Government contractor controls: Strategy for now and beyond

Responding to change enables continued compliance

Government contractors face a laundry list of regulatory requirements, constant scrutiny and audit pressures. As a result, maintaining and monitoring controls is critical to ensuring that established control frameworks are operating correctly and reflect the requirements of the organization’s current contracting environment. Maintaining internal controls is a process that evolves constantly throughout the organization’s lifetime. A government contractor’s work on controls doesn’t end with the implementation of a high-quality, integrated control framework. Continued compliance and operational effectiveness depend on the organization’s ability to monitor established controls and adapt and update those controls with its changing environment.

Key takeaways

Maintaining controls is an evolutionary process for government contractors, and an effective monitoring plan is key to staying current and compliant.
It’s important to involve the right people and establish accountabilities backed by executive sponsorship.
Monitoring mechanisms should be specific to organizational culture, design, capabilities and goals.
Automation is the ideal state but if it is too costly, create data-driven controls that can be automated later and monitored through dashboards and system alerts.

“It's really critical that you don't just spend all that time and money establishing and implementing an elaborate control framework and walk away thinking you’re covered, because the organization changes over time and so do its control requirements,” said Matt Danner, Senior Manager, Government Contractor Solutions for Grant Thornton LLP. “Your customer and government requirements may change. The types of services and products you're delivering in the marketplace may change. Your workforce may change. An effective monitoring plan allows you to respond to these changes by identifying effective and outdated controls and adjusting your framework accordingly.”

Approaches to effective monitoring

The challenge for organizations as they develop their monitoring activities is that there is no one-size-fits-all approach, and there are many different options to consider for various controls throughout the framework:

Centralized or decentralized monitoring: Many organizations use a hybrid strategy, incorporating elements of each approach. With centralized monitoring, one group in the organization has core oversight responsibility along with broad access and authority. This approach works best for organizations whose frameworks are simpler or more easily identifiable.

With decentralized monitoring, various stakeholders throughout an organization are responsible for monitoring controls in their own area. It’s more common in complex organizations with multiple segments, and it may require centralized verification by internal audit or corporate compliance. Putting control in the hands of multiple owners may lead to inconsistencies, so it’s important to design accountability at the control owner level into the monitoring program.

Automated or manual monitoring: It is also possible in many areas to set up automated control monitoring, such as dashboards with key performance indicators (KPIs) and alerts when anomalies occur. But to enable this, an organization needs the right digital data and automation capabilities, which can often be costly to design and implement.

Manual monitoring requires continuous time investments from stakeholders and their teams. However, manual monitoring can be more flexible as organizational needs change.

“It’s critical to understand how your organization is evolving and the risks associated with the changes. An update to your monitoring plan may be necessary."

Matt Danner

Grant Thornton Senior Manager, Government Contractor Solutions

Precise or proxy indicators for monitoring: Precise indicators are control metrics directly linked to designed control criteria. These indicators can be useful in providing immediate information for high-impact controls. For example, late timecard reports indicate the effectiveness of daily timekeeping controls.

Proxy indicators use precise indicators for other related controls to determine the status of a different control criteria. For example, unusually high timesheet corrections or labor transfers could indicate that estimate-at-completion forecasts are incorrect. As indicated by this example, proxy indicators can require detailed manual follow-up to verify and are not always indicative of significant control issues. However, proxy controls can be a cost-effective solution when strategically implemented.

“The selection of which approaches work best is a combination of management’s risk tolerance, growth trajectory, existing and future state technology tools, and organizational culture,” said Karl Fultz, Senior Manager, Government Contractor Solutions for Grant Thornton. “The key is for the selection process to be thoughtful and deliberate while incorporating key stakeholder input.”

Choosing the right path

It’s important to choose monitoring mechanisms and activities that are the best fit for a given organization’s culture, design and capabilities.

