• Increase font size
  • Default font size
  • Decrease font size
Home News Archive Third-Party Accounting System Reviews

Third-Party Accounting System Reviews

E-mail Print PDF

Accountant2Many readers know that the government has options when it comes to audits that have traditionally been performed by DCAA. For example, draft 2018 NDAA language would permit contractors to engage independent CPAs to perform audits of contractors’ claimed incurred costs in their proposals to establish final billing rates. (Since the NDAA language isn’t final yet, it’s tough to be more specific about the details.)

Another option that is becoming more and more prevalent is the use of independent CPAs to perform audits of a contractor’s accounting system.

Now, you might think that this would be an inherently governmental function. You might think that the government would have a vested interest in performing these audits, since some contract types require a contractor to have an adequate accounting system in order to receive them. You might think that completion of an official “Standard Form” 1408 would be limited to government employees.

And you’d be wrong.

Having an accounting system that has been determined to be adequate for cost-reimbursement contracting is a competitive advantage. Turning that around, we see that the act of establishing an accounting system and having that system found to be adequate for cost-reimbursement contracting is a barrier to market entry. Those contractors that can overcome the challenge(s) are in the club and able to compete for awards; whereas those that cannot are left outside, looking in.

The fact of the matter is that contractors that want to compete for cost-reimbursement contracts need to have an accounting system that has been found to be adequate for such contracts—it is absolutely crucial and it must be done. Yet another fact is that DCAA won’t perform a review of a contractor’s accounting system just because the contractor wants the audit to be performed. DCAA only goes in at a contracting officer request, and a contracting officer only requests a review when the contractor is already a bidder in a competition. Thus, the contractor has to start the bid process, spending precious B&P dollars, without knowing whether or not it has an adequate accounting system. If it gets a pass from DCAA, then great! But if not, then all its efforts have been wasted. That’s a lot of uncertainty to take into a competition that is already an uncertain proposition.

Moreover, it’s not as if DCAA were a swift messenger. It’s not as if a DCAA auditor will come to the contractor and issue a report to the contracting officer that the accounting system is adequate (or not) within a couple of weeks. Normally these things take months. We would say that 60 days would be the absolute minimum, with 90 or 120 days being a more likely duration. In the meantime, both the contractor and the contracting officer are left in the dark, wondering what the auditor is going to say and not knowing. Many a government acquisition schedule could be blown while waiting for a DCAA accounting system adequacy report….

In response to that situation, many RFPs permit a contractor to engage an independent CPA firm to perform an accounting system adequacy review. The contractor can (and should) engage that CPA firm whenever it believes it is ready to have its accounting system found to be adequate. (Never mind that, technically, only a government contracting officer can make such a determination. Contracting officers overseeing a source evaluation and selection process are almost always willing to overlook that nuance and accept whatever the independent CPA is willing to say. It is, sadly, too often a “check-the-box” thing.) Many RFPs require a contractor to have an adequate accounting system, and many RFPs are agnostic regarding who performs the review.

Which is really good news for smaller contractors.

Looking forward, we can see a time when third parties perform reviews of all six contractor “business systems,” but that’s not the focus of this article. We’re talking about accounting system adequacy today, and how third party independent CPA firms can successfully substitute for DCAA in such reviews. (Note: Apogee Consulting, Inc. is not a CPA firm.)

Three caveats on having independent CPA firms perform an adequacy review of your accounting system (or any business system, really).

First, the term “independent” has meaning and is well-defined for such firms. Independent means independent. It means that the same CPA firm that does your bookkeeping and/or taxes cannot perform that review. It means that the same CPA firm that “attests” that your accounting system is adequate cannot help you remediate any internal control deficiencies or issues identified during that review. If you decided to engage an independent CPA firm to review your accounting system for adequacy, you must go find a new firm, one that has both the necessary skills and qualifications, and you must pay them to objectively assess the adequacy of the accounting system using the government’s criteria.

