One of the recurring themes here is that paying attention to internal controls is good business. Yes, we know that selling work is also good business. We know that billing and collecting cash is also good business. In addition, we understand that doing good work and helping clients is also good business. We get all that and most business people do as well. But not all business people understand that designing good controls and hiring the right people to assess them is also good business. Most business people-especially those in C-Suite positions of medium-sized and larger companies-really don't seem get it.

Assume there is only limited budget to run the business. Assume there is only a limited pot of money available to devote to business development/proposals, finance/accounting, legal, training, and similar expenses of an indirect nature (i.e., expenses that do not directly support revenue-generating work). Such below-the-line expenses are always under scrutiny, because the more you can cut there, the more one's revenue can turn into profit. So let's take as a given that there is a limited amount of money for such expenses, and therefore one of the key responsibilities of the management team is to prioritize the tasks associated with running the business and to ensure that only the necessary tasks are performed, so as to minimize associated expenses. That makes good sense, right?

The general approach to such prioritization is to identify the needs of the business and rank them. There are necessary tasks that must be performed, such as accounting/bookkeeping, billings, and collections. Employees must be recruited, hired, trained and retained. Those tasks and others like them are considered to be mandatory and typically receive budgets accordingly. Fringe benefits such as medical insurance and a retirement plan generally fall into the top tier of "discretionary but important" budget items. And in order to generate new business, budget must be made available for travel, client meetings, and to fund generation of proposals. Finally, there are a host of lesser "nice-to-have" expenses such as dues/subscriptions, attendance at training and technical conferences, and employee morale events. The limited bucket of management funds has to be allotted judiciously, given due consideration and weight to benefit received by the company.

Moreover, there are other indirect tasks that may have no concrete benefit, but which are funded (and staffed) anyway-because the risks associated with not performing them need to be mitigated. Some risks have a low probability of occurrence, but their consequences are catastrophic, so smart business owners fund them. A great example is insurance. Smart business owners identify business risks (such as liability to employees or to third parties, or the risk of property loss, or the risk of business interruption from natural or manmade disasters) and they buy insurance policies and pay premiums so that if those risks ever do occur the company is protected.

Establishing internal controls falls into this "risk-mitigation" category of management funding. Much like an insurance policy, effective internal controls act to militate against certain risks. While insurance may address external risks, internal controls address internal risks: risks associated with employees and potential wrongdoing.

But the key notion here is that the insurance coverage (and associated premiums) is funded only to the extent deemed necessary to protect the business. The probability of occurrence and consequences are weighed in determining how much to pay for the coverage. Smart business owners generally employ a similar approach to determining how much budget to devote to internal controls, and the people who will implement them. Like insurance, internal control efforts are funded only to the minimum amount judged necessary to protect the business, given the identified risks and consequences associated therewith.

The problem with taking that approach to funding internal controls is that it is based on management's assessment of risks and consequences. In order to properly evaluate risk/consequence so as to determine the appropriate amount of limited funds to apportion to that effort, management has to have a good understanding of those risks and consequences, or be guided by somebody who does. With respect to government contracting statutes, regulations and rules, management rarely has a deep understanding of those risks and consequences. Consequently, management may under-fund the company's internal control efforts, to the long-term detriment of all stakeholders.

We've written about this situation before. We wrote-

The other problem is that contractors too frequently screw up the risk analysis. This is especially true when commercial companies dabble in government contracting. When the government contract revenue is a small percentage of total corporate sales, then management has a tendency to treat its Federal customers just like any other sales channel. Sure, they know (vaguely) that there are some special regulations involved in that government contracting stuff, and maybe they've hired a couple of people to 'scrub the books' to make sure that those arcane regulations are complied with. But there is a definite tendency-especially at the most successful commercial companies-to think that those additional hires plus some good ol' common sense will be sufficient to militate against the risk of noncompliance.

They screw up the risk analysis because they do not understand the risks.

They screw up the risk analysis because they do not understand the true cost of merely being accused of submitting a false claim to the Federal government. The cost of hiring attorneys and other outside experts. The cost of diverting personnel to litigation support instead of what they were hired to do. The cost of litigation-related reserves. The cost of filing SEC disclosures and of preparing special litigation notes to the financial statements. The cost of answering probing questions-not just by the Assistant U.S. District Attorney, but also by investment analysts during investor conference calls. The cost of seeing the stock price fall because of DOJ press releases. The reputational 'brand' impact in the marketplace.

This website blog is rife with articles about blown risk analyses and inadequately implemented internal controls. There are any number of articles that discuss how even the biggest defense contractors have paid huge dollars because they were accused of wrongdoing. How much more catastrophic, then, are the impacts of similar accusations on smaller contractors, the mid-tier companies that are (generally) subject to the exact same risks as the Top 5 aerospace/defense contractors? The big dogs have the deep pockets, the available cash and/or lines of credit. What about the smaller dogs? How deep are their pockets? Not as deep, is our assertion.

Thus, while the risks may be similar across the spectrum of government contractors, the consequences associated with those risks may well vary by individual company circumstances. And while the smaller dogs may not have as much management budget to allot to their internal controls, we believe it is absolutely critical that they do so, given their relative vulnerability.

It is critical for the mid-tier and smaller companies to focus on this area, even though the task is harder for them. Because if the big dogs, such as UTC and CH2M Hill, misevaluate the risks and consequences within the complex world of government contracting, how much more likely will it be for the smaller dogs to blow it? We fervently believe that all companies-but especially the mid-tiers-need to work harder on this evaluation.

