• Increase font size
  • Default font size
  • Decrease font size
Home News Archive DCAA Audit Quality: Lessons Learned from the Brouhaha

DCAA Audit Quality: Lessons Learned from the Brouhaha

Wednesday, 07 October 2009 00:00 administrator
E-mail Print PDF

lessons learned

Having waded through reports, testimony and reaction, we thought we’d see if there are any lessons to be learned from all the brouhaha surrounding alleged failures of DCAA audit quality and DOD contractor oversight.

 

Contractor Internal Control Systems

 

Generally, everybody got it right that the key to controlling the unholy trinity of waste, fraud, and abuse is the robustness of contractors’ internal control systems.  The Commission on Wartime Contracting said that “contractor business systems and internal controls are the first line of defense … weak control systems increase the risk of unallowable and unreasonable costs on government contracts.”

 

But there was some confusion regarding exactly which “key business systems” a DOD contractor was supposed to have.  The Commission on Wartime Contracting (CWC) listed ten control systems from right out of the DCAA Contract Audit Manual (CAM).  But the Government Accountability Office (GAO) noted that not every contractor has every one of these ten systems and pointed out how DCAA auditors had wasted considerable time auditing one Federally Funded Research and Development Center’s nonexistent billing system according to the requirements of the DCAA standard audit program, and recommended that the billing system be determined to be “adequate” even though it didn’t exist.

 

As the GAO reported, “a contractor must have an adequate accounting system to be awarded a government cost-reimbursement contract, an adequate billing system to submit invoices for payment without government review, and an acceptable estimating system to support a contracting officer’s approval of pricing proposals.”  Other systems, such as purchasing controls, are mandated by FAR requirements.  It is not at all clear why the other systems in the list of controls are audited by DCAA.

 

Lesson Learned: DCAA needs to determine which internal control systems it will audit, and ground that determination in the requirements of the acquisition system.  (Indeed, Director Stephenson testified that “we are currently assessing the type of systems DCAA will need to audit and the type of opinion to be provided.”)  Further, DCAA needs to build flexibility into its standard audit programs.  Not every contractor will have the same slate of business systems, and part of learning about a contractor should be the documentation of the contractor’s unique approach to establishing its internal controls.

 

 

Evaluating Contractors’ Internal Control Systems

 

This is another area that most stakeholders got right.  The part they got right was agreeing that DCAA hasn’t gotten it right.  DCAA’s December 2008 change to its audit programs, establishing a binary “pass/fail” rating system for contractor internal control systems has led to audit reports that “are not informative enough to help contracting officers make effective decisions,” according to the CWC.  The CWC asserted that the new guidance resulted in “many more adverse audit opinions,” but also “undermined the significance of audit findings and weakening their effectiveness.”  The DCAA’s approach “does not adequately depict relative degrees of impact … [and] contracting officers need audit opinions with clear and quantifiable risk information.”  Further, DCAA’s failure to always “estimate a cost impact for the deficiencies it has identified” does not help the contracting officers who “balances the cost risk against the importance of the mission.” Finally, the CWC also noted that “there is no regulatory requirement for DCAA to render an overall opinion regarding the adequacy of many of the 10 business systems audited by DCAA. In fact, with respect to audit resolution procedures, DoD FAR Supplement (DFARS) 242.7502 instructs the contracting officer to consider significant deficiencies as opposed to an overall opinion regarding adequacy.”

 

The GAO agreed, reporting that “professional standards have long recognized different levels of severity with regard to reporting deficiencies and material weaknesses in internal controls.”  Moreover, the GAO stated—

 

By eliminating the “inadequate-in-part” opinion, the new policy does not recognize different levels of severity and could unfairly penalize contractors whose systems have less severe deficiencies by giving them the same opinion—”inadequate”—as contractors having material weaknesses or serious deficiencies that in combination would constitute a material weakness.

Lesson Learned: The DCAA needs to revise its audit guidance with respect to evaluations of contractors’ internal control systems. The audit agency needs to focus on identification of control weaknesses and system deficiencies, and on giving DCMA contracting officers the necessary information to evaluate the overall adequacy of the control systems.  If they feel compelled to make a recommendation to the contracting officers, it should be solidly grounded in testing of the internal controls.

 

 

Evaluating Contractors’ Codes of Ethics/Business Conduct and Internal Control Systems

 

The GAO surveyed 57 DOD contractors and found nearly 100% had established compliant codes of ethics and business conduct, as well as related internal control systems. The GAO report found that there was a bit of a gap in the verification of contractor compliance with the requirements; DCMA is relying on DCAA’s evaluation (which takes place as part of DCAA’s evaluation of the overall control environment and accounting system controls) but DCAA will be issuing its current “pass/fail” rating—which, as noted above—will not be particularly helpful to the DCMA contracting officers.

 

The GAO noted that ““the sentencing guidelines … state that the failure to prevent or detect a particular offense does not necessarily mean that the program is generally ineffective in preventing and detecting criminal conduct.”  Since the contractor ethics and disclosure requirements are based on those sentencing guidelines, one would hope that DCAA audit guidance would incorporate that philosophy.  Unfortunately (as we reported), such is not the case. The current pass/fail DCAA system rating approach will not mesh with the U.S. Sentencing Commission guidance and, unless DCAA changes its approach, contracting officers are going to be stuck in the middle (once again).

 

Lesson Learned: DCAA needs to pull its evaluation of codes of ethics/business conduct and related contractor controls out of its current audit program and create a separate audit program to focus on this area.  The audit program should accept that no system of internal controls will be perfect, and permit the reporting of individual deficiencies instead of an overall system rating.

 

< Prev   Next >
 

Newsflash

Effective January 1, 2019, Nick Sanders has been named as Editor of two reference books published by LexisNexis. The first book is Matthew Bender’s Accounting for Government Contracts: The Federal Acquisition Regulation. The second book is Matthew Bender’s Accounting for Government Contracts: The Cost Accounting Standards. Nick replaces Darrell Oyer, who has edited those books for many years.