Considering Contractor Fraud
You know when you have your DCAA entrance conference, and the auditor gets all serious and asks about fraud? The auditor asks “Are you aware of any allegations of fraud related to this audit?” or something very much like that. And most times that happens, you wonder who would ask such a silly question and why they would think it would be appropriate to ask it of you.
You think it’s silly because, really, how would you know? Fraud allegations are handled by Legal and discussed with Senior Management, and you would honestly have no idea if there were any allegations of fraud or if those allegations had been confirmed or if those confirmed allegations had been reported as required by contract clause 52.203-13. You honestly have no clue (unless you yourself made or investigated such allegations) and you wonder how to answer the question.
Because you have to answer it. The question (or questions) about known or alleged or suspected fraud must be answered. The auditor must ask and the contractor must answer, honestly.
The question(s) must be asked and answered.
Typically, the question is punted over to Legal for an official answer. And that takes time, because Legal is concerned about risks and what words mean, and the lawyers want to ponder the meaning of words like “fraud” and “allegation” and “suspicion,” and they want to review all open investigations and all recent Hotline reports to see if, maybe, there is an allegation of fraud related to the audit.
While Legal is reviewing the files and preparing the official answer, the auditors are waiting. And they are getting suspicious while they wait, because they are thinking “why would this take so long?” The only answer they can come up with is “because there’s something there—something the contractor wants to hide.” While you are waiting for Legal to get you the answer to the question(s), the auditors are thinking they are going to learn something important. (This rarely happens.)
Less typically, the audit liaison answers the question, and answers it in the negative. The negative response is also honest. “No, I am not [personally] aware of any allegations of fraud related to this audit.” The personally part is never said out loud, but it’s certainly implied. “I am not aware, and I am not aware that management is aware…” Because you are not aware, because they haven’t told you anything.
The auditor notes the response and the date and the fact that it was you who said it … and if it ever turns out that there were, in fact, allegations or suspicions or actual disclosures of fraud that were relevant to the audit, then you will certainly have some explaining to do.
You cross your fingers and hope it never comes to that.
Regardless of which scenario you are participating in, the auditors have asked their fraud-related questions, and received and recorded the answers—thus, one more step in the audit program has been completed.
It’s a required step in most DCAA audit programs. The auditors are required to consider contractor fraud as part of their audits. You know that asking about fraud is probably not the best way to consider fraud, but it’s certainly one way. To be clear, it’s not the only way.
Another resource used by DCAA auditors to consider contractor fraud are the Fraud Detection Resources for Auditors, maintained by the DoD Office of Inspector General. You don’t have to be an auditor to use these resources; anybody can visit the DoD OIG website and peruse “General Fraud Scenarios and Indicators,” “Fraud Red Flags and Indicators,” and “Contract Audit Fraud Detection Resources.” You can also review “Fraud Detection Guidance,” or “Auditor Responsibilities,” or even “Best Practices” for identifying and assessing potential fraud risk factors during audit planning and performance. It’s free!
If you click on (say) “Contract Audit Fraud Detection Resources,” you will see a bunch of interesting stuff, including Fraud Scenarios linked to:
If you are a diligent audit liaison, you will actually review the fraud indicators and scenarios that are relevant to the audit you are supporting, because you know that the DCAA auditors are reviewing them and you’d like to have an inkling about what things they are going to be sensitive to in the audit they are performing at your company.
But if you are the average person, no. You’re not going to take the time to review all that stuff, because you’re convinced the whole thing is a “check the box” exercise, without any substance and therefore without any consequences.
And you’d be wrong.
The fact of the matter is that there is a non-zero probability that any DCAA audit is going to unearth some type of fraud. There is a non-zero probability that any contractor a DCAA auditor audits is actually committing some type of fraud right at that moment.
Yes, your company.
In 2017, contractors made 388 “disclosures” to the DoD OIG. And that’s just one Inspector General out of many across the Federal government. According to DoD OIG reports, the number of contractor disclosures is trending up over time, not down. Contractor fraud is a growing problem and DCAA auditors would be silly if they didn’t consider that every single time they performed an audit, there was a chance they would encounter some type of fraudulent activity. You might not like the way they handle it, but it’s something they absolutely have to handle.
Examples of contractor fraud abound on this website, even though (a) we don’t report fraud in the health-care industry, and (b) we don’t report anymore about “routine” contractor fraud—it’s got to be something interesting to merit a blog article. A keyword search using “fraud” as the single term returns more than 40 individual articles dealing with contractor fraud.
