Most readers know that in late 2008 the FAR was revised to require “mandatory disclosure” of suspected employee violations of certain laws connected with the award or performance of a Federal contract to agency Inspector Generals.  We wrote about the mandatory “contractor disclosure” program here, and you can visit the Defense Department IG website for such disclosures at this link.  Less well known, but just as important, was that the same FAR revisions implemented requirements for “an effective internal control system” that will—“(A) Establish standards and procedures to facilitate timely discovery of improper conduct in connection with Government contracts; and (B) Ensure corrective measures are promptly instituted and carried out.”  (See the contract clause at FAR 52.203-13 (Dec. 2008).)

The FAR provides details regarding what constitutes an effective ethics program internal control system, saying that “at a minimum, the Contractor’s internal control system shall provide for the following:”

• Assignment of responsibility at a sufficiently high level and adequate resources to ensure effectiveness of the business ethics awareness and compliance program and internal control system.
• Reasonable efforts not to include an individual as a principal, whom due diligence would have exposed as having engaged in conduct that is in conflict with the Contractor’s code of business ethics and conduct.
• Periodic reviews of company business practices, procedures, policies, and internal controls for compliance with the Contractor’s code of business ethics and conduct and the special requirements of Government contracting, including—

o Monitoring and auditing to detect criminal conduct;

o Periodic evaluation of the effectiveness of the business ethics awareness and compliance program and internal control system, especially if criminal conduct has been detected; and

o Periodic assessment of the risk of criminal conduct, with appropriate steps to design, implement, or modify the business ethics awareness and compliance program and the internal control system as necessary to reduce the risk of criminal conduct identified through this process.

• An internal reporting mechanism, such as a hotline, which allows for anonymity or confidentiality, by which employees may report suspected instances of improper conduct, and instructions that encourage employees to make such reports.

• Disciplinary action for improper conduct or for failing to take reasonable steps to prevent or detect improper conduct.

• Timely disclosure, in writing, to the agency OIG, with a copy to the Contracting Officer, whenever, in connection with the award, performance, or closeout of any Government contract performed by the Contractor or a subcontractor thereunder, the Contractor has credible evidence that a principal, employee, agent, or subcontractor of the Contractor has committed a violation of Federal criminal law involving fraud, conflict of interest, bribery, or gratuity violations found in Title 18 U.S.C. or a violation of the civil False Claims Act (31 U.S.C. 3729–3733).

• Full cooperation with any Government agencies responsible for audits, investigations, or corrective actions.

Much of the language regarding the elements of an effective ethics program internal control system come from the United States Sentencing Guidelines (USSG) of the United States Sentencing Commission (USSC), as the FAR Councils openly admitted when they promulgated the rules.  So when the USSC proposes revisions to the USSG, it’s worth noting—as such changes may have downstream impacts to contractors’ internal control systems.

On January 21, 2010, the USSC published proposed amendments to the USSG.  The entire set of proposed changes (a lengthy read primarily of interest to attorneys) can be found here.  The area of most relevance to this topic is §B2.1. (“Effective Compliance and Ethics Program”).  The 2010 proposed amendments in this area include the following sentencing notes—

Both high-level personnel and substantial authority personnel should be aware of the organization’s document retention policies and conform any such policy to meet the goals of an effective compliance program under the guidelines and to reduce the risk of liability under the law (e.g. 18 U.S.C. § 1519; 18 U.S.C. § 1512(c)).

The seventh minimal requirement for an effective compliance and ethics program provides guidance on the reasonable steps that an organization should take after detection of criminal conduct. First, the organization should respond appropriately to the criminal conduct. In the event the criminal conduct has an identifiable victim or victims the organization should take reasonable steps to provide restitution and otherwise remedy the harm resulting from the criminal conduct. Other appropriate responses may include self-reporting, cooperation with authorities, and other forms of remediation. Second, to prevent further similar criminal conduct, the organization should assess the compliance and ethics program and make modifications necessary to ensure the program is more effective. The organization may take the additional step of retaining an independent monitor to ensure adequate assessment and implementation of the modifications.

The nature and operations of the organization with regard to particular ethics and compliance functions. For example, all employees should be aware of the organization’s document retention policies and conform any such policy to meet the goals of an effective compliance program under the guidelines and to reduce the risk of liability under the law (e.g. 18 U.S.C. § 1519; 18 U.S.C. § 1512(c)).

At §BD1.4. (“Recommended Conditions of Probation – Organizations”), the USSC makes several policy statements regarding conditions to be imposed on organizations that are on probation.  Among those statements is a discussion of court-ordered third-party monitors.  When a court orders such a compliance monitor, “The independent corporate monitor must have appropriate qualifications and no conflict of interest in the case. The scope of the independent corporate monitor’s role shall be approved by the court. Compensation to and costs of any independent corporate monitor shall be paid by the organization.”

For organizations on probation, periodic reports must be made to the court.  Among other things, those reports “shall disclose any criminal prosecution, civil litigation, or administrative proceeding commenced against the organization, or any investigation or formal inquiry by governmental authorities of which the organization learned since its last report.”  In addition, the organization must immediately notify the court (or its probation officer) “upon learning of (A) any material adverse change in its business or financial condition or prospects, or (B) the commencement of any bankruptcy proceeding, major civil litigation, criminal prosecution, or administrative proceeding against the organization, or any investigation or formal inquiry by governmental authorities regarding the organization.”  These organizations must also submit to a “reasonable number of regular or unannounced examinations of facilities.”

The foregoing may seem a bit onerous, but somebody on TV once said, “Don’t do the crime if you can’t do the time.”  In any case, the foregoing proposed changes help inform compliance practitioners of the expectations of the Federal government.