As the 2017 fiscal year comes to a close, many nonprofit federal awardees take the time to inventory and update their compliance programs. These programs are meant to be designed individually for the organization. However, in making these assessments, it is good to review the characteristics that are required by law and that represent best practices.

Requirements under the FAR

Federal contracts, including those awarded to nonprofits, often include Federal Acquisition Regulation (FAR) clause 52.203-13, Contractor Code of Business Ethics and Conduct, which requires all contractors to

  • Establish, maintain, and make available to employees a code of business ethics and conduct;
  • Exercise due diligence to prevent and detect criminal conduct;
  • Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law;
  • Disclose to the agency Office of the Inspector General in a timely manner whenever the contractor has credible evidence that the contractor (or its subcontractor) has committed a violation of criminal law involving fraud, conflict of interest, bribery, or gratuity or a violation of the civil False Claims Act;
  • Establish an ongoing business ethics awareness and compliance program; and
  • Implement an internal control system that will establish standards and procedures to facilitate timely discovery of improper conduct in connection with government contracts and ensure corrective measures are promptly instituted and carried out.

Notably, while small businesses are exempt from the final two requirements (creation of a compliance program and internal control system), because nonprofits cannot be "small" by definition, no matter how few resources they may have, a nonprofit is required to implement each of the above items.

Requirements under the Uniform Guidance

With respect to grants and cooperative agreements, the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) do not impose the same explicit obligations on nonprofits. The Uniform Guidance addresses and requires nonprofits to comply with several individual topics, such as

  • Conflicts of interest (2 C.F.R. § 200.112);
  • Organizational conflicts of interest (2 C.F.R. § 200.318); and
  • Reporting of criminal violation (2 C.F.R. § 200.113).

This list is not meant to be exhaustive, or even a minimum threshold of compliance. However, federal grant and cooperative agreement funds often cover a broader spectrum of funding situations that in turn require an array of compliance programs to meet the needs. For example, recipients of disaster relief funding under the federal Stafford Act will necessarily require different compliance programs to distribute federal funding from an established healthcare provider. All nonprofit recipients of federal funds must "establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award." 2 C.F.R. § 200.113(a). Nonprofit federal awardees should align themselves either with the

  • Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States; or
  • Internal Control Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Practical Approach

While a compliance program must be tailored to meet each entity's specific circumstances, taking into account the type of funding, requirements for those funds, and the business functions of the organization, there are certain characteristics that have evolved into best practices.

First, organizations must establish appropriate documented policies that address conflicts of interest (including organizational conflicts of interest) and the organization's approach to ethics and business conduct. A code of conduct, for example, is recommended for all organizations, whether they are working under federal contracts or receiving federal grant funds. In choosing which policies to implement, organizations must consider what the particular vulnerabilities are for their industry and specific organization (for example, tracking funds abroad, or conflicts of interest in very specialized or academic fields). Not all organizations have the same vulnerabilities, so focus should be on those areas that represent the greatest exposure for an organization.

Implementation of these policies also must be tailored to meet the workforce with which you are trying to communicate. Informal discussion and training may be acceptable if such discussions and training are documented and each personnel member acknowledges receipt and review of written policies and training. Moreover, the organization would be well advised to continue with routine top-down reminders, emphasis, discussion, and training on compliance and ethics issues, generally, as well as particular issues of interest or current events. Again, this should be documented and maintained, even if it is through a simple memorialization in corporate-wide emails or postings.

Second, nonprofit employees should be given multiple avenues to communicate concerns, including a method that allows for anonymous reporting. These pathways should be communicated to the nonprofit's employees with a reminder that good faith reports are protected by an anti-retaliation policy. Anonymous reporting need not require a third-party hotline or website; a simple drop-box may suitable for smaller organizations (depending on the circumstances). Often overlooked, however, is the need to provide employees with feedback on reported concerns. Again, emails, newsletters, or announcements about reviews or investigations performed by the organization and actions taken to address concerns raised by employees will give the workforce the satisfaction of knowing their concerns are taken seriously and that management is taking action when issues arise.

Finally, it is critical, when misconduct or noncompliance is identified, that the organization address such an occurrence in an effective and meaningful way, and avoid a simple "check the box" measure. The organization may also be required to notify its federal customer. The tone set by taking meaningful action to address and resolve identified issues will typically resonate with employees and reinforce management's ongoing commitment to compliance, furthering employees' buy-in, and thereby begetting greater compliance efforts on their part going forward.