chevron-down Created with Sketch Beta.


The Procurement Lawyer Winter 2023

Contractor Compliance and Internal Investigations: Practical Strategies for 2023 and Beyond

Diana Lyn Curtis Shutzer and Nicholas Thomas Solosky


  • Examining internal and external triggering events that require companies to initiate internal investigations
  • Walks through the practical steps of conducting an investigation
  • Discusses question of what steps a contractor should take if the investigation uncovers credible evidence of a violation
Contractor Compliance and Internal Investigations: Practical Strategies for 2023 and Beyond
microgen via Getty Images

Jump to:

Allegations of misconduct on a federal project represent a significant crossroads for a government contractor. The contractor must quickly assess the source of the allegations and whether they rise to the level of requiring disclosure to the government.

The process of making that determination (i.e., whether to disclose to the government) should be serious, deliberate, and process driven. Internal compliance programs should provide a smooth transition to an internal investigation when required, including standards for how to conduct the investigation. Standard measures include:

  • How will the company review and collect documents?
  • Who are the relevant witnesses who should be interviewed—and who will conduct those interviews?
  • Will outside counsel be involved?
  • Should the investigation conclude with a written report?

In this article, we examine the internal and external triggering events that require companies to initiate internal investigations. We also walk through the practical steps of conducting an investigation, including properly staffing an investigative team, preparing for witness interviews, and ensuring that investigation reports and other important investigation materials remain protected.

This article also tackles the monumental question of the steps a contractor needs to take if the investigation uncovers credible evidence of an actionable violation (whether actual or even potential). The question of whether to disclose can become a “bet-the-company” proposition. Disclosing a potential violation may lead to fines and other substantial penalties, but those results pale in comparison to the consequences of failing to disclose or to conduct a proper internal investigation. Such inaction can lead to the same fines and penalties (and likely in higher dollar amounts), as well as suspension, debarment, increased government scrutiny, and even criminal prosecution.

Bottom Line Up Front—Assessing the Enforcement Landscape in 2023 and Beyond

To develop a rational compliance and internal investigation program, contractors should start by taking a step back and assessing the current landscape.

The Biden White House and Department of Justice (DOJ) have strongly emphasized the enforcement of corporate compliance (including holding individuals accountable for corporate wrongdoing). As discussed in more detail below, this compliance initiative is highlighted by a new focus on cybersecurity with the Civil Cyber Fraud Initiative.

At the same time that the DOJ is ramping up enforcement, it is incentivizing voluntary self-disclosure of misconduct as a means of avoiding harsh penalties. As Deputy Attorney General Lisa O. Monaco stated in a 2022 speech, “In many cases, voluntary self-disclosure is a sign that the company has developed a compliance program and has fostered a culture to detect misconduct and bring it forward. Our goal is simple: to reward those companies whose historical investments in compliance enable voluntary self-disclosure and to incentivize other companies to make the same investments going forward.”

The implication is clear: Contractors that have reasonable processes in place to identify, isolate, investigate, and self-disclose misconduct are in a position to save money (significant fines, penalties, and costs) and preserve goodwill (avoiding guilty pleas, compliance monitors, and sanctions like suspension and debarment).

Based on this guidance, contractors should take proactive steps to:

  • Implement robust compliance programs (and assess institution requirements related to cybersecurity as part of those programs);
  • Review internal controls related to investigating reported misconduct; and
  • Reconsider internal benchmarks for voluntary self-disclosure.

Compliance Programs and the Role of Internal Investigations

Contractors that do business with the federal government are already living in the age of mandatory compliance programs and reporting requirements.

The Federal Acquisition Regulation (FAR) requires the vast majority of federal contractors to have a written code of business ethics and conduct (Code). Through its Code, the contractor must establish a business ethics awareness and compliance program within 90 days of contract award that provides training to principals, employees, agents, and subcontractors (as appropriate) on the organization’s standards, procedures, and other aspects of the code of ethics and compliance with an internal control system.

Practical Best Practices Sidebar: A contractor’s goal in drafting and implementing the Code should not be checking a box or meeting minimum requirements. Contractors should be thoughtful about potentially troublesome compliance issues and address those issues in detail as part of the Code. Contractors should also take seriously the emphasis on employee training. Employees in the field (rather than in the C-suite) are most likely to encounter compliance failures early on. Training those employees to identify, isolate, and properly report compliance issues is the best first line of defense.