So get over it. Auditors are going to continue to ask questions about fraud and they are going to continue to expect answers to those questions.
In unrelated news, on January 19, 2018, Lockheed Martin “agreed to a settlement valued at $4.4 million to resolve allegations that it violated the civil False Claims Act by providing defective communications systems for the United States Coast Guard’s National Security Cutters,” according to this Dept. of Justice press release. The settlement resolved allegations brought by a qui tam relator (a former employee, naturally) who “will receive $990,000 as his share of the government’s recovery from Lockheed.” Importantly, apparently this matter was not disclosed by Lockheed Martin pursuant to the requirements of contract clause 52.203-13.
In more unrelated news, the DoD OIG confirmed allegations that government contractor Leidos had retaliated against an internal whistleblower. Report DODIG-18-044, issued January 3, 2018, stated—
We determined that Complainant made two protected disclosures, one to a company official, and one to a Government official. We also determined that after Complainant’s protected disclosures, Leidos took actions against Complainant by non-selecting her for contract continuation. We further determined Leidos had knowledge of Complainant’s protected disclosures.
Leidos officially disagreed with the IG’s findings. Nonetheless, the matter was referred to the Secretary of Defense for further action.
Moving forward, let’s agree that contractor fraud exists and that government auditors are not being oversensitive or overzealous when they consider that it might be existing right in front of their eyes. Let’s agree to make sure that, when we answer auditors’ fraud-related questions, we do so quickly and forthrightly. As a further step, let’s agree to try very hard to make sure the answers to those questions are “no”—because we’ve already been checking for fraud at our companies, as the government expects us to.
Statute versus Regulation
Recently we have noted a spate of Class Deviations issued by the Defense Procurement and Acquisition Policy (DPAP) Directorate. Generally speaking, the various Class Deviations relax certain requirements.
For example, DARS 2017-O0006 (July 13, 2017) increased the Micro-Purchase Threshold (MPT) to $5,000. (The MPT was increased to $10,000 for “acquisitions … for (i) basic research programs; and (ii) activities of the DoD Science and Technology Reinvention Laboratories (STRLs)” as listed in the Memo.) (The Class Deviation notes that the MPTs for other acquisitions remain unchanged.)
For another example, we discussed here Class Deviation DARS 2018-O0001 (November 8, 2017) that delegated to the Heads of Contracting Activity (HCAs) the ability to waive certain requirements for certain acquisitions. (It’s complicated; see the article for more details.)
DCMA has issued its own Class Deviations relaxing certain requirements. For an example, see this article where we reviewed the August 15, 2017 DCMA Class Deviation that modified Instruction 135 by—
… streamline[] the prior quick-closeout process for DCMA’s Administrative Contracting Officers (ACOs) by removing requirements to obtain an audit report or Low-Risk AdequacyMemorandum from the Defense Contract Audit Agency (DCAA) prior to settling quick-closeout rates.” The Class Deviation “authorizes ACOs to settle final overhead rates and close any and all physically complete contracts regardless of dollar value or the percent of unsettled direct and indirect costs allocable to the contracts. It applies to Cost-Reimbursement, Fixed-Price Incentive, Fixed-Price Redeterminable and Time-and-Materials Contracts.
(Emphasis added.)
We’ve asserted that the spate of Class Deviations stems from the lack of action by the DAR Council, the regulatory rule-making body charging with overseeing revisions to the DFARS (and for cooperating with the Civilian Agency Acquisition Council in making revisions to the FAR). (See FAR Part 1.201.) The lack of regulatory action is noticeable. That’s not to say that there is no action; however, the quantity of DFARS revisions has fallen markedly in the past year. Let’s just say that DAR Council members may be working hard; but the output of those efforts is disappointing.
Meanwhile, Congress keeps on passing laws that should—in theory—compel the FAR Councils to act with a sense of urgency. Looking at the recently enacted 2018 NDAA, we counted three (3) separate changes to acquisition thresholds, as follows:
-
Micro-Purchase Threshold raised to $10,000 (for all DoD acquisitions)
-
Simplified Acquisition Threshold raised to $250,000
-
TINA Threshold raised to $2 million
Those are significant changes. But unless otherwise directed they impact only DoD and NASA acquisitions; they don’t impact acquisitions by civilian agencies. Obviously, if you were on the CAA Council you would want to adopt requirement relaxations for your own agencies; but nothing compels you to do so.
In the meantime, how do DoD Contracting Officers implement requirement relaxations? Do they implement the new statutory thresholds, or do they wait for the DAR Council to implement the new public law via revisions to the acquisition regulations? Or does DPAP and/or DCMA issue appropriate Class Deviations while everybody waits for the DAR Council to work its bureaucratic processes?
