We’ve recently noticed a spate of DOJ press releases dealing with timekeeping fraud. To some extent, such stories have always been there; timekeeping misadventures are the background noise of government contracting. It’s always puzzled us why so many people think they will be the ones to get away with their little lies despite annual training and supervisory timecard reviews, and DCAA floorcheck audits, and ethics/business conduct policies and more required ethics training, and mandatory contractor disclosure requirements, and internal audits, and all the other stuff good contractors do to try to detect or prevent such shenanigans. No matter what we do, we seem to have a small group, about ~ 0.1 percent of the workforce, who seem to be determined to lie about their labor hours.

In a recent article on the topic, we suggested that one causal factor may be that the supervisory review/approval of an employee timesheet isn’t the robust control it’s been portrayed as being. Maybe it was a stronger control 50 or more years ago, when we had paper timecards and supervisors were co-located with their employees. But that’s not the case anymore; nor has it been the case for many years. Times have changed and we wonder whether the average company’s internal controls have adapted to the changed times.

Today most companies use electronic timesheets. Supervisors have the option (if they choose) to click their approval without actually looking at the timesheet being submitted. And even if they look, what does the timesheet tell them? In the average ERP system, a project number is just a group of numbers with little (if any) information. Ditto for the WBS number. The project number/WBS number combination typically doesn’t tell the supervisor much of anything regarding the project or the task being worked on. Consequently, even the best supervisory review is weakened to the point at which its value is questionable.

Today most employees are not co-located with their supervisors. Instead, they work in different buildings, perhaps in different geographic locations that may be hundreds of miles away from the supervisor’s location. How can a “supervisor” be expected to intelligently review and approve a timecard when that supervisor doesn’t know when the employee showed up to work, when the employee departed, and how long the employee took for a lunch break? If the employee takes a sick day or goes on jury duty, how does the supervisor actually know that happened—other than the employee’s recording of hours against a paid time-off account? Conversely, how does the supervisor actually know the employee was present in the workplace—other than the employee’s recording of hours against a project/WBS number?

As we asserted in that prior article, we think one problem is HR. HR is telling companies who the supervisors are, based on organizational structures and who performs annual performance reviews. But that logic doesn’t follow when you’re trying to establish sound internal controls and provide assurance that the supervisor is performing a knowing review of an employee’s timesheet when deciding whether or not to approve it. In our view, companies are far better off if they decouple the organizational hierarchy from the internal control hierarchy, and identify a timecard reviewer/approver who actually knows what the employee is doing on a day-to-day basis, even if that reviewer/approver is outside the employee’s organizational structure. In our view, companies need to identify timesheet supervisors who may well be independent from the employee’s “HR supervisor” because that’s what makes for a knowing review/approval and a solid internal control.

With that in mind, let’s discuss a recent timecard fraud matter over at Charles River Laboratories. Charles River Laboratories (CRL) is a publicly traded company that reported $1.4 billion in sales in its FY 2015. It employs about 11,000 at more than 50 locations scattered throughout the world, including roughly 40 locations within the United States. CRL “provides essential products and services to help pharmaceutical and biotechnology companies, government agencies and leading academic institutions around the globe accelerate their research and drug development efforts.” If you think about it, that’s a fairly risky profile from a timecard review/approval point of view.

Among its many customers, CRL supports the National Institutes of Health (NIH) “for services relating to the development, maintenance, and distribution of colonies of animals as well as the provision of laboratory animals.” As a government contractor, CRL is subject to all the requirements of accurate timecharging and proper labor accounting and billing accuracy, the same as Lockheed Martin or Northrop Grumman, or (probably) your company.

Anyway, according to this DOJ press release, CRL employees from two geographically disparate locations (Raleigh, North Carolina and Kingston, New York) engaged in some kind of timecard fraud. The improper labor hours led to invoices that were inaccurate, because they contained hours that had not been worked. CRL apparently discovered the problem and reported it (as they were very likely required to do under the requirements of the contract clause 52.203-13).

For some reason, the government decided to pursue restitution via the False Claims Act, rather than through an administrative mechanism (such as a billing credit). We don’t know the rationale for doing so. (Sorry to be sketchy on the details; the DOJ never gives many details in its press releases.) It is possible that the rationale was the “reckless disregard” or “deliberate ignorance” standard. Perhaps CRL’s timekeeping and labor accounting controls were viewed as being susceptible to fraud. If management knew its controls were weak and did nothing to enhance them, that might be viewed as meeting the “reckless disregard” standard. If management did nothing to evaluate its controls, that might be viewed as meeting the “deliberate ignorance” standard. Obviously we don’t know what the rationale was; we’re just speculating here.

In our experience—and we have a lot of experience in this area—the government does not normally pursue a False Claims Act case where the contractor made a disclosure of its own volition. This case is a bit different from the norm, and nobody is really talking about why. We did Google an article from the Boston Business Journal (authored by Max Stendahl) and learned—

A spokeswoman for Charles River said that the company and its outside lawyers began an investigation in May 2013 into the inaccurate billing after an employee reported the issue to senior management. The probe confirmed that the company’s research models and services unit had overbilled the government for work related to ‘a small subset of our government contracts,’ the spokeswoman said.

That doesn’t necessarily tell us why the DOJ pursued an FCA suit. However, it does tell us that CRL’s internal controls failed. It took an employee report—via “hotline” or similar means—for CRL management to learn about the timecard fraud. We can speculate that the employee wrongdoing was ongoing for several years. At least, we can speculate that it could have been going on for several years, and would still be going on today without that report to management. Management was in the dark. When management learned about the problem it hired “outside lawyers” to investigate and scope the problem out. That effort led, nearly four years later, to a $1.8 million settlement with the DOJ.

We say it over and over. The business case is obvious. It’s a no-brainer. Internal controls are investments that pay for themselves many times over. In this case, CRL spent untold millions on attorney fees in order to reach a FCA settlement valued at nearly $2 million. What kind of internal audit/compliance function would that kind of money buy you?