In April 2011 we posted an article about Verizon’s $93.5 million settlement with the Department of Justice that resolved False Claims allegations for invoices submitted by an entity it had acquired in 2006. Allegedly, those invoices contained taxes and surcharges prohibited by its contracts with the General Services Administration (GSA). That situation led us to write something that we’ve repeated many times on this site, namely: “government contractor compliance failures tend to be on the very expensive side, such that investments in compliance mechanisms and internal controls tend to pay for themselves.”

The cost/benefit analysis seems frighteningly clear to those who work in this industry. It’s essentially a no-brainer. The probability of being accused of submitting false claims (or making false statements) to the Federal government may be low, but the consequences tend to be huge. The risk analysis always shows that it’s cheaper to invest in an effective compliance program than it is to defend against allegations of wrongdoing.

The problem is that contractors too infrequently perform such a risk analysis. So in times of budgetary pressure—such as that in which we are currently working—it seems like picking low-hanging fruit to cut back on internal controls and compliance programs. Such a decision ameliorates today’s budget problems at the expense of creating potential problems for tomorrow’s leadership—as in when Verizon paid nearly $100 million for the decisions made by MCI/WorldCom nearly five years earlier.

The other problem is that contractors too frequently screw up the risk analysis. This is especially true when commercial companies dabble in government contracting. When the government contract revenue is a small percentage of total corporate sales, then management has a tendency to treat its Federal customers just like any other sales channel. Sure, they know (vaguely) that there are some special regulations involved in that government contracting stuff, and maybe they’ve hired a couple of people to “scrub the books” to make sure that those arcane regulations are complied with. But there is a definite tendency—especially at the most successful commercial companies—to think that those additional hires plus some good ol’ common sense will be sufficient to militate against the risk of noncompliance.

They screw up the risk analysis because they do not understand the risks.

They screw up the risk analysis because they do not understand the true cost of merely being accused of submitting a false claim to the Federal government. The cost of hiring attorneys and other outside experts. The cost of diverting personnel to litigation support instead of what they were hired to do. The cost of litigation-related reserves. The cost of filing SEC disclosures and of preparing special litigation notes to the financial statements. The cost of answering probing questions—not just by the Assistant U.S. District Attorney, but also by investment analysts during investor conference calls. The cost of seeing the stock price fall because of DOJ press releases. The reputational “brand” impact in the marketplace.

The leadership at defense contractors largely (but not universally) understands the cost/benefit analysis. They’ve been in the cross-hairs since the seventies, and they’ve largely adapted to the environment in which they work. But commercial companies who are new to government contracting, and whose government sales are a very low percentage of total sales, don’t get it. They haven’t been burned yet, so they don’t understand the risks of playing with matches. And so they skimp on internal controls and multiple reviews, and on the hiring of subject matter experts in areas such as contract administration, cost accounting, pricing, and billing.

The W.W. Grainger Corporation of Lake Forest, Illinois, presents us with a sterling example of the blown risk analysis.

Now, before we dig into this illustrative example of a commercial company who dabbled in government contracting, to the eventual chagrin of its leadership and shareholders, we have to let you know that we don’t have any inside information about the situation. All we have is what the Internet provides. Accordingly, we may be getting some of the details wrong. But we don’t think so. We think we understand W.W. Grainger, Inc. all too well.

W.W. Grainger, Inc. is a distributor of maintenance, repair, and operating (MRO) supplies, as well as other related products and services used by businesses. Although the majority of its sales take place in North America, it also has a global presence. The company serves about two million customers through its network of branches, distribution centers, websites, and export services. Grainger has centralized business support functions that provide coordination and guidance in the areas of accounting and finance, business development, communications and investor relations, compensation and benefits, information systems, health and safety, global supply chain functions, human resources, risk management, internal audit, legal, real estate, security, tax and treasury. These services are provided in varying degrees to all business units.

(We hope Grainger invested in providing some extra “centralized business support functions” to its business units selling goods and services to the Federal government. But our experience with such centralized service functions leads us to suspect that they skimped in that area. See our comments above about perceptions of low-hanging fruit ripe for cutting in times of budgetary pressure.)