(Now of course we could discuss internal controls within the Federal government. And we have done so, many times, on this site. But that's not the focus of today's article.)

We would like to offer evidence in support of our fundamental assertion that too many companies fail to appreciate the risks and consequences associated with regulatory noncompliance within the government contracting marketplace.

• An IT manager at two (2!) government contractors funneled some $700,000 to his own shell company. "Over the course of the scheme, Spangler created fraudulent documentation for 19 purported purchases of IT supplies from the shell company that he owned. In reality, however, Spangler did not provide the supplies at the agreed-upon prices and instead used the funds for personal expenses."

• Employee timecard fraud led to allegations of submission of False Claims for one former NGA contractor employee. More importantly, his falsification of intelligence reports put U.S. military personnel at risk.

• The Glenn Defense Marine Asia scandal claimed another victim, as a "general manager of government contracts" pleaded guilty to one count of conspiracy to defraud the United States. "… Wisidagama and other GDMA employees generated bills charging the U.S. Navy for port tariffs that were far greater than the tariffs that GDMA actually paid … created fictitious port authorities for ports visited by U.S. Navy ships … created fake invoices from legitimate port authorities purporting to bill the U.S. Navy at inflated tariff rates. Wisidagama and GDMA also overbilled the U.S. Navy for fuel by creating fraudulent invoices which represented that GDMA acquired fuel at the same cost that it charged the U.S. Navy when in fact GDMA sold the fuel to the U.S. Navy for far more than it actually paid … also defrauded the U.S. Navy on the provision of incidental items by creating fake price quotes purportedly from other vendors to make it appear that the other vendors' offering prices were greater than GDMA's prices."

• A Utah construction company agreed to pay $928,000 to settle allegations that it "made false statements and submitted false claims" in connection with its Mentor-Protégé Agreement with a qualified 8(a) business. Among other allegations, "The government also alleged that Okland Construction's relationship with Saiz Construction violated the terms of an SBA set-aside contract awarded to Saiz Construction that required Saiz Construction to perform at least 15 percent of the labor on the contract minus the cost of materials."

• An owner of a Maryland contractor pleaded guilty to defrauding both the Small Business Administration and the Internal Revenue Service.

• A medical-device maker in Orange County, CA, paid $500,000 to resolve allegations that it violated the Buy America Act by selling foreign-made devices to the U.S. Army. To its credit, the company discovered the violations on its own and voluntarily disclosed them. "In conjunction with Ossur's voluntary disclosure, the company instituted a series of compliance measures, including distribution of instruction sheets to sales representatives and training for management officials, to ensure future compliance with the Buy American Act."

• A university professor was convicted of "wire fraud, mail fraud, falsification of records, and theft of government property in connection with a scheme to fraudulently obtain research grants from the National Science Foundation (NSF) and kickbacks from students' stipends." The fraud was uncovered during a routine audit by the NSF Office of Inspector General.

• A co-owner of a New Jersey industrial supply company pleaded guilty to one count of "making a materially false and fictitious statement to the U.S. Environmental Protection Agency (EPA) at a debarment proceeding." Yes, the individual fibbed at his own debarment hearing. How did the individual find himself in a debarment proceeding? "Previously, Boski and his company … had pleaded guilty … to participating in a kickback and fraud conspiracy … from approximately December 2000 to approximately September 2004. As outlined in the 2009 plea agreement, Boski provided $55,000 in kickbacks to two employees of the prime contractor responsible for awarding contracts at the two Superfund sites in exchange for the award of sub-contracts to NIS. These kickbacks included luxury vacations and payments to shell companies held by the two employees."

• A former vice president of a government contracting company pleaded guilty to "conspiracy to pay bribes to public officials in exchange for favorable treatment in connection with U.S. government contract work."

• A construction company agreed to "pay $2.4 million and implement internal reforms subject to independent monitoring to resolve a multi-agency joint criminal and civil investigation into alleged fraud committed by the company in connection with a public works project that commenced in 2007."

• Five California-based masonry contractors and two individuals agreed to pay nearly $1.9 million "to resolve allegations that they violated the False Claims Act by misrepresenting their disadvantaged small business status in connection with military construction contracts." According to the announcement, "The government alleged that the defendant masonry subcontractors and their principals misrepresented to the prime contractors that they were small businesses, and that these misrepresentations caused the prime contractors to falsely certify that they had complied with the small business provisions of the contracts in claiming payment."

Readers, every single one of the foregoing press releases was published within a single 30-day period. Every single one. And we didn't even report them all!

When evaluating risks and consequences, please feel free to refer to this article.

Now in fairness, the instances of wrongdoing listed above might not have been prevented, even through the best internal controls regime. The fact of the matter is that fraud committed by a company CEO or President, or other officer, is almost impossible to prevent. Which is why outside auditors so often focus on "tone at the top" as an element of assessing fraud risk.

Regardless, we maintain that the probability of wrongdoing taking place is higher than almost all management thinks it is, and we maintain that the consequences of that wrongdoing (even if detected and voluntarily disclosed) is much worse than management thinks it is. Thus we believe management is (generally) failing to invest sufficient amounts of its limited indirect funds to implement effective internal controls.

Investing in internal controls is good business. Investing in good controls and good compliance people may seem like a lower-priority than some other management tasks, but we believe it's an investment that will have a good return, in terms of employee or vendor wrongdoing detected or (better yet) deterred.