Those questions matter, because the threshold changes impact solicitation requirements and contractor proposals submitted in response to those solicitations. If the requirements have been relaxed, then it behooves all parties to implement those changes quickly, because if contractors are subject to fewer burdensome requirements, then they can respond more quickly (and more cheaply).
The problem is more challenging for contractors subject to the requirements of the FAR contract clause 52.244-2 (“Subcontracts”) or the DFARS contract clause 252.244-7001 (“Contractor Purchasing System Administration”). Those contractors have purchasing systems that are subject to government review—primarily by DCMA—using this CPSR Guidebook. Those contractors are expected to comply with applicable rules and regulations and statutes. The CPSR Guidebook states that the government review should encompass 30 individual areas, and too many deficiencies in any of those areas can lead to a disapproved contractor purchasing system.
Those contractors have a problem right now. Do they use the statutorily revised thresholds, or do they wait for the Council(s) to update the regulations? For example, when considering compliance with “Truthful Cost or Pricing Data. Truth in Negotiations Act (TINA)” (Item 4.2.1.2 in the October 2017 Guidebook), do Contractors stick with the old (regulatory) threshold of $750,000, or to they immediately implement the new (statutory) threshold of $2 million? If they implement the $2 million threshold before the regulations catch up to the statute—which, based on recent history, could take a couple of years—will CPSR reviewers find them deficient and recommend system disapproval?
It’s a challenge.
Different companies respond differently to that challenge.
Some companies take a more conservative line and tell their buyers “nothing changes until the FAR is updated” to reflect that change. They don’t seem to trust that CPSR reviewers will accept statutory changes, and thus they are unwilling to risk the adequacy of their purchasing system until they have a regulation at which to point as the basis for their internal purchasing policy.
Other companies lean forward to take advantage of any relaxation of requirements, even if the requirement relaxation hasn’t yet made it through the regulatory rule-making process. They see opportunities for accelerated schedules and less effort, and less procurement file documentation. They see opportunities for cost reduction and schedule reduction, and they are willing to trade a little risk for those opportunities.
Who’s right?
It’s not for us to say, since each company establishes its own policies, procedures, and practices.
We will offer this:
Essentially, the CPSR is an evaluation of the company’s purchasing system documentation and compliance with those policies, procedures, and practices. If buyers comply with their internal requirements then perhaps the risk isn’t as great as some would think. We’ve also heard of contractors getting gigged for not updating their procedures and instructions as the requirements change (in the regulations), so it might even be a good thing to be seen as leaning forward as requirements change (in the statutes).
Finally, Mark Hijar, an attorney focused on contractor purchasing system adequacy, offered this advice a few months ago on LinkedIn. He wrote “… assuming the contractor manages the [CPSR review] team effectively, raising the micro purchase threshold might upset the team and result in an easily-negotiated deficiency during the report phase. Best case, DCMA accepts the increase without question. … [Also] you really don’t need to wait for the regs to be edited if you don’t want to. The regs specify compliance with the law they articulate - order of precedence places the law above the reg, so differences between the two defer to the law itself.”
As a contractor, you need to be aware of upcoming regulatory changes, be they changes to statute or to implementing regulation or made via Class Deviation. You can watch the Open FAR Case report or the Open DFARS Case report to see how the rule-makers are progressing. You can wait for them to complete the revision process, if you’d like. Or you can lean forward and adopt statutory changes as they are enacted into law.
It’s your call.
|
Subcontractor Management
Here we go again: another blog article about managing subcontractors.
It’s not like we haven’t beaten this drum already, many times. We’ve asserted, over and over, that effective subcontractor management is the key to effective prime contractor performance. We’ve asserted, over and over, that the prime will be held responsible for contract execution, even if the cause of nonperformance is buried deep in the program supply chain. (For example: here.)
We’ve reviewed FAR 42.202(e)(2) and “plainly invalid” DCAA audit findings regarding its views on what a prime contractor’s duties are with respect to its subcontractors. We’ve reviewed subcontractor risk management and T&M misbilling allegations and contract types. We’ve talked about this issue to death, and readers might justifiably be wondering what the heck is there left to talk about?
Well, let’s try this one.
Let’s say you are performing due diligence activities on a contractor, and you want to assess its management of its subcontractors. How would you go about making that assessment? What would you do? What areas would you examine?
