12 Steps for Reducing CARES Act Enforcement Risks


The Coronavirus Aid, Relief and Economic Security, or CARES, Act provides more than a trillion dollars in relief to both small and large businesses in the form of loans, grants and tax credits, designed to quickly stabilize the economy during the ongoing crisis.

But this is not free money: The CARES Act also includes a robust oversight and enforcement regime to enable the government to combat fraud, waste and abuse. Experience shows that when this much government money is being spent, there will be investigations and enforcement actions.

The CARES Act is complex with evolving regulatory guidelines, and this increases the potential for missteps by companies trying to take advantage of the program's benefits while navigating program requirements. How can companies manage this uncertainty and reduce the risk of becoming an enforcement target?

We offer 12 suggested steps below.

1. Monitor changes regarding relief efforts, program administration and enforcement

Trying to keep on top of the whirlwind of recent legislation and multiple guidance documents regarding relief programs has been overwhelming. Even after this initial wave of activity recedes, there surely will be further legal and political developments, and it will be important to remain attuned to future changes in how programs are administered and enforced.

Program changes may require changes in what you are doing and/or additional communications with the government in order to protect your business.

2. Stay on top of your supplier, subcontractor, and vendor relationships, and agreements.

Potential future claims may implicate suppliers, subcontractors and vendors. Careful attention should be paid to coronavirus-related claims submitted by suppliers and subcontractors — ensuring they comply with all applicable contractual and regulatory requirements, and that you have appropriate indemnities and protection for such claims.

3. Keep evaluating your risk management and compliance practices.

Rapid changes in areas as diverse as employment, health care, worker safety and fraud prevention have introduced new policies and practices throughout organizations. Once procedures are in place, they must be reviewed to make sure that they remain relevant and current.

With financial pressures facing many businesses, it may be easy or tempting to let nonrevenue producing compliance projects slip, but companies that do not make the investment to ensure their practices are up to date and really working put themselves at tremendous risk.

4. Document guidance received from the government.

During the formulation of bids, proposals or applications, and especially following the receipt of contract awards or the disbursement of funds from a government agency, it is common for an organization to communicate with the government agency to seek clarification, guidance or interpretations concerning program requirements.

Develop a system to fully capture and document these communications. For example, if information is provided by a government representative during telephone conversations, it is important to document that information with a contemporaneous email or letter.

5. Create a file of potentially helpful documents.

Have government personnel praised your organization's above-and-beyond efforts? Save that e-mail, or, if this was communicated orally, put the substance of what the government said into a thank-you e-mail back to the government.

Did the government temporarily excuse your organization from having to provide personnel who meet a particular labor category qualification? Get that in writing from the contracting officer.

Did the government release award fees or confer other special distinctions or awards? Keep the records.

Has the government extended deadlines for deliverables or agreed to accept something less than what your contract requires? Pursue a formal modification and keep it in your contract file.

6. Ensure that dealings with the federal government comply with your own governance requirements.

Make sure that you document your compliance with your own internal processes, such as board decisions and votes and management recommendations related to dealing with federal agencies. Urgency may make it tempting to skip steps, but having all relevant people involved in decisions will help demonstrate that a company has acted thoughtfully and in accordance with its established procedures.

7. Designate a primary point of contact. 

Consider designating a specific managerial-level individual as a primary point of contact with government officials on coronavirus-related issues such as performance impacts and waivers from contract requirements. This person can be copied on correspondence with the government or contractors and should make sure to collect and maintain key documents and key correspondence.

The point of contact's files will later serve as a one-stop shop if your organization must collect documents in response to a government request.

8. Incorporate legal review.

Both to provide your organization with appropriate legal guidance and to guard against the potential suggestion at a later time that decisions were made or actions taken without an adequate legal basis, consider formally incorporating periodic legal review at critical junctures in your internal management procedures and document the legal advice received.

9. Reinforce the imperative of compliance to your workforce.

In these uncertain times of remote worksites, possible furloughs, panic buying, fear and stress, people may feel that the regular rules do not apply. Temptations to cut corners may arise.

A federal contractor can show that it acted responsibly during this time of crisis by setting an ethical tone from the top. For example, the chief executive and/or other top-level managers can communicate to employees in writing that the code of conduct continues to apply, and that the organization expects employees to continue to comply with established processes and procedures.

Now is a good time to remind employees of the channels available to them if they have questions, need to elevate an issue or report evidence of noncompliance.

Now is also a good time to challenge your ethics and compliance professionals to ensure that the programs they have developed remain active even with people working remotely.

10. Implement, and ensure adherence to, internal controls for preparation of government submissions.

If your organization has not previously implemented written internal procedures for the development of bids, proposals or applications, consider developing a set of internal controls that ensure the program requirements are fully met before making submissions to the government.

Consider incorporating a system to document the accuracy and basis for any certifications contained in the submission.

11. Confirm internal accounting procedures for the expenditure of funds.

Similarly, if your organization does not have prior experience in the receipt and management of funds from the government, consider the development of dedicated accounting procedures with the ability to document and track the use of all funds received from the government.

As a component of these procedures, it would be helpful to incorporate periodic internal financial audits to ensure proper documentation is being maintained on an ongoing basis.

12. Plan for future IT migrations and personnel departures.

One of the biggest challenges when collecting documents in response to a government subpoena is locating documents from legacy information technology systems or from long-departed employees.

If your organization is receiving federal funds as part of a coronavirus response effort, it would be prudent to develop a plan to (1) maintain access to the files of key custodians, (2) have those key custodians keep organized files, (3) ensure adequate transition procedures are followed in the event a key custodian moves to another position or departs the organization, and (4) develop an institutionalized, long-term plan to track where key files reside within your organization's electronic management system, particularly if IT migrations are planned.

“12 Steps for Reducing CARES Act Enforcement Risks,” By William E. Lawler III, Gregory F. Linsin, Justin A. Chiarodo, Dominique L. Casimir, and Sara N. Gerber was published in Law360 on May 11, 2020.