{"id":2872,"date":"2023-12-07T13:05:26","date_gmt":"2023-12-07T18:05:26","guid":{"rendered":"https:\/\/chessconsultingllc.com\/?p=2872"},"modified":"2023-12-07T13:05:32","modified_gmt":"2023-12-07T18:05:32","slug":"internal-audit-and-government-contract-compliance","status":"publish","type":"post","link":"https:\/\/chessconsultingllc.com\/internal-audit-and-government-contract-compliance\/","title":{"rendered":"Internal Audit and Government Contract Compliance: Working Together to Gain Efficiencies and Increase Effectiveness"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.0.4″ background_color=”#f8f8f8″ custom_padding=”0px||0px||false|false”][et_pb_row _builder_version=”4.0.4″ background_color=”#f8f8f8″ custom_padding=”0px||||false|false”][et_pb_column type=”4_4″ _builder_version=”4.0.4″][et_pb_text admin_label=”Text” _builder_version=”4.0.4″ custom_margin=”||||false|false” custom_padding=”||1px|||”]<\/p>\n

Over the years, in working with various clients and meeting Government Contract Compliance (\u201cCompliance\u201d) and Internal Audit (\u201cIA\u201d) leadership, we continue to find that in many cases these functions\/organizations rarely communicate and seem to be fairly siloed, with minimal coordination in achieving their missions. This can happen for any number of reasons, including, for example, the additional time required for Compliance to coordinate and support IA assessments, the potential view that IA\u2019s role and experience focus on financial statement reporting controls and wouldn\u2019t be particularly helpful to Compliance, or fear of increased scrutiny resulting in unnecessary and unwanted attention from executive management. Although it is understandable that certain Compliance leaders are hesitant to work with IA, there is good reason for Compliance to consider increasing its coordination with IA.<\/p>\n

Internal Audit Activities and Focus Benefit Compliance<\/strong><\/span><\/p>\n

While IA teams in certain organizations, such as those that are publicly traded, spend substantial time on financial statement related audits, many IA teams also allot significant time in their audit plans to evaluating other key risk areas, such as compliance and operations, and are increasing the amount of time allotted for certain areas such as cybersecurity and sustainability. So, in addition to the commonly shared risks\/controls supporting both government contract compliance and financial statement reporting, there are shared risks\/controls in other areas important to Compliance, on which IA focuses and can add value.<\/p>\n

These risk\/control areas of shared importance provide an opportunity for Compliance to leverage current testing and evaluation performed by IA, as well as to coordinate with IA to modify planned testing to address risks that support Compliance objectives. In addition, IA will likely be aware of new risk areas, such as GAAP\/ASC (\u201cAccounting Standards Codification\u201d) changes that could impact Compliance, for example the relatively new revenue recognition standard, ASC 606, and lease standard, ASC 842. Of course, IA also stands to benefit from coordinating with Compliance, as it will be in a better position to evaluate compliance risk\/controls and communicate them to management. Ultimately, this coordination will not only allow for greater efficiencies but will also increase the effectiveness of risk management.<\/p>\n

Additionally, this collaboration between functions is critical as current auditing standards continue to be evaluated and updated. These updates will need to be assessed by multiple teams at your organization, including both IA and Compliance, among others. As an example, in June of this year, the Public Company Accounting Oversight Board (PCAOB) issued a proposal (No. 2023-003) aimed at amending and strengthening auditor requirements to identify, evaluate, and communicate noncompliance with laws and regulations, including fraud. This proposal creates requirements for auditors to identify regulations that have a material effect on financial statements and evaluate whether noncompliance has occurred and, if adopted, \u201cwould encourage companies to take more timely remedial actions and thereby reduce investor harm caused by legal and regulatory penalties\u201d. Presumably, this would expand audit procedures over government contracting compliance as well. Internal Audit organizations would need to evaluate compliance risk in a number of areas, such as accounting practices (to ensure the actual accounting is in accordance with CAS disclosure statements), enhanced testing on contract billings, and other contract representations, to help ensure False Claims Act risk is mitigated along with other compliance matters that may lead to material financial risk.<\/p>\n

Current Risk Areas \u2013 Opportunities for Coordination<\/strong><\/span><\/p>\n

With the ever-evolving and changing landscape of government contracting, there are a number of opportunities for IA and Compliance to coordinate. Some examples of risk areas (both commonly shared and newly evolving) contractors are facing, and that IA and Compliance would likely benefit from assessing, include:<\/p>\n

Labor Charging Practices and Unallowable Cost<\/span> \u2013 In January of this year, the Federal Circuit Court reversed the ASBCA\u2019s decision regarding Raytheon\u2019s time charging practices for lobbying efforts and \u201cbright line\u201d policy for determining the point at which planning costs become M&A\/organizational costs and are deemed unallowable. Other contractors have similar policies, which will need to be evaluated and possibly revised.<\/p>\n