Second, the government’s criteria are not entirely objective and they are tiered. The lowest tier is the Standard Form (SF) 1408 criteria. In theory, when you engage an independent third-party CPA firm to evaluate your accounting system, that’s the set of criteria that should be used. However, DCAA has its own pre-award accounting system review program, and its criteria tend to bias towards the 18 official DFARS accounting system adequacy criteria found at DFARS 252.242-7006. To our way of thinking, those criteria apply only if you have that DFARS clause in your contract. The American Institute of Certified Public Accountants (AICPA) wrote the DAR Council years ago, expressing concerns with the subjectivity of some of the 18 DFARS criteria; but of course the DAR Council did nothing with that input. Thus, in a pre-award situation you would want to focus your independent CPA reviewers on the SF 1408 criteria, because it would be a more focused (and less expensive!) audit, and it would also be easier on them. That said, if you have the DFARS accounting system clause in your contract, you may want to engage somebody to look at your system using those criteria because you should want to know if there are any concerns or issues before DCAA shows up.

Third, the format of the independent CPA “attestation” report is very important. When DCAA issues a report, it does so using its impressive government letterhead, using a standard format. You should want the report of your independent CPA firm to look similarly official. Letterhead, sections, signature. You get it. The point is that the outside firm is substituting for DCAA, and they need to be as official as possible. That creates some measure of credibility in the eyes of contracting officers who need to find that somebody has found your accounting system to be adequate. If you don’t get an official-looking attestation report on letterhead, the value of that outside review decreases dramatically.

For a real-life example of what can go wrong, let’s look at a recent bid protest decision filed at the U.S. Court of Federal Claims, in the matter of FreeAlliance.com LLC v. U.S. (H/T to WIFCON.com.) FreeAlliance was a bidder for a National Institutes of Health (NIH). The RFP was specific regarding certain requirements. It stated that offerors “must have verification . . . of an accounting system that has been audited and determined adequate for determining costs applicable to this contract in accordance with FAR 16.301.”

According to the COFC decision—

NIH authorized offerors to provide verification by any one of four sources: (1) the Defense Contract Audit Agency (‘DCAA’); (2) the Defense Contract Management Agency (‘DCMA’); (3) any federal civilian audit agency; or (4) a third-party Certified Public Accounting (‘CPA’) firm. In the event any member of a CTA relied on a third-party CPA, the verification had to be on the letter head of the third-party CPA and certified by a CPA.

Finally, the verification instruction provided that the proposal must include:

[A] contact name and contact information (i.e., phone number, address, email address) of its representative at its cognizant DCAA, DCMA, federal civilian audit agency, or third-party accounting firm and submit, if available, a copy of the Pre-Award Survey of Prospective Contracting Accounting System (SF 1408), provisional billing rate, and/or forward pricing rate agreements.

FreeAlliance had an official DCAA audit report discussing the adequacy of its accounting system. However, its two team members (HealthTech Solutions and NISH Consulting) did not have a DCAA report; instead, they chose to engage third-party CPA firms to evaluate their accounting systems. According to the COFC decision—

Neither verification was submitted on a third-party CPA letterhead. Instead, both verifications were on a brief form, not furnished by the agency. The form recites that ‘[i]n support of the CIO-SP3 Ramp On proposal, the below company has been or is proposed as part of the Contractor Team Arrangement. Determination of compliant and adequate accounting system is marked necessary for performance under this subcontract. This form or representative certification is therefore [required].

HealthTech added that it used a “DCAA-compliant” accounting system and it had purchased a “DCAA-compliant” timekeeping system. It also noted that it had engaged a third-party to review the design of its accounting system controls. NISH Consulting said even less than HealthTech did. Readers should note that there is absolutely no such thing as a “DCAA-compliant” accounting system or timekeeping system. The most that can (or should) be claimed is that such systems can facilitate compliance with FAR requirements when properly implemented and consistently applied. Further, readers will note that neither HealthTech nor NISH Consulting complied with the RFP requirements.