W.W. Grainger had $8 billion in sales in its FY 2011. (FY 2012 numbers have not yet been released.) During its FY 2011, the company made about 105,000 individual transactions each day, selling to “small and medium-sized businesses to large corporations, government entities and other institutions.” No customer—not even the mega-buyer that is the United States Federal government—accounted for more than two percent of corporate sales. Grainger reported two segments, but those segments were differentiated by geography and not by customer. Tellingly, Grainger did not report a separate segment for its Federal sales.

In other words, W.W. Grainger dabbled in government contracting.

Item 1A of its FY 2011 10-K (Annual Report) filing with the Securities and Exchange Commission lists “significant risk factors relevant to Grainger’s business that could adversely affect its financial position or results of operations.” There are thirteen (13) significant risk factors listed. The thirteenth is an admission that the company “is subject to various government regulations.” The paragraph following that statement contains additional details, including:

As a government contractor selling to federal, state and local government entities, Grainger is subject to a variety of laws and regulations, including without limitation import and export requirements, the Foreign Corrupt Practices Act, tax laws (including U.S. taxes on foreign subsidiaries), foreign exchange controls and cash repatriation restrictions, data privacy requirements, labor laws and anti-competition regulations, and is also subject to audits and inquiries in the ordinary course of business. … Grainger has implemented policies and procedures designed to facilitate compliance with these laws and regulations, but there can be no assurance that employees, contractors or agents will not violate such laws and regulations or Grainger's policies. Any such violations could individually or in the aggregate materially adversely affect Grainger's financial condition or operating results.

Note 19 to the company’s 2011 financial statements contained the following statements—

Grainger is a party to a contract with the United States General Services Administration (the GSA) first entered into in 1999 and subsequently extended in 2004. The GSA contract had been the subject of an audit performed by the GSA's Office of the Inspector General. In December 2007, the Company received a letter from the Commercial Litigation Branch of the Civil Division of the Department of Justice (the DOJ) regarding the GSA contract. The letter suggested that the Company had not complied with its disclosure obligations and the contract's pricing provisions, and had potentially overcharged government customers under the contract.

Discussions relating to the Company's compliance with its disclosure obligations and the contract's pricing provisions are ongoing. The timing and outcome of these discussions are uncertain and could include settlement or civil litigation by the DOJ to recover, among other amounts, treble damages and penalties under the False Claims Act. Due to the uncertainties surrounding this matter, an estimate of possible loss cannot be determined. While this matter is not expected to have a material adverse effect on the Company's financial position, an unfavorable resolution could result in significant payments by the Company. The Company continues to believe that it has complied with the GSA contract in all material respects.

Grainger is a party to a contract with the United States Postal Service (the USPS) entered into in 2003 covering the sale of certain Maintenance Repair and Operating Supplies (the MRO Contract). The Company received a subpoena dated August 29, 2008, from the USPS Office of Inspector General seeking information about the Company's pricing compliance under the MRO Contract. The Company has provided responsive information to the USPS and to the DOJ.

Grainger is also a party to a contract with the USPS entered into in 2001 covering the sale of certain janitorial and custodial items (the Custodial Contract). The Company received a subpoena dated June 30, 2009, from the USPS Office of Inspector General seeking information about the Company's pricing practices and compliance under the Custodial Contract. The Company has provided responsive information to the USPS and to the DOJ.

Discussions with the USPS and DOJ relating to the Company's pricing practices and compliance with the pricing provisions of the MRO Contract and the Custodial Contract are ongoing. The timing and outcome of the USPS and DOJ investigations of the MRO Contract and the Custodial Contract are uncertain and could include settlement or civil litigation by the USPS and DOJ to recover, among other amounts, treble damages and penalties under the False Claims Act. Due to the uncertainties surrounding these matters, an estimate of possible loss cannot be determined. While these matters are not expected to have a material adverse effect on the Company's financial position, an unfavorable resolution could result in significant payments by the Company. The Company continues to believe that it has complied with each of the MRO Contract and the Custodial Contract in all material respects.