Government contractors can effectively monitor activities by:

Using internal control matrices from the implementation roadmap and control design documentation to identify and develop required monitoring activities.
Developing a deep technical understanding of control requirements in order to take a risk-based approach to establishing monitoring activities, tackling monitoring processes for riskier controls first and phasing in monitoring for less risky controls.
Identifying internal control KPIs and creating KPI data capture methodologies. Assigning responsibilities for monitoring KPIs and datapoints is critical when decentralized approaches to monitoring are used.
Making early and repeated efforts to engage and leverage internal knowledge and resources, including the control owners, participants and departments that are affected by the internal control.
Engaging subject matter experts where necessary for verification, follow-up and interpretation of information.
Treating monitoring as a long-term commitment that will improve over time.

For all controls, early detection of failures or anomalies is critical to managing risk. Early detection can ensure that a control failure does not spiral into a larger issue for the organization. As an example, if a bill is generated by mistake that would cost a customer (or the government) money, it will not cause much damage if it’s caught early and corrected. If it is discovered much later, investigations for false statements or false claims may require teams of lawyers and consultants to fix an unintentional failure.

“Something will go wrong,” Fultz said. “But ideally, you know about it real-time, and you deal with it from an operational standpoint and not through the regulatory investigative process.”

Promote scalability and sustainability

As organizations pursue excellence in control compliance, the best monitoring activities are scalable and sustainable, with a culture of accountability and stakeholder involvement delivering measurable results. A cadence for monitoring is developed with clearly defined processes, and results are retained over time.

In an ideal monitoring system, the owner is accountable to management or another authority, and stakeholders feel comfortable providing feedback — both positive and negative — about the process. It is important that organizations pursue cultures where employees feel unafraid of openly identifying errors and risks. A culture of trust and openness allows for real-time communication and course corrections.

An organization can scale its monitoring processes over time by taking a risk-based approach tailored to its circumstances and tolerance for risk. A scalable plan starts with a small, targeted approach to addressing riskier controls and then expands to cover less critical or lower-risky controls. This approach helps maintain compliance while limiting disruption to the broader organization. Resources allocated to monitoring activities should be continuously assessed and adjusted as monitoring processes scale and change.

To make monitoring activities sustainable, an organization should define roles, responsibilities, scopes and objectives, working with a predetermined cadence to make sure that monitoring is periodic and prioritized. A structure of accountability should be established, with ultimate responsibility resting with senior leadership.

"Automation of controls will be even more important as organizations grow.”

Karl Fultz

Grant Thornton Senior Manager, Government Contractor Solutions

As monitoring processes scale, involving the right people in the right ways is critical. Processes should be established for containing critical information, evaluating results for disclosure requirements, and disseminating results externally only when fully vetted. The ultimate goal of monitoring is measurable results that demonstrate a responsible organization with effective controls. Measurable results are demonstrated by:

Establishing baseline KPIs for success.
Monitoring KPIs to identify trends and assess system performance.
Revising monitoring plans accordingly, when necessary.
Documenting corrective action plans, remediation steps and outcomes.

“In some organizations,” Fultz said, “surprises are the standard in the control environment, but if everything is done right and controls are effective, surprises should be rare. Control owners should be readily identifiable to everyone and able to articulate their responsibilities clearly and in the context of the overall process.”

Meanwhile, compliance professionals should be able to quickly report on current-state control results. Accurate descriptions and documentation of all applicable controls and processes should be readily available for internal and external stakeholders, such as the U.S. government or financial auditors.

Keep the future in mind

The overarching key to successful monitoring is to start simple with the goal of more comprehensive future monitoring in mind. The long-term objectives are to implement data-driven controls that can easily be monitored, and add automation to monitoring through dashboards and system alerts.

Automation is not always the right choice in the short term because it often requires costly IT expertise and system reconfiguration. When automation is strategically established as a long-term goal, it can be planned into future IT projects to minimize disruption and costs. The ideal controls to automate in the near term are those that are unlikely to change and where data is readily available from current system outputs.

“Many organizations are having to adapt to more remote work where in-person meetings are limited and communication can be challenging at times,” Fultz said. “This means that automation of controls will be even more important as organizations grow and disperse across the country or the globe.”