Under the Code, the contractor must “timely disclose, in writing, to the agency Office of the Inspector General (OIG), with a copy to the Contracting Officer,” any credible evidence (down to the subcontractor level) of violations . . . in connection with the “award, performance, or closeout of [the] contract.” The disclosure requirement set forth in 48 C.F.R. § 52.203-13 is mandatory. “In fulfilling this legal obligation, contractors are not required to carry out a complex investigation, but only need to take reasonable steps that the contractor considers sufficient to determine that the evidence is credible.”

Recent Enforcement Trends

The vital role of internal corporate investigations is highlighted by recent government enforcement actions and penalties. In each of the examples below, the government brought a significant enforcement action against a contractor for alleged compliance failures.


Cybersecurity is the newest compliance frontier for government contractors.

The Department of Defense (DoD) has made headlines in recent years with the Cybersecurity Maturity Model Certification (CMMC) program. The DoD implemented the program in June 2019, followed in fairly short order by updated versions 1.0 and 2.0. While the program remains in flux (with still more changes and requirements set to appear in 2023), do not be fooled. The vast majority of government contracts contain cybersecurity requirements that contractors need to comply with right now.

The purpose of cybersecurity is to safeguard government information from “cyber incidents.” Contractors that submit certifications on federal projects are usually certifying that they are taking such steps. Recently, the government made news by bringing a first-of-its-kind False Claims Act action against a contractor that misrepresented the status of its cybersecurity compliance program.

Small Business Fraud

Small business contracting fraud remains a common area of government investigations and enforcement. The reason is at least twofold. First, there is a bipartisan agreement on protecting the integrity of small business programs. That is, contracts set aside for small businesses should be awarded to and performed by legitimate small business concerns. Second, small businesses often lack robust compliance departments, making violations (even unintentional ones) low-hanging fruit.

The DOJ’s focus on protecting the integrity of small business programs was at the heart of a recent multimillion-dollar settlement. The DOJ alleged that a contractor falsely continued to certify its status as a “small business concern” even after being acquired by an other-than-small business—resulting in the wrongful award of 22 contracts intended to be set aside for small businesses.

Other Contract Clauses

While not the most helpful advice, the truth is that compliance issues can arise under any contract clause requiring contractor compliance. It is hopeful to the point of naivete for a contractor to expect that every one of its employees will know the precise requirements of all clauses in its contract. Instead, the goal of a good compliance program is to train employees to know common pitfalls and report even suspected problems (even if they are unsure of the precise nature of the violation).

A helpful example is the Buy American Act (BAA), a domestic preference statute that, in a nutshell, requires contractors to use American-made goods on federal projects. In 2022, the DOJ continued to conduct enforcement actions against contractors that wrongfully signed certifications while supplying foreign products.

There are a plethora of FAR clauses implementing the BAA for various types of materials, as well as exceptions for various trade act source countries. While individual employees may not know the precise BAA variation at issue, a baseline understanding of domestic preference requirements could help to identify and avert a compliance issue before it becomes a true compliance failure.

The Triggering Event

Having established how compliance issues can arise (which is to say, from just about anywhere in a contract), we turn to the most common sources for how contractors learn about potential violations. Whether the information comes from inside the company or from external sources, contractors need to implement effective monitoring procedures and treat all allegations seriously. Not every incident will require the kind of full-blown investigation discussed in this article, but they should all be examined with appropriate rigor and in good faith.

Employee Complaints and Whistleblower Reports

A good compliance program focuses on employee training and education. This is because employees on the front lines are most likely to become aware of misconduct at the time it happens—long before it reaches upper management or the C-suite.

For this reason, a contractor’s internal control programs should include mechanisms for employees to report issues quickly and effectively and in a risk-free way. At a minimum, this should include complying with the Code requirement of an “internal reporting mechanism, such as a hotline, which allows for anonymity or confidentiality, by which employees may report suspected instances of improper conduct, and instructions that encourage employees to make such reports.”

