Difference between revisions of "Preparing for an Audit of Your Business Ethics & Compliance Program"

(Created page with "==FAR 52.203-13 Overview== The “Mandatory Disclosure Rule” requires contractors to: • Establish code of conduct & internal control system • Timely disclose to agency ...")
 
(How Compliance Is Assessed DCAM 5-306, Integrity & Ethical Values)
 
Line 84: Line 84:
  
 
Auditors will consider whether the code:
 
Auditors will consider whether the code:
• Addresses conflicts of interest, illegal or other improper
+
 
payments, anticompetitive guidelines, and insider trading
+
• Addresses conflicts of interest, illegal or other improper payments, anticompetitive guidelines, and insider trading
• Covers compliance with Government contracting
+
 
requirements for procurement integrity, classified
+
• Covers compliance with Government contracting requirements for procurement integrity, classified information, and recruiting and employing current or
information, and recruiting and employing current or
+
 
former Government personnel
 
former Government personnel
• Is periodically acknowledged by all employees
+
 
• Clearly establishes what behavior is acceptable or
+
• Is periodically acknowledged by all employees • Clearly establishes what behavior is acceptable or unacceptable, and what to do if employees encounter
unacceptable, and what to do if employees encounter
+
 
improper behavior
 
improper behavior
• Cites consequences for violations
 
Auditors will evaluate the contractor’s ethics awareness
 
and compliance training materials to ensure they cover
 
the code and should test the implementation of the
 
program by obtaining completed training documents to
 
determine that the training was periodically provided to
 
the appropriate individuals
 
ƒ Observes that ethics/compliance training would be
 
“appropriate” when the agent/subcontractor is a
 
“consultant providing a support service to the prime
 
contractor,” vice “a true subcontractor (i.e., one that
 
performs a part of the contract)”
 
  
Considers a strong internal control system to include:
+
• Cites consequences for violations Auditors will evaluate the contractor’s ethics awareness and compliance training materials to ensure they cover
• Assignment of responsibility at a sufficiently high level; the
+
the code and should test the implementation of the program by obtaining completed training documents to determine that the training was periodically provided to the appropriate individuals
“manager responsible for the ethics program should report to a
+
 
 +
* Observes that ethics/compliance training would be “appropriate” when the agent/subcontractor is a “consultant providing a support service to the prime
 +
contractor,” vice “a true subcontractor (i.e., one that performs a part of the contract)”
 +
 
 +
==Considers a strong internal control system to include:==
 +
 
 +
• Assignment of responsibility at a sufficiently high level; the “manager responsible for the ethics program should report to a
 
high level official such as the vice president or CFO”
 
high level official such as the vice president or CFO”
• Procedures to ensure individuals that previously engaged in
 
conduct that conflicts with the code of conduct are not appointed
 
as a principal of the company (e.g., officer, director, partner)
 
ƒ Auditors should review & test policies and procedures to
 
verify that they include steps for exercising due diligence
 
in identifying such conduct (e.g., require background
 
checks before appointing principals of the company) and
 
that the steps have been taken when applicable
 
• Periodic evaluations to ensure the effectiveness of the
 
business ethics and awareness compliance program and internal
 
control system
 
ƒ Instructs auditors to test by reviewing evaluations and
 
follow-up/corrective actions
 
  
Disciplinary action for improper conduct
+
• Procedures to ensure individuals that previously engaged in conduct that conflicts with the code of conduct are not appointed as a principal of the company (e.g., officer, director, partner)
ƒ Tested by reviewing evidence of the assessment performed
+
 
to determine if disciplinary action taken was needed, and
+
* Auditors should review & test policies and procedures to verify that they include steps for exercising due diligence in identifying such conduct (e.g., require background checks before appointing principals of the company) and that the steps have been taken when applicable • Periodic evaluations to ensure the effectiveness of the business ethics and awareness compliance program and internal control system
evidence of the disciplinary action taken, if applicable
+
 
ƒ If the contractor states that no disciplinary action was
+
* Instructs auditors to test by reviewing evaluations and follow-up/corrective actions
needed, the auditor should take steps to ensure that there
+
 
were no reports of improper conduct by the contractor
+
==Disciplinary action for improper conduct==
ƒ If the auditor finds that there is a report of improper
+
 
conduct and the contractor failed to take disciplinary action
+
* Tested by reviewing evidence of the assessment performed to determine if disciplinary action taken was needed, and evidence of the disciplinary action taken, if applicable
when it should have been taken, the auditor should cite the
+
 
contractor for an internal control deficiency
+
* If the contractor states that no disciplinary action was needed, the auditor should take steps to ensure that there were no reports of improper conduct by the contractor
 +
 
 +
* If the auditor finds that there is a report of improper conduct and the contractor failed to take disciplinary action when it should have been taken, the auditor should cite the contractor for an internal control deficiency
 +
 
 
• A hotline or other mechanism for anonymous reports
 
• A hotline or other mechanism for anonymous reports
  
Policies and procedures that include a reasonable definition of
+
Policies and procedures that include a reasonable definition of credible evidence, and a reasonable timeframe for disclosure
credible evidence, and a reasonable timeframe for disclosure
+
 
once credible evidence is obtained
 
once credible evidence is obtained
ƒ Auditors should verify that the contractor did not delay disclosing
+
 
the violation once it was determined that credible evidence exists
+
* Auditors should verify that the contractor did not delay disclosing the violation once it was determined that credible evidence exists
ƒ If the auditor finds that the contractor failed to disclose the
+
 
violation in a timely manner, an internal control deficiency should
+
* If the auditor finds that the contractor failed to disclose the violation in a timely manner, an internal control deficiency should
 
be reported
 
be reported
ƒ Auditors instructed to review any disclosures reported to the IG
+
 
and CO to ascertain if the necessary corrective actions have been
+
*Auditors instructed to review any disclosures reported to the IG and CO to ascertain if the necessary corrective actions have been
 
taken to protect the Government’s interests
 
taken to protect the Government’s interests
ƒ If the contractor has not taken the appropriate corrective action,
+
 
the auditor should report this as an internal control deficiency with
+
*If the contractor has not taken the appropriate corrective action, the auditor should report this as an internal control deficiency with
 
a copy of the report to the DCAA Justice Liaison Auditor
 
a copy of the report to the DCAA Justice Liaison Auditor
  
Considers a strong internal control system to
+
==Considers a strong internal control system to include (cont.):==
include (cont.):
+
 
• Full cooperation with any Government agencies
+
• Full cooperation with any Government agencies responsible for audits, investigations, or corrective actions
responsible for audits, investigations, or corrective actions
+
 
ƒ If there are known cases where the contractor has not
+
* If there are known cases where the contractor has not cooperated with audits or investigations, the contractor should be cited for deficiency relating to
cooperated with audits or investigations, the
+
contractor should be cited for deficiency relating to
+
 
its control environment
 
its control environment
ƒ Auditors should confirm that there are no outstanding
+
 
access to records issues or subpoenas that would
+
* Auditors should confirm that there are no outstanding access to records issues or subpoenas that would indicate the contractor’s lack of cooperation
indicate the contractor’s lack of cooperation
+
 
ƒ See also DCAA Audit Guidance Memo, 09-PAS014(R), Business Ethics & Conduct
+
*See also DCAA Audit Guidance Memo, 09-PAS014(R), Business Ethics & Conduct
 +
 
 +
[[Category:Ethics]]
  
 
==Practical & Legal Considerations==
 
==Practical & Legal Considerations==
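Review bot: the added lines still run separate list items together, so the new revision renders them as a single bullet. "• Is periodically acknowledged by all employees • Clearly establishes what behavior is acceptable or unacceptable…" holds two items, and "• Cites consequences for violations Auditors will evaluate…" fuses the last code-of-conduct item with the paragraph on training materials; the "Periodic evaluations" item is likewise appended to the end of the background-check sub-item. Put each item on its own line and use one list markup throughout, since the revision mixes literal "•" characters with wiki "*" items and several added lines still break mid-sentence ("…an internal control deficiency should" followed by "be reported"). The change also promotes "Disciplinary action for improper conduct" to a heading while the hotline entry that follows it remains a list item, so confirm whether it was meant to stay an item of the internal control list.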

Latest revision as of 21:07, 9 February 2021

FAR 52.203-13 Overview

The “Mandatory Disclosure Rule” requires contractors to:

  • Establish code of conduct & internal control system
  • Timely disclose to agency Offices of Inspector General (OIGs) “credible evidence” of certain criminal violations and civil False Claims Act violations

• The rule also amended the grounds for suspension and debarment to include a failure to timely disclose these same violations as well as “significant overpayments” on contracts

Code of Business Ethics & Conduct FAR 52.203-13(b)(1), (2)

• Must be established within 30 days after contract award, in writing
• Copy must be available to each employee engaged in performance of the contract
• Exercise due diligence to prevent and detect criminal conduct
• Otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Mandatory Disclosures FAR 52.203-13(b)(3)

• Timely disclosure, in writing, to the agency IG (with a copy to the CO) of
  • “Credible evidence” of a violation of Federal criminal law involving fraud, conflict of interest, bribery, or gratuity violations in 18 USC; or
  • Violation of civil False Claims Act
  • In connection with the award, performance, or closeout of the covered contract (not other Gov’t contracts) or a subcontract to a covered contract;
  • Committed by a principal, employee, agent, or subcontractor of the Contractor
• Requires disclosure of subcontractor violations on the covered contract of which prime contractor is aware
• No obligation to report violations by subcontractors on contracts other than covered contract.

Internal Control System FAR 52.203-13(c)

• Must be established within 90 days after contract award
• Commercial item and small business contractors exempt from requirements, but some minimum standards required for purposes of complying with disclosure obligations
• Requires
  • Ongoing business ethics and awareness program
  • Reasonable steps to communicate standards, procedures and internal control system through training appropriate to employees’ roles and responsibilities
• Training “shall be” provided to principals and employees and, “as appropriate,” to agents and subcontractors

Internal control system shall:

• Establish standards/procedures to timely discover improper conduct in performance of Gov’t contracts
• Ensure corrective action carried out
• Assign resources and responsibility at high enough level to ensure effectiveness of program
• Include reasonable efforts not to employ individuals as principals who engaged in conduct that conflicts with code of conduct
• Require periodic review of policies and practices for compliance with code of conduct, including periodic
  • Monitoring and auditing to detect unlawful conduct
  • Evaluation of effectiveness of internal control system, especially if criminal conduct has been detected
  • Assessment of risk of criminal conduct with appropriate risk avoidance steps
• Include internal reporting mechanism (e.g., ethics hot line) that is confidential
• Provide for disciplinary action for violations or failure to take reasonable steps to prevent/detect improper conduct
• Ensure timely disclosure to agency IGs
• Provide for “full cooperation” with Gov’t agencies responsible for audits, investigations, corrective actions

How Compliance Is Assessed DCAM 5-306, Integrity & Ethical Values

Auditors will consider whether the code:

• Addresses conflicts of interest, illegal or other improper payments, anticompetitive guidelines, and insider trading

• Covers compliance with Government contracting requirements for procurement integrity, classified information, and recruiting and employing current or former Government personnel

• Is periodically acknowledged by all employees

• Clearly establishes what behavior is acceptable or unacceptable, and what to do if employees encounter improper behavior

• Cites consequences for violations

Auditors will evaluate the contractor’s ethics awareness and compliance training materials to ensure they cover the code and should test the implementation of the program by obtaining completed training documents to determine that the training was periodically provided to the appropriate individuals

  • Observes that ethics/compliance training would be “appropriate” when the agent/subcontractor is a “consultant providing a support service to the prime contractor,” vice “a true subcontractor (i.e., one that performs a part of the contract)”

Considers a strong internal control system to include:

• Assignment of responsibility at a sufficiently high level; the “manager responsible for the ethics program should report to a high level official such as the vice president or CFO”

• Procedures to ensure individuals that previously engaged in conduct that conflicts with the code of conduct are not appointed as a principal of the company (e.g., officer, director, partner)

  • Auditors should review & test policies and procedures to verify that they include steps for exercising due diligence in identifying such conduct (e.g., require background checks before appointing principals of the company) and that the steps have been taken when applicable

• Periodic evaluations to ensure the effectiveness of the business ethics and awareness compliance program and internal control system

  • Instructs auditors to test by reviewing evaluations and follow-up/corrective actions

Disciplinary action for improper conduct

  • Tested by reviewing evidence of the assessment performed to determine if disciplinary action taken was needed, and evidence of the disciplinary action taken, if applicable
  • If the contractor states that no disciplinary action was needed, the auditor should take steps to ensure that there were no reports of improper conduct by the contractor
  • If the auditor finds that there is a report of improper conduct and the contractor failed to take disciplinary action when it should have been taken, the auditor should cite the contractor for an internal control deficiency

• A hotline or other mechanism for anonymous reports

• Policies and procedures that include a reasonable definition of credible evidence, and a reasonable timeframe for disclosure once credible evidence is obtained

  • Auditors should verify that the contractor did not delay disclosing the violation once it was determined that credible evidence exists
  • If the auditor finds that the contractor failed to disclose the violation in a timely manner, an internal control deficiency should be reported
  • Auditors instructed to review any disclosures reported to the IG and CO to ascertain if the necessary corrective actions have been taken to protect the Government’s interests
  • If the contractor has not taken the appropriate corrective action, the auditor should report this as an internal control deficiency with a copy of the report to the DCAA Justice Liaison Auditor

Considers a strong internal control system to include (cont.):

• Full cooperation with any Government agencies responsible for audits, investigations, or corrective actions

  • If there are known cases where the contractor has not cooperated with audits or investigations, the contractor should be cited for deficiency relating to its control environment

  • Auditors should confirm that there are no outstanding access to records issues or subpoenas that would indicate the contractor’s lack of cooperation
  • See also DCAA Audit Guidance Memo, 09-PAS014(R), Business Ethics & Conduct

Practical & Legal Considerations

• Imposes additional requirements/standards not expressed in the FAR?
• How will DCAA define “credible evidence” or determine whether disclosures have been “timely”?
• Broader demands for access to records?
• Extends DCAA into business operations?
• How to protect attorney-client/work product privileged records?
• How to protect anonymity?