This is the second part of a three-part article examining contractor compliance programs. Part I of this article discussed why compliance programs are necessary and identified the three basic elements of a contract compliance program: (1) a code of business ethics and conduct, (2) internal controls, and (3) mandatory disclosure requirements. Part I then went on to address codes of business ethics and conduct. This second part looks at internal controls. Mandatory disclosure requirements will be discussed in Part III.
Internal Controls Requirement
Like the requirement that contractors adopt a code of business ethics and conduct, the mandate that contractors incorporate an internal control system in their operations is imposed by FAR 52.203-13. As noted in Part I, this clause must be inserted in solicitations and contracts if the value of the contract is expected to exceed $5 million and the performance period is 120 days or more. FAR 3.1004(a).
Internal controls are addressed in paragraph (c) of 52.203- 12. Paragraph (c) does not apply if the contractor has represented itself as a small business concern or if the contract is for acquisition of a commercial item. Assuming paragraph (c) applies, the contractor is required to establish within 90 days after contract award (subject to extension by the contracting officer) an ongoing business ethics awareness and compliance program. In addition to internal controls, this program must include reasonable steps to communicate periodically and in a practical manner, the contractor’s standards and procedures and other aspects of the contractor’s business ethics awareness and compliance program and internal control system. This is to be accomplished by conducting effective training programs and otherwise disseminating information appropriate to an individual’s respective roles and responsibilities. The training to be conducted under this program shall be provided not only to the contractor’s principals and employees, but as appropriate to the contractor’s agents and subcontractors.
The Defense Contract Audit Agency audits internal control systems to verify that they comply with FAR 52.203-13(c). DCAA issued an internal memorandum dated July 23, 2009 which sets forth the guidelines for these audits.
Elements of Internal Control System
FAR 52.203-13(c) recites that an internal control system must establish standards and procedures to facilitate timely discovery of improper conduct in connection with government contracts and ensure corrective measures are promptly instituted and carried out. This clause lists the minimum requirements of contractor internal control systems. The DCAA memorandum elaborates on what the DCAA is looking for when it audits internal control systems. The elements of an internal control system must include the following:
Assignment of responsibility: Contractors must assign responsibility for internal controls at a sufficiently high level and with adequate resources to ensure the effectiveness of the business ethics awareness and compliance program and internal control system. The DCAA guidelines anticipate that the manager responsible for the compliance program should report to a high level official such as the vice president or CFO.
Excluding principals with past problems: Contractors must undertake reasonable efforts not to include an individual as a principal whom due diligence would have exposed as having engaged in conduct that is in conflict with the contractor’s code of business ethics and conduct. DCAA will review the contractor’s policies and procedures and test the procedures to verify that they include steps for exercising due diligence in identifying such conduct (e.g. requiring background checks before appointing principals of the company) and that the steps have been taken when applicable.
Periodic reviews: Contractors must periodically review company business practices, procedures, policies, and internal controls for compliance with the contractor’s code of business ethics and conduct and the special requirements of government contracting, including:
- Monitoring and auditing to detect criminal conduct;
- Periodic evaluation of the effectiveness of the business ethics awareness and compliance program and internal control system, especially if criminal conduct has been detected; and
- Periodic assessment of the risk of criminal conduct, with appropriate steps to design, implement, or modify the business ethics awareness and compliance program and internal control system as necessary to reduce the risk of criminal conduct identified through this process.
DCAA takes the position that these periodic evaluations must be undertaken at least annually. Its audits will review the results of the evaluations to ensure that the contractor has taken the necessary corrective actions to address any weaknesses identified in the internal control system.
Internal reporting: Contractors must establish an internal reporting mechanism, such as a hotline, which allows for anonymity or confidentiality and by which employees may report suspected instances of improper conduct. Contractors must also encourage employees to make such reports.
Disciplinary action: Contractors must take disciplinary action in response to improper conduct or for failing to take reasonable steps to prevent or detect improper conduct. DCAA instructs its auditors to request the contractor provide evidence of the assessment performed to determine if the disciplinary action taken was needed and evidence of the disciplinary action taken, if applicable. If a contractor states that no disciplinary action was needed, the auditor must verify that there were no reports of improper conduct by the contractor. Should the auditor find that there is a report of improper conduct and the contractor failed to take disciplinary action when it should have been taken, the auditor will cite the contractor for an internal control deficiency.
Timely disclosure: Contractors must provide timely disclosure, in writing, to the agency Inspector General with a copy to the contracting officer, whenever in connection with the award, performance, or closeout of any government contract performed by the contractor or its subcontractor, the contractor has credible evidence that a principal, employee, agent, or subcontractor has committed a violation of Federal criminal law involving fraud, conflict of interest, bribery or gratuity violations or a violation of the civil False Claims Act. This mandatory disclosure requirement is discussed further in Part III of this article.
Full cooperation: Contractors are expected to extend full cooperation to any government agencies responsible for audits, investigations, or corrective actions. “Full cooperation” is defined in 52.203-13(a) as disclosure to the government of information sufficient for law enforcement to identify the nature and extent of the offense and the individuals responsible for the conduct. This includes providing timely and complete responses to government requests for documents and access to employees. Full cooperation does not prevent the contractor from exercising any rights arising in law, the FAR, or the terms of the contract. It also does not require the contractor or a principal or employee of the contractor to waive the attorney client privilege or Fifth Amendment rights. In addition, full cooperation does not prohibit a contractor from conducting an internal investigation or defending a proceeding or dispute arising under the contract or related to a potential or disclosed violation. If the DCAA determines that the contractor has not cooperated with audits or investigations, the contractor will be cited for a deficiency relating to its control environment. DCAA will confirm that there are no outstanding access to records issues or subpoenas that would indicate a lack of cooperation on the part of the contractor.
Although FAR 52.203-13(c) together with the DCAA audit guidelines describe at some length the requirements of a contractor internal control system, they sketch only the broad contours of such a system. The specific policies and procedures constituting an internal control system will vary considerably from contractor to contractor depending on the size of the company, type of industry, and nature of contracts performed. Contractors not in compliance with FAR 52.203-13(c) need to assess their current controls and then commit to changing and or supplementing them, perhaps substantially, to establish a legally acceptable internal control system. In embarking upon this process, contractors should enlist the assistance of outside consultants, including legal counsel.