Apogee Consulting Inc

Lack of Adequate Accounting System Costs Contract Award


Two things about this article that are not new: (1) Courts (and too many contracting officers) think DCAA approves a contractor’s accounting system; and (2) joint ventures are at competitive risk if they do not clearly explain how they will operate after contract award. We’ve discussed these issues before, notably in this article and in our lengthy analysis article available to site members. (Membership costs nothing, poses no risk, and has benefits!)

The new thing is a recent bid protest decision at the Court of Federal Claims, in the matter of Metrica Team Venture (MTV). MTV was a joint venture of six team members, led by Metrica. MTV was bidding on the Alliant 2 Small Business GWAC. The solicitation required bidders to submit a “self-scoring worksheet” in which bidders were permitted to claim points for meeting specific criteria. Among the points available, bidders could claim 5,500 points for having a “certified Cost Accounting System” (called a certified “CAS” in the judicial decision—but not to be confused with the Federal Cost Accounting Standards).

According to the bid protest decision, the Alliant 2 solicitation stated that, in order to claim the points, bidders were required to—

… provide verification from the Defense Contract Audit Agency [‘DCAA’], Defense Contract Management Agency, or any Cognizant Federal Agency of an acceptable accounting system that has been audited and determined adequate for determining costs applicable to the contract or order in accordance with [Federal Acquisition Regulation (‘FAR’)] 16.301-3(a)(3).

Metrica was the leader of the JV and it did have a certified CAS. Unfortunately, however, none of the other five team members met the requirement. No problem! The JV team executed an agreement that stated that Metrica would do the accounting for the JV. That would solve the problem, right?

Wrong.

As Chief Judge Sweeney explained in her decision—

… the CO deducted 5500 points from the total claimed by MTV because it only provided evidence that one member—Metrica—had a certified CAS, and those points were available only if the offeror provided evidence of a certified CAS in the name of each member or the name of the joint venture. At the end of his review, the CO concluded that MTV’s validated score was 62,700, which was 5100 points below the cutoff.

(Internal citations omitted.)

Had MTV been allowed to claim the 5,500 points associated with a certified CAS, it was probable that it would have been awarded an Alliant 2 GWAC; but because it wasn’t granted those points, the JV lost out on a potentially lucrative contract award.

MTV protested but Judge Sweeney didn’t buy it. She wrote: “The crux of the parties’ disagreement is whether, under the terms of the solicitation, a joint venture possesses a certified CAS in its name when one member has such a CAS and is contracted to perform accounting for all of the other members.” In this situation, she found that the Alliant 2 solicitation was unambiguous and required that “… the credential must be issued to the joint venture—not one member acting on behalf of the other members.” She concluded that—

… offerors are only entitled to points for having a certified CAS if that credential is possessed by the joint venture or each member of the joint venture. Because neither MTV nor each member possessed a certified CAS, the CO did not err when he deducted points from the total claimed by MTV for MTV not substantiating the points it claimed for having such a CAS.

Clearly, the decision turned on the language of the solicitation. Another solicitation with different language may have not been as restrictive, and may have permitted the approach to accounting system adequacy envisioned by Metrica. On the other hand, why would you risk it?

The message here is clear. If you are a Federal contractor and you want to grow your business, one of the most important needs you have is an accounting system that DCAA (or DCMA) can determine to be adequate. We are at a loss to understand why any business—large or small—would conclude otherwise. Yet, as shown by this bid protest decision, five out of six Federal contractors didn’t have the necessary policies, procedures, and/or controls. Five out of six is 83 percent. That’s a high percentage.

So our advice now is the same as it’s always been. If you are a Federal contractor (or want to be one) then you really must invest in your accounting system. It’s not sexy. It’s not immediately revenue-generating. It may require spending money at a time when cash is tight. We get all that. Those are great reasons for procrastinating in this area. But then again, if you procrastinate for too long, then you risk running into a situation where you don’t have what you need when you need it. And then you lose a major contract award and you’ll get to see all that potential revenue go to your competitors.

At that point, all those rationalizations for putting off the investment in your back office are going to ring hollow. They are not going to seem like smart cash flow or management focus decisions; they are going to look like failed leadership.

At that point: it’s on you.

 

Allowability of Precontract Costs

Precontract costs are not preproduction costs. Let’s get that out of the way first. The SF-1408 requires, as a condition of having an adequate accounting system, that a contractor must be able to segregate preproduction costs from production costs.

