
DCAA Delivers New Accounting System Audit Procedure

Way back in 2011/2012, the world changed.

Suddenly, contractor “business systems” were in the spotlight, and the larger contractors were subject to punitive payment withholds if any of their six business systems were found by government reviewers to have “significant deficiencies”—which was a code word for any failure to satisfy those reviewers with respect to overtly subjective criteria that were not actually very auditable.

The government quickly realized that it lacked resources to implement, in any effective manner, the necessary process steps envisioned by Congress and the DAR Council. Consequently, the six business systems were divided into two groups, with one group (Purchasing, Property, and Earned Value) being reviewed by DCMA and the other group (Estimating, MMAS, and Accounting) being reviewed by DCAA. To be clear: DCMA always retained the authority and responsibility for determining whether or not contractor business systems were “adequate,” but each agency was given three business systems for which it had the “lead” role in evaluating.

DCAA has struggled since that time to fulfill its commitments with respect to the three business systems for which it has the lead role. Things had gotten so bad for the resource-limited (or management-limited) audit agency that, in 2014, a proposed rule would have pushed the evaluation burden to contractors and “independent” outside entities. (That proposed rule crashed and burned, which was unfortunate for both DCAA and those outside entities that would have cashed in from it.)

One of DCAA’s challenges has been development of an audit program that would facilitate a timely review of a contractor’s accounting system. The early “pilot” programs took as long as three years to issue a draft audit report, which was no good for GAGAS compliance. GAGAS (at 6.60, 2011 version) requires that audit evidence be “appropriate” to support any conclusions reached. The term “appropriate” is defined to include the concepts of relevance, validity, and reliability. As GAGAS states (at 6.60b, 2011 edition), “Validity refers to the extent to which evidence is a meaningful or reasonable basis for measuring what is being evaluated. In other words, validity refers to the extent to which evidence represents what it is purported to represent.” Accordingly, if DCAA collected evidence in Year 1 of the audit but didn’t reach (or publish) an opinion until Year 3 (or Year 4), then there was a reasonable chance that the evidence was no longer valid, and thus was not appropriate … meaning that there was likely to be a GAGAS deficiency with respect to that opinion. Not good for an agency that has struggled to comply with GAGAS for the past decade, and only received a passing grade on its last external peer review by having that reviewer (the DoD OIG) determine that a 15 percent deficiency rate was good enough for government work. (Seriously. See our 2014 article on the topic, which prompted us to suggest publicly that the DoD OIG had an independence problem and should no longer perform external quality reviews of DCAA.)

Anyway, DCAA has struggled with GAGAS compliance and it has struggled with issuing timely audit reports of decent quality to its customers. In a perfect world, DCAA would like to audit its three contractor business systems once every three years, but if it takes three years (or more) to audit an accounting system, then that goal is going to be hard to attain.

What’s an audit agency to do?

Answering that question has been hard, which is one reason that DCAA has been without an audit program that would tell auditors how to audit a contractor accounting system for quite some time.

To be clear, DCAA has had a pre-award accounting system procedure (audit program 17740), and it has had a post-award audit system procedure for “non-major” contractors (i.e., the small fish not subject to the full contractor business system oversight regime) (audit program 17741); but the audit program for the major contractors—the ones subject to the punitive payment withholds for any “significant deficiencies”—has been missing in action for a couple of years.

DCAA rectified that gap in October, 2018, when it posted audit program 11070 (“Accounting System Audit” or, more formally and correctly, “Compliance with DFARS 252.242-7006 Accounting System Administration Requirements Audit”). Here’s a link to that audit program.

As described in the audit program, its purpose and scope are as follows:

The compliance with DFARS 252.242.7006, Accounting System Administration requirements audit is conducted to examine contractor compliance with the system criteria as prescribed in section (c), System Criteria. As a part of the examination, auditors will:

  • Obtain an understanding of the contractor’s compliance with DFARS 252.242-7006(c);

  • Determine if the contractor is compliant with the accounting system criteria prescribed in DFARS 252.242-7006(c); and

  • Report both significant deficiencies/material weaknesses and less severe than significant deficiencies/material weaknesses that require the attention of those charged with governance.

