By now, everyone who has even a passing familiarity with the new “Contractor Code of Business Ethics and Conduct” clause that went into effect on December 12, 2008 knows that “internal controls” are important. In fact, with the stakes under the new clause so high, many government contractor personnel can tell you that, under the clause FAR 52.203-13, they are required to:
- Assign responsibility for internal controls to someone “at a sufficiently high level” possessing “adequate resources” to implement the system;
- Implement periodic reviews to detect wrongdoing;
- Establish an internal reporting mechanism, e.g., a hotline;
- Discipline both offenders and those who fail to take “reasonable steps to prevent or detect improper conduct.”
Lost in the public discourse with respect to the new rules is one fundamental definitional question, i.e., “What are internal controls and just what are they designed to control?” The new rule does not define the term or answer that question in any other way.
One can be easily tempted to focus one’s concerns with respect to the efficacy of internal controls on financial transactions and financial controls. After all, that is where the Government has traditionally aimed its guns, beginning in 1977 with the way in which businesses accounted for their finances overseas. Quickly on the heels of the Foreign Corrupt Practices Act came the Security and Exchange Commission’s attempt to require private-sector management to subject statements on internal accounting to the scrutiny of independent auditors, followed by the Federal Managers Financial Integrity Act of 1982, the Chief Financial Officers Act of 1990, the Federal Financial Management Improvement Act of 1996, and of course, everyone’s favorite of late — Sarbanes-Oxley.
It is important to understand that “internal controls” transcend the regulation and oversight of financial accounting. The GAO, OMB, and the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) – a private-sector consortium of accounting professionals – all have long defined “internal control” as a system for providing “reasonable assurance” that the following objectives are achieved:
- Effectiveness and efficiency of operations,
- Reliability of financial reporting, and
- Compliance with applicable laws and regulations.
And the Defense Contract Audit Agency (“DCAA”) has addressed, albeit in limited fashion, the question of comprehensive compliance, noting that contractors participating in “self-governance” programs may be candidates of audits of their internal controls not only for financial records but for ethics and integrity as well. DCAA Contract Audit Manual §§ 5-301, 5-306.4.
Perhaps, because of the attention lavished on financial irregularities in the wake of various scandals, government contractors can be lulled into the belief that internal controls matter only in relation to accounting. Importantly, however, neither GAO, OMB, nor COSO have limited their guidelines to the accounting profession.
One should expect those charged with implementing FAR 52.203-13 to follow suit in this regard. There is no reason why the government should restrict its field of fire to financial and/or cost accounting irregularities in assessing a contractor’s system of internal control. President Reagan began his Presidency with the sacking of all the incumbent Inspectors General and a declaration of war against “fraud, waste and abuse.” Fraud has long been actionable under the law, both under and independent of government contracts. “Waste” and “abuse,” however, have always been far more questionable targets of the legal process. But it is precisely those concepts that internal controls are, in part, designed to obviate. And FAR 52.203-13 now makes it a contractual obligation to have internal controls that will adequately do so.
It seems to be predestined that the government will seize on inadequate internal control in its clashes with contractors to impose its worldview with respect not only to financial rectitude, but also in relation to the efficiency of operations and general ethics and compliance. However, the best defense is a good offense – contractors should establish robust internal control systems that address not only the reliability of their financial records but also the efficiency of their operations and their compliance with regulations, laws, and adherence to high ethical standards. Like it or not, that’s the bargain you struck when you accepted that post-December 12, 2008 contract.