According to the DoD’s Contract Pricing/Finance Guide (Volume 3, Chapter 8)—

Preproduction costs, also known as start-up or non-recurring costs, can be characterized as out of the ordinary costs associated with the initiation of production under a particular contract or program. Examples of preproduction costs include:

  • Preproduction engineering;
  • Special tooling;
  • Special plant rearrangement;
  • Training programs;
  • Initial rework or spoilage; and
  • Pilot production runs.

There is really no question but that the foregoing costs are allowable; the issue is that contractors have to be able to segregate those costs from their recurring production costs. (Exactly why that ability is so critically important to the government has never been explained to my satisfaction.) Interestingly, the Guide assumes that the costs will be proposed as Other Direct Costs (ODCs), not as the constituent cost elements that may comprise the efforts (e.g., labor, materials, subcontractor costs, etc.). The Guide also states that such costs may be deferred and recognized over the life of production, which is something to keep in mind for future competitive proposals—not to mention Boeing’s EELV litigation.

But this article isn’t about preproduction costs; it’s about precontract costs, which are something else entirely.

The FAR cost principle at 31.205-32 is remarkably brief and to the point. It states—

Precontract costs means costs incurred before the effective date of the contract directly pursuant to the negotiation and in anticipation of the contract award when such incurrence is necessary to comply with the proposed contract delivery schedule. These costs are allowable to the extent that they would have been allowable if incurred after the date of the contract (see 31.109).

Right away, precontract costs are defined broadly, as any costs that were incurred by the contractor “before the effective date of the contract.” Period. Labor, materials, subcontractor costs, preproduction costs—whatever. Any costs incurred before the effective date of the contract (which may be different from the date upon which the contract was executed) are precontract costs.

If those precontract costs were incurred by the contractor “directly pursuant” to the contract’s negotiations and if those precontract costs were incurred by the contractor “in the anticipation of the contract award” and if those precontract costs were incurred by the contractor “when such incurrence [was] necessary to comply with the proposed contract delivery schedule,” then the precontract costs are allowable.

But they are allowable only to the extent they would have been allowable if incurred after the date of the contract. In other words, an otherwise unallowable cost cannot be made allowable by virtue of it having been incurred before the effective date of the contract.

What does that reference to 31.109 mean? As we all know, FAR 31.109 refers to Advance Agreements, which is where the contractor and government enter into an agreement that establishes the treatment of certain costs. We discussed the topic of Advance Agreements in this article. If you mosey over to 31.109, you will see that use of Advance Agreements is recommended with respect to treatment of precontract costs; or, at least, precontract costs are one of the listed topics for which an Advance Agreement might be considered by the contracting parties.

We touched on Advance Agreements in the context of precontract costs in this article. But note that article was hardly a “deep dive” into the topic we are discussing today. It was more a discussion of the allowability of costs incurred either before, or after, the contract’s official period of performance.

Getting back to this topic, we need to ask: is the allowability of precontract costs conditioned upon an executed Advance Agreement? No. Absolutely not. Whether an Advance Agreement exists does not impact the allowability of precontract costs in the slightest. Having one may be helpful in terms of avoiding disputes (or audit findings), but it is not a requirement.

In summary, precontract costs are allowable if (1) the costs were incurred directly pursuant to negotiation of the contract and in anticipation of award, (2) the costs were necessarily incurred in order to comply with the proposed contract delivery schedule, and (3) the costs would have been allowable if incurred after the date of the contract.

Some court cases seem to indicate that allowability turns on whether or not the government has provided prior approval for the contractor to incur its precontract costs. That finding would seem to add a fourth requirement to the three listed above; a requirement not found in the FAR nor in the Radant Technologies line of cases at the ASBCA. Our layperson’s understanding is that those contrary decisions are found at the Court of Federal Claims. Karen Manos has a 2013 article that discusses those other cases, and we suggest readers seek it out. In the meantime, if you have a dispute that involves precontract costs, you may have a better outcome at the ASBCA, if you can file there.

What does DCAA say about precontract costs? Not much, it seems.

The Selected Areas of Cost Guidebook, Chapter 57 (“Pre-contract Costs”) is empty. All it says is “Refer to authoritative source.” We are not suggesting that this article is that authoritative source!

The Contract Audit Manual (at 6.202) discusses audit procedures related to precontract costs. It states—

Precontract costs are defined in FAR 31.205-32. Such costs, which otherwise meet the tests of allowability, may be approved for reimbursement by the auditor. If the precontract costs are subject to an advance agreement, the auditor should determine whether the costs incurred meet the conditions of the agreement. However, if there is no advance agreement, the auditor should ascertain whether the precontract costs meet all the tests of FAR 31.205-32 and are allowable to the same extent they would have been allowable if incurred after the effective date of the contract. The auditor should obtain the assistance of the Plant Representative/ACO and, where appropriate, the PCO in reaching this decision whenever necessary to clarify the facts and conditions for incurring precontract costs.

