision of policies or controls to prevent future occurrences. DOJ and FSGO guidance specifically encourage root cause analysis to prevent repeat violations.
  • Culture and continuous improvement — An effective compliance program fosters a culture of integrity, ethical behavior, and continual improvement. Culture assessments, employee surveys, independent external reviews, and feedback mechanisms help businesses measure program effectiveness and course-correct when needed.

While the specific requirements of these frameworks may vary, the foundational elements are consistent. Businesses that build programs around these shared principles are better positioned to meet regulatory obligations, reduce risk, and encourage ethical behavior.

Let NAFA’s expertise support your corporate compliance program

Developing an effective compliance program requires extensive subject-matter expertise. It also requires familiarity with what really works in compliance program implementation, monitoring, and enforcement. The experts here at North American Forensic Accounting have the knowledge and experience to help your business minimize all attendant risks.

NAFA is ready to assist organizations of all sizes with compliance program development, compliance-related investigations, training materials, policy review and development, and customized compliance assessments. Contact us today.