Greenhouse Gas (\u201cGHG\u201d)\/Environmental, Social, and Governance (\u201cESG\u201d)<\/span> \u2013 The SEC and Federal Acquisition Regulatory Council have published proposed rules to enhance climate-related disclosures. The FAR Council proposed the \u201cDisclosure of Greenhouse Gas Emissions and Climate-Related Financial Risk\u201d rule in November 2022, and the SEC proposed rules in March 2022. The FAR and SEC proposed rules share many of the same reporting requirements, and it will be important for contractors to implement controls to ensure compliance and consistent reporting in financial statements and to the government.<\/p>\n

Cybersecurity\/CMMC<\/span> \u2013 Government agencies, including the SEC, have developed and\/or are developing proposed rules for cybersecurity, and the framework underlying CMMC continues to be revised. The SEC\u2019s proposed rule would require certain companies to disclose information on their cybersecurity risk management programs, material cybersecurity incidents, and other cyber-related disclosures, while the Department of Defense (\u201cDOD\u201d) continues to develop its requirements with communication on issuance expected this winter. Large changes to potential requirements previously communicated are not anticipated; however, the DOD may require a pass\/fail certification from the Defense Industrial Base, which will have a significant impact, especially for small businesses.<\/p>\n

Program Management<\/span> \u2013 Program management risk and controls are a common area of concern for management, both for financial statement reporting and for compliance (in addition to other reasons\/risk areas). The risks and key controls that are shared are numerous. Some of the areas include, for example, proposal and contract review and approvals, revenue recognition, work authorizations and labor charging, project profitability and performance\/status review, invoicing, and indirect rates.<\/p>\n

IR&D<\/span> \u2013 The DOD issued its final rule regarding IR&D on January 31, 2023, implementing section 824 of the National Defense Authorization Act (\u201cNDAA\u201d) for fiscal year 2017. Significant to the new rule is the added requirement for CEOs to determine that the Independent Research and Development (\u201cIR&D\u201d) \u201cwill advance the needs of DoD for future technology and advanced capability as DoD describes such needs in communications referenced at 242.771-3(c)(1)(i).\u201d With the CEO now making this determination, controls will need to be implemented and documentation of the determination will be important to supporting compliance and cost allowability.<\/p>\n

Working with Internal Audit<\/strong><\/span><\/p>\n

With the consequences of non-compliance being significant and continuing to increase, working with IA provides Compliance with an opportunity to better evaluate and mitigate its risk without the increased cost of obtaining additional resources. While Compliance benefits from this arrangement, IA and the organization as a whole benefit as well. The organization is in a better position to manage its risk and IA has the opportunity to provide greater value. This is important because IA management is typically looking for ways to increase the value it adds to the organization, which includes not only risk assessments and audits, but also consulting support that is advisory in nature. So, if you are in Compliance, and haven\u2019t talked with IA in some time, it might be a good time to do so. As discussed above, there are a number of common and new\/evolving areas of shared risk\/controls that you can work together to mitigate and manage, and you might find that working with IA is easier than you previously thought.<\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.0.4″ min_height=”124px”][et_pb_column type=”4_4″ _builder_version=”4.0.4″][et_pb_button button_url=”https:\/\/chessconsultingllc.com\/contact\/” button_text=”contact us” button_alignment=”center” _builder_version=”4.0.4″][\/et_pb_button][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

Over the years, in working with various clients and meeting Government Contract Compliance (\u201cCompliance\u201d) and Internal Audit (\u201cIA\u201d) leadership, we continue to find that in many cases these functions\/organizations rarely communicate and seem to be fairly siloed, with minimal coordination in achieving their missions. This can happen for any number of reasons, including, for example, the additional time required for Compliance to coordinate and support IA assessments, the potential view that IA\u2019s role and experience focus on financial statement reporting controls and wouldn\u2019t be particularly helpful to Compliance, or fear of increased scrutiny resulting in unnecessary and unwanted attention from executive management. Although it is understandable that certain Compliance leaders are hesitant to work with IA, there is good reason for Compliance to consider increasing its coordination with IA.<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"on","_et_pb_old_content":"","footnotes":""},"categories":[20,21],"tags":[],"acf":[],"_links":{"self":[{"href":"https:\/\/chessconsultingllc.com\/wp-json\/wp\/v2\/posts\/2872"}],"collection":[{"href":"https:\/\/chessconsultingllc.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chessconsultingllc.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/chessconsultingllc.com\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/chessconsultingllc.com\/wp-json\/wp\/v2\/comments?post=2872"}],"version-history":[{"count":6,"href":"https:\/\/chessconsultingllc.com\/wp-json\/wp\/v2\/posts\/2872\/revisions"}],"predecessor-version":[{"id":2880,"href":"https:\/\/chessconsultingllc.com\/wp-json\/wp\/v2\/posts\/2872\/revisions\/2880"}],"wp:attachment":[{"href":"https:\/\/chessconsultingllc.com\/wp-json\/wp\/v2\/media?parent=2872"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chessconsultingllc.com\/wp-json\/wp\/v2\/categories?post=2872"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chessconsultingllc.com\/wp-json\/wp\/v2\/tags?post=2872"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}