Executive summary
As regulatory scrutiny intensifies, construction and real estate firms face heightened compliance risks. Many still rely on outdated, fragmented systems that jeopardize project timelines and reputations. It’s time for firms to modernize their compliance programs by embedding real-time monitoring, centralized documentation and an ethical culture across operations. With proactive governance and scalable controls, leaders can protect their workforce, strengthen partner trust and avoid costly project delays.
How construction & real estate firms are modernizing
When you work in construction and real estate, risk comes with the job — from safety hazards to permit delays that halt projects overnight. But today, that risk extends far beyond the job site. Firms are under increasing pressure to comply with a maze of regulations. And the consequences of non-compliance are higher, too: failed audits, timeline disruptions and even criminal penalties.
Modernized compliance systems can help firms stay ahead, but many companies still rely on fragmented systems to organize requirements, track issues and document responses. Outdated approaches — including spreadsheets, email chains and disparate tools — make it difficult to monitor obligations, catch risks early and respond confidently when regulators come knocking.
It’s time for firms to modernize their compliance strategy to prevent problems before they happen, protect project timelines and build trust with regulators, partners, employees and clients alike.
How compliance risk has shifted
Construction sites already experience strict oversight. Inspectors often show up unannounced, and if documentation isn’t in order or compliance can’t be demonstrated on the spot, work can be shut down immediately, derailing project timelines and budgets.
But now, the stakes are even higher. Firms need to comply with increasingly complex federal, state and local regulations.
At the national level, the Department of Justice (DOJ) announced that trade and customs fraud, including tariff evasion, would be a top-two priority this year. For construction and real estate firms, that means actions such as misclassifying a subcontractor or misreporting materials could now face not just a fine but criminal charges.
“The DOJ is looking at opportunities to hold people accountable for skirting the rules around sanctions, tariffs and trade policies,” said D.J. Rossini, Grant Thornton Risk Advisory Services Managing Director. “If firms aren’t actively monitoring who they can do business with and how, their business isn’t likely to survive.”
At the same time, state and local-level regulations are evolving. Firms have to stay up to date on rules around zoning, environmental requirements and city-specific building codes, all of which can change in the middle of a project.
The need for whistleblower and ethics programs
Regulations that are increasing in scope and consequence also require leaders to foster a company culture where issues are reported before they escalate. Because construction and real estate workforces are so decentralized across job sites, regional offices and layers of subcontractors, it’s difficult to detect and act on misconduct early.
“You need to make sure people have a way to report misconduct — whether they’re union or non-union, or in a field office or back office,” Rossini said. “By giving employees opportunities to report proactively, companies can stop small issues before they become a brand-damaging headline.”
Third-party risks
Many compliance risks also come from third parties that firms collaborate with daily: subcontractors, vendors and suppliers.
“One of the most overlooked areas of compliance risk in the construction and real estate industry is third-party risk,” Rossini said. “With so many disparate workers and geographies, you have to know who you're doing business with and the risks they might be bringing with them.”
Without proper oversight of how vendors are vetted or contracts are awarded, firms may unintentionally violate procurement rules, wage laws and anti-corruption statutes, which can trigger enforcement under the False Claims Act or procurement fraud investigations. Even if no law is broken, patterns of non-compliance can derail partner and investor trust, and consequently, the firm’s brand image.
“If a firm has a history of compliance gaps — permit violations, questionable contractor oversight, ethics issues — partners will move on to someone else,” Rossini said. “Nobody wants the headache of doing business with a firm that cuts corners.”
Due diligence is essential for managing compliance risk across third parties. But doing it manually for every vendor would be incredibly time-consuming and would introduce its own risks.
“Firms need to be able to streamline compliance, including how they document the ways they prevent, monitor and respond to risk,” Rossini said. “Many firms still rely on systems that don’t make that easy to do with confidence.”
Third-party due diligence checklist for construction & real estate firms | |
Category | What to check |
Business legitimacy | Licenses, insurance, litigation history, financial solvency |
Trade compliance | Sanctions screening, material classifications, country-of-origin accuracy |
Labor practices | Worker classification, wage compliance, fair labor adherence |
Corruption risk | Ties to politically exposed persons, past misconduct, procurement integrity |
ESG & environmental | Permits, responsible sourcing, sustainability disclosure |
Policies & training | Vendor agreement to code of conduct, access to ethics training |
How we can help you
SERVICE
INDUSTRY
SERVICE
Ready to talk? We’re ready to listen.
