The control environment at a government contractor is often complex, as these organizations operate under some of the most stringent regulations in business. Government contracting requirements and regulations span functional areas such as accounting/finance, human resources, contracts, estimating, IT/cybersecurity and procurement. When these are layered on top of other existing regulatory and industry requirements, finding a way to harmonize and integrate the various frameworks provides for a more efficient and effective control environment.
- Integrated control frameworks bring together internal controls of inter-related functions for a comprehensive and centralized set of controls.
- Integrated control frameworks enable compliance and monitoring in a proactive, comprehensive manner.
- Comprehensive planning with a detailed roadmap is critical for developing a successful integrated control framework.
- Executive/leadership buy-in leads to effective change management.
- Validation and re-validation provide confidence in the new environment.
Even the most well-run government contractor can fall victim to siloed approaches where leaders in parts of the organization develop and manage their own controls with little thought to how their processes interact with controls in other areas of the business.
As a result, both redundancies and gaps in controls can emerge that put the compliance status of the entire organization at risk. The good news is these risks can be mitigated by leveraging and integrating existing internal control structures across an organization’s commercial and federal business segments. With proper planning and implementation, organizations can develop integrated control frameworks that bring interrelated areas of the business together.
“When you break down those silos and you develop an overarching framework, you create an environment where everyone is aware of what everyone else is doing or should be doing,” said Karl Fultz, Senior Manager, Government Contractor Solutions for Grant Thornton LLP. “And then by extension, as the organization evolves, the integrated framework allows you to identify overlaps and consolidate redundancies to have one set of controls for all stakeholders. Alternatively, if you have any gaps, they then become much more apparent because everyone's looking at the same map.”
Integrated control frameworks create efficiencies, improve oversight, and make it easier to report to government clients on the status of controls. But implementing such frameworks requires a thorough process and careful planning.
Leadership buy-in is the first step
The first step in implementation is getting the full support of senior management before beginning the process. Enthusiastic support of leadership helps commitment to change trickle down through the organization.
One key to achieving buy-in is to present the operational and financial benefits of integration. As mentioned above, stakeholders throughout the organization often have their own overlapping control challenges. Support can be achieved by detailing how integration can reduce redundancies within the organization, thereby saving time and budget invested in managing and monitoring controls. Additionally, presenting potential repercussions of not prioritizing internal controls can be a useful tool for obtaining leadership buy-in. Failure to have adequate controls in the government contracting space can result in unfavorable audit findings, payment withholdings, and even penalties and interest.
Leadership support ensures that the integration process is appropriately staffed and budgeted. Often, personnel are so busy fulfilling their daily obligations that they do not have appropriate time or energy to devote to an integration effort. Management buy-in smooths the process of reallocating resources and prioritizing efforts.
“With an integrated framework, if you have any control gaps, they become much more apparent.”
“Executive sponsorship to either dedicate people or hire people inside or outside is a critical component of a smooth and efficient integration process,” Fultz said.
A good roadmap provides direction
A significant portion of the integrated framework effort should be devoted to defining a clear roadmap with key milestones, success indicators and accountabilities.
Strategy and goals: One of the most critical steps in building a successful roadmap is to first identify the strategy and goals, i.e., what is the issue at hand and what is the desired outcome. This includes expected impacts to the organization, systems and stakeholders.
Framework planning, impact analysis and project plan: Once the strategy and goals are defined, it’s important to then gain a detailed understanding of the existing internal control frameworks so that gaps can be identified, and a project plan for implementing revised and new controls can be developed. The project plan should include the level of effort, timelines and estimates for designing and implementing an integrated framework.
Control design: With the capabilities and gaps identified, the organization can begin to design an integrated framework. The integrated framework brings together existing and new controls, which often requires revising and designing new policies and procedures. All this will occur with an eye toward the people changes and system upgrades that may be necessary to accommodate a new framework.
Validation and redesign: A pre-implementation validation is one of the most important steps in the mapping project because new internal controls, policies, and procedures all require assessment and validation to ensure buy-in from stakeholders. Validation helps to mitigate any unintended consequences of implementing a new framework. Internal validation is essential, and many organizations also choose to undergo external validation. External validation may include third-party subject matter experts, cognizant auditors, regulatory bodies, etc. Results and findings from validation should be incorporated into the control design, and the more iterations of validation, the more successful the framework.
Thorough project planning minimizes problems
Disruptions to the effort and the overall organization are reduced significantly when the implementation is planned upfront in a thorough fashion.
“Extensive planning leads to fewer surprises down the line,” said Matt Danner, Senior Manager, Government Contractor Solutions for Grant Thornton. “And when you’re proactive in planning for possible surprises, you’re better prepared when they do occur.”
The major challenge with any implementation is pulling together all the knowledge that exists throughout the organization. It is critical in the project planning phase to identify the applicable internal controls and assign the appropriate subject matter experts to leverage during control design, redesign and implementation. Identifying internal resources prior to execution also allows for the identification of gaps in the organization’s capabilities. Often, external specialists are leveraged to fill in any gaps in knowledge.
Timeline is important but not to be overstated
Any major project planning effort requires the establishment of milestones and a timeframe for accomplishing those objectives. If possible, the timeline should remain flexible with an emphasis on quality and minimal operational impacts. A flexible timeline can be an effective tool for minimizing significant disruptions, such as overloading staff, and for maintaining essential systems, especially during critical periods such as financial statement issuance, government audits, quarter closes, etc.
Use existing activities if possible
If existing controls are working, it may not be necessary to start over from scratch. Organizations may be able to meet control objectives through existing activities or repurpose existing controls as solutions to a new control objective. The key objective is identifying the overlapping or repurposed controls and integrating them into an overarching framework. This integration process can reduce complexity and eliminate redundancies in controls, people and processes.
If the implementation roadmap is well constructed and planning is well thought out, implementation should proceed at a brisk pace.
“A big challenge for organizations is that they lose momentum when the project begins to draw out in terms of time and expense,” Fultz said. Strong project management and iterative checkpoints ensure implementation progress does not diminish. Checkpoints can also serve to validate that processes are still working as intended.
As changes are implemented, communication and training are critical for successful stakeholder adoption. Training helps align everyone from the start. Mid-implementation refresher training reminds people of their responsibilities, allows them to ask questions, and reiterates the importance of the task or control.
Re-validation is the final and critical step in the process. Re-validation serves to confirm the implemented framework is working as intended. It is often performed by independent third parties that can provide an objective perspective. As tempting as it may be to take shortcuts during this step, a half-hearted re-validation can leave an organization with unknown and potentially critical gaps.
Keep people at the forefront
For all the focus on planning and change management, one of the most important duties during an integrated framework implementation is to listen.
“The more you can incorporate people throughout the organization that have the intrinsic knowledge, the better,” Danner said. “They're more aware of all the contingent factors that a particular process or control impacts, and it is critical to involve them in the planning and designing processes from the start. This will allow you to identify the true impact of change quicker than when you get further down the line and try to force change.”
Listening to the organization’s stakeholders allows project leaders to have a full understanding of the control population, their process interdependencies and overall impact on the organization.
“As cumbersome as some of the government’s regulatory requirements may seem on the surface, there is reason and value in following the requirements,” Danner said. “Acknowledging the efficiencies and other benefits of controls helps establish the overall need for integration and organizational improvement opportunities.”