Eventually one learns that the Defense Contract Audit Agency (DCAA)—the auditors with whom most government contractors interact—maintains a file on each contractor, in which Internal Control Questionnaires, CASB Disclosure Statements, audit reports (especially Mandatory Annual Audit Reports), and the like are stored so that they can be reviewed during risk reviews and other activities. It’s like a contractor’s Permanent Record. In fact, it’s called the “Perm File.”

The DCAA Contract Audit Manual states (at 3-204.3)—

When developing the audit scope, review the permanent file (including assessments of internal control system and control risk summarized on the internal control assessment planning summary sheets or internal control questionnaires, and audit lead sheets) and prior audit work packages to determine what data are available, what audit steps were done in the past, and the findings from those steps. This may identify areas where additional audit work is advisable (i.e., areas of high risk) or where audit scope can be reduced (i.e., areas of low risk).

After the revelation that DCAA maintains Perm Files, one soon learns that the Perm File isn’t as permanent, or as comprehensive, as anybody would reasonably think it would be. As a contractor, when DCAA asks for something you already provided a year or two ago, you’d like to say “go pull it from the Perm File.” But then the auditor looks at you funny and shakes their head. It’s not there. Chances are, nobody updated the Perm File when they should have. Or maybe it was updated but the auditor can’t find what they’re looking for. Or maybe they can’t actually find the Perm File. Auditors use judgment to determine what goes into the Perm File; maybe one auditor’s judgment differed from another’s. You don’t know and the auditor probably doesn’t know. The reason doesn’t matter; all you know is that the Perm File isn’t really what you thought it was and it isn’t what reasonable people would reasonably expect it to be.

To be clear, not everything is supposed to go into the Perm Files. The audit working papers (stored electronically via CaseWare) normally do not; they eventually end up at the National Archives and Records Administration (NARA). Which is about as deep as we are going to go into that. A Google search led us to DCAAM 5015.1 (“Files Maintenance and Disposition Manual”) but the document that came up was dated 2001 and signed by Bill Reed, so we’re not going to delve into it. Try to contain your disappointment.

What we do want to talk about is a new MRD, dated September 29, 2020, entitled, “Guidance on the Contractor Information Survey (CIS).” What is the CIS? According to the MRD, the CIS is “a tool for obtaining information about contractors to assist the audit team in identifying potential areas where future audit effort may be warranted.” In addition, the CIS “will assist the audit team in understanding the contractor’s organizational structure and business, the overall design of the contractor’s accounting system, and basic information related to internal control.”

Sounds a lot like a Perm File, doesn’t it?

However, unlike a Perm File, the CIS is not to be used “as an integral part of the risk assessment process.” In the MRD, the word “not” is bolded.

Which makes us wonder. If the CIS is not a part of the risk assessment process (unlike a review of the Perm Files per DCAAM 3-204.3, as quoted above), then what exactly is it to be used for? What value does it add? Because if it doesn’t add any value, then completing it is just wasted time.

The good news is that it’s DCAA’s time to waste. It seems clear from the MRD that the auditors complete the CIS, and not contractor personnel. But still … we’ve all been there, right? We’ve all helped our auditors complete their required documentation because doing so helps ensure it is accurate, and because doing so get’s the audit completed that much faster. We have to wonder how much of the CIS will really be completed by the auditors, and how much will end-up getting handed-off to a contractor.

Another piece of good news is that the CIS is aimed primarily “at smaller contractor locations where they have had little or no audit effort in three to five years.” Remember, under the new DCAA risk-based incurred cost audit selection process (which really isn’t new at this point), some contractors may go years with an audit of final rates or incurred costs. (We think this is a bug, not a feature; but nobody else seems to care much about it.) Thus, the apparently role of the CIS is to document information about those contractors in between the very infrequent DCAA audits.

The CIS (Version 1.0) includes three parts, as follows:

• Part A assists in understanding the contractor’s organizational structure, size, complexity, and business base.

• Part B assists in understanding the design of the contractor’s accounting system and basic information related to internal control.

• Part C provides for the auditor’s identification of potential recommended activities for future planning.

If you look at the questions the auditors are supposed to answer, you get the feeling that they will be reaching out to contractors. For example, how are the auditors supposed to answer the following question? “Have there been any changes in the last two years, or are there plans to implement future changes, in the methods used to account for or allocate costs?” Or what about “Use the embedded Excel file to document the contract/subcontract information for contracts awarded in the previous FY.”

We are thinking that the smaller contractors who have escaped in-depth DCAA audits, because they are “low-risk contractors,” are going to be getting some phone calls and/or emails in the near future….