One of the most common questions I hear regarding doing business with the federal government goes something like this: “there are so many rules and requirements…how can I be sure my company is complying with everything?” As the government budget shrinks there is increased emphasis on oversight, compliance and following the rules. This increased emphasis results in heightened enforcement activities and larger fines and other penalties for non-compliance. Every contractor must ensure they have an effective system in place to avoid problems where possible, and to identify issues and take action when issues do occur. There is no one-size-fits-all solution—investment in every system must reflect the size and type of risk in the business. However, there is a common structured analysis that every contractor should take to make sure they are meeting their compliance requirements. This structured analysis should be conducted at least every year to ensure all systems meet the current regulations, and systems are tailored to your business type and risks.
- Conduct a Risk Analysis to determine your company’s risk areas. The first thing you need to know is where your risk is, and how high it is. The risk analysis should begin by examining relevant background factors. Risk will vary depending upon background factors such as the type of business you are in, what type of contracts you have, the size of the contracts, whether you are a prime or a subcontractor, and what agency the contracts are with. Once the general risk situation is framed, the second part of the evaluation considers specific risk areas. While every type of business has unique risks that must be considered, here are some common risk areas faced by many contractors: procurement integrity; gratuities; bribery; defective pricing; cost mischarging; CAS compliance; timecard abuse; organizational conflicts of interest; Foreign Corrupt Practices Act; export control; false claims; required content or sources; revolving door; small business issues.
- Ensure a compliance system is in place for each identified risk. A compliance system does not need to be complicated. It is just a repeatable structure to ensure company employees know what to do, often a procedure or checklist to follow. Many of the common risk areas have automated systems available, such as integrated accounting, timekeeping, job-costing, property, and procurement systems. The nature of the risk and the exposure involved should guide how much of an investment to make in automated systems. Fancy and expensive systems are not necessary in every situation. Just make certain there is a system in place for each identified risk, and there is a company policy that requires employees to follow the system.
- Develop or review a corporate Code of Business Ethics and Compliance Program. Every contractor is required to have a written corporate code of business ethics that is available to all employees. The code should be tailored to your business, and must clearly state company standards and policies and promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. The code must demonstrate an exercise of due diligence to prevent and detect criminal misconduct, and include provisions to report specific violations to the agency Office of Inspector General and the Contracting Officer. The code should include provisions for disciplinary action for violations. The code is part of your overall compliance program. It is important that the compliance system be much more than a “paper program.” The program must include all the required provisions of the FAR and other regulations, and have a high-level employee to oversee it. Depending upon the size of your contracts you may also need to have an anonymous hot-line, and posters put up. Most important of all is to actually use the system and take it seriously.
- Have an active internal controls and audit system. Use an active and ongoing monitoring system and plan for periodic reviews and audits. The level of audits must be tailored depending upon the complexity, risk analysis, type of business, and other factors. The highest risk areas generally should be monitored on a more frequent basis. The internal controls and audit system should be fully supported by upper management, and appropriate action taken depending upon audit results.
- Provide periodic training to all employees. Every company should develop and implement an ethics and compliance awareness and training program that is tailored to the specific business and contracts and all applicable legal requirements. The training must include all employees, from the CEO on down, and include appropriate training for the Board, if there is one. Training should be targeted based on job function. Principal-level personnel must be trained on the mandatory disclosure requirements.
- Revise form subcontracts as necessary. Many compliance requirements must be flowed down to subcontractors. All form subcontracts should be periodically reviewed to ensure they contain the proper and updated flow-down requirements.

Each of the above steps should be reviewed at least every year to make sure your compliance system is up-to-date and compliant with current regulations. When new requirements are imposed during the year it may be necessary to use the structured analysis more frequently. Having a solid and updated compliance system on which every employee is trained, that is audited and monitored, and that is actively supported and enforced by upper management is not a guarantee that no problem will ever arise. However, the government typically considers the existence of such a system to be strong evidence the contractor is trying to follow the rules, and takes the existence of the system into account for enforcement actions and potential penalties.
If you need assistance conducting the structured analysis for your company, or want to review existing procedures and standards, please contact Williamson Law Group P.C. at 301 788-8198, or contact Scott Williamson at SRW@WilliamsonLawGroup.com.