The first question that comes to mind is: what if a contractor is not subject to the DFARS accounting system adequacy criteria? For example, what if a contractor has only EPA or DOE contracts? How will DCAA audit those contractors? The audit program answers that question. It states:

Contractors that do not have DoD contracts … are not contractually required to comply with the DFARS criteria. Nevertheless, the DFARS criteria are suitable standards to use in determining the acceptability of any Government contractor’s system for the accumulation and billing of cost under Government contracts.

If this audit program is used for contractors that have only non-DoD contracts, the language in the audit report shell will need to be tailored accordingly. FAOs needing assistance in tailoring the audit report should coordinate with the regional/CAD technical programs division and Headquarters PAS.

Well, shoot. There you go. Even if you are not subject to the 18 accounting system criteria established by the DFARS, you are still subject to them—according to DCAA.

Part of the new audit approach is to have DCAA auditors request any other audits or studies that may be relevant to the accounting system—to expressly include internal audit reports and external audit reports of financial statements. As the audit program states, “The purpose of this question is to discover any new audit leads that could affect the scope of current audit.”

Another aspect of the audit program that interested us was how it mashed prior DCAA audit approaches into a new framework. In the historic days before 2011/2012, DCAA had 10 contractor internal control systems it evaluated, including such systems as Billing and Labor Accounting. Those systems were eliminated and replaced by the six DFARS business systems.

But we noticed that they are back in the new accounting system audit program. For example, Section D-1 is entitled “Billing System” and Section E-1 is entitled “Labor Accounting.” Apparently, everything old is new again.

Even though the audit program looks familiar, there are some new focus areas worth noting. Perhaps the most challenging of the new focus areas is the emphasis on Information Technology (IT) and IT-related controls. For example, audit steps to be performed include:

  • Have contractor provide overview of IT Organization Structure to demonstrate its ability to act independently. For example, the overview should fully discuss IT management and organization (e.g., centralized or decentralized, shared services, business unit, geographical organization, etc.).

  • Have contractor provide overview of computer operations to include computer processes and control points for system integrity and reliability of all activities impacting the system’s physical operations.

  • Have the contractor provide an overview of the ERP Data Flow Architecture (process map). The presentation should include descriptions of all ERP modules, submodules, subsystems, other applications, databases, external data warehousing system, interface tables, etc., and controls, processes and interface tools for ensuring integration. If Legacy environments exist, include index of modifications contained within system documentation record.

  • Have the contractor demonstrate all third party IT service providers, type services, and the controls and processes for monitoring performance. Obtain IT service providers’ contract agreements and service level agreements covering the roles and responsibilities, expected deliverables and policy and procedures for monitoring third party IT service providers.

  • Have the contractor demonstrate the security techniques and related management procedures (e.g., network topography, to include identification of firewalls, security appliances, gateways, DMZs, network segmentation, intrusion detection, etc., and the identification and location of hardware and software) to authorize access and control information flows from and to networks that provide assurance of processing and data integrity associated with the contractor’s accumulation, processing, recording and reporting of Government costs.

  • Have the contractor demonstrate controls and processes for monitoring IT security implementation, infrastructure and related events for prevention, detection and timely reporting of unusual and/or abnormal activities and maintaining logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations.

  • Have the contractor provide overview of logical security controls for protection of computer resources against unauthorized use, modification, damage or loss (user levels are controlled and identified, logical access restrictions are controlled by passwords and logical access is recorded and monitored).

  • Have contractor provide policies and procedures for process of software acquisition, development, and modification for maintaining data integrity.

The foregoing steps may be new but they are not really unexpected, are they? The government’s recent emphasis on cybersecurity (see, e.g., the new DFARS contract clause 252.204-7012) means that DCAA should emphasize it as well. The point is: be prepared for inquiries into the above areas.

We will have to see whether or not the new audit program can be performed in a timely manner. Our opinion—based on past experience with similar audits—is that the long pole in the tent is going to be all the new IT-related stuff we listed. Our experience tells us that DCAA auditors with sufficient qualifications to both understand and evaluate contractors’ IT systems and controls are in short supply. Consequently, the audit schedule will need to take into account obtaining those scarce audit support resources and keeping them focused on the audit assignment in front of them, while fending off attempts to “steal” those resources away to support other audits.

Anyway, we’ll see how it goes.

 