Unsurprisingly, the FreeAlliance team was tossed from the competition. From the decision: “NIH noted that the verification ‘simply stated that the accounting system was found to be adequate; it does not state that the accounting has been audited and determined adequate for determining costs applicable to the contract in accordance with FAR 16.301-3(a)(1) as is required.”


FreeAlliance filed a protest at GAO. It was not sustained. FreeAlliance then filed another protest at COFC. It’s protest was similarly not sustained. Let’s quote from the decision—

In the procurement process, the offeror is responsible for ensuring its proposal complies with the requirements of solicitation; the agency has no duty to correct an offeror’s mistakes during the procurement process. The RFP provided four options for verifying an adequate accounting system: DCAA audit, DCMA audit, a federal civilian agency audit, or a third-party CPA audit. The first two options demonstrate that the agency was seeking substance in its verification of an adequate accounting system. A DCAA or DCMA audit would be performed according to a standard that would assure the government that the offeror could adequately track and account for its costs under a cost reimbursement contract.

FreeAlliance itself elected to submit to a DCAA audit, which provided a detailed review of the adequacy of its accounting system to determine costs applicable to a contract.

On the other hand, FreeAlliance’s CTA members submitted verifications using the third-party CPA option. Any verification was required to provide that the system have been ‘audited and determined adequate for determining costs applicable to this contract in accordance with FAR 16.301-3(a)(1).’ In addition, when using a third-party CPA, ‘the verification letter shall be on the letter head of the third-party CPA firm . . . .’ Neither HealthTech nor Nish provided a verification on CPA letterhead. The origin of their verification forms is uncertain; FreeAlliance stated during oral argument that they were likely from a past solicitation.

… FreeAlliance had the responsibility of meeting the RFP requirements and now bears the burden to prove that the agency was arbitrary and capricious in excluding its proposal for noncompliance. We accept the government’s insistence on compliance with the letterhead provision, because the letterhead adds credibility to the third-party verification as contrasted with plaintiff’s form, which is devoid of any comparable authentication. Further, the agency did not act arbitrarily when it read HealthTech’s footnote to mean that the required verification had not yet occurred. HealthTech’s verification was noncompliant due to its lack of third-party CPA letterhead. When the format error is combined with the ambiguous, limited substance, NIH chose a reasonable response of deeming the verification unacceptable.

… Nish’s verification similarly lacks a CPA letterhead and provides no detail regarding the depth or type of review or that the system is adequate for determining costs applicable to the contract.

Due to the deficiencies, the agency’s review of this form was not arbitrary.

[Internal citations and footnotes omitted.]

So take this lesson to heart. If you decide to bypass DCAA—and there are definitely times when that would be the correct decision—make sure that you obtain from your third-party auditor a formal report on letterhead, one that establishes the work that was performed as well as the associated results of those efforts. If you fail to do so, you may have just wasted your money.




In March 2009, Nick Sanders’ article “Surviving Government Audits: Have the Rules of Engagement Changed?” was published in Government Contract Costs, Pricing & Accounting Reports (4 No. 2 GCCPAR P. 11). Apogee Consulting, Inc. is proud to announce that Mr. Sanders’ article was selected for reprint and publication in Thomson West’s The New Landscape of Government Contracting.  Mr. Sanders, Apogee Consulting’s Principal Consultant, joins such distinguished contributors as Professors Steven Schooner and Christopher Yukins, Luis Victorino and John Chierachella, Joseph West and Karen Manos, Joseph Barsalona and Philip Koos and Richard Meene, and several others.  The text covers a lot of ground, ranging from the American Recovery and Reinvestment Act (ARRA) to Business Ethics and Corporate Compliance, and includes several articles on the False Claim Act and the Foreign Corrupt Practices Act.  In addition, the text includes the full text of many statutory and regulatory matters affecting Government contract compliance.


The book may be found here.