Anyone who has been involved in U.S. government contracting knows that applicable rules and regulations have increased consistently over the years. Congress has used federal contracts to implement a wide range of policies, regulations, and laws, from labor laws to environmental concerns to subcontracting requirements to cybersecurity matters. This accumulation of federal regulations, along with state and local laws and regulations, creates a nest of complicated and often interdependent compliance-related obligations that the federal contractor must perform in connection with federal contracts. To complicate matters further, these obligations can vary both in terms of the timing of their application and the internal team members who may be impacted by or otherwise responsible for managing and proving compliance.
Certification of Compliance Can Be a Weighty Undertaking
When a company submits a bid for federal work, it certifies that it will comply with all federal, state, and local laws and regulations. For example, a company must certify within its proposal that it complies with all federal regulations regarding transactions and activity with prohibited entities, disclosure of lobbying efforts, independent price determination, business size and classification, responsibility matters, ownership and control of the company, and various other employment-related certifications. Prior to award of a negotiated contract, a company must certify that its cost and pricing data is current, accurate, and complete as of the date of negotiation, including the data of subcontractors. That said, for a large proposal, it takes a tremendous amount of effort to make such certification. In order to certify to these requirements, the company must have reliable systems with monitoring in place to confidently make those assertions in the proposal.
Failure to Comply Can Be Costly
When a company wins a contract, the performance of required compliance begins. By way of example, federal contractors are required to have a “combatting trafficking in persons” compliance plan for contracts that meet certain criteria (e.g., has an estimated value of more than $500,000). It is key to that the contractor sets out on a path to effective compliance and monitoring from the beginning of performance (contract kick-off). If efficient processes and safeguards are enacted before performance begins, inadvertent missteps or issues can be avoided. Also of paramount importance is ensuring client relationship executives understand agency specific needs and are ready and able to assure the government that the company is well-positioned to comply with the requirements. This will alleviate concerns on the part of the agency.
As the government increases oversight of contractors, ongoing compliance becomes even more important. Failure to comply with all the applicable laws, regulations, and requirements in the contract itself can have a significant impact on performance and a company’s bottom line. To illustrate this point, the government has increased auditing of hiring practices by reviewing the required Form I-9 paperwork collected by the company. Companies can face corrective action, monitoring, and heavy fines if found non-compliant, so it is in the best interests of the company to develop, implement, and monitor compliance plans for such requirements.
Thoughts on Ensuring Compliance
So, how does a company ensure effective compliance? First, awareness is key – identify all the compliance requirements. Next, determine what is required in order to comply, and what is needed to demonstrate (or prove) compliance. It is important to assign the right people to be responsible for compliance. For contractors with multiple contracts and long-term performance periods, this is critical as is incorporating well-defined internal processes and thoughtful technological solutions. Developing a corporate culture of shared responsibility for compliance also helps guide daily operations.
With respect to internal controls, it is especially important for companies to think about monitoring the efficacy of those controls. It is helpful to think along the lines of the following case study. Let’s assume that Company X incorporates Section 4.703 of the FAR’s record retention timeframe of “3 years after final payment” into the Company’s records retention policy and schedule. How—and when—will Company X know that the appropriate documents are being retained for the appropriate time period? The answer to that question may be severalfold: (1) when the government requests certain records and Company X is unable to locate those records because they were destroyed; (2) when Company X’s internal audit function performs an internal audit around certain contracts; or (3) when Company X’s compliance function performs a monitoring activity designed to test whether its retention schedule is being followed in practice. The advantage with discovering a control weakness during (3) rather than during (1) or (2) is that Company X will likely have an earlier opportunity to institute and document internal responsive steps, such as targeted training, enhancements to internal systems, clarifications within applicable policies, and perhaps the creation of additional procedures.
The company has done all that, and “feels” compliant, but is that enough? Perhaps it has identified a potential failure in FAR compliance as one of the top risks and wants to perform a formal risk assessment. Perhaps the company has begun thinking about monitoring activities but wants to benchmark against other companies. Outside professionals can help ensure compliance plans are up to par at the outset of a new contract and monitor compliance throughout the contract lifecycle so that the company can move ahead with confidence.