Similar statements were provided in Grainger’s Q1 and Q2 10-Q reports to the SEC. The Q3 10-Q report added the following details—

Following this mediation with representatives of the DOJ, the Company reached a settlement in principle with the DOJ relating to the Company's disclosure obligations and pricing provisions of the GSA and USPS contracts. Under the terms of the proposed settlement, the Company agreed to pay $70.0 million to resolve the parties' dispute (other than with respect to certain alleged claims regarding tax, freight and billing errors that the Company does not believe will require it to make any material additional payments and for which the Company estimates its liability to be approximately $6.0 million). Accordingly, the Company recorded a $76.0 million liability which is included in Accrued expenses at September 30, 2012. The proposed settlement, which does not contain any admission of wrongdoing by the Company, remains subject to approval by authorized officials of the DOJ and the negotiation of a definitive settlement agreement.

We were struck by the statements in the 2011 annual report and the 2012 Q1 and Q2 quarterly reports that the possible litigation liability could not be estimated and thus no provision had been recorded. Despite the fact that the liability could not be estimated, the company told investors that it did not expect the resolution to have a “material adverse effect on the Company’s financial position.”

Yeah, right. The liability could not be estimated, because the company’s executive management team didn’t want to estimate it. They didn’t want to estimate it, because the potential liability was so freaking large. That farce continued for nine months, until the company finally got around to recording the liability in its Q3 (unaudited) financial statements. And the company auditors, Ernst & Young, LLC, accepted that delay, thus leading to earnings that were significantly overstated for a period of nine months—since the $76 million accrual represented roughly ten percent of annual earnings.

One wonders whether the auditors of Ernst & Young, LLC, had the experience and knowledge of Federal contracting matters to properly evaluate whether Grainger should have recorded its litigation liability in 2011, rather than waiting for nine months to do so. Since the Apogee Consulting, Inc. Principal Consultant used to work for EY, we think we know the answer. The answer is that EY very likely treated Grainger like a commercial business instead of as a Government contractor, and they very likely assigned an audit team to Grainger who had little (if any) expertise in Government contracting matters. Thus, we strongly suspect the auditors had no ability to evaluate the potential liability that Grainger was facing.

Like Grainger’s executive management team, the company’s auditors very likely had no clue about the special risks associated with selling to the Federal government. And no clue about whether or not the company was deploying sufficient internal controls and compliance procedures to mitigate those risks.

In fairness, there is nothing that absolutely requires the auditors to be able to assess government contracting risks. Their Sarbanes-Oxley (SOX) work focuses on financial reporting and disclosure risks, and not on the more esoteric risks associated with regulatory compliance. On the other hand, the big audit firms have experts to evaluate income tax provisions; one wonders why they don’t have similar experts to evaluate legal and litigation provisions. One wonders why they don’t use their government contract cost accounting experts to assist their audit clients in performing robust risk analyses.

Had Grainger and/or its auditors performed a robust risk analysis, we think it would have been readily apparent that the company’s contracts with the GSA and USPS were extremely risky.

What do we mean? Let’s look at this statement from Grainger’s FY 2011 10-K filing:

The business has a sales force of almost 2,700 professionals who help businesses and institutions select the right products to find immediate solutions to maintenance problems and to reduce operating expenses and improve cash flows. The sales force increased over the prior year with the majority of the new sales representatives focused on acquiring additional business from existing medium-sized customers as well as acquiring new business across the United States.

We already told you that Grainger processed roughly 105,000 transactions each day for nearly 2 million customers each year. It had a sales force of 2,700 individuals, processing transactions through multiple channels. How in the world was it going to ever accurately disclose its commercial pricing practices, as required by its Federal contracts? How in the world was Grainger ever going to provide assurance that it was complying with the contracts’ price reductions clauses?

The fact of the matter is that Grainger should never, ever, have entered into those contracts. It was virtually impossible for it to comply with contractual requirements. We don’t have to know much about the company—and its centralized business support functions—to reach that conclusion.

