Over the years of working with varying clients and meeting Government Contract Compliance (“Compliance”) and Internal Audit (“IA”) leadership, we continue to find that in many cases these functions/organizations rarely communicate and remain fairly siloed, with minimal coordination in achieving their missions. This can happen for any number of reasons, including, for example, the additional time required for Compliance to coordinate with and support IA assessments; the view that IA’s role and experience focus on financial statement reporting controls and would not be particularly helpful to Compliance; or fear of increased scrutiny resulting in unnecessary and unwanted attention from executive management. Although it is understandable that certain Compliance leaders are hesitant to work with IA, there is good reason for Compliance to consider increasing its coordination with them.
Internal Audit Activities and Focus Benefit Compliance
While IA teams in certain organizations, such as those that are publicly traded, spend substantial time on financial statement related audits, many IA teams also allot significant time in their audit plans to evaluating other key risk areas, such as compliance and operations, and are increasing the amount of time allotted for certain areas such as cybersecurity and sustainability. So, in addition to the commonly shared risks/controls supporting both government contract compliance and financial statement reporting, there are shared risks/controls in other areas important to Compliance, on which IA focuses and can add value.
These risk/control areas of shared importance provide an opportunity for Compliance to leverage current testing and evaluation performed by IA, as well as to coordinate with IA to modify planned testing to address risks that support Compliance objectives. In addition, IA will likely be aware of new risk areas, such as GAAP/ASC (“Accounting Standards Codification”) changes that could impact Compliance, for example the relatively new revenue recognition standard, ASC 606, and the lease standard, ASC 842. Of course, IA also stands to benefit from coordinating with Compliance, as it will be in a better position to evaluate compliance risks/controls and communicate them to management. Ultimately, this coordination will not only allow for greater efficiencies but will also increase the effectiveness of risk management.
Additionally, this collaboration between functions is critical as current auditing standards continue to be evaluated and updated. These updates will need to be assessed by multiple teams at your organization, including both IA and Compliance, among others. As an example, in June of this year, the Public Company Accounting Oversight Board (PCAOB) issued a proposal (No. 2023-003) aimed at amending and strengthening auditor requirements to identify, evaluate, and communicate noncompliance with laws and regulations, including fraud. This proposal creates requirements for auditors to identify regulations that have a material effect on financial statements and to evaluate whether noncompliance has occurred and, if adopted, “would encourage companies to take more timely remedial actions and thereby reduce investor harm caused by legal and regulatory penalties”. Presumably, this would expand audit procedures over government contracting compliance as well. Internal Audit organizations would need to evaluate compliance risk in a number of areas, such as accounting practices (to ensure the actual accounting is in accordance with CAS disclosure statements), enhanced testing of contract billings, and other contract representations, to help ensure that False Claims Act risk is mitigated along with other compliance matters that may lead to material financial risk.
Current Risk Areas – Opportunities for Coordination
With the ever-evolving and changing landscape of government contracting, there are a number of opportunities for IA and Compliance to coordinate. Some examples of risk areas (both commonly shared and newly evolving) contractors are facing, and that IA and Compliance would likely benefit from assessing, include:
Labor Charging Practices and Unallowable Costs – In January of this year, the Federal Circuit Court reversed the ASBCA’s decision regarding Raytheon’s time charging practices for lobbying efforts and its “bright line” policy for determining the point at which planning costs become M&A/organizational costs and are deemed unallowable. Other contractors have similar policies, which will need to be evaluated and possibly revised.
Greenhouse Gas (“GHG”)/Environmental, Social, and Governance (“ESG”) – The SEC and the Federal Acquisition Regulatory Council have published proposed rules to enhance climate-related disclosures. The FAR Council proposed the “Disclosure of Greenhouse Gas Emissions and Climate-Related Financial Risk” rule in November 2022, and the SEC proposed its rules in March 2022. The FAR and SEC proposed rules share many of the same reporting requirements, and it will be important for contractors to implement controls to ensure compliance and consistent reporting both in financial statements and to the government.
Cybersecurity/CMMC – Government agencies, including the SEC, have developed and/or are developing proposed rules for cybersecurity, and the framework underlying CMMC continues to be revised. The SEC’s proposed rule would require certain companies to disclose information on their cybersecurity risk management programs, material cybersecurity incidents, and other cyber-related matters, while the Department of Defense (“DOD”) continues to develop its requirements, with communication on issuance expected this winter. Large changes to the potential requirements previously communicated are not anticipated; however, the DOD may require a pass/fail certification from the Defense Industrial Base, which would have a significant impact, especially for small businesses.
Program Management – Program management risks and controls are a common area of concern for management, both for financial statement reporting and for compliance (in addition to other reasons/risk areas). The shared risks and key controls are numerous. Some of the areas include, for example, proposal and contract review and approvals, revenue recognition, work authorizations and labor charging, project profitability and performance/status review, invoicing, and indirect rates.
IR&D – The DOD issued its final rule regarding Independent Research and Development (“IR&D”) on January 31, 2023, implementing section 824 of the National Defense Authorization Act (“NDAA”) for fiscal year 2017. Significant to the new rule is the added requirement for CEOs to determine that the IR&D “will advance the needs of DoD for future technology and advanced capability as DoD describes such needs in communications referenced at 242.771-3(c)(1)(i).” With the CEO now making this determination, controls will need to be implemented, and documentation of the determination will be important to supporting compliance and cost allowability.
Working with Internal Audit
With the consequences of non-compliance being significant and continuing to increase, working with IA provides Compliance with an opportunity to better evaluate and mitigate its risk without the increased cost of obtaining additional resources. While Compliance benefits from this arrangement, IA and the organization as a whole benefit as well: the organization is in a better position to manage its risk, and IA has the opportunity to provide greater value. This is important because IA management is typically looking for ways to increase the value it adds to the organization, which includes not only risk assessments and audits but also consulting support that is advisory in nature. So, if you are in Compliance and haven’t talked with IA in some time, it might be a good time to do so. As discussed above, there are a number of common and new/evolving areas of shared risk/controls that you can work together to mitigate and manage, and you might find that working with IA is easier than you previously thought.