
Corporate Compliance Checklist

Drafts a U.S. corporate compliance program checklist anchored in DOJ ECCP, Federal Sentencing Guidelines Chapter 8, and SEC enforcement priorities. Covers governance, risk assessment, training, monitoring, reporting, domain-specific obligations, documentation, and phased implementation. Use when building, evaluating, or strengthening a compliance program, preparing for regulatory inquiry, or conducting annual program assessments.

ID: us.regulatory.corporate-compliance-checklist
Version: 0.1.0
License: Apache-2.0
Author: CaseMark
Language: en
Added: 2026-05-27

Corporate Compliance Checklist

Generates an assessment-ready compliance program checklist grounded in DOJ ECCP, FSG Chapter 8, and SEC frameworks, covering all major program pillars from board oversight through domain-specific controls.

Prerequisites

  1. Company name, industry sector, and primary business activities
  2. Organizational structure (public/private, size, geographic footprint)
  3. Regulatory profile (industry-specific regulators, prior enforcement history)
  4. Existing compliance materials, audit findings, or regulatory correspondence (if any)
  5. Compliance domains to prioritize (or confirm full-spectrum coverage)

Quick Start

Generate a professionally formatted checklist using ☐ checkboxes grouped under bold subheadings. Reference DOJ ECCP and FSG Chapter 8 explicitly in the preamble. Tailor domain-specific sections to the company's actual regulatory profile — not all domains apply equally.

Checklist Sections

1. Governance & Oversight

Board/Committee

Element                                              Standard
Board compliance oversight charter                   Caremark duties (In re Caremark Int'l, Del. Ch. 1996)
Audit/compliance committee with direct CCO access    FSG §8B2.1(b)(2)
Board-level compliance reporting (≥ quarterly)       DOJ ECCP §I
Board training on red flags and regulatory trends    DOJ ECCP §I

Chief Compliance Officer — must have: organizational independence from revenue functions, direct CEO/board reporting line, adequate budget/staffing/authority, documented mandate and delegation matrix.

Policy Framework — each policy requires approval authority, effective date, version control, distribution log, employee acknowledgment, and review cycle (≤ 3 years):

Policy                            Key Requirements
Code of Conduct                   Values, escalation paths, annual certification
Anti-Corruption / Anti-Bribery    FCPA compliance, foreign official interactions
Gift & Entertainment              Monetary thresholds, pre-approval for government officials
Conflict of Interest              Disclosure form, recusal process, committee review
Insider Trading                   Trading windows, pre-clearance, MNPI handling
Related Party Transactions        Arm's-length standard, board approval thresholds
Whistleblower / Non-Retaliation   SOX §301, Dodd-Frank §922 requirements

2. Compliance Risk Assessment

  • Annual enterprise-wide assessment (refresh on: M&A, new markets, new regulations, significant incidents)
  • Inherent vs. residual risk scoring (likelihood × impact)
  • Risk inventory by business unit, product line, geography, function
  • Third-party risk tiering with enhanced due diligence for high-risk vendors/agents
  • Methodology documented and board-reported

Frameworks: COSO ERM (2017), ISO 31000, DOJ ECCP §II.

3. Training & Culture

Audience          Content                                                Frequency
Board             Oversight duties, regulatory trends, red flags         Annual
Executives        Tone-from-top, accountability, culture indicators      Annual
All employees     Code of conduct, reporting channels, key policies      Annual + onboarding
High-risk roles   Role-specific scenarios (FCPA, SOX, antitrust, FLSA)   Annual + role-change

Track: completion records with timestamps, assessment scores (defined passing threshold), records retained ≥ 7 years.

Culture indicators: helpline utilization, anonymous vs. identified report ratio, assessment pass rates, policy acknowledgment rate (target: 100%).

4. Monitoring, Testing & Audit

Continuous — automated transaction monitoring, expense analytics, vendor screening (sanctions/adverse media), quarterly access reviews, policy exception tracking.

Periodic — annual compliance audit, targeted high-risk audits, transaction sampling, control effectiveness testing, remediation follow-up within agreed timelines.

Independence — internal audit reports to audit committee (not management), testing independent from business units under review, work papers per IIA Standards.

5. Reporting & Investigations

Channels (SOX §301 / Dodd-Frank §922): third-party anonymous hotline (24/7, multilingual), web reporting portal, compliance officer intake, direct audit committee channel.