And nobody had to be a subject matter expert to predict that the combination of commercial mind-set with the multiple sales channels and gigantic sales workforce was going to lead to a problem in contract compliance. Thus: the inevitable DOJ press release. It said (in part)—

Today’s settlement resolves issues discovered during a GSA post-award audit of Grainger’s MAS contract. The GSA Office of Inspector General learned that Grainger failed to meet its contractual obligations to provide the GSA with current, accurate and complete information about its commercial sales practices, including discounts afforded to other customers. As a result, government customers purchasing items under the Grainger MAS contract paid higher prices than they should have.

In addition, today’s settlement resolves allegations that Grainger failed to meet its contractual obligations to provide “most-favored customer” pricing under two USPS contracts for sanitation and maintenance supplies. The USPS contracts required Grainger to treat USPS as Grainger’s ‘most-favored customer’ by ensuring that USPS received the best overall discount that Grainger offered to any of its commercial customers. Agents and auditors from the USPS Office of Inspector General (OIG) investigated Grainger’s pricing practices and discovered that Grainger did not consistently adhere to this requirement, causing USPS to pay more than it should have for purchases made under the two contracts.

Yeah, big surprise, that.

Where was the corporate risk analysis? Where were the mitigation controls and procedures? And where were the auditors? Indeed, this is a great example of a blown risk analysis by a commercial dabbler in government contracting.

In the still relatively new compliance environment established by the DFARS Business Systems Administration clause, it has become clear that the Corrective Action Plan (CAP) is the key to minimizing—or avoiding—payment withholds. According to what was stated at a joint DCAA/DCMA industry briefing, if the contractor submits an adequate CAP at the time of the Contracting Officer Initial Determination of an inadequate business system, then it can immediately reduce the prospective payment withhold from five to two percent—mitigating what would otherwise be a significant cash flow impact! Moreover, even if the CAP is submitted after payment withholds have already been implemented, then the contracting officer “will—not may” immediately reduce the withhold percentage.

So the question naturally arises, what does an “adequate” CAP look like?

Well, according to that same industry briefing—

An adequate CAP must include discrete and measurable actions with realistic due dates and an explanation of how the corrective action plan will be monitored. The Contractor should notify CO [Contracting Officer] when the entity believes that the identified deficiencies have been corrected.  The CO, with input from auditor/functional specialist, will determine whether all corrective actions have been completed, or whether there is a reasonable expectation (based on the evidence presented) to believe that the deficiencies have been corrected.  If so, then the CO will approve the system and release the payment withholds

But woe to the contractor that submits a “smoke and mirrors” CAP, and then fails to achieve its planned milestones on time. That same briefing stated—

The DCMA CO, in consultation with auditor or functional specialist, will monitor the contractor’s progress on the CAP.  If the CO determines that the contractor is not making adequate progress, then the payment withhold will be increased.

It’s not good news when a Contracting Officer tells you that you have an inadequate business system and your cash flow is going to be reduced until you show that you’ve corrected your “significant deficiencies”. But it’s even worse news when you’ve convinced the Contracting Officer that you’ve got a decent CAP, and there’s light at the end of the tunnel—only to then blow it by failing to make progress in achieving the promised milestones. Your cash flow will take another hit. And your credibility (and, we imagine, any sympathy) has just gone right out the window. Good luck convincing the CO that you’ve completed your corrective actions.

So we wonder what the penalty might be for a Government agency that identifies corrective actions in response to an agency Inspector General report … and then fails to execute those corrective actions within the promised schedule. There’s no cash flow to reduce. There’s no way to hold the leaders responsible for their lack of action. It seems as if everybody agrees to forget about the agreed-upon actions and just continue with “business as usual.” The auditors pretend they never issued their report with its findings, and the Government agency pretends it never agreed to implement corrective actions to address those findings. And nobody seems to care a whit.

But what if the Government agency in question is the Defense Contract Audit Agency?

What if the DOD Inspector General conducted an audit, had some findings, and submitted some recommended corrective actions? What if DCAA agreed with those findings and those recommended corrective actions? What if DCAA established due dates for implementing those corrective actions, and then missed them … by more than a year? What then?

Well, then nothing. Apparently, there are no repercussions whatsoever when DCAA misses its agreed-upon corrective action milestones to address DOD IG findings. The DOD Inspector General says nothing. The DCAA Director says nothing. And nobody seems to care a whit.

