The increasingly complex federal procurement environment may bring fond reflections on what now seem to be simpler times. Contractors and their legal counsel are experiencing intensified government scrutiny over regulatory compliance, persistent budget uncertainties, increased cost pressures and lower margins, and the list of challenges goes on. This is fertile ground for compliance warfare where the cost of compliance is high, and the cost of noncompliance is even higher. Often overlooked or underappreciated, however, is the importance of Internal Audit in the company’s arsenal of defense against regulatory noncompliance. Internal Audit, with its company-wide purview, has the potential to serve as a strategic partner that counsel and the management team can use to identify and remedy potential landmines in your compliance infrastructure.
Though the Internal Audit and Compliance functions share similar risk management objectives, the two serve very distinct purposes. The Compliance function primarily makes sure the company is following applicable government contract-related regulations. It also serves as a liaison between government auditors and company personnel, assists with responses to audit inquiries and data requests, addresses audit findings, and prepares required reports and disclosures. Said another way, the Compliance function handles most of the company’s tactical execution of compliance requirements.
On the other hand, Internal Audit provides objective, top-down evaluations to the Board of Directors and management on whether or not the company’s policies, procedures, and internal controls are designed and operating effectively. Many Internal Audit departments traditionally focus on internal controls related to financial reporting and operational efficiency, leaving regulatory matters to the Compliance function. When used most effectively, Internal Audit extends its focus beyond basic financial and operational controls and lends its strategic mission to addressing regulatory compliance risks, fraud risks, and other matters of corporate compliance and business conduct.
The following Exhibit shows how Internal Audit’s holistic view of the company intersects with the specific regulatory matters addressed by Compliance. Ask yourself what part of your company, if any, is proactively addressing the risks listed in the intersection of Internal Audit and Government Contracts Compliance. By defining and organizing your approach to both Internal Audit and Compliance, you can greatly reduce your overall risk.
Establishing and leveraging these two functions in a coordinated way is a proven strategy to maximize risk management and achieve a competitive advantage through improved risk surveillance (strategy) and compliance discipline (tactics) at a reasonable cost. When Internal Audit is tasked with regulatory compliance oversight, management can better integrate and understand its full system of internal controls. If Internal Audit doesn’t have the requisite technical knowledge to address key government contract compliance risks, consider temporary assignments within the Compliance function, adding a Compliance resource to Internal Audit teams on assignments involving regulatory compliance, or co-sourcing certain internal audits to outside subject matter experts.
The following two scenarios illustrate what we often see when Internal Audit doesn’t – and does – coordinate with Compliance. Company A is an $800 million government contractor, which has to comply with many regulations. Its Internal Audit and Compliance functions operated independently, resulting in a lack of communication, planning, and collaboration. Further, the two functions reported to different executives, which exacerbated the disconnect. Historically, the Board of Directors perceived Internal Audit as highly effective, knocking out over 20 audits annually, primarily around general accounting functions and operational policy adherence; no audits addressed government contract compliance. No one was quite sure what the Compliance function was working on, although everyone knew they were always very busy. But when government auditors recently arrived, armed with many new rules and an emboldened intolerance for noncompliance, they identified several significant deficiencies within the Company’s estimating and accounting systems. Soon thereafter, once the deficiencies were reported to government customers, Company A’s competitive position began to deteriorate quickly, and it lost several key contract awards where it was a long-time incumbent.
Changing only a few of the operative facts from Company A, the second scenario includes coordinated efforts of Internal Audit and Compliance by Company B’s Chief Financial Officer. Internal Audit’s annual audit plan included surveillance of several key government contract compliance considerations, including new rules requiring adequate business system internal controls. Internal Audit’s plan also included reviewing time charging practices, evaluating invoices for accuracy and consistency with contract terms, assessing compliance with disclosed accounting practices, inventorying and documenting key internal controls relative to regulatory requirements, and reviewing ethics committee activity. When the government arrived to audit, they were provided business system documentation and evidence of Internal Audit’s oversight on behalf of management and the Board. The auditors found no significant deficiencies, leaving Company B’s reputation unharmed.
So what did we learn from the two scenarios? In the first scenario, Company A’s disjointed communication and lack of collaboration between Internal Audit and Compliance resulted in a wounded reputation and deteriorating business results. In the second scenario, however, Company B’s coordinated approach to Internal Audit and Compliance improved its readiness for heavy government scrutiny. Company B was able to preserve its competitive position and avoid unfavorable audit results.
Managing government contract compliance risk is more important than ever as the consequences of noncompliance become more severe and costly. Integrating Internal Audit and Compliance can not only mitigate risk, but also preserve the company’s reputation (which is difficult to regain at any cost). Forward-thinking, coordinated planning, and frequent communication are the keys to Internal Audit and Compliance becoming true partners in risk management. Start the discussions on how your company can combine the talents of Internal Audit and Compliance into a coordinated force to drive improved compliance.