Investigation protocol:

  1. Intake → triage within 5 business days
  2. Assign investigator (expertise + independence)
  3. Issue litigation hold if legal exposure identified
  4. Document: interview notes, evidence log, timeline, findings memo
  5. Remediation plan with owner and deadline
  6. Closed-loop reporter notification (where permissible)

Escalation triggers (immediate CCO/GC/Board): potential criminal conduct, self-disclosure considerations, C-suite/board involvement, material financial impact.

Anti-retaliation — track employment actions on reporters (12-month lookback), follow-up at 60/120 days, zero-tolerance with disciplinary matrix.

6. Domain-Specific Compliance

Include only domains relevant to the company's regulatory profile.

Employment — FLSA classification/overtime, Title VII/ADA/ADEA policies and training, OSHA hazard programs (Form 300), FMLA/state leave, FCRA background checks, contractor classification (IRS 20-factor; state ABC tests).

Data Privacy & Cybersecurity — CCPA/CPRA, VCDPA, CPA + applicable state laws; privacy notice and consumer rights workflows; data minimization and retention; vendor DPAs; breach notification (state matrix, 30–72 hours); HIPAA/GLBA/GDPR where applicable; NIST CSF or equivalent.

Financial Controls — SOX §302/§404 (disclosure controls, ICFR); segregation of duties; revenue recognition (ASC 606); financial close procedures; anti-fraud program (ACFE framework).

Contracts & Procurement — review thresholds/approval matrix, standard templates, vendor due diligence, government contract compliance (FAR/DFARS), obligation tracking.

Environmental — permit inventory/calendar, CAA/CWA/RCRA/TSCA, SPCC/emergency response, state overlay, annual audit.

Antitrust — HSR filing thresholds [VERIFY current amount], competitor interaction policy (no price-fixing/market allocation/bid-rigging), resale price maintenance guardrails, trade association pre-clearance, annual sales/marketing training.

7. Documentation & Recordkeeping

Record Type                           Retention
Compliance policies (all versions)    Perpetual
Training completion records           7 years
Audit work papers                     7 years (SOX)
Investigation files                   Statute of limitations + 3 years
Risk assessments                      7 years
Board/committee compliance minutes    Perpetual
Employment records                    3–7 years (varies by law)
Environmental permits/monitoring      Permit duration + 5 years

Litigation hold procedures tested annually. Privileged materials clearly marked; sensitive investigations under counsel direction. Centralized system with access controls and audit trail.

8. Implementation Roadmap

Phase 1 — Assessment (0–60 days): Gap analysis, risk assessment, executive/board commitment and budget.

Phase 2 — Foundation (60–180 days): Appoint CCO, draft Code of Conduct and priority policies, launch hotline and investigation procedures, deploy initial training.

Phase 3 — Expansion (180–365 days): Full training rollout, monitoring system configuration, first annual audit, metrics dashboard operational.

Phase 4 — Optimization (ongoing): Annual DOJ ECCP self-assessment (well-designed? earnestly applied? works in practice?), peer benchmarking, regulatory monitoring (DOJ, SEC, FTC, DOL, EPA, state AGs).

KPIs

Leading                                 Lagging
Training completion (target: 100%)      Violations/incidents count
Policy acknowledgment rate              Regulatory findings/citations
Hotline utilization                     Audit deficiencies
Risk assessment coverage (% of BUs)     Investigation cycle time
Third-party due diligence completion    Repeat findings rate

Guidelines

  • Reference DOJ ECCP and FSG Chapter 8 explicitly as the primary evaluative frameworks
  • Privilege: recommend sensitive investigation work under attorney direction
  • Self-disclosure requires separate legal analysis — flag but do not resolve
  • Verify HSR thresholds and state privacy law applicability at time of use [VERIFY]
  • SOX §302/§404 is non-negotiable for public companies; note private analogues where useful
  • GDPR applies only if company processes EU resident data — confirm before including

Troubleshooting

Unclear regulatory profile: Start with governance, risk assessment, and reporting sections. Add domain-specific sections as regulatory exposure is confirmed.

Company spans multiple jurisdictions: Build a jurisdiction matrix first. Layer state/local requirements onto the federal baseline per domain.

Existing program assessment vs. new build: For assessments, use the checklist as a gap analysis tool — score each item as implemented/partial/missing. For new builds, follow the phased roadmap in Section 8.

Privilege concerns with investigation documentation: Flag that all investigation work product should be created at counsel's direction and clearly marked as privileged. Do not draft investigation protocols that waive privilege.