Special care is needed because contractors must make these reporting options available to employees while simultaneously avoiding even the appearance of the threat of retaliation. State and federal laws broadly prohibit whistleblower retaliation, including protections against legally actionable retaliation under the Civil False Claims Act.

Audits and Other Internal Processes

In addition to compliance programs and other mechanisms designed for the express purpose of rooting out compliance issues, contractors should also pay attention to more common operational processes (like audits and financial reports) for evidence of anomalies that may signal misconduct.

By integrating these processes into the company’s culture of compliance, contractors can treat internal audits and reviews as components of their risk mitigation tools. Results can be shared with employees as part of regular Code trainings and updates—and, of course, any irregularities should be reviewed and investigated if warranted.

The Investigation Team: Who Should Conduct the Investigation

There are several approaches to fielding an investigation team. Generally, the team should be determined by the type of investigation, the individuals involved, the seriousness of the accusations, and whether it is likely to result in a disclosure. Companies may use internal investigators or an outside legal counsel team. There are advantages and disadvantages to each. For example, an internal investigation team may already have good rapport with certain witnesses, but for that reason may not be perceived as neutral. An outside legal team, by contrast, brings the assurance of objectivity, but may lack working knowledge of the company culture and employee relationships. It is also not necessary for the investigation team to be attorneys to maintain work product protection.

Regardless of which approach is selected, the investigators, in addition to understanding the applicable laws, should possess the following soft skills:

  • Attention to Detail. It is essential that any investigator has the ability to focus on the investigation and retain information gleaned from witness interviews and document reviews, as well as the judgment, to identify patterns or inconsistencies in determining the relevant facts and timeline of events.
  • Objectivity and Freedom From Bias. Objectivity is necessary to understand what happened to cause the triggering event. While the investigator is putting together the pieces, they need to keep an open mind and not jump to unsupported conclusions. It is also key that the investigator remain neutral.
  • Interpersonal Skills. Especially during witness interviews, it is important that the investigator build a rapport with the witness to solicit relevant facts. Witnesses can be nervous or even combative, so investigators must be able to adjust their approach to put the witness at ease and elicit the most relevant information to determine what happened.
  • Good Judgement of Character. Investigators need to determine the credibility of the source of information. Witnesses do not generally admit when they are trying to obscure the truth. A good investigator will need to read the room, understand body language and facial expressions, and then determine whether the witness is being truthful. Most importantly, they will have to actively listen to identify any inconsistencies in statements.

Conducting Witness Interviews

Witness interviews are a critical step in any investigation. To determine whether there is credible evidence of a violation, the investigation team needs to discover the relevant facts. Witnesses may prove helpful in understanding what happened, who was involved, the sequence of events, and motives behind individual actions. That said, not all witnesses will be forthcoming and some may be inclined to work against the objectives of the investigation team. Investigators need to know how to read the room and adjust the strategy accordingly to obtain the relevant facts needed. At every step, investigators should be evaluating the credibility of witnesses and the veracity of the statements made.

Before conducting interviews, the investigation team should consider:

  • Preparation and Identification of Key Documents. Conducting a thorough document review is an important pre-interview step. These documents give the investigation team a glimpse into the relevant facts and a starting point before the initiation of interviews. Additionally, documents could be used during interviews to corroborate consistent statements, refresh witnesses’ recollections, and confront witnesses when it appears they are not being honest or telling the whole story.
  • Sequence and Timing of Interviews. Generally, interviews are conducted in order of importance, leaving the most important interviews toward the end, which allows the investigation team to be as informed as possible during critical interviews. However, this order of witnesses may be impacted by other factors such as witness availability or potential termination. Additionally, it is ideal to conduct interviews over a relatively short period of time. This mitigates the likelihood that witnesses will tip off or discuss their responses with other witnesses on the interview list.
  • Method for Conducting the Interview. The most effective method for conducting witness interviews is in person because it allows the investigator to glean additional information from the witness’s body language, facial expressions, and other social cues.
  • Individual Witness Factors. The investigation team should look into the background of each witness to learn the individual’s history, experiences, and relationships. This background information may help the interviewer make a better connection with the witness and understand if there is any ulterior motive or hidden agenda behind the witness statements, or if the witness has a propensity to tell the truth.

