In response to the killing of Major General Qassim Suleimani, the government of Iran and its supreme leader, Ayatollah Ali Khamenei, have declared the country’s intention to strike back at
Continue Reading Iran’s Imminent Cybersecurity Threat
Internal Controls
A Few Thoughts on DOJ’s Procurement Collusion Strike Force
This month, and with great fanfare, the U.S. Department of Justice (DOJ) announced its creation of a Procurement Collusion Strike Force. We know what you’re thinking, and no – this…
Continue Reading A Few Thoughts on DOJ’s Procurement Collusion Strike Force
Spoofing Enforcement Intensifies
U.S. regulators, in particular the Commodity Futures Trading Commission (“CFTC”), are intently pursuing market manipulation enforcement. The September 30 end of the 2019 fiscal year brought with it a flurry of press releases from four different agencies announcing settlements of spoofing-related enforcement actions against trading firms, banks, interdealer brokers, and traders.
Continue Reading Spoofing Enforcement Intensifies
SEC Enforcement’s Annual Report Prioritizes Retail Investors, Cryptocurrency, Cybercrime, and Individual Accountability
The Enforcement Division of the United States Securities and Exchange Commission (“SEC”) recently released its annual enforcement report (“Report”) for fiscal year 2018. The Report reflects an increased focus on retail investors, cryptocurrency, cybercrime, and individual accountability. Further, it showcases that SEC enforcement continues to be robust under the Trump administration, despite industry and media expectations to the contrary.
In fiscal year 2018, the SEC brought 821 enforcement actions, an approximately 8.8% increase from last year. The SEC collected approximately $3.9 billion in monetary penalties, a 4% increase from last year. Notably, however, a significant portion of this amount came from a single case, in which $1.8 billion in disgorgement and penalties were awarded for a large-scale corruption scheme. Moreover, while total monetary penalties rose, there was a decrease in the total amount of disgorgement imposed. This is likely due in part to the Supreme Court’s 2017 Kokesh decision, which held that SEC claims for disgorgement are subject to a five-year statute of limitations.
Continue Reading SEC Enforcement’s Annual Report Prioritizes Retail Investors, Cryptocurrency, Cybercrime, and Individual Accountability
Fool Me Twice…SEC’s latest Cyber-Fraud ROI Indicates Future Enforcement Against Hacker Victims
In the aftermath of the Securities and Exchange Commission’s (“SEC”) latest Report of Investigation (“Report”) regarding cyberattacks via “spoofed or manipulated electronic communications,” companies should prepare to adjust and update their internal controls or face possible enforcement actions for violation of federal securities law. Released as a warning to public companies about recent cyberattacks, the Report’s emphasis that companies maintain proper internal controls to combat cybersecurity issues indicates SEC enforcement actions for lack of proper cybersecurity procedures and supervision are on the horizon.
Continue Reading Fool Me Twice…SEC’s latest Cyber-Fraud ROI Indicates Future Enforcement Against Hacker Victims
Smash & Grab Redux – Congress Seems to Give DCAA Permission But Forgets to Give It Authority
Last month we wrote about a provision in the proposed 2013 National Defense Authorization Act (“NDAA”) that would have given the Defense Contract Audit Agency (“DCAA”) statutory authority to demand a company’s internal audit reports in order to audit the efficacy of a company’s internal business systems. Surprisingly, the authorization, as originally proposed, was modified in the final legislation. While Congress directed DCAA to issue new guidance regarding auditor access to internal audit reports, Congress stopped short of giving DCAA actual authority to demand such reports. As such, contractors will remain at loggerheads with DCAA auditors who try to exceed their statutory authority.Continue Reading Smash & Grab Redux – Congress Seems to Give DCAA Permission But Forgets to Give It Authority
Smash & Grab – DCAA Poised to Gain Access to Contractor Internal Audit Reports
The Defense Contract Audit Agency (“DCAA”) has long sought access to contractors’ internal audit reports in connection with the routine audit of contractors’ business systems. Contractors have, in most cases, successfully resisted requests for such access on the grounds that DCAA has no statutory authority to request such documents. But that may soon change. Section 843 of the Senate version of the 2013 National Defense Authorization Act (S. 3254) would grant DCAA broad access to contractor internal audit information.Continue Reading Smash & Grab – DCAA Poised to Gain Access to Contractor Internal Audit Reports
D.C. Circuit Rejects “Collective Knowledge” But Shines Spotlight on Processes
A good internal investigation gives equal scrutiny to people and processes. It may be easier to replace or reprimand the “bad apple” employee than to overhaul a system with which employees are familiar and has become ingrained in the operational culture. Nevertheless, it is increasingly vital that companies take a hard look at systems, structures, and processes. A recent opinion from the D.C. Circuit indicates that these organizational elements will be the next battleground in False Claims Act (“FCA”) litigation.
Continue Reading D.C. Circuit Rejects “Collective Knowledge” But Shines Spotlight on Processes
What Exactly Is DCAA Thinking?
Recently, contractors have begun receiving formal requests for information from the Defense Contract Audit Agency (“DCAA”). The purported purpose of these requests is to “[o]btain an understanding of the management control environment” of major government contractors. In pursuit of this goal, DCAA has crafted a letter that demands, among other things, the following:
- A list of all ethics training, copies of agendas, and attendee lists
- Copies of the company’s written Codes of Conduct, copies of the policies dealing with communications of the Code, and a list of employees who have acknowledged receiving the Code over the past 12 months
- A list of all violations of the Code over the past 12 months
- All “noncompliances” reported through the contractor’s internal control system (such as a hotline) within the past 12 months
- A “company-wide list of any current open investigations”
New Recovery Act Rules Implement Provisions Relating To Government Audit Access, Whistleblower Protections, And Buy American Requirements; Much Confusion Remains
On March 31, 2009, the FAR Councils issued several new interim rules (effective March 31, 2009) implementing the American Recovery and Reinvestment Act of 2009 (P.L. 111-5) (also known as ARRA, The Recovery Act, or the Stimulus Act). See Federal Acquisition Circular (FAC) 2005-32, published at 74 Federal Register 14621-14652. The FAC issued new interim rules on a number of areas required under the Stimulus Act, including:
- Reporting Requirements for Recipients of Recovery Funds (see 74 Federal Register 14639)
- Publicizing Contract Actions (see 74 Federal Register 14636)
- GAO and IG Access to Company Employees (see 74 Federal Register 14646)
- Whistleblower Protections (see 74 Federal Register 14633)
- Buy American Requirements for Construction Materials (see 74 Federal Register 14623)
This blog focuses on the final three sets of rules – those relating to Auditor access; Whistleblower protections; and Buy American requirements. The first set of rules is discussed separately here.
Continue Reading New Recovery Act Rules Implement Provisions Relating To Government Audit Access, Whistleblower Protections, And Buy American Requirements; Much Confusion Remains
Internal Control Compliance: It’s More Than You Think
By now, everyone who has even a passing familiarity with the new “Contractor Code of Business Ethics and Conduct” clause that went into effect on December 12, 2008 knows that “internal controls” are important. In fact, with the stakes under the new clause so high, many government contractor personnel can tell you that, under the clause FAR 52.203-13, they are required to:Continue Reading Internal Control Compliance: It’s More Than You Think