Request a meeting -->
Building a modern compliance process
For many construction and real estate companies, their biggest compliance challenge is not only the volume of regulations they need to track, but how fragmented their systems are.
When contractor approvals, procurement workflows and certification tracking operate on different platforms (or none at all), it’s nearly impossible to verify that every vendor is vetted, every permit is active and every site issue is resolved.
“When firms conduct reporting or compliance in a decentralized way, communication becomes unclear,” Rossini said. “If an issue arises, leaders don’t know about it or don’t know what’s been done to address it.”
A modernized system improves communication by providing a real-time view of where a permit stands or whether an issue has been resolved, including who is responsible for taking next steps to resolve a dispute, file a permit or address a safety concern.
Modernization, however, is not a plug-and-play solution. It’s a complex, ongoing process that requires time, expertise and training across departments.
“Many firms underestimate the time and effort required to not just maintain a modern compliance system, but also to prepare for it,” said Leslie Watson-Stracener, Grant Thornton Risk Advisory Services Partner. Limited budgets force companies to prioritize materials, labor and regulatory obligations over technology upgrades that could streamline compliance. Some firms invest in new tools but skip professional implementation, assuming existing staff can manage it along with their existing workloads — an approach that typically adds more complexity and causes delays.
Many also believe such implementations would take away from revenue-generating project work. Our Digital Transformation Survey found that “disrupted operations” was the top reason past technology initiatives have failed at construction and real estate firms.
That’s why the implementation decisions are just as important as deciding which products to invest in, beginning with leadership embedding compliance into their team culture.
“At the executive level, compliance has to be championed as a business enabler,” Rossini says. “People want to work with, and for, companies that do the right thing. Celebrating compliance wins, and how they impact a company’s bottom line, emphasizes the importance of investing in this work, implementing it correctly and following through on it.”
Four pillars to build a scalable compliance system | |
Monitor risk in real time
| Clarify ownership and accountability Assign clear responsibilities for each compliance task to ensure nothing falls through the cracks. |
Centralize documentation and workflows Digitize and integrate permit files, training records, approvals and vendor certifications into a unified system to improve audit readiness. | Embed ethics, training and reporting into your culture. |
Modern dashboards and automation tools provide real‑time status across projects, helping monitor permits, inspection reports, safety certifications, lease obligations and tenant compliance.
“When compliance technology is embedded into daily workflows, it transforms the back-office compliance program into a more visible, manageable function and provides front-office teams with timely, actionable insights,” said Watson-Stracener. “Customizable dashboards also enhance project management by aligning compliance to-dos with how your teams operate on the ground.”
Centralized dashboards that are color-coded, role-specific and tied to each project deadline can help teams flag missing documents, expired certifications or delays that hold up work. For example, if a permit agency typically takes three weeks to respond, a modernized compliance system can flag that deadline early to stay on schedule.
Adapting to new tech risks
It’s also important to recognize that introducing new technology brings new risks, which require their own oversight.
“Any time you implement a new technology — whether it's workflow software, a monitoring platform or an AI-driven tool — it brings a new set of compliance risks,” Watson-Stracener said. One potential risk is overreliance on untested automation systems, which may generate false positives or miss red flags without validation. Third-party tech exposure is another point for exposure because as subcontractors and vendors use their own systems, their data quality, configuration and risk posture can be inherited.
“If a third party is using an automated compliance tracker or AI screening tool, how do you know it’s working correctly?” Watson-Stracener asked. “You need to assess not just what the tool is doing, but how well it’s doing it, and whether it’s creating blind spots in your compliance program.”
That’s why establishing strong governance is critical. This includes implementing regular testing and validation protocols to ensure tools perform as intended. Companies also need clear audit trails to document decision-making, threshold settings to flag anomalies or exceptions and manual review processes to catch what automated systems might overlook.
"If your tech isn’t giving you the insights you expected — or worse, hiding issues — it’s not helping your compliance program. Governance has to be built in from day one," said Watson-Stracener.
Design controls that can scale
Controls help manage compliance activities and reduce risk. “Proof of proactive controls are part of the evidence that a firm has a functioning compliance system,” Rossini said. “Business partners want to see that the firm can be trusted to operate without introducing unnecessary risk.”
To design controls that scale across multiple projects and jurisdictions, construction and real estate leaders need consistent, modular processes supported by the right technology.