The Upjohn Warning

Before the interview begins, attorneys must establish the ground rules with employee witnesses by giving an “Upjohn warning.” This warning, which stems from the U.S. Supreme Court’s decision in Upjohn Co. v. United States, requires attorneys conducting internal investigation interviews to inform their corporate employee interviewees of the scope of the investigation and disclose who the attorneys represent.

Specifically, an Upjohn warning should consist of:

  • An explanation of the general subject matter(s) under investigation and that the company retained the attorney to provide legal advice;
  • A clear notice that the attorney represents the employer company and not the interviewee;
  • A statement that the interview is confidential and subject to attorney-client privilege, but that it is the company employer that has the right to exercise that privilege;
  • An explanation that, as the client, the company employer may choose to waive the attorney-client privilege and reveal what is discussed during the interview to third parties;
  • Direction that the employee interviewee should treat the interview as confidential and not disclose what is discussed to anyone, in order to protect the company’s attorney-client privilege; and
  • An opportunity for the interviewee to ask questions about the Upjohn recitals and a confirmation that the interviewee understands the ground rules prior to commencing the interview.

The Upjohn warning is a crucial first step in every internal investigation interview that must not be overlooked. Without the Upjohn recitals, employee interviewees may erroneously believe that the interviewing attorney represents them as employees, along with the company employer that hired the attorney. The Upjohn warning protects the attorney-client privilege of the company client and satisfies the interviewing attorney’s ethical obligations when dealing with unrepresented individuals.

Failure to give an Upjohn warning or providing an insufficient warning may result in the following:

  • The company client losing its exclusive right to control the privilege connected to the internal investigation communications;
  • If applicable, a loss of cooperation credit in connection with a DOJ investigation of alleged civil or criminal misconduct; and/or
  • Discipline by the attorney’s local bar for violation of the rules of professional conduct.

If an interviewee erroneously believes that the interviewing attorney represents them as an individual, such interviewee may attempt to claim the attorney-client privilege over matters discussed during the interview. For example, in a 2005 case before the Fourth Circuit, employees interviewed during an internal investigation attempted to quash a subpoena requesting information about such interviews, alleging that such communications were privileged. The company employer had agreed to waive its attorney-client privilege and turn over the records related to the interviews, but the interviewed employees moved to quash the subpoena, claiming they also had a privilege over the communications.

Although the district court (and later the Fourth Circuit) ultimately held that the employees failed to prove they were clients of the interviewing attorneys, the Fourth Circuit openly criticized “the watered-down ‘Upjohn warnings’ the investigating attorneys gave.” The Fourth Circuit noted that:

Similarly, employee interference in the company employer’s decision to disclose information communicated during an internal investigation can also negatively impact cooperation credit the company can receive during a DOJ investigation. Under the DOJ’s guidelines, credit may be given as a mitigating factor in connection with a criminal or civil investigation of misconduct. To be eligible for cooperation credit, a company under investigation must timely identify all individuals substantially involved in the misconduct and provide “all relevant facts relating to that misconduct.” If employees unreasonably interfere with a company’s decision to turn over privileged discussions and related information to the DOJ, such delay may result in a loss of cooperation credit for the company and strain its relationship with DOJ investigators.

Finally, providing adequate Upjohn warnings is part of an attorney’s ethical obligations when working with unrepresented individuals and when conducting interviews. Under ABA Model Rule 4.1, an attorney shall not knowingly “make a false statement of material fact or law to a third person” in the course of representing a client. Further, under ABA Model Rule 4.3, an attorney “shall not state or imply that the lawyer is disinterested” or “give legal advice to an unrepresented person.” Knowingly failing to inform an employee about who actually holds the privilege over internal investigation communications or providing legal advice to the interviewee may amount to ethical violations that open the interviewing attorney up to discipline by their local bar administration.

Upjohn warnings are essential to protecting a corporate client’s attorney-client privilege and to conducting an ethical internal investigation. Attorneys must ensure that adequate Upjohn warnings are given before each and every employee interview and that interviewees understand the legal relationship and privileges at play before asking substantive questions about the subject matter of the investigation.

The Report

Despite the broad reach of discovery, investigation materials and reports may receive protection under attorney-client privilege or attorney work-product doctrine, but neither protection is automatic.

