DCAA's New Emphasis on Government Contractors' Compliance Programs and Related Control Environment
In 2007 and 2008, the Federal Acquisition Regulation (FAR) Councils promulgated requirements that most government contractors develop comprehensive business ethics and compliance programs. Included among these requirements are:
- the development of codes of business ethics and conduct
- compliance training programs
- internal control systems designed to facilitate the discovery and disclosure of improper conduct and to ensure that corrective measures are implemented
For some contractors, these internal control systems must include, among other things:
- auditing and monitoring procedures
- internal reporting mechanisms, such as hotlines
- disciplinary action against violators
- periodic evaluations of the effectiveness of the compliance program
- regular compliance risk assessments
- periodic evaluations and modifications of the internal control procedures1
In addition, the 2008 final rule requires mandatory disclosure of certain types of wrongdoing and “full cooperation” with government investigations and audits.
New Audit Guidance
Related to these new requirements, DCAA has implemented new audit guidance reflecting an emphasis on thorough implementation of these programs. For example, DCAA auditors are now required to evaluate the “adequacy” of compliance with a company’s accounting system internal controls. This must include an understanding and assessment of the “control environment,” the company’s compliance policies and procedures; its code of business ethics and conduct, compliance training program, and its internal control system under the new compliance and ethics program requirements. (Memorandum for Regional Directors (MRD) 08-PAS-043(R), Audit Guidance on Significant Deficiencies/Material Weaknesses and Audit Options on Internal Control Systems, December 19, 2008)
In addition, DCAA audit reports will now be effectively “pass/fail.” “Inadequate in part” is no longer an acceptable option, so any significant deficiency or material weakness will result in a finding of “inadequate.” (Id.). Also, DCAA will no longer offer suggestions on how to improve the system in their internal control audit reports. (Id.).
DCAA has made it clear that understanding the management control environment at every major contractor is an essential part of its annual audit plan. Moreover, DCAA has concluded that a contractor’s failure to accomplish a control objective related to ethics and integrity represents a reportable significant deficiency/material weakness because it “creates an environment that could ultimately result in mischarging to Government contracts.” Significant deficiencies are defined as:
[A]n internal control deficiency, or combination of deficiencies, that:
1) adversely affects the contractor’s ability to initiate, authorize, record, process or report government contract costs in accordance with applicable government contract laws and regulations
2) results in at least a reasonable possibility that unallowable costs will be charged to the government
3) the potential unallowable cost is not clearly immaterial
(MRD 08-PAS-011(R), Audit Guidance on Reporting Internal Control Deficiencies, March 3, 2008).
A material weakness is a significant deficiency (or combination of significant deficiencies) that results in or could result in material unallowable costs being charged to the government.
(MRD 08-PAS-011(R), Audit Guidance on Reporting Internal Control Deficiencies, March 3, 2008 (emphasis in original)).
Accordingly, a contractor’s compliance program will receive substantial attention from DCAA. Notably, a contractor does not need to have any actual questioned costs for there to be a reportable significant deficiency/material weakness. Failure to properly implement elements of the required compliance program and related controls may be enough.
DCAA has prepared a formal request for information regarding a contractor’s internal compliance program controls, with particular emphasis on integrity and ethical values. Based on such information, DCAA will evaluate:
1) a contractor’s policies, procedures, training, and compliance with policies and procedures related to conveying integrity and ethical values – this evaluation will include verifying and selectively testing the written codes of conduct and ethics, and ensuring compliance with policies and procedures
2) the contractor’s self-governance and the making of adequate disclosures to the government
3) the intervention of contractor’s management and any overrides, including assessing compliance with the contractor’s policies and procedures in this regard
4) internal and external audit functions and efforts related to the contractor’s accounting system – DCAA may seek management reviews and external CPA reports
5) the most recent annual report and its internal control report, as this should include an assessment of the internal control structure and procedures for financial reporting
DCAA’s formal request for information is not only document intensive, but DCAA expects these documents to be readily available and that the contractor will provide access to personnel, including the person responsible for the information. (MRD, Audit Guidance on Denial of Access to Records Due to Contractor Delays, December 19, 2008).
Mandatory Disclosure Requires “Credible Evidence”
DCAA’s more aggressive posture may not necessarily fit squarely within the bounds of the law. For example, DCAA does not have a right of access to contractor personnel. In addition, the DCAA formal request for information claims to be based on a contractor’s purported requirement to report any “suspected violation of law” to government officials. However, the FAR does not require disclosure unless a “Principal” of the contractor has “credible evidence” that a violation has been committed. (See e.g., FAR 52.203-13(b)(2), 52.203-13(c)(2)(ii)(F)).
Government guidance on the mandatory disclosure requirement of the FAR clearly anticipates that contractors will have sufficient opportunity to investigate whether or not “credible evidence” of a reportable violation exists. In order to maintain the confidentiality of an investigation into a potential or suspected violation, a contractor may be best served by hiring outside counsel to conduct the investigation. In this way, the investigation is covered by the attorney-client privilege and, if credible evidence is not found, the contractor may not have any obligation to disclose the issue.
To avoid a finding of “inadequate” and the related potential for questioning of costs in a DCAA audit, contractors must proactively take steps to assess and address their compliance risks. This places a premium on regularly performing a risk assessment to identify gaps in the compliance program and related controls. Moreover, contractors must know their rights in order to work with, rather than be overrun by, an aggressive and emboldened DCAA.
1 See, FAR Case 2006-007, published on November 23, 2007, effective December 24, 2007; and FAR Case 2007-006, published on November 12, 2008, effective December 12, 2008; FAR 52.203-13, Contractor Code of Business Ethics and Conduct (December 2008).