A core framework for scalable compliance controls includes:
- Governance and leadership commitment: Senior leadership must define and endorse the firm’s risk and compliance standards.
- Risk identification and assessment: Systematically catalog risks relevant to your operations: e.g., regulatory (trade, zoning, ESG), vendor/subcontractor, project schedule, supplier/material costs, safety and contract non‑performance.
- Risk treatment and control design: Based on assessments, design controls for third‐party vendor screening, permit‐status dashboards, contract‑approval workflows and mandatory training. Digital tools such as dashboards, automated alerts, and centralized documentation can automate and simplify the process.
- Monitoring and reporting: Define key risk indicators (KRIs) such as number of vendors without up‑to‑date certifications; permits in “pending” status over a certain amount of time; incident rate per job site; and supplier compliance exceptions.
- Continuous improvement and adaptation: Compliance requirements evolve, so a framework must be designed to evolve and adapt. Companies should review and update controls, process maps, tech tools and training programs at least annually or when major changes occur.
“It's important to conduct periodic global risk reviews and assessments to recalibrate controls as regulations evolve and change,” Rossini said.
Proactive compliance pays off
“Anyone who doesn’t think that misconduct and illegal activity are going to happen is just mistaken. No matter how great your company is, it’s going to happen,” Rossini said.
Getting ahead of compliance is essential — regulatory bodies value firms that are proactive. Recently, the DOJ emphasized in its Evaluation of Corporate Compliance Programs (PDF - 604 KB) that companies with effective compliance programs — and those that self‑disclose and remediate misconduct — are more likely to receive favorable outcomes. Ongoing enforcement actions show that firms demonstrating robust compliance systems have received deferred or non-prosecution agreements instead of facing full penalties.
Beyond avoiding criminal penalties, modernized compliance systems are beneficial to meet local regulations and even internal project timelines. With the right systems, governance and training, construction and real estate firms can reduce delays and costly disruptions, while building lasting relationships with stakeholders.
Contacts:
Head of Construction & Real Estate Industry
Grant Thornton Advisors LLC
Partner, Audit Services, Grant Thornton LLP
Greg Ross is the Head of the Construction & Real Estate industry and an Audit Partner based in the Charlotte office.
Charlotte, North Carolina
Industries
- Construction & Real Estate
- Hospitality & Restaurants
Service Experience
- Audit & Assurance Services
Managing Director, Risk Advisory Services
Grant Thornton Advisors LLC
D.J. Rossini has more than 25 years of experience leading investigations and directing complex compliance projects.
Chicago, Illinois
Industries
- Financial Services
- Healthcare
- Life Sciences
- Construction & Real Estate
- Insurance
- Manufacturing, Transportation & Distribution
- Services
Service Experience
- Risk Advisory
- Regulatory compliance
- Forensics, investigations and disputes
- Anti-money Laundering & Economic Sanctions
- Cybersecurity & Privacy
Content disclaimer
This content provides information and comments on current issues and developments from Grant Thornton Advisors LLC and Grant Thornton LLP. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC and Grant Thornton LLP. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.
For additional information on topics covered in this content, contact a Grant Thornton professional.
Grant Thornton LLP and Grant Thornton Advisors LLC (and their respective subsidiary entities) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Grant Thornton LLP is a licensed independent CPA firm that provides attest services to its clients, and Grant Thornton Advisors LLC and its subsidiary entities provide tax and business consulting services to their clients. Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.
Tax professional standards statement
This content supports Grant Thornton Advisors LLC’s marketing of professional services and is not written tax advice directed at the particular facts and circumstances of any person. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. If you are interested in the topics presented herein, we encourage you to contact a Grant Thornton Advisors LLC tax professional. Nothing herein shall be construed as imposing a limitation on any person from disclosing the tax treatment or tax structure of any matter addressed herein.
The information contained herein is general in nature and is based on authorities that are subject to change. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. This material may not be applicable to, or suitable for, the reader’s specific circumstances or needs and may require consideration of tax and nontax factors not described herein. Contact a Grant Thornton Advisors LLC tax professional prior to taking any action based upon this information.
Changes in tax laws or other factors could affect, on a prospective or retroactive basis, the information contained herein; Grant Thornton Advisors LLC assumes no obligation to inform the reader of any such changes. All references to “Section,” “Sec.,” or “§” refer to the Internal Revenue Code of 1986, as amended.
Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.
Trending topics
No Results Found. Please search again using different keywords and/or filters.
Share with your network
Share