A Unique Approach to Timekeeping Fraud
As far as we knew, the epitome of timekeeping fraud wasn’t mis-reporting actual time worked but, instead, altering FICA (Social Security) withholdings to inflate amounts withheld on an employee’s W-2, which would then entitle that employee to a corresponding tax credit. That was the most creative approach we knew.
But then came Michelle Holt, a secretary with U.S. Air Force, Air Combat Command, Communication Support Squadron, at Joint Base Langley-Eustis. She took creative timekeeping fraud to the next level, raising the bar for the next fraudster.
Ms. Holt was a salaried employee on the General Schedule (GS) grade for the federal civilian workforce. As such, she was entitled to overtime pay if authorized by her employer, was also entitled to other forms of holiday and annual leave, and premium pay for any federal holidays worked.
According to this Department of Justice press release—
Holt falsely claimed over 42,000 hours in unauthorized overtime for hours she did not work, as well as other amounts of unauthorized holiday leave, sick leave and annual leave, all amounting to losses to the United States of more than $1.4 million. In recent years, Holt’s overtime pay was over double that of her regular salary.
The timekeeping fraud was perpetrated for nearly 17 years, apparently with nobody being the wiser that one employee had found a means to effectively triple her secretary’s salary through claiming overtime hours (among other things) for which she did not work. To put that fraud into perspective, that’s about 2,500 hours of overtime claimed per year. And nobody noticed.
How did Ms. Holt accomplish this feat? According to the DOJ—
Holt accomplished the fraud by making manual retroactive adjustments to protected computer time and attendance systems to add overtime, reverse leave taken and reverse holiday leave. In doing so, Holt used another employee’s log-in information without that employee’s knowledge or authorization.
Essentially, then, Ms. Holt falsified her identity with respect to accessing the timekeeping system and made “manual retroactive adjustments” to change her timekeeping records after they had been reviewed and approved by her supervisor. By doing so, she bypassed one of the primary timekeeping controls, which is that somebody reviews and approves the timecard before it is entered into the system.
Nice.
Ms. Holt was sentenced to four years in prison plus she was ordered to repay the $1.4 million she had obtained from her scheme.
Now that we know this is a possibility, now that we know somebody can bypass a supervisor’s review and manipulate the labor data after it has been input, how might we detect such wrongdoing?
First, let’s look at overtime. What kind of compensatory control can we devise?
We can run a report, either monthly or quarterly or annually, that shows overtime hours recorded by salaried employees (or by hourly employees). We can organize that report from highest to lowest. We can decide that anybody recording less than a certain amount of overtime hours can be dropped from the report. For example, let’s run the report quarterly and say that anybody recording less than 40 hours of overtime in a 13-week quarter will not be reported—but that anybody who recorded more than 40 hours will be reported, and that we want to see who recorded the most right at the top of the report.
Had such a report been run, we bet Ms. Holt, who was claiming roughly 625 hours of overtime per quarter, would have been right at the top.
A simple phone call to Ms. Holt’s supervisor would have revealed that the timecards that had been approved did not have such quantities of overtime hours on them … which would have led to further investigation, we presume. In other words, Ms. Holt’s scheme would have come to light within the first quarter or two of being initiated, rather than surfacing only after nearly 17 years had passed.
Now let’s talk about the Paid Time Off (PTO) manipulations.
How about we design a report that shows the PTO elements by employee, including starting and ending balances? Let’s run that report once a year.
For the average employee, there will be a starting vacation (leave) balance and an ending vacation balance. The ending balance will equal starting balance plus annual leave earned during the year, minus any leave taken. If the employee didn’t take any leave then the ending balance will equal the starting balance plus the annual accrual.
Let’s limit our report only to those employees who didn’t take any leave during the year—i.e., to those employees whose ending balance equals starting balance plus annual accrued leave. There won’t be that many employees who are on that report, because most employees take vacations. (In fact, if you work at a bank you are required to take vacations.)
For those few employees on that list, we’ll make a phone call to the supervisor to confirm that the employee didn’t take any vacation during the year. (Most supervisors know if their employees were out for a week or two; often it’s on a calendar somewhere.) If the supervisor indicates that the employee did indeed take a vacation (leave) during the year, then we’d follow up with further investigation.
Again, if we implemented that compensatory control, any shenanigans would come to light within a year or so.
Finally, holiday leave. Each company has its own holiday policy but every government contractor offers at least the Federal minimum holidays. There are 10 Federal holidays. Let’s assume eight labor hours a day. Eight times ten = 80 hours of holiday time per year. That’s what we expect to see. Sure, there are times when people work on holidays, but those exceptions are known.
We can design a report that identifies any employee who recorded less than 80 hours of holiday time per year. (You can tailor the report to match your company’s holiday policy.) There will not be very many employees listed on that report.
For each employee listed, we will make another phone call. If we learn that the supervisor was unaware an employee had worked through a holiday, we’ll investigate further.
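The three reports just described, as an added example that is not part of the original post and not code from any actual labor accounting system: a Python script that runs the overtime report with the post's 40-hour quarterly threshold, the "no leave taken" report built from the balance identity (ending equals starting plus accrual), and the "fewer than 80 holiday hours" report, then collapses all three into a single list of supervisors to call. The employee and supervisor identifiers and the hours are constructed placeholders; the 625-hour overtime figure in the sample mirrors the post's per-quarter estimate for the flagged case.

```python
"""Three compensating-control reports over labor-accounting data.

Added example, not code from the original post and not any real timekeeping
system's code. All employee records below are constructed.
"""
from dataclasses import dataclass
from math import isclose

OVERTIME_THRESHOLD_HOURS = 40.0   # per 13-week quarter, per the post
FEDERAL_HOLIDAY_HOURS = 10 * 8.0  # 10 federal holidays x 8-hour day = 80


@dataclass(frozen=True)
class QuarterlyLabor:
    employee: str
    supervisor: str
    overtime_hours: float


@dataclass(frozen=True)
class AnnualLeave:
    employee: str
    supervisor: str
    starting_balance: float   # leave hours on the books at start of year
    annual_accrual: float     # leave hours earned during the year
    ending_balance: float     # leave hours on the books at end of year
    holiday_hours: float      # holiday leave hours recorded during the year


def overtime_report(records, threshold=OVERTIME_THRESHOLD_HOURS):
    """Employees recording more than `threshold` overtime hours, highest first."""
    flagged = [r for r in records if r.overtime_hours > threshold]
    return sorted(flagged, key=lambda r: r.overtime_hours, reverse=True)


def no_leave_taken_report(records):
    """Employees whose ending balance equals starting balance plus accrual,
    i.e. no leave was charged all year (tolerance absorbs float rounding)."""
    return [r for r in records
            if isclose(r.ending_balance, r.starting_balance + r.annual_accrual,
                       abs_tol=0.01)]


def holiday_shortfall_report(records, expected=FEDERAL_HOLIDAY_HOURS):
    """Employees who recorded fewer holiday hours than policy expects."""
    return [r for r in records if r.holiday_hours < expected]


def supervisor_call_list(quarterly, annual):
    """Merge the three reports into (supervisor, employee, reason) tuples,
    since each control ends in the same phone call to the supervisor."""
    calls = []
    for r in overtime_report(quarterly):
        calls.append((r.supervisor, r.employee,
                      f"{r.overtime_hours:.0f} overtime hours this quarter"))
    for r in no_leave_taken_report(annual):
        calls.append((r.supervisor, r.employee, "no leave charged all year"))
    for r in holiday_shortfall_report(annual):
        calls.append((r.supervisor, r.employee,
                      f"only {r.holiday_hours:.0f} holiday hours recorded"))
    return calls


# Constructed sample data (placeholder identifiers, not real employees).
SAMPLE_QUARTER = [
    QuarterlyLabor("E1001", "S01", 12.0),
    QuarterlyLabor("E1002", "S01", 625.0),  # the post's ~625 hours/quarter pattern
    QuarterlyLabor("E1003", "S02", 40.0),   # exactly at threshold: not reported
    QuarterlyLabor("E1004", "S02", 55.5),
]

SAMPLE_YEAR = [
    AnnualLeave("E1001", "S01", 120.0, 160.0, 200.0, 80.0),  # charged 80 hours of leave
    AnnualLeave("E1002", "S01", 240.0, 208.0, 448.0, 56.0),  # no leave charged; 3 holidays "worked"
    AnnualLeave("E1003", "S02", 40.0, 104.0, 104.0, 80.0),   # charged 40 hours of leave
    AnnualLeave("E1004", "S02", 0.0, 104.0, 104.0, 80.0),    # new hire, no leave taken (benign)
]

if __name__ == "__main__":
    for sup, emp, reason in supervisor_call_list(SAMPLE_QUARTER, SAMPLE_YEAR):
        print(f"call {sup} about {emp}: {reason}")
```

The sample deliberately includes a new hire with no leave taken, because the "no leave" report will surface benign cases like that alongside the suspicious one; the supervisor call is what separates them, which is the point of the post's control. Run against a real export, the quarterly list is the one to sort and read from the top.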
The point is, this is not rocket science. The labor hour information you need is almost certainly in your labor accounting system. All you have to do is to design and run the reports, and then have the wherewithal to make the (few) phone calls required.
By the way, if you learn that the employee’s hours were legitimate but the supervisor was clueless about hours worked (even though that same supervisor signed-off on the timecards), then you will have learned something valuable about your primary timekeeping accuracy control. And you will also have learned something valuable about the competency of that supervisor.
We would thank Ms. Holt for prompting us to think along these lines, but that “thanks” doesn’t seem appropriate at this time. Maybe we’ll offer them in four years, or perhaps earlier if she receives time off for good behavior.
Cyber-Security and CPSRs
There are those who listen and prepare, and there are those who do not listen and are therefore surprised. Which are you?
Which is your company?
Let’s find out.
Question #1: How long has Apogee Consulting, Inc. been warning its clients and blog readers about the importance of cyber-security?
Answer: Nearly 10 years. Our first article that mentions cyber-security was posted in November, 2009. We wrote: “We frequently report on advances in aerospace and defense technology. As the AW&ST article reminds us, our adversaries are making advances as well, perhaps in areas in which we are vulnerable to exploitation. In 21st century warfare, securing the lines of command, control, communications, and computers (C4) and making effective use of ISR information may be more important than securing the lines of supply.”
It would not be our last article on the topic. Just a few months later, we discussed some proposed DFARS contract clauses and opined that “it seems entirely appropriate for the DOD to consider issuing basic standards of minimum cyber protection to its industrial base, and to require reporting (including root cause analyses) when network breaches occur and data is compromised. And we applaud the opportunity offered industry to help shape the rule and its implementation. We hope knowledgeable companies will help DOD craft a good rule that is easily implementable. After that, companies will need to comply with the requirements of the new contract clauses, or else risk accusations of breach of contract (or worse).”
Those early articles were followed by many more. Our point is: had you listened and acted, you would have had nearly a decade to get ready for DOD’s current emphasis on cyber-security.
Question #2: Is your Purchasing System cyber-ready?
Answer: Probably not. It caught many folks by surprise when DOD decided to verify contractors’ cyber-readiness and cyber-compliance via reviews of contractor purchasing systems (CPSRs). It was only last month that DOD’s approach became apparent. We told you about the situation almost immediately.
Question #3: Forget cyber-security. Let’s talk about good ol’ supply chain management. You know: interaction with suppliers after award of a subcontract. Does your company place the proper emphasis on that aspect of program management?
Answer: Almost certainly not. And it’s a shame, too. Apogee Consulting, Inc. is not just a bunch of beancounters; we have chops in the program management space as well. And with respect to supply chain management, we have been exhorting readers to focus on this area for, quite literally, years. Here’s one good example from 2010, where we told readers “The risks demand a serious and near-term response. Our goal should be to establish a “product pedigree” for our supply chain through creating an unbreakable chain of custody from first source through the various manufacturing and fabrication and assembly and finishing steps.” That was nine years ago. And that wasn’t even our first article on the topic! We continued to beat that drum over the past nine years, including this straight-in-your-face posting (also from 2010) that opined: “Listen, folks: Whether you call it Supply Chain Management, supplier management, or subcontractor management, it is the key to success. Period.” (Emphasis in original.)
And so, having recited the litany of our reporting on this issue, having clearly supported the assertion that “we told you so,” we now tell readers that the latest DCMA CPSR Guidebook has been updated. In the words of one contractor’s purchasing compliance lead, the result is “ugly” for contractors. Appendix 24 of the Guidebook states—
When DFARS 252.204-7012 is applicable, the contractors must implement the security requirements specified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The Contractor's purchasing system will be evaluated to assess that: (a) The contractor’s procedures ensure contractual DoD requirements for marking and distribution statements on DoD Controlled Unclassified Information (CUI) flow down appropriately to their Tier 1 Level Suppliers [and] (b) The contractor’s procedures to assure Tier 1 Level Supplier compliance with DFARS Clause 252.204-7012 and NIST SP 800-171.
That bit above is not really anything new; it is almost a verbatim recitation of the policy letter we discussed last month. But what may be “ugly” is the following direction to CPSR teams:
The PA should ask the contractor to demonstrate their ability to protect CUI in accordance with DFARS 252.204-7012 and NIST SP 800-171. The PA will review subcontracts/POs to determine if the contractor has flowed down DFARS 252.204-7012 in all applicable procurement files within the selected sample. The PA should validate that CUI is properly marked in procurement files containing DFARS 252.204-7012 and be aware that no CUI should be present in procurement files where DFARS 252.204-7012 is not included. The contractor must demonstrate how the CUI was transferred to their subcontractor. The PA should request that the contractor provide prime contracts containing CUI which was transferred to a subcontractor. The contractor must exhibit examples of CUI data transfers to demonstrate their ability to comply with this requirement.
(Emphasis added.)
But wait. There’s more:
It is becoming clear that the ability of a contractor to comply with DFARS 242.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) is going to affect how the CPSR team scores compliance with Purchasing System adequacy criteria associated with supply chain management.
To wrap this all up, you and your company should be ready for the CPSR review team’s questions in this area. You should do fine.
Unless, of course, you haven’t been reading this blog. In which case, this sudden emphasis on cyber-security and secure supply chains may be coming as an unpleasant surprise demanding quick and expensive action.
Or—and this would be worse—you’ve been reading our warnings in these areas and you’ve been ignoring them. These posts have just been rants for your amusement, not to be taken seriously. In which case, shame on you.
CASB Staff Discussion Paper – A Call to Reasonableness
The CAS Board recently issued a new Staff Discussion Paper (SDP) that covered conformance of CAS with GAAP requirements in general, and conformance of two specific Standards with GAAP. This article will not rehash the 49-page SDP in detail. Follow the link and read it for yourself.
Instead, we are going to focus on significant issues/questions raised within the SDP. These are issues and/or questions for which the CAS Board staff has requested input from stakeholders—including contractors. We will probably submit input (time permitting). Will you?
The SDP states—
The growth in GAAP content presents potential opportunities to modify or eliminate overlapping CAS requirements where GAAP standards may be applied reasonably as a substitute for CAS to support contract cost and pricing. Such reductions might help to reduce overall burden in the procurement process by allowing contractors to more heavily rely on GAAP, which they are already using to report on their daily business activities. … At the same time, rolling back CAS and relying on GAAP may create challenges where the standards are similar, but not the same, and leave the Government vulnerable to future GAAP changes that, as explained above, are implemented with a purpose that differs from the goals of CAS.
CASB organized the existing 19 Standards into four groups: (1) Standards focused primarily on cost measurement and assignment of costs to accounting periods; (2) Standards focused primarily on allocation of costs; (3) Standards with complex rules satisfying unique needs of Government contracting; and (4) Standards that are generally foundational principles of Government contracting.
Unsurprisingly, the Board started with examining the Standards associated with the first group, which includes CAS 404 (Capitalization of tangible assets), CAS 407 (Use of standard costs for direct material and direct labor), CAS 408 (Accounting for costs of compensated personal absence), CAS 409 (Depreciation of tangible capital assets), CAS 411 (Accounting for acquisition costs of material), CAS 415 (Accounting for the cost of deferred compensation), and CAS 416 (Accounting for insurance costs).
In this SDP, CASB focused on only two of the Standards in the first group: CAS 408 and CAS 409. The Board promised to issue another SDP focusing on “two other Standards in the first group,” which are currently unidentified but may include CAS 411, a Standard that is woefully outdated and does not address use of ERP systems to acquire goods via aggregated demand.
The Board has invited input regarding its planned approach. For example, is the grouping of the Standards appropriate? Have the Standards been bucketed in the correct groups? Has the Board properly prioritized its efforts?
Another issue for which CASB invites input is whether the existing CAS clause found at 9903.201-4 (“Cost Accounting Standards,” July 2011) should be revised “to protect the interests of the Government and contractors,” because the current language does not address noncompliances with GAAP. What do you think?
One problem may be that the single CAS clause found in the regulations has been split into seven separate solicitation provisions and contract clauses by the FAR Council (see 52.230-1 through 52.230-7). When discussing the single CAS clause, it is easy to get confused by the individual requirements of the FAR provisions/clauses. We suggest sticking to the CAS language since that’s the only thing CASB has authority to change. (Of course, if the CAS language changes, presumably the FAR Council would need to make conforming changes to their provisions and clauses.)
When looking at both CAS 408 and 409, the SDP asserts that GAAP largely covers the same requirements as CAS does. Of course, the coverage is not exactly perfect and gaps remain. (No pun intended.) Input to the Board should address whether the coverage is sufficient to permit elimination of the Standard(s) altogether, or whether the existing Standard should be rewritten to cover the remaining gaps in coverage. The answer may turn on whether the cost of compliance exceeds any foreseeable benefit that the contracting parties may receive. The opinion of contractors should carry significant weight.
For example, with respect to CAS 408 conformance, the SDP requests input on “whether the GAAP requirement of generally assigning the cost of benefits in the year the employee performed services upon which the benefit was earned would result in a materially different result than the requirement in CAS 408-40(a) to accrue only vested benefits earned.” Moreover, the SDP solicited input regarding “the magnitude of compensated personal absence costs that accumulate but don’t vest, as described in GAAP, taking into consideration the reduction for estimated forfeitures.” Importantly, the SDP requests input on noncompliances with CAS 408. The SDP asks for –
… facts and data of the history of CAS 408 non-compliance issues raised and how they were resolved. In particular, what is the frequency and magnitude of the issues identified on Government contracts? Furthermore, could the issue raised have been considered non-compliant with GAAP, other CAS or FAR?
Looking at CAS 409 conformance, the SDP requests input regarding “what detailed records contractors would keep and for what purpose (e.g., GAAP compliance) if the requirement in CAS 409 to support service lives with actual historic records was eliminated?” Additionally, the SDP solicits input “about the impact to estimated service lives used, if any, anticipated if the requirement to use estimated service lives based on contractor historical experience was eliminated?”
One potential issue identified by the Board is the CAS requirement to “assign to the transferor the gain/loss on disposition of an asset transferred in an other than an arms-length transaction and subsequently disposed of within 12 months of transfer”—a requirement not found in GAAP. Thus, the SDP requests input regarding “the frequency of such transfers and data about the magnitude of the gains/losses experienced on the assets transferred. In addition, how could the selection of service life, depreciation method, and residual value mitigate the risk of a significant gain/loss at disposition?”
Moreover, “The Board is interested in public comments about how contractors set residual or salvage values for categories of assets and the frequency that for a particular asset the residual value used for CAS and a salvage value used for GAAP are the same.”
Finally, as was the case with the CAS 408 discussion—
The Board is interested in public comments with facts and data of the history of CAS 409 non-compliance issues raised and how they were resolved. In particular, what is the frequency and magnitude of the issues identified on Government contracts? Furthermore, could the issue raised have been considered non-compliant with GAAP, other CAS or FAR?
In summary, it’s been a long time—roughly 15 years—since the CAS Board indicated significant interest in revising its regulations or Standards. Contractors are being offered a rare opportunity to help shape at least two Standards, with the promise of another opportunity to help shape two more in the future. We have written about several specific areas of input requested by the Board, and there are other areas buried deep in the CAS-to-GAAP comparison charts included in the SDP.
If you are concerned about the burdens and complexities of CAS compliance—and aren’t we all?—we urge you to read this SDP carefully and provide the Board with your constructive input. Importantly, if you can speak to the burdens the two Standards create and what savings might be achieved from reduction or elimination, we hope you will do so.
If you don’t speak up now, then we feel you will have no right to complain later if the regulatory revisions don’t go the way you think they should have.
OTs and NTDCs
We’ve written about nontraditional defense contractors (NTDCs) several times on this blog, the most recent of which is this article. We noted in that article that a new DFARS rule permitted contracting officers to treat goods and services offered by NTDCs as commercial items, meaning that no certified cost or pricing data would be required to support the prices being offered.
Which is, of course, a good thing—at least, if you are an NTDC. (NTDCs are defined as any business that “is not currently performing and has not performed any contract or subcontract for DoD that is subject to full coverage under the cost accounting standards … for at least the 1-year period preceding the solicitation of sources by DoD for the procurement.”)
Subsequently we noted that Don Mansfield had opined that the definition of an NTDC might result in the situation where every small business is potentially an NTDC (because, by definition, small businesses are exempt from CAS coverage). Don suggested that they would thus be eligible under DFARS 212.102(a)(iii) for Part 12 commercial item procurement procedures, regardless of whether the small business’ goods/services had been formally determined to be commercial items.
Well, maybe. It makes sense, but our experience tells us that when an interpretation of an acquisition rule makes sense, somebody is going to disagree with it.
Anyway, on March 5, 2019, the Acting Principal Director of Defense Pricing and Contracting (DPAC) issued a guidance memo regarding use of NTDCs and Other Transactions (OTs). The memo makes clear that the purpose of both OTs and NTDCs is to speed access to the innovative technologies of commercial entities.
*Sigh*
We have written many times about DOD’s love/hate relationship with innovation. It’s almost funny that DOD would love to have the innovation offered by commercial entities but doesn’t really want anything that might disrupt the status quo. Think we’re exaggerating? Check out our articles on Palantir’s attempts (including several lawsuits) to try to get a foot in the acquisition door in order to provide DOD with its leading intelligence fusion software.
DOD has an empirically proven love/hate relationship with innovation and with acquisition of commercial items, which is why both Congress and the Section 809 Panel keep telling DOD to do better in those areas. Over and over again.
So now comes another guidance memo that reminds contracting officers that DFARS permits use of streamlined acquisition methods, including OTs and NTDCs, to facilitate access to that sweet, sweet, privately developed innovative technology. But who will force the COCOMs to require that technology?
One more thing: the memo clarifies that, when a contracting officer uses the NTDC rule to acquire goods and services, that is not the same thing as making a commercial item determination (CID). The memo states “The decision to apply commercial item procedures to the procurement of supplies and services from a nontraditional defense contractor does not require a commercial item determination, and does not mean the supplies or services are commercial.”
That’s a good clarification. It’s consistent with the actual DFARS language. But it leads us to the question of whether an NTDC should insist on a CID rather than accept a quick-‘n’-dirty Part 12 acquisition. We mean, accepting streamlined NTDC procedures solves one immediate problem (submission of certified cost or pricing data), but it doesn’t really solve the underlying concern—which is to get DOD to accept a good or service as being a commercial item whose pricing is based on market forces rather than a detailed cost buildup.
In other words, it’s a bit of a trade-off.
The contractor has the leverage to the extent that DOD wants that cheap innovative technology, and once DOD has the tech, much of the leverage goes away. Why should DOD take the time and effort to consider a CID if it doesn’t need to? But if the CID isn’t made, then the contractor will be right back where it started from at the next acquisition. The problem will not have been solved; it will simply have been kicked down the street.
OTs and NTDCs give DOD something it wants: streamlined access to privately funded innovative technology. We suggest that proper consideration for that access should be a commercial item determination, when doing so can be justified by the FAR.