-
Source selection and award. Don’t bother looking at “depth of competition”—which is a phrase created by CPSR reviewers that lacks substantive meaning. (Adequate competition and adequate price competition are terms already defined in the FAR. Either you have ‘em or you don’t. It’s a pass/fail thing. Having more competition than you need to have isn’t better, and it’s often counterproductive.) But do look at the solicitations. Do they list clear evaluation criteria? Do bidders get a reasonable amount of time in which to respond? Are the same sources being sought each time, or is the contractor trying to find new sources? (If there are sole source justifications, do they look legitimate?) Also look at the amount of “lead time” the buyers get to evaluate bidders and to make an award. Is it reasonable, or is it so short that the people involved will rush through their procedures and make mistakes?
-
Corruption. Don’t forget to check to see if the same buyer makes an award to the same bidder, over and over. That’s an indication that there may be more to the relationship than there should be.
-
Subcontract type. Remember that the subcontract type has to be appropriate. If every subcontract is FFP, that’s not necessarily a good thing, especially in a development environment. You can usually tell if the contract type was appropriate by looking at post-award change order activity. If you see a lot of activity, chances are it’s because the wrong subcontract type was selected.
-
Subcontractor business systems. Smart prime contractors know that the DFARS Business System Administration contract clause is not a mandatory flowdown clause. However, they also know that their subcontractors must have sufficient sophistication (in terms of business systems) to be able to comply with contract terms. If the Davis-Bacon Act or the Service Contract Act is involved, then subcontractors must be able to comply with those onerous rules. If a T&M subcontract is awarded, then the subcontractor must be able to bill labor hours accurately in the right labor categories. If a cost-type subcontract is awarded, then the subcontractor must be able to comply with FAR 52.216-7 (“Allowable Cost and Payment”). Smart subcontractors check these things before making an award; dumb ones don’t. Check the subcontract file to see whether your due diligence target is smart or dumb.
-
Subcontractor risk management. When things go south, more often than not a subcontractor was involved. Quality escapes that go undetected for too long, counterfeit electronic parts, failure to comply with contract terms. These are a few of our favorite things. (Sorry, couldn’t resist.) The best prime contractors think about the risks ahead of time and then think about risk mitigation, and then they actually deploy their risk mitigation strategies. They budget for subcontractor risk mitigation because they know that its cheaper in the long run to have risk mitigation that you didn’t end up needing rather than experience hugely problematic subcontractor incidents that could have been avoided, had somebody done something proactively. Other prime contractors talk about saving pennies while risking the loss of billions of dollars. Which one are you dealing with?
-
Subcontractor close-out. Many (most?) prime contractors don’t think that subcontract close-out is part of subcontractor management. They think their job is over when the subcontractor makes its final delivery. They are so, so wrong about that. There is a ton of paperwork to execute, from patent/royalty certifications to property certifications to security certifications. For cost-type or incentive type or T&M type subcontracts, there is a final “true-up” of costs and fee to be made, often (but certainly not necessarily) based on a government audit report that is issued years later. Check the files for evidence that the contractor performs subcontract close-out as a routine part of its subcontract management activities. If you don’t see what you’re looking for, then chances are you will inherit a labor-intensive, very difficult, long-overdue task if you decide to acquire the company.
Just some thoughts about subcontractor management on this winter’s morning. If you are performing due diligence, you may want to consider them.
And even if you are not performing due diligence—even if you are just a government contractor going about its business, managing its subcontractors—perhaps you may want to consider them as well.
Risk Aversion
Sometimes the best advice we can give our clients is “get a lawyer.” We can offer suggestions and assistance in many areas of government contract cost accounting, compliance, and administration; but we cannot offer legal advice. In fact, we are prohibited from doing so!
Thus, sometimes we have to tell clients that they need legal advice from a real, honest-to-God attorney. If the matter is a complex government contracting issue, we suggest they find an attorney with strong credentials in that area. If the matter may lead to litigation if not resolved, we suggest they think about a firm with litigation experience in the government contracting area.
Obviously, one engages an attorney only with some reluctance, because we all know that attorneys are expensive—but when there is sufficient money at stake, that is definitely the way to go. Sometimes, however, the matter isn’t about money: it’s about risk. Risk associated with submitting a cost in an invoice, or risk associated with making a certain statement in a proposal. Oftentimes those are legal risks where an attorney’s input can be valuable; but other times the risks are simply business risks. It might be a matter of cash flow or a matter of profit, or a matter of a customer relationship.
And the point of this little article is that attorneys don’t always offer the best advice on business risk matters.
Why? Because in our experience too many attorneys bias towards risk aversion. They want to eliminate risk instead of managing it.