Oh, wait. We know somebody who cares: the auditors who are awaiting the agreed-upon policy changes care. They care because they are trying to comply with Generally Accepted Government Auditing Standards (GAGAS), and they’re worried that the lack of policy guidance out of Fort Belvoir is going to take them into a GAGAS noncompliance.

We know this is true, because at least one self-identified DCAA auditor brought the matter to our attention. (Note: we have no means to verify that people who send us emails are who they claim to be.) In truth, this issue had been in the back of our mind for a while. It’s not like we weren’t aware of the agreed-upon corrective actions … but we had forgotten how much time had passed without the agreed-upon policy changes.

So now we get to write about it.

You remember the issue right? We discussed it right here.

In that article (link above) we discussed the DOD IG findings contained in audit report D-2011-6-011. The audit report identified inconsistencies in DCAA’s policy regarding “currency” of audit testing. In fact, the audit report identified that DCAA had no such policy—which is why the Inspector General concluded that DCAA’s auditors were “uncertain” when evidentiary data supporting audits of contractor business systems was too old to rely upon. Consequently, DCAA audit reports regarding the adequacy of contractor business systems could "be delayed because of retesting.”

The DOD IG wrote “GAGAS 6.04b requires the auditor to obtain sufficient and appropriate evidence to provide a reasonable basis for the conclusion that is expressed in the report. The evidence provided in the report is more helpful if it is current.” Accordingly, the audit report recommended that DCAA implement policy guidance to ensure DCAA auditors were compliant with GAGAS.

The DOD IG wrote—

We recommend that DCAA Headquarters develop written agency-wide policy and guidance on the need to test current data to support opinions on the contractor’s internal controls and business systems. The policy and guidance should include criteria when the auditor should expand testing and perform additional work.

DCAA concurred with the findings and the recommended corrective action. In fact, it was Director Patrick Fitzgerald who concurred, on behalf of his agency.

The DOD IG audit report stated—

By November 2011, DCAA will issue guidance, which will include the requirement for auditors to (i) perform sufficient testing of data that is relevant to the audit objectives, including the period or point in time covered by the report, (ii) perform testing of data generated by the system throughout the period under audit, and (iii) issue timely audit reports. For audits of contractor business systems, DCAA will perform compliance attestation engagements and report on the contractor’s compliance during a period of time or as of a point in time, consistent with the applicable attestation reporting standards (AT 601.55b) in AICPA’s Statements on Standards for Attestation Engagements. Circumstances where auditors would need to expand testing to obtain sufficient evidence for the conclusions expressed in the report should be limited since the transactions being evaluated in the audit will coincide with the defined period covered by the audit. DCAA agrees with the guidance in GAGAS A8.02g, that the evidence provided in the report is more helpful if it is current and, therefore, timely issuance of the report is an important reporting goal for auditors.

Note that the corrective action was due to have been completed by not later than November, 2011. That was more than one year ago as this article is being written. And so far DCAA has not generated the agreed-upon policy guidance to its auditors.

Why is DCAA blowing its CAP? Well, one self-identified DCAA auditor had this to say about the situation—

One reason and I think it is the [paramount] reason for no MRD is the number of DCAA audit assignments that would either have to be cancelled or have to be reworked. In my office there are over 40 assignments that are from the 2008-2010 time frame that are open and no one has worked on [them] for years. So most of them would have to be cancelled as their relevance has now dissipated. So [multiply] our 40 by another 100 DCAA [FAOs] and you would see [four] thousand audits [that] would need to be cancelled and a couple million taxpayer dollars down the drain.

So there you go. How many audit assignments would get cancelled if DCAA HQ issued the agreed-upon audit guidance? How many audit assignments would be delayed past the applicable statute of limitations? How many audit findings and how many questioned dollars would be thrown out of court when the auditor testified that his or her testing failed to comply with GAGAS, as interpreted by DCAA?

So perhaps that’s why DCAA has chosen to forget about its Corrective Action Plan. And there have been no repercussions. The DOD Inspector General has said nothing. The Director of DCAA has said nothing. And nobody seems to care a whit.

But the auditors remember. And they care.