Or has taken steps to make certain that the code of conduct remains current and effective and whether a company has hapter 5 periodically reviewed and updated its code. Guiding Principles Whether a company has policies and procedures that of Enforcement outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and doc- umentation policies, and set forth disciplinary procedures adequate autonomy from management, and sufficient will also be considered by DOJ and SEC. These types of resources to ensure that the company’s compliance program policies and procedures will depend on the size and nature is implemented effectively?'* Adequate autonomy gener- of the business and the risks associated with the business. ally includes direct access to an organization’s governing Effective policies and procedures require an in-depth authority, such as the board of directors and committees understanding of the company’s business model, includ- of the board of directors (e.g., the audit committee)?” ing its products and services, third-party agents, custom- Depending on the size and structure of an organization, ers, government interactions, and industry and geographic it may be appropriate for day-to-day operational responsi- risks. Among the risks that a company may need to address bility to be delegated to other specific individuals within include the nature and extent of transactions with foreign a company. DOJ and SEC recognize that the reporting governments, including payments to foreign officials; use structure will depend on the size and complexity of an of third parties; gifts, travel, and entertainment expenses; organization. Moreover, the amount of resources devoted charitable and political donations; and facilitating and to compliance will depend on the company’s size, complex- expediting payments. For example, some companies with ity, industry, geographical reach, and risks associated with global operations have cre