U.S. Department of Justice, Evaluation of Corporate Compliance Program

Corporations can leverage the Department of Justice (DOJ) guidance to evaluate and assess their compliance programs’ adequacy and effectiveness.

OneTrust provides an integrated suite of GRC products to operationalize best practices identified throughout the DOJ guidance for policy management, risk assessments, third-party risk management, audit, and more.

What does the DOJ updated guidance mean for your business?

U.S. Department of Justice, Criminal Division Evaluation of Corporate

The U.S. Department of Justice (DOJ) Criminal Division updated its Evaluation of Corporate Compliance Programs guidelines in June 2020. While these guidelines are intended for use by DOJ prosecutors, many corporations can and should leverage the insights to evaluate and assess their compliance programs’ adequacy and effectiveness. The latest updates expand on previous guidance to focus on third-party risk, compliance enablement, and stakeholder buy-in.

There are three fundamental issues businesses should consider across compliance functions that OneTrust helps businesses put into action.


Design an Inclusive Program

Integrate your compliance practices into a unified risk management platform with a standardized methodology distributed across the business


Resource, Enable, and Enforce Compliance

Connect systems and link them to audit-ready control records to track activity across different business functions and enable stakeholders


Evaluate Program Effectiveness

Measure and build on lessons learned with integrated audit and compliance benchmarking capabilities

Integrated Solutions to Support Continuous Improvement for Corporate Compliance


Develop, Distribute and Measure Corporate Compliance Policies


  • Collaboratively develop corporate guidelines using contributor roles and phased review workflows
  • Centralize the publication, distribution, and measurement of guidelines across the business and third-party stakeholders through a policy portal
  • Trigger policy review based on integrated risk and control insights, program gaps, and attestation metrics

Identify, Mitigate and Monitor Risk with Integrated Assessments


  • Standardize risk assessments, scoring, and methodology across domains to report both aggregated and normalized risk insights
  • Collect data to identify and analyze misconduct, track the investigation, and benchmark risk scores with a detailed audit trail of activity
  • Trigger review based on risk updates or perform periodic reviews to update policies, procedures, and controls based on lessons learned

Track Third-Party Risk Exposure and Changes


  • Align third parties to a vendor lifecycle workflow to evaluate risk insights across engagements from onboarding to offboarding
  • Monitor ongoing performance and risk exposure across your third-party relationships
  • Seamlessly integrate controls from M&A while tracking due diligence findings and remediation progress

Access Pre-Completed Vendor Risk Assessments Through the Vendorpedia Third-Party Risk Exchange


A Community of Shared Vendor Risk Assessments and Aggregated Due Diligence Information

The Vendorpedia third-party risk exchange helps organizations streamline their assessment process by providing pre-completed assessments for thousands of participating organizations.


Empower and Enable Stakeholders to Report Misconduct


  • Promote and support various intake methods across confidential and anonymous whistleblowing channels with intelligent routing
  • Test resilience and availability of hotline channels as part of your continuity plan or audit schedule
  • Document investigations of alleged misconduct, or reasons for not investigating, and track results through case management

Promote a Culture of Compliance with Dynamic Training


  • Create tailored Codes of Conduct, periodic training, and certification-based courses
  • Review content and frequency of training distribution based on organizational needs such as high-risk scenarios or historical areas of misconduct
  • Communicate the company’s policies and procedures, as well as the incentives for compliance and measures for misconduct

Test and Audit Programs in Practice to Evaluate Effectiveness


  • Dynamically review control tests by audit projects, workpapers, or associated inventory items, including assets, processes, vendors, or entities
  • Follow up on corrective action plans and track the progress of remediation with audit findings linked to treatment plans
  • Initiate audit investigations based on fluctuations in high-risk areas or use them as criteria for a batch-based audit