What CCOs Can Learn from the Government Contracts Compliance Landscape
Government contractors have long faced a host of compliance obligations and risks. Today, these obligations and risks both parallel and at times exceed what has evolved under Sarbanes Oxley. In fact, SOX adopted a number of federal contracting requirements, including compliance self-certifications. Subsequent to the issuance of SOX, federal contract compliance requirements have expanded to adopt a number of SOX requirements, including significant focus on business system integrity and internal controls. Thus, it is useful to Compliance Officers to understand that federal contract compliance requirements mandate that contractors invest in and maintain effective and reliable business systems, effective internal controls, and adequately skilled and trained personnel. The absence of the contractor’s upper management’s support, including the Chief Information Officer, makes achieving and maintaining compliance extremely difficult.
The United States government incentivizes contractors to achieve and maintain compliance through a host of laws, regulations, and contract clauses. Beginning in December 2008, however, there was a watershed change in how the federal government interacts with its contractors. The change occurred when the federal government, reacting to the events that led to and the requirements found in SOX, began contractually obligating many contractors to adopt a code of business ethics and to implement a business ethics and compliance program and internal control system. Commonly referred to as the Mandatory Disclosure Rule, the 2008 change to the Federal Acquisition Regulation obligates all government contractors to affirmatively self-disclose all facts regarding covered violations of certain federal criminal laws, the Civil False Claims Act, or significant overpayments.
Building on these changes, the Department of Defense (DOD), in 2011, issued what is commonly referred to as the DOD Business Systems Rule. Implemented through a series of contract clauses incorporated into covered contracts, the DOD Business Systems Rule mandates that defense contractors must establish and maintain six adequate business systems: (1) Accounting; (2) Estimating; (3) Material Management and Accounting; (4) Property; (5) Purchasing; and (6) Earned Value Management. If there are any significant deficiencies in the contractor’s business systems, the government will disapprove the system and will immediately begin withholds of up to 10 percent on the contractor’s eligible payments until the system is brought into compliance.
Central to the ability of a contractor to achieve compliance with the mandatory disclosure rule or the business systems rule is robust support from the contractor’s Information Technology Department. Indeed, the business systems rule, in particular, focuses on the degree to which a contractor’s various business systems—in reality, different information systems or components of an ERP system—are integrated with each other so that reliable data needed for management purposes can be accurately fed from one system to another. Accordingly, company CIOs and their staff must possess increasingly robust compliance knowledge, experience, and training so that they can effectively team with the CCO to achieve the company’s compliance responsibilities.
The federal government assesses compliance through audits performed by the Defense Contract Audit Agency or an agency Office of Inspector General. These audits are to be performed in accordance with Generally Accepted Government Auditing Standards.
If a federal contractor or its employees fail to maintain compliance with the vast array of laws, regulations, and contract clauses, the contractor can face serious potential liability, ranging from withholds on pending payments and contract breach claims to the more severe risks of civil fraud actions and potential suspension and debarment. These compliance requirements parallel current requirements in the commercial arena that must be met in order to avoid ethical issues and qualified audit reports that, among other things, impact stock price, trigger Securities and Exchange Commission reviews and penalties and result in fraud charges.
In the federal government contracts environment of today, there are five important ways that CCOs can enhance their company’s compliance posture.
• Make Significant Investments in Training and Retaining Capable Employees — Perhaps the most important driver of a contractor’s ability to maintain compliance is the ability of its employees to understand and identify potential compliance issues before there is a problem. Accordingly, recruiting and retaining employees with experience and training in the relevant compliance environment are critical. Compliance Officers are well-served by working closely with company Human Resources personnel to ensure that the correct talent is being located and recruited.
• Find Ways to Secure Support from Top Company Management for Compliance — Crucial to securing the support of employees for the successful implementation and maintenance of a compliance program is ensuring that each employee understands that company management, from the top down. Frequently referred to as the “Tone from the Top,” non-compliances often can be traced back to a failure of management to appropriately ensure lower level employees understand the critical importance of compliance. Compliance Officers that do not have the support of high-level company management are unlikely to have the authority or the resources to effective positive change. Thus, achieving an effective compliance program must begin with a strong statement of support from high level company management.
• Ensure that CIOs Understand Compliance Requirements— Many of the ways in which companies achieve and maintain compliance is through information technology systems. Accordingly, CIOs need to understand compliance requirements and to work continuously with CCOs to ensure that information technology systems keep up with changing compliance demands. For example, federal government contracts are now requiring that information systems contain adequate cyber security protocols and be able to track purchased materials to ensure adequate proof that the materials are not counterfeit. Thus, close coordination and understanding between the CCO and the CIO is the key.
"Company CIOs and their staff must possess increasingly robust compliance knowledge,experience, and training"
• Create and Maintain a Compliance Handbook — Having an appropriately tailored compliance manual or handbook that employees can access and readily use is critical. Of course, the size of the company, the complexity of its business, and the needs of the employees will drive the substance and level of detail. Once the Handbook has been created, it must be continuously reviewed and updated. This is particularly true in those industries facing significant and ever-changing compliance requirements.
• Have a Strategy for Dealing with Compliance Audits — Whether the govern ment or an independent outside firm is performing the audit, Compliance Officers will significantly increase the likelihood of a successful audit outcome if they have a plan in place that is triggered the moment the company is notified of an upcoming audit. The goal of the audit strategy is to (a) rapidly establish a core team who is most knowledgeable regarding the subject matter under audit; (b) properly prepare the team and agree on a process for handling all audit communications; and (c) ensure accurate, complete, and timely responses to audit questions.
In the past, these types of compliance requirements were often viewed as unique to federal contracting and, therefore, not readily applicable to commercial practices. This changed with the passage of SOX. Now compliance requirements when performing federal government contracts and those applicable to any business, particularly publicly traded companies, clearly parallel each other. Thus, CCOs will help achieve best compliance practices by understanding federal government contract compliance requirements and the means used to meet these requirements.