corporate-compliance-checklist
Drafts a U.S. corporate compliance program checklist anchored in DOJ ECCP, Federal Sentencing Guidelines Chapter 8, and SEC enforcement priorities. Covers governance, risk assessment, training, monitoring, reporting, domain-specific obligations, documentation, and phased implementation. Use when building, evaluating, or strengthening a compliance program, preparing for regulatory inquiry, or conducting annual program assessments.
Best use case
corporate-compliance-checklist is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using corporate-compliance-checklist should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/corporate-compliance-checklist/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How corporate-compliance-checklist Compares
| Feature / Agent | corporate-compliance-checklist | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Drafts a U.S. corporate compliance program checklist anchored in DOJ ECCP, Federal Sentencing Guidelines Chapter 8, and SEC enforcement priorities. Covers governance, risk assessment, training, monitoring, reporting, domain-specific obligations, documentation, and phased implementation. Use when building, evaluating, or strengthening a compliance program, preparing for regulatory inquiry, or conducting annual program assessments.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Corporate Compliance Checklist

Generates an assessment-ready compliance program checklist grounded in DOJ ECCP, FSG Chapter 8, and SEC frameworks, covering all major program pillars from board oversight through domain-specific controls.

## Prerequisites

1. Company name, industry sector, and primary business activities
2. Organizational structure (public/private, size, geographic footprint)
3. Regulatory profile (industry-specific regulators, prior enforcement history)
4. Existing compliance materials, audit findings, or regulatory correspondence (if any)
5. Compliance domains to prioritize (or confirm full-spectrum coverage)

## Quick Start

Generate a professionally formatted checklist using ☐ checkboxes grouped under bold subheadings. Reference DOJ ECCP and FSG Chapter 8 explicitly in the preamble. Tailor domain-specific sections to the company's actual regulatory profile: not all domains apply equally.

## Checklist Sections

### 1. Governance & Oversight

**Board/Committee**

| Element | Standard |
|---|---|
| Board compliance oversight charter | Caremark duties (In re Caremark Int'l, Del. Ch. 1996) |
| Audit/compliance committee with direct CCO access | FSG §8B2.1(b)(2) |
| Board-level compliance reporting (≥ quarterly) | DOJ ECCP §II.B (Autonomy and Resources: Oversight) |
| Board training on red flags and regulatory trends | DOJ ECCP §II.B |

**Chief Compliance Officer** — must have: organizational independence from revenue functions, a direct CEO/board reporting line, adequate budget/staffing/authority, and a documented mandate and delegation matrix.

**Policy Framework** — each policy requires approval authority, effective date, version control, distribution log, employee acknowledgment, and review cycle (≤ 3 years):

| Policy | Key Requirements |
|---|---|
| Code of Conduct | Values, escalation paths, annual certification |
| Anti-Corruption / Anti-Bribery | FCPA compliance, foreign official interactions |
| Gift & Entertainment | Monetary thresholds, pre-approval for government officials |
| Conflict of Interest | Disclosure form, recusal process, committee review |
| Insider Trading | Trading windows, pre-clearance, MNPI handling |
| Related Party Transactions | Arm's-length standard, board approval thresholds |
| Whistleblower / Non-Retaliation | SOX §301, Dodd-Frank §922 requirements |

### 2. Compliance Risk Assessment

- Annual enterprise-wide assessment (refresh on: M&A, new markets, new regulations, significant incidents)
- Inherent vs. residual risk scoring (likelihood × impact)
- Risk inventory by business unit, product line, geography, function
- Third-party risk tiering with enhanced due diligence for high-risk vendors/agents
- Methodology documented and board-reported

Frameworks: COSO ERM (2017), ISO 31000, DOJ ECCP §I.A (Risk Assessment).