Generally, “factual investigations performed by attorneys as attorneys fall comfortably within the protection of the attorney-client privilege.” “In the context of an organization’s internal investigation, if one of the significant purposes of the internal investigation was to obtain or provide legal advice, the privilege will apply.” The burden of demonstrating that a document is protected is on the party asserting the doctrine. While attorney-client privilege and attorney work-product doctrine function similarly to protect it from discovery, they serve distinct purposes:

The attorney-client privilege protects “(1) a communication (2) made between privileged persons (3) in confidence (4) for the purpose of obtaining or providing legal assistance for the client.” The privilege exists “to encourage full and frank communication between attorneys and their clients and thereby promote broader public interests in the observance of law and administration of justice.” The privilege is not limitless and “protects only those communications that are confidential and are made for the purpose of seeking or receiving legal advice.” For this reason, courts must narrowly construe attorney-client privilege “because it comes with substantial costs and stands as an obstacle of sorts to the search for truth.”

Similarly, the work-product doctrine shields from discovery “documents and tangible things that are prepared in anticipation of litigation or for trial by or for another party or its representative (including the other party’s attorney, consultant, surety, indemnitor, insurer, or agent).” While a party may at times secure through discovery materials prepared in anticipation of litigation, those circumstances are limited. The party must show a substantial need for the materials to prepare its case and that it cannot, without undue hardship, obtain their substantial equivalent by other means. Even if the party is able to show substantial need and undue hardship, the attorney work-product doctrine protects the mental impressions, conclusions, opinions, or legal theories of an attorney or other representative of a party prepared in anticipation of litigation and such are “afforded near absolute protection from discovery.”

That said, once the report is determined to be protected, it is imperative that the company is careful not to waive these protections. Merely making a disclosure in accordance with FAR 52.203-13 will not waive work-product protections. “To find waiver, a court must find that there has been disclosure of a communication or information covered by the attorney-client privilege or work-product protection. But we will not infer a waiver merely because a party’s disclosure covers the same topic as that on which it had sought legal advice.”

However, providing the DOJ the report will likely waive these protections because not all courts recognize selective waiver:

The client cannot be permitted to pick and choose among his opponents, waiving the privilege for some and resurrecting the claim of confidentiality to obstruct others, or to invoke the privilege as to communications whose confidentiality he has already compromised for his own benefit. . . . The attorney-client privilege is not designed for such tactical employment.

A federal judge in the Western District of North Carolina recently held that “the involuntary or compelled production of privileged or protected documents does not waive otherwise applicable claims of privilege so long as the privilege holder objects and takes reasonable steps to protect its claims of privilege and protection.” It is unclear if other courts will follow suit.

From a practical perspective, when a company decides to share protected materials with the government and risks waiving attorney-client privilege or work-product doctrine, the company should, at a minimum, ask the government to issue a subpoena and/or enter into a confidentiality agreement under which production of the privileged materials would not waive privilege. There may be other circumstances when a company should decide not to cooperate. Sharing an investigation report comes with substantial risk of waiver.

The Mandatory Disclosure Rule

It is longstanding policy that “Government contractors must conduct themselves with the highest degree of integrity and honesty.” In an effort to promote a culture of compliance and to create greater oversight to identify and prevent violations of civil and criminal laws, the FAR Council published the mandatory disclosure rule, FAR 52.203-13. Contractors have an obligation to timely report credible evidence of a violation of federal criminal law involving fraud, conflict of interest, bribery or gratuity violations, or a violation of the civil False Claims Act. Moreover, contractors have an obligation to report credible evidence of any significant overpayments received. These obligations remain ongoing for at least three years after receipt of final payment on a contract.

In 2022, contractors made 398 mandatory disclosures to the U.S. Department of Defense’s OIG “that identified $25.1 million in potential monetary recoveries for the government.” Disclosures may be communicated in several ways, including email, mail, or hand-delivery, but must be provided in writing. According to reports presented to Congress, these are a few example disclosures made to the DoD OIG over the last year:

