For defense contractors (and non-M&O Dept. of Energy contractors), business systems are “the first line of defense against fraud, waste, and abuse.” How many times have we heard that phrase? It’s been in the Federal Register several times, and in Agency guidance several additional times. The line has been in a Public Law. It’s been all over the place. The phrase has become conventional wisdom by this point.

We like to question conventional wisdom.

On August 11, 2009, the Commission on Wartime Contracting (CWC) “conducted a hearing to obtain testimony from government officials and contractors on the adequacy of contractor business systems.” At that hearing—

The Commission learned that unreliable data from business systems produced billions of dollars in contingency-contract costs that government auditors often could not verify. The government’s ability to detect contract cost errors and material misstatements is seriously impeded by contractors’ inadequate internal controls over their business systems. Further, the two primary government agencies involved, the Defense Contract Management Agency (DCMA) and the Defense Contract Audit Agency (DCAA), are not effectively working together to protect government interests.

The CWC subsequently published a report in September of that year, entitled “Defense Agencies Must Improve their Oversight of Contractor Business Systems to Reduce Waste, Fraud, and Abuse”. The first line of that report was “Contractor business systems and internal controls are the first line of defense against waste, fraud, and abuse.”

And that’s how it started.

Flash-forward 5+ years and there has been a profound sea-change in the focus on contractor business systems since the CWC sounded its warnings. The landscape is entirely different. We have six business systems (not 10 internal control systems). We have deficiencies and significant deficiencies. Significant deficiencies mean disapproval (or inadequacy) and that leads, inexorably, to mandatory payment withholds. Reviewing contractor business systems has become a cottage industry, with consultants and attorneys eager to assist contractors with creating adequate business systems, or remediating those systems that failed DCAA or DCMA audit.

And now we have reenergized DCMA functional specialists and refocused DCAA auditors, with new and improved audit programs to help them evaluate business systems. We have peer reviews of ACO business system adequacy determinations, and at least two levels of Review Boards to help adjudicate disagreements between the ACO and those who performed the reviews. We have process upon process, and guidance upon guidance—all to help focus oversight on the first line of defense against fraud, waste, and abuse.

The thing of it is: it’s all nonsense. It’s pretty much a big waste of taxpayer funds.

Allow us to explain.

Let’s talk about the Maginot Line.

The Maginot Line was France’s first line of defense against German invasion. Constructed between World War I and World War II, the Maginot Line was designed to stop the Germans cold. From Wikipedia—

The Maginot Line was impervious to most forms of attack (including aerial bombings and tank fire), and had state-of-the-art living conditions for garrisoned troops, air conditioning, comfortable eating areas and underground railways.

It seemed like a really good idea at the time. Unfortunately, the Germans didn’t cooperate. They didn’t use the same strategy they had employed in World War I. As Wikipedia noted—

The French established the fortification to provide time for their army to mobilize in the event of attack, allowing French forces to move into Belgium for a decisive confrontation with Germany. The success of static, defensive combat in World War I was a key influence on French thinking. French military experts extolled the Maginot Line as a work of genius, believing it would prevent any further invasions from the east.

While the fortification system did prevent a direct attack, it was strategically ineffective, as the Germans invaded through Belgium, going around the Maginot Line. The German army came through the Ardennes forest and the Low Countries, completely sweeping by the line, causing the French army to surrender and conquering France in about six weeks

Moreover, the Wikipedia article asserted that the Maginot Line, “proved costly to maintain and subsequently led to parts of the French Armed Forces being underfunded and not provided with the troops, equipment and communications needed for the war.” Consequently, “reference to the Maginot Line is used to recall a strategy or object that people hope will prove effective but instead fails miserably, giving way to the ‘Maginot Line mentality’.”

Sound familiar?

The focus over the past 5 years on contractor business systems is the Maginot Line of today’s DoD oversight function, especially the oversight provided by the Defense Contract Management Agency. Like the French focus on their fixed fortifications, it is the wrong strategy. It is the wrong focus. And it takes funding and resources away from other, more critical, areas.

The focus on contractor business systems is not a focus on preventing fraud, waste, and abuse. Instead, it is a focus primarily on policies and procedures. Contractors can best prove the adequacy of their business systems by having really thick policies and procedures that address every one of the applicable adequacy criteria. The best way to pass a business system review is to have a lot of really good policies and procedures; the actual practices are of lesser importance. That’s not to say that certain metrics won’t be part of the review; they will be. It’s just that the corrective action plan to remediate any findings will almost certainly consist of writing better and more robust policies and procedures, and ensuring employees are trained in their contents.

The adequacy criteria themselves are largely ambiguous and subjective, and so disagreements arise easily during audit. As we’ve noted before, DCAA has taken the definition of “significant deficiency” found in the regulations and created something not envisioned by the rule-makers so that the auditors can comply with GAGAS. The irony there is that the AICPA says the adequacy criteria aren’t auditable, and so it’s tough to see how any auditor could ever comply with GAGAS no matter how terms are defined.

The focus on contractor business system adequacy is an imaginary line of defense because policies and procedures are not—nor have they ever been—the first line of defense against fraud, waste, and abuse.

The first line of defense is people. People who make good decisions when faced with conflicting priorities. People who have the training to make those decisions, and the resources to call upon when things get tough. That’s your first line of defense.

People are always the first line of defense and all the policies and procedures in the world won’t stop bad decisions from being made by poorly trained and poorly supported people.

Any approach that focuses on ambiguous, subjective, adequacy criteria, that focuses on written policies and procedures, is a Maginot Line approach.

And while DCMA and DCAA are focused on six contractor business systems, too many contractor employees continue to engage in wrongdoing, including such activities as bribery, kick-backs, and other corrupt behavior. Indeed, the adequacy of a contractor’s business systems is absolutely no guarantee that its employees are engaging in ethical decision-making. The best policies and procedures in the world don’t ensure ethical decision-making. Just ask the executives of Enron.

It’s past time for DoD policy-makers to admit that oversight of contractor business systems, in its current form, is not the first line of defense against fraud, waste, and abuse. They are not the first line of defense, nor have they ever been. In fact, the business systems adequacy criteria have very little to do with preventing waste, fraud, and/or abuse.

It’s past time for DoD to admit that the focus on contractor business systems is a mistake, one that takes resources and funding away from more important things. It’s time to get DCAA out of business systems audits altogether and, to the extent DCMA wants to review certain contractor practices and controls, it should do so in a streamlined fashion, without the multiple layers of bureaucracy and without the nuclear option of payment withholds.