### 3. Training & Culture

| Audience | Content | Frequency |
|---|---|---|
| Board | Oversight duties, regulatory trends, red flags | Annual |
| Executives | Tone-from-top, accountability, culture indicators | Annual |
| All employees | Code of conduct, reporting channels, key policies | Annual + onboarding |
| High-risk roles | Role-specific scenarios (FCPA, SOX, antitrust, FLSA) | Annual + role-change |

Track: completion records with timestamps, assessment scores (defined passing threshold), records retained ≥ 7 years. Culture indicators: helpline utilization, anonymous vs. identified report ratio, assessment pass rates, policy acknowledgment rate (target: 100%).

### 4. Monitoring, Testing & Audit

**Continuous** — automated transaction monitoring, expense analytics, vendor screening (sanctions/adverse media), quarterly access reviews, policy exception tracking.

**Periodic** — annual compliance audit, targeted high-risk audits, transaction sampling, control effectiveness testing, remediation follow-up within agreed timelines.

**Independence** — internal audit reports to the audit committee (not management), testing independent from the business units under review, work papers per IIA Standards.

### 5. Reporting & Investigations

**Channels** (SOX §301 / Dodd-Frank §922): third-party anonymous hotline (24/7, multilingual), web reporting portal, compliance officer intake, direct audit committee channel.

**Investigation protocol:**

1. Intake → triage within 5 business days
2. Assign investigator (expertise + independence)
3. Issue litigation hold if legal exposure identified
4. Document: interview notes, evidence log, timeline, findings memo
5. Remediation plan with owner and deadline
6. Closed-loop reporter notification (where permissible)

**Escalation triggers** (immediate CCO/GC/Board): potential criminal conduct, self-disclosure considerations, C-suite/board involvement, material financial impact.

**Anti-retaliation** — track employment actions affecting reporters (12-month lookback), follow up at 60/120 days, zero tolerance backed by a disciplinary matrix.

### 6. Domain-Specific Compliance

Include only domains relevant to the company's regulatory profile.

**Employment** — FLSA classification/overtime, Title VII/ADA/ADEA policies and training, OSHA hazard programs (Form 300), FMLA/state leave, FCRA background checks, contractor classification (IRS 20-factor; state ABC tests).

**Data Privacy & Cybersecurity** — CCPA/CPRA, VCDPA, CPA and other applicable state laws; privacy notice and consumer rights workflows; data minimization and retention; vendor DPAs; breach notification (state matrix; fixed state deadlines run 30–60 days, while regimes such as GDPR and NYDFS Part 500 require notice within 72 hours); HIPAA/GLBA/GDPR where applicable; NIST CSF or equivalent.

**Financial Controls** — SOX §302/§404 (disclosure controls, ICFR); segregation of duties; revenue recognition (ASC 606); financial close procedures; anti-fraud program (ACFE framework).

**Contracts & Procurement** — review thresholds/approval matrix, standard templates, vendor due diligence, government contract compliance (FAR/DFARS), obligation tracking.

**Environmental** — permit inventory/calendar, CAA/CWA/RCRA/TSCA, SPCC/emergency response, state overlay, annual audit.

**Antitrust** — HSR filing thresholds [VERIFY current amount], competitor interaction policy (no price-fixing/market allocation/bid-rigging), resale price maintenance guardrails, trade association pre-clearance, annual sales/marketing training.

### 7. Documentation & Recordkeeping

| Record Type | Retention |
|---|---|
| Compliance policies (all versions) | Perpetual |
| Training completion records | 7 years |
| Audit work papers | 7 years (SOX) |
| Investigation files | Statute of limitations + 3 years |
| Risk assessments | 7 years |
| Board/committee compliance minutes | Perpetual |
| Employment records | 3–7 years (varies by law) |
| Environmental permits/monitoring | Permit duration + 5 years |

Litigation hold procedures tested annually. Privileged materials clearly marked; sensitive investigations conducted under counsel direction. Centralized system with access controls and an audit trail.

### 8. Implementation Roadmap

**Phase 1 — Assessment (0–60 days):** Gap analysis, risk assessment, executive/board commitment and budget.

**Phase 2 — Foundation (60–180 days):** Appoint CCO, draft Code of Conduct and priority policies, launch hotline and investigation procedures, deploy initial training.

**Phase 3 — Expansion (180–365 days):** Full training rollout, monitoring system configuration, first annual audit, metrics dashboard operational.

