This post first appeared in the Government Contracts Blog.

Recently, contractors have begun receiving formal requests for information from the Defense Contract Audit Agency (“DCAA”). The purported purpose of these requests is to “[o]btain an understanding of the management control environment” of major government contractors. In pursuit of this goal, DCAA has crafted a letter that demands, among other things, the following:

  • A list of all ethics training, copies of agendas, and attendee lists
  • Copies of the company’s written Codes of Conduct, copies of the policies dealing with communications of the Code, and a list of employees who have acknowledged receiving the Code over the past 12 months
  • A list of all violations of the Code over the past 12 months
  • All “noncompliances” reported through the contractor’s internal control system (such as a hotline) within the past 12 months
  • A “company-wide list of any current open investigations”

DCAA once again has ventured beyond its borders. While DCAA’s document request likely was calculated to help it assess a contractor’s compliance with the new FAR Mandatory Disclosure Rule (“MDR” or “FAR Rule”) (previously discussed here and here) its reach extends well beyond what is necessary to assess compliance with the FAR MDR.

While the FAR Rule contemplates the production of information to the Government in the context of a disclosure, it limits such productions to situations where there is “credible evidence” of conduct covered by the Rule (e.g., crimes, fraud, etc.). The FAR Rule most certainly does not contemplate the disclosure of mere internal investigations. Indeed, the FAR Councils explicitly rejected an effort to require a disclosure where a contractor has “reasonable grounds to believe” that the conduct occurred. While the term “credible evidence” is not defined in the FAR Rule, we know it is something greater than “reasonable grounds to believe,” and that it is something that comes about only after the contractor has had an opportunity to investigate. See 73 Fed. Reg. 67073 (Nov. 12, 2008; final FAR Rule).

DCAA’s blunderbuss attempt to force contractors to produce all internal investigations turns the entire FAR Mandatory Disclosure Rule scheme on its head. A “company-wide list of . . . open investigations” does not constitute “credible evidence” of anything. Moreover, for most companies at least, such a list likely constitutes privileged Attorney Work Product information to which the Government is not entitled access. Likewise, for companies that permit employees to report potential wrongdoing to the Law Department, a list of “all noncompliances” also may encompass privileged information, which need not be disclosed to the DCAA.

In short, while DCAA may have the right to collect some of the information it seeks, it does not have a right to all of the information it seeks. Accordingly, companies are well advised to contact their legal counsel before acceding to such broad and all-encompassing DCAA demands.

But our concern over DCAA’s letter goes beyond the scope of its document request.

For one, DCAA’s letter seemingly attempts to redefine what the FAR Councils previously have said constitutes a “timely disclosure.” Whereas the FAR Councils acknowledged that the meaning of the term “timely” will depend upon the totality of the circumstances in any given case, DCAA apparently has decided that “timely” means “within 5-10 days.” The FAR Councils, however, explicitly rejected an effort to establish a precise definition of “timely.” According to the Councils, doing so “would be arbitrary and would cause more problems than it would resolve.” See 73 Fed. Reg. 67074. Apparently, DCAA thinks differently.

Another element that concerns us is the fact that DCAA apparently wants mandatory disclosures to be made to it. The FAR Rule, of course, requires no such thing. The FAR Rule requires reporting to “the Government” to avoid suspension/debarment and “to the OIG” to comply with FAR 52.203-13 (although the Government has publicly demanded that all disclosures go directly to the OIG). The FAR Councils did not identify DCAA as a designated destination for mandatory disclosures. This makes sense. DCAA was not created to serve an investigative function, whereas the OIG was.

Time will tell whether DCAA backs away from the positions it has taken in its recent audit letter, or stands firm. Given recent developments over the last several months, particularly those on September 23, 2009 where DCAA Director, April Stephenson, was excoriated by a Senate committee based on criticisms included in a new GAO report, we doubt that DCAA will be too inclined to “lighten up” on contractors. Right now, DCAA does not want to be perceived as weak or ineffective (which appears to be the opinion of many policymakers in Congress, not to mention the GAO), so we doubt that DCAA will let a little thing like whether it actually has “authority” stand in the way of its attempts to validate its own existence. No doubt, DCAA feels completely justified in overreaching its statutory and regulatory authority.

We have no doubt that at least some contractors will not accede to DCAA’s demands without a fight. Where necessary to protect the integrity of the Attorney Client Privilege or the Attorney Work Product doctrine, we think that the fight is worth fighting. We will keep you apprised of the score as the rounds drag on.