casemark/corporate-compliance-checklist

Corporate Compliance Checklist

Generates an assessment-ready compliance program checklist grounded in DOJ ECCP, FSG Chapter 8, and SEC frameworks, covering all major program pillars from board oversight through domain-specific controls.

Prerequisites

1. Company name, industry sector, and primary business activities
2. Organizational structure (public/private, size, geographic footprint)
3. Regulatory profile (industry-specific regulators, prior enforcement history)
4. Existing compliance materials, audit findings, or regulatory correspondence (if any)
5. Compliance domains to prioritize (or confirm full-spectrum coverage)

Quick Start

Generate a professionally formatted checklist using ☐ checkboxes grouped under bold subheadings. Reference DOJ ECCP and FSG Chapter 8 explicitly in the preamble. Tailor domain-specific sections to the company's actual regulatory profile — not all domains apply equally.

Checklist Sections

1. Governance & Oversight

Board/Committee

| Element | Standard | |---|---| | Board compliance oversight charter | Caremark duties (In re Caremark Int'l, Del. Ch. 1996) | | Audit/compliance committee with direct CCO access | FSG §8B2.1(b)(2) | | Board-level compliance reporting (≥ quarterly) | DOJ ECCP §I | | Board training on red flags and regulatory trends | DOJ ECCP §I |

Chief Compliance Officer — must have: organizational independence from revenue functions, direct CEO/board reporting line, adequate budget/staffing/authority, documented mandate and delegation matrix.

Policy Framework — each policy requires approval authority, effective date, version control, distribution log, employee acknowledgment, and review cycle (≤ 3 years):

| Policy | Key Requirements | |---|---| | Code of Conduct | Values, escalation paths, annual certification | | Anti-Corruption / Anti-Bribery | FCPA compliance, foreign official interactions | | Gift & Entertainment | Monetary thresholds, pre-approval for government officials | | Conflict of Interest | Disclosure form, recusal process, committee review | | Insider Trading | Trading windows, pre-clearance, MNPI handling | | Related Party Transactions | Arm's-length standard, board approval thresholds | | Whistleblower / Non-Retaliation | SOX §301, Dodd-Frank §922 requirements |

2. Compliance Risk Assessment

• Annual enterprise-wide assessment (refresh on: M&A, new markets, new regulations, significant incidents)
• Inherent vs. residual risk scoring (likelihood × impact)
• Risk inventory by business unit, product line, geography, function
• Third-party risk tiering with enhanced due diligence for high-risk vendors/agents
• Methodology documented and board-reported

Frameworks: COSO ERM (2017), ISO 31000, DOJ ECCP §II.

3. Training & Culture

| Audience | Content | Frequency | |---|---|---| | Board | Oversight duties, regulatory trends, red flags | Annual | | Executives | Tone-from-top, accountability, culture indicators | Annual | | All employees | Code of conduct, reporting channels, key policies | Annual + onboarding | | High-risk roles | Role-specific scenarios (FCPA, SOX, antitrust, FLSA) | Annual + role-change |

Track: completion records with timestamps, assessment scores (defined passing threshold), records retained ≥ 7 years.

Culture indicators: helpline utilization, anonymous vs. identified report ratio, assessment pass rates, policy acknowledgment rate (target: 100%).

4. Monitoring, Testing & Audit

Continuous — automated transaction monitoring, expense analytics, vendor screening (sanctions/adverse media), quarterly access reviews, policy exception tracking.

Periodic — annual compliance audit, targeted high-risk audits, transaction sampling, control effectiveness testing, remediation follow-up within agreed timelines.

Independence — internal audit reports to audit committee (not management), testing independent from business units under review, work papers per IIA Standards.

5. Reporting & Investigations

Channels (SOX §301 / Dodd-Frank §922): third-party anonymous hotline (24/7, multilingual), web reporting portal, compliance officer intake, direct audit committee channel.

Investigation protocol:

1. Intake → triage within 5 business days
2. Assign investigator (expertise + independence)
3. Issue litigation hold if legal exposure identified
4. Document: interview notes, evidence log, timeline, findings memo
5. Remediation plan with owner and deadline
6. Closed-loop reporter notification (where permissible)

Escalation triggers (immediate CCO/GC/Board): potential criminal conduct, self-disclosure considerations, C-suite/board involvement, material financial impact.