We are pleased to see that the DCAA audit guidance agrees with the decisions at the ASBCA.

Let’s wrap this up. If you are a contractor with a contract award pending, or in negotiations, you can incur precontract costs with an expectation of having them reimbursed or included in the contract price. You don’t need an Advance Agreement nor do you need express permission from the cognizant contracting officer. You need to meet the three tests we discussed in this article. However, if you have a dispute about the allowability of your precontract costs, and you want to litigate, best you take your appeal to the ASBCA.

 

Hanford Clip Show

It’s called a “clip show” in the television biz. According to Wikipedia—

A clip show is an episode of a television series that consists primarily of excerpts from previous episodes. Most clip shows feature the format of a frame story in which cast members recall past events from past installments of the show, depicted with a clip of the event presented as a flashback. Clip shows are also known as cheaters, particularly in the field of animation. Clip shows are often played before series finales or once syndication becomes highly likely. Other times, however, clip shows are simply produced for budgetary reasons (i.e. to avoid additional costs from shooting in a certain setting, or from casting actors to appear in new material).

In other words, there isn’t much new in a clip show. If you’ve watched the series, you’ve already seen all the flashback bits. That doesn’t keep the networks from churning them out, though.

Similarly, auditors churn out “clip show” audit reports from time to time. Most of us have seen them, particularly with respect to business system “reviews.” Instead of performing a lot of new work, the auditors simply piece together snippets of previous reports—as if those reports were somehow appropriate evidence to reach a new conclusion. A good example of a “clip show” Estimating System review report would be one that pieced together findings from forward priced proposal audits conducted over the past year or two. Never mind that the contractor has already corrected the process or people problems that led to those findings; they are presented once again as if they are evidence of a currently deficient business system.

“Clip show” audit reports are an unfortunate fact of life in the compliance environment. So long as all the reviewers sign off on them, they are considered to be just as valid as an opinion based on current and valid evidence. There’s no sense getting upset about them; that’s just the way it is.

Recently, the Department of Energy Office of Inspector General published a “clip show” audit report regarding the DOE’s site in Hanford, Washington. In fairness, the DOE OIG clearly labeled it as such. No, they didn’t call it a “clip show;” they called it a “compilation.” In fact, they called it “Compilation of Challenges and Previously Reported Key Findings at the Hanford Site for Fiscal Years 2012-2018.”

Hey, at least they were honest about it.

Why did the DOE OIG feel compelled to issue the compilation of previously issued reports, each one previously issued over the past six years? According to the report itself: “The Office of Inspector General’s objective is to highlight management challenges and key findings that were identified in its previous audits, inspections, and investigations related to the Hanford Site.” Our interpretation of that sentence is that the OIG feels their previous reports weren’t taken seriously enough, and they are making another attempt to get somebody’s attention.

Our interpretation may be supported by the words of the report. It states:

The Hanford Site has been plagued with mismanagement, poor internal controls, and fraudulent activities, resulting in monetary impacts totaling hundreds of millions of dollars by the various contractors involved at the site. As many of the weaknesses continue, without more aggressive oversight of contractors and subcontractors, millions of dollars will continue to be at risk for inappropriate charges and potential fraudulent activities. We are hopeful that the consolidated summary of the previously issued significant Office of Inspector General findings from FYs 2012–2018 provided in this report will serve as evidence of systemic internal control weaknesses and fraudulent activities and ultimately result in the Department strengthening its oversight of Federal operations and contractors.

Although we recognize that the Department has implemented improvements in response to prior Office of Inspector General findings, weaknesses continue with the management of contractors and subcontractors at a level that, in our opinion, results in an unacceptable level of risk of inappropriate charges to the Government.

The compilation report then continues with about 35 pages of “flashback” audit findings and press releases relating to various Hanford contractors, subcontractors, employees, and vendors. It’s great reading if you want to see the kind of (illegal) shenanigans that fraudsters can commit; but perhaps not so great reading if you are one of the entities or individuals mentioned within the body of the report. If you are a DOE employee charged with contractor oversight/compliance, we suspect it's very depressing reading indeed.