We have thought about this for some time. We have pondered why that might be the case. (And of course we are not talking about all attorneys; there are obviously exceptions to any generalization.) Our speculation is that this general bias against risk is a product of law school. Attorneys are trained to think about risks and possible consequences and what-ifs and what-abouts—and that kind of thinking leads to good attorneys and good advice. We speculate, though, that drafting contract language to militate against risk and thinking about how to avoid consequences naturally leads to an inherent risk aversion. It’s all just guesswork, but that’s where our thoughts have led us.
Not to make too much of a joke of this topic, but you might be a risk-averse attorney if—
Et cetera.
As business people, we learn to manage risk, not to avoid it. We understand that risk cannot be eliminated. We learn to identify risks, to monitor risks, and to implement mitigation plans when risks start to transform into events.
Every government contract is, in essence, a series of risks to be managed. (In fact, I co-instructed a NCMA National Education Seminar on Risk Management of Complex U.S. Government Contracts and Projects a few years ago. The seminar tag line, which you can still find on Google today, was “Risk management, the ability to efficiently and cost effectively mitigate potential problems, is fundamental to good business in both the public and private sectors.”) Obviously, each contract carries with it the risk associated with performance. As we’ve often opined, that risk includes the risk associated with subcontractor performance. But there are far more risks associated with a government contract and, as we’ve noted before, contractors are not very good at assessing their risks. Each clause referenced in Section I of your contract carries with it a specific non-compliance risk; some of those risks are relatively small but others are quite large. Section H clauses have their own risks. There are cost accounting risks (e.g., non-compliance with the FAR Part 31 cost principles or with applicable Cost Accounting Standards) and there are Business System risks (e.g., failure to properly manage government property, including contractor-acquired government property, or failure to have an adequate purchasing system). The point is: when you accept a government contract you accept a whole package of risks that all need to be managed.
If you were risk averse you would never be in government contracting in the first place.
That doesn’t mean you should ignore the advice of your attorney. After all, you’re paying for that advice and we don’t want you to waste your money. No, what we are saying is that your attorney’s advice is but one piece of information in your risk management regime. On legal matters, that advice ought to weigh very heavily but, on business matters, perhaps that advice shouldn’t carry the same weight.
In fact, our (limited) understanding of the situation is that jurisprudence makes a distinction between an attorney giving legal advice and an attorney giving business advice. In the former case, that communication is protected by privilege; but in the latter case, privilege may not apply.
For example, see this article we found at the San Diego County Bar Association website. We like it because not only does is discuss distinctions between legal advice and business advice, it does so in the context of risk.
It states—
Anytime you give advice, you are naturally exposing yourself to some level of risk. There is always the chance that things could go sour, the client blames you, and you find yourself defending your decision. However, that’s a risk in every business and every law firm, and one that you will need to assess based on your own comfort level.
The other (less obvious) risk is that giving business advice could potentially blur the lines between advice that is subject to the attorney-client privilege and advice that isn’t. For the most part, if you are acting as external (as opposed to in-house) counsel, your communications with your client will be privileged. However, as a general rule, the attorney-client privilege only applies where the relevant communications between a lawyer and a client are for the purpose of giving or receiving legal advice and are expressed in confidence. Application of this rule can become a bit slippery when an in-house counsel is acting in a commercial capacity (for instance, as Company Secretary) and providing business or strategic advice. While the lawyer will still be subject to professional rules of conduct that prohibit him or her from disclosing these discussions to a third party, the communications themselves may not be privileged.
(Emphasis in original.)
This is a complex, nuanced, area and we have probably pushed the envelope about as far as we should on this topic. Government contractors can—and have—fought protracted battles about which documents are privileged and which are not. Courts and Congress have admonished contractors’ counsels for going too far in making documents confidential. There are a number of attorneys who are perhaps over-zealous in trying to shield their clients from risk; and those efforts have created additional risks of their own.
As business people, we have to learn to make decisions given the information we have at hand. Some of that information is from our attorney(s) and other bits of information can come from other areas, such as program management, accounting, or finance. All the input must be considered and weighed, and used to inform our decision-making.
We cannot be risk-averse because avoiding risk is not an option, not if we want to have a thriving business. We also need to understand when our attorney is giving us legal advice, which should weigh heavily, and to understand when our attorney is giving us business advice. We think that’s the approach that will help optimize decisions.
Importantly, we also have to learn to find attorneys whose appetite for risk is more in line with our own. Risk aversion is great in some contexts, but we don’t think it works very well in a business context.
|