Anti-retaliation — track employment actions on reporters (12-month lookback), follow-up at 60/120 days, zero-tolerance with disciplinary matrix.

6. Domain-Specific Compliance

Include only domains relevant to the company's regulatory profile.

Employment — FLSA classification/overtime, Title VII/ADA/ADEA policies and training, OSHA hazard programs (Form 300), FMLA/state leave, FCRA background checks, contractor classification (IRS 20-factor; state ABC tests).

Data Privacy & Cybersecurity — CCPA/CPRA, VCDPA, CPA + applicable state laws; privacy notice and consumer rights workflows; data minimization and retention; vendor DPAs; breach notification (state matrix, 30–72 hours); HIPAA/GLBA/GDPR where applicable; NIST CSF or equivalent.

Financial Controls — SOX §302/§404 (disclosure controls, ICFR); segregation of duties; revenue recognition (ASC 606); financial close procedures; anti-fraud program (ACFE framework).

Contracts & Procurement — review thresholds/approval matrix, standard templates, vendor due diligence, government contract compliance (FAR/DFARS), obligation tracking.

Environmental — permit inventory/calendar, CAA/CWA/RCRA/TSCA, SPCC/emergency response, state overlay, annual audit.

Antitrust — HSR filing thresholds [VERIFY current amount], competitor interaction policy (no price-fixing/market allocation/bid-rigging), resale price maintenance guardrails, trade association pre-clearance, annual sales/marketing training.

7. Documentation & Recordkeeping

| Record Type | Retention | |---|---| | Compliance policies (all versions) | Perpetual | | Training completion records | 7 years | | Audit work papers | 7 years (SOX) | | Investigation files | Statute of limitations + 3 years | | Risk assessments | 7 years | | Board/committee compliance minutes | Perpetual | | Employment records | 3–7 years (varies by law) | | Environmental permits/monitoring | Permit duration + 5 years |

Litigation hold procedures tested annually. Privileged materials clearly marked; sensitive investigations under counsel direction. Centralized system with access controls and audit trail.

8. Implementation Roadmap

Phase 1 — Assessment (0–60 days): Gap analysis, risk assessment, executive/board commitment and budget.

Phase 2 — Foundation (60–180 days): Appoint CCO, draft Code of Conduct and priority policies, launch hotline and investigation procedures, deploy initial training.

Phase 3 — Expansion (180–365 days): Full training rollout, monitoring system configuration, first annual audit, metrics dashboard operational.

Phase 4 — Optimization (ongoing): Annual DOJ ECCP self-assessment (well-designed? earnestly applied? works in practice?), peer benchmarking, regulatory monitoring (DOJ, SEC, FTC, DOL, EPA, state AGs).

KPIs

| Leading | Lagging | |---|---| | Training completion (target: 100%) | Violations/incidents count | | Policy acknowledgment rate | Regulatory findings/citations | | Hotline utilization | Audit deficiencies | | Risk assessment coverage (% of BUs) | Investigation cycle time | | Third-party due diligence completion | Repeat findings rate |

Guidelines

• Reference DOJ ECCP and FSG Chapter 8 explicitly as the primary evaluative frameworks
• Privilege: recommend sensitive investigation work under attorney direction
• Self-disclosure requires separate legal analysis — flag but do not resolve
• Verify HSR thresholds and state privacy law applicability at time of use [VERIFY]
• SOX §302/§404 is non-negotiable for public companies; note private analogues where useful
• GDPR applies only if company processes EU resident data — confirm before including

Troubleshooting

Unclear regulatory profile: Start with governance, risk assessment, and reporting sections. Add domain-specific sections as regulatory exposure is confirmed.

Company spans multiple jurisdictions: Build a jurisdiction matrix first. Layer state/local requirements onto the federal baseline per domain.

Existing program assessment vs. new build: For assessments, use the checklist as a gap analysis tool — score each item as implemented/partial/missing. For new builds, follow the phased roadmap in Section 8.

Privilege concerns with investigation documentation: Flag that all investigation work product should be created at counsel's direction and clearly marked as privileged. Do not draft investigation protocols that waive privilege.