  • A DoD contractor disclosed that one of its employees improperly applied volume discounts on contracts over eight years, resulting in cost overcharges for equipment and materials to the government. The contractor, along with an outside auditing firm, initiated an inquiry into this matter and determined that the government overpaid $10.6 million. The contractor terminated the employee responsible for the wrongdoing and implemented measures to prevent recurrence. The contractor agreed to pay the government $12.3 million, of which $1.7 million was designated as interest.
  • A DoD contractor disclosed that a subcontractor prematurely billed the government during a two-year period, leading to overpayments. The contractor initiated an investigation and determined the subcontractor submitted invoices for payment before completing the work. This caused the contractor to submit invoices to the government prematurely. The two subcontractor employees involved in the wrongdoing received written reprimands, and one of them also received a one-week unpaid suspension. The contractor implemented measures to mitigate future occurrences. In addition, the contractor reimbursed $1.8 million to the government.
  • A DoD contractor disclosed overcharging the government for certain pharmaceutical and drug products during a two-year period. The contractor conducted an inquiry and determined price discount adjustments were not applied correctly, implemented corrective measures to avoid similar mistakes in the future, and reimbursed $557,579 to the government for the overpayments.

If 2022 is any indicator for 2023, based on labor and material shortages, mischarging labor and materials will continue to be the focus of mandatory disclosures. These disclosures enable the government to investigate and hold wrongdoers accountable.

The Cooperation Credit

“Cooperation is a mitigating factor, by which a corporation—just like any other subject of a criminal investigation—can gain credit in a case that otherwise is appropriate for indictment and prosecution.” To receive consideration for cooperation, companies must identify all individuals substantially involved in or responsible for the misconduct and all relevant facts relating to the misconduct. This reinforces the DOJ’s priority to hold individuals accountable for committing and profiting from corporate crimes.

On September 15, 2022, Deputy Attorney General Monaco announced changes to the DOJ’s corporate enforcement policies. Companies need to disclose “important evidence more quickly” and present evidence of individual culpability. Individual accountability continues to be a priority for the DOJ:

One of the most effective ways to combat corporate misconduct is by seeking accountability by the individuals who perpetrated the wrongdoing. Such accountability is important for several reasons: it deters future illegal activity; it incentivizes changes in corporate behavior; it ensures that the proper parties are held responsible for their actions; and it promotes the public’s confidence in our justice system.

With a continued emphasis on individual accountability, the DOJ will penalize those companies that slow-walk the disclosure of critical documents. “Where prosecutors identify undue or intentional delay in the production of information or documents—particularly with respect to documents that impact the government’s ability to assess individual culpability—cooperation credit will be reduced or eliminated.” Monaco emphasized that the first reaction of cooperating companies must be to notify prosecutors immediately when identifying critical documents.

Through policy changes, Monaco is attempting to incentivize positive changes in corporate behavior. She is also calling for greater consistency and transparency among the different components of the DOJ as to “the steps that a corporation will need to take to receive maximum credit for full cooperation.”

In addition to timely preserving, collecting, and disclosing relevant documents, “the cooperating corporation bears the burden of establishing the existence of any restriction on production and of identifying reasonable alternatives to provide the requested facts and evidence, and is expected to work diligently to identify all available legal bases to preserve, collect, and produce such documents, data, and other evidence expeditiously.”

Wrapping Up and Looking Forward

For those forecasting compliance trends, all eyes are on the pending rollout of the DOJ’s self-reporting program. Based on comments from Deputy Attorney General Monaco, it seems clear that it will draw from certain existing government programs by providing incentives to companies that self-disclose misconduct to the government. The question is whether the DOJ will piggyback off of disclosures to other agencies and departments, or mandate its own separate and independent disclosure.

While waiting for the DOJ’s next move, contractors should focus on fostering the kind of internal processes that lead to better outcomes. That includes creating a company-wide culture of compliance (including employee training), treating potential violations with suitable seriousness (including conducting an internal investigation, if appropriate), and reporting credible evidence to the government based on the best practices discussed in this article.

Considering the DOJ’s guidance to date, contractors should not only take these steps, but also focus on doing so with increased speed and thoroughness. Deputy Attorney General Monaco stressed that companies that delay in disclosing key documents or information often limit the DOJ’s ability to hold individuals accountable for wrongdoing. Contractors should therefore be prepared to explain the nature of the investigation and how the timeline unfolded. On the flipside, a contractor that elects not to disclose—but later comes under government investigation anyway—should have detailed documentation ready to justify that decision.