As we’ve noted before, we (or actually “I”—but go with it) recently spoke at the Fall Meeting of the American Bar Association’s Section of Public Contract Law on the topic of Contractor Business Systems. As readers of this blog might well guess, we asserted that the administration and/or oversight of Contractor Business Systems costs a lot of bucks and delivers very little bang. We asserted that the premise that contractors’ business systems are the first line of defense against waste, fraud, and abuse, is wrong. We asserted that the whole notion that the majority of defense contractors’ business systems were inadequate, or that the allegedly inadequate business systems contributed to wasteful or fraudulent or abusive business practices, is very largely a fabrication—an imaginary tale dreamed up (we suppose) to scare certain legislators into giving DCAA more funding. We asserted that not only is the focus on Contractor Business Systems misplaced, but that the misplaced focus takes resources away from where they are really needed.

We suggested—or urged, if you will—that it is time to form a joint Government/industry task force to create the “next generation” of contractor internal control systems.

In related news, we (or actually “I”—but go with it) recently spoke at the DCAA Hot Topics Seminar in Dallas, Texas, hosted by the Public Contracting Institute. Again, the topic on the table was Contractor Business Systems, but the focus topic was “Moving Beyond Business System Compliance” to think about where compliance professionals should be spending their time (and where government oversight folks should be spending their time). We asserted that the focus needs to shift from DFARS Business System adequacy criteria (which DCAA largely ignores in any case when auditors create their “significant deficiencies”) to the emerging compliance risks—such as counterfeit electronic parts detection and avoidance, management of controlled unclassified information, complying with anti-human trafficking rules, and maintaining vigilance in the area of cyber-security.

We suggested—or urged, if you will—that it is time to move beyond the six Contractor Business Systems and focus on the real risks faced by contractors (and by extension their Government customers).

This article is where we are going to gather some thoughts that support assertions made in both those presentations. Unlike many articles on this site, there will be no big wrap-up or unifying theme at the end. Instead, we are just going to list some points in no particular order.

• The process of reviewing and determining system adequacy takes too damn long. Remember the Raytheon “pilot” accounting system review—the first one performed by DCAA under the new adequacy criteria and review program? We know that took more than three (3) years to complete. By the time the system review report was issued, many of the facts and evidence relied upon by the auditors was already obsolete.

• And speaking of currency of audit evidence, remember the time when the DoD Office of Inspector General criticized DCAA for using evidence that was no longer current, in violation of GAGAS 6.04b? We do. And we also remember that then-Director Fitzgerald promised the OIG that DCAA would do better. He wrote—

By November 2011, DCAA will issue guidance, which will include the requirement for auditors to (i) perform sufficient testing of data that is relevant to the audit objectives, including the period or point in time covered by the report, (ii) perform testing of data generated by the system throughout the period under audit, and (iii) issue timely audit reports. For audits of contractor business systems, DCAA will perform compliance attestation engagements and report on the contractor’s compliance during a period of time or as of a point in time, consistent with the applicable attestation reporting standards (AT 601.55b) in AICPA’s Statements on Standards for Attestation Engagements. Circumstances where auditors would need to expand testing to obtain sufficient evidence for the conclusions expressed in the report should be limited since the transactions being evaluated in the audit will coincide with the defined period covered by the audit. DCAA agrees with the guidance in GAGAS A8.02g, that the evidence provided in the report is more helpful if it is current and, therefore, timely issuance of the report is an important reporting goal for auditors.

How’s that promised audit guidance coming? More importantly (and less snarkily), DCAA’s inability to issue its Contractor Business System reports timely is a continued GAGAS violation and undercuts the audit agency’s conclusions.

• A big part of CBS administration and management is timely follow-up of initial reviews, to determine whether or not the contractor implemented its corrective actions and whether or not those corrective actions, if implemented, remediated the system deficiencies. Remember that time when the DoD IG told the Director of DCAA that the audit agency was taking too long to perform and issue CBS follow-up audits? What’s changed since that time? Or in other words, what did DCAA do to address the OIG’s concerns? Nothing. DCAA did nothing. Nothing has changed. The status remains quo.

• And remember all those times when the DoD OIG told DCMA that its Contracting Officers weren’t complying with the timelines established in the DFARS and DFARS PGI and DCMA Business Instructions? (One example here. This website contains more than one example.)

• The DAR Council issued a proposed rule that would, in essence, recuse DCAA from performing its share of the CBS reviews. That rule was subject to criticism and went nowhere, and the DFARS Case was closed. Why did the DAR Council believe such a rule was even necessary in the first place? Perhaps it was the recognition that DCAA simply lacked resources to fulfill its share of the regulatory bargain, the division of labor between DCMA and DCAA. Many commenters (including us!) told the DAR Council that would be the case, but the rule-makers didn’t listen.

• Perhaps in recognition that the government resources could not support the regulatory requirements, the threshold for reviewing the adequacy of a contractor’s EVMS Business System adequacy criteria was raised by $50 million (from $50 million to $100 million) via Class Deviation.

• Further to that thought, the Office of Federal Procurement Policy (OFPP) recently issued a memo entitled “Reducing the Burden of Certifying Earned Value Management Systems.” The OFPP memo states, “… the cost of certifying the system as ANSI/EIA-748 compliant can be significant … the cost of a certification can exceed $1 million. In addition, a contractor that achieves certification for its system at one agency may not be recognized by other agencies as having a compliant system and may be required to complete yet another costly certification process.” This revelation (that establishment of separate DFARS adequacy criteria created a duplicate compliance structure, since the DFARS doesn’t apply to civilian agencies) wasn’t shocking to those of us who told the DAR Council that would be the case during the public comment phase. Again, the DAR Council didn’t listen so now OFPP has had to step in to mediate the expensive problem caused by the DAR Council’s deafness.

No big wrap-up here. Just some thoughts/facts that we believe support our assertion that the DFARS Business System administration and oversight regime was poorly thought-out, and that experience is showing that public commenters (including us!) were spot-on in their submitted concerns and criticisms. Now we have an expensive, complicated, poorly-understood process that the parties cannot execute within the regulatory and non-regulatory requirements the DAR Council (and DCMA) established. Just some thoughts/facts that we believe support our assertion that it is time to form a task force to guide the parties past this albatross, this Maginot Line of defense, and into a more substantive “next generation” defense that protects the taxpayers in an affordable and effective manner.