**Phase 4 — Optimization (ongoing):** Annual DOJ ECCP self-assessment (well designed? earnestly applied? works in practice?), peer benchmarking, regulatory monitoring (DOJ, SEC, FTC, DOL, EPA, state AGs).

**KPIs**

| Leading | Lagging |
|---|---|
| Training completion (target: 100%) | Violations/incidents count |
| Policy acknowledgment rate | Regulatory findings/citations |
| Hotline utilization | Audit deficiencies |
| Risk assessment coverage (% of BUs) | Investigation cycle time |
| Third-party due diligence completion | Repeat findings rate |

## Guidelines

- Reference DOJ ECCP and FSG Chapter 8 explicitly as the primary evaluative frameworks
- Privilege: recommend that sensitive investigation work be done under attorney direction
- Self-disclosure requires separate legal analysis — flag but do not resolve
- Verify HSR thresholds and state privacy law applicability at time of use [VERIFY]
- SOX §302/§404 is non-negotiable for public companies; note private-company analogues where useful
- GDPR applies only if the company processes EU resident data — confirm before including

## Troubleshooting

**Unclear regulatory profile:** Start with the governance, risk assessment, and reporting sections. Add domain-specific sections as regulatory exposure is confirmed.

**Company spans multiple jurisdictions:** Build a jurisdiction matrix first. Layer state/local requirements onto the federal baseline per domain.

**Existing program assessment vs. new build:** For assessments, use the checklist as a gap analysis tool and score each item as implemented/partial/missing. For new builds, follow the phased roadmap in Section 8.

**Privilege concerns with investigation documentation:** Flag that all investigation work product should be created at counsel's direction and clearly marked as privileged. Do not draft investigation protocols that waive privilege.
Related Skills
managing-telehealth-compliance
Evaluates telehealth program compliance with state licensing, prescribing, and reimbursement requirements. Use when assessing telehealth compliance, reviewing licensure requirements, or managing virtual care regulations.
managing-state-regulatory-compliance
Monitors state-specific healthcare regulatory requirements including licensing, reporting, and scope of practice. Use when tracking state regulations, managing licensure requirements, or monitoring regulatory changes.
managing-research-compliance
Monitors research compliance with federal regulations (21 CFR, 45 CFR 46) and institutional policies. Use when ensuring research compliance, managing regulatory requirements, or conducting compliance reviews.
managing-medical-records-compliance
Evaluates medical records practices against retention, access, and amendment requirements. Use when auditing medical records, managing record retention, or processing amendment requests.
managing-informed-consent-compliance
Evaluates informed consent practices against state law requirements and institutional policies. Use when auditing consent processes, reviewing consent form adequacy, or managing consent compliance.
managing-emtala-compliance
Evaluates emergency department practices against EMTALA requirements with documentation checklists. Use when assessing EMTALA compliance, reviewing MSE requirements, or documenting transfer obligations.
managing-compliance-programs
Structures OIG-model compliance program elements with effectiveness measurement and reporting. Use when building compliance programs, implementing OIG guidance, or measuring program effectiveness.
managing-compliance-audits
Structures coding compliance audit programs with sampling methodology and corrective action plans. Use when conducting compliance audits, designing audit samples, or implementing corrective actions.
managing-clinical-trial-compliance
Evaluates clinical trial regulatory compliance with FDA/IRB requirements and audit readiness. Use when auditing trial compliance, preparing for FDA inspections, or managing regulatory requirements.
managing-billing-compliance
Structures billing compliance programs with audit methodology and corrective action protocols. Use when auditing billing practices, managing compliance programs, or implementing corrective actions.
managing-accreditation-compliance
Tracks Joint Commission/HFAP/DNV accreditation standards compliance with survey preparation. Use when preparing for accreditation, tracking standards compliance, or managing survey readiness.
auditing-hipaa-compliance
Conducts HIPAA compliance assessments with Privacy Rule, Security Rule, and Breach Notification analysis. Use when auditing HIPAA compliance, assessing privacy practices, or reviewing security controls.