What’s the value of such a report? Well, it can serve to highlight historical compliance challenges and, to the extent those challenges have not been resolved, it can serve as an additional spur to action. As the DOE OIG stated in the report summary—

As many of the weaknesses continue, without more aggressive oversight of contractors and subcontractors, millions of dollars will continue to be at risk for inappropriate charges and potential fraudulent activities. We are hopeful that this consolidated summary of the previously issued significant Office of Inspector General findings from fiscal years 2012–2018 will serve as evidence of systemic internal control weaknesses and fraudulent activities and ultimately result in the Department strengthening its oversight of Federal operations and contractors.

It will be interesting to see if anything changes. Will Congresspeople express concern or even anger with the situation? Will DOE invest more money and personnel to Hanford contractor oversight? Will the prime contractors invest more money and personnel into their operations?

Our experience tells us that the answers to the foregoing questions probably will be “no.” Nobody cares about investing in controls and oversight unless forced to by litigation and/or settlement terms. For example, we don’t see Congress appropriating another $100 million for Hanford contractor oversight; nor do we see DOE moving $100 million from Savannah River to Hanford for the same reason. And until somebody puts money where mouth currently is, we don’t see much impetus to significant change in the control environment.

Sorry to be so cynical, but there it is.

In the meantime, we get OIG reports that provide a compilation of audit findings, like flashbacks in a clip show. If you’ve never seen the show before, then they might look like new findings. But if you’ve been watching for a while, then you’ve seen it all before.

 

Everybody’s a Critic, Especially the DoD Office of Inspector General


DCAA used to maintain a “proposal adequacy checklist” to help auditors determine whether a contractor’s proposal met the requirements of FAR 15.408. That tool was eliminated when the checklist was incorporated into the DFARS in January 2014. Per the DFARS solicitation provision 252.215-7009, a prospective contractor must complete the checklist and submit the completed checklist along with its proposal, when certified cost or pricing data are being required.

Yes, readers. You got it. The result of the change was that the effort previously performed by DCAA auditors was shifted to the contractors. As has become the norm with the audit agency that is chronically short of resources (or perhaps short of the competence to manage the resources it has).

The DFARS proposal adequacy checklist has 36 boxes to be checked (or items to be discussed if the answers don’t fit into the boxes). According to the regulations, the purpose of checking the boxes is “to facilitate submission of a thorough, accurate, and complete proposal.” But sometimes, even though all the boxes have been checked, DCAA finds that the submitted proposal is not thorough, accurate, or complete.

What happens then?

According to the Department of Defense Office of Inspector General (DoDOIG), “DCAA issues a memorandum to the contracting officer that outlines the noncompliances and the actions required to correct the noncompliances.”

And then what happens?

Well, at that point things become a bit hazy. The DoDOIG is not particularly clear on who does what—or who should do what. The most that can be said is “The contracting officer is responsible for determining the extent of support required to evaluate a contractor’s price proposal ….” In other words, DCAA is not the final arbiter of whether a contractor has submitted sufficient (certified) cost or pricing data; that’s the responsibility of the cognizant contracting officer.

Or is it?

In a recent audit report, the DoDOIG seemed to acknowledge the primacy of the CO’s discretion, while criticizing DCMA COs for failing to document how they dealt with DCAA’s determinations of “noncompliance” with FAR Table 15-2 requirements.

The IG looked at 23 contractor proposals where DCAA had “advised the contracting officers that the proposals did not comply with the FAR requirements, including FAR Table 15-2.” The IG could not fault the COs’ actions. The report stated “For all 23 contractor price proposals, the contracting officers took appropriate actions to address the proposal inadequacies identified by DCAA ….”

But it seems that no DoDOIG audit report can be issued unless there is some criticism of DCMA; and this audit report was no exception to that rule. Even though the DCMA COs took “appropriate actions,” not all of them documented those actions to the satisfaction of the IG auditors. The audit report found that “for 9 of the 23 proposals, contracting officers did not comply with the FAR requirements for documenting the negotiation because they did not adequately document the contractor price proposal inadequacies or the actions taken to address the inadequacies in the contract file.”

The basis for the IG audit finding was stated to be FAR 15.406-3 (“Documenting the Negotiation”). According to the audit report, that FAR subsection “requires that contracting officers document in the contract file the principal elements of the negotiated agreement.”

In fact, FAR 15.406-3(7) does require that COs add to the contract file “A summary of the contractor’s proposal, any field pricing assistance recommendations, including the reasons for any pertinent variances from them, the Government’s negotiation objective, and the negotiated position.” (Emphasis added.) The question is, when DCAA tells a CO that the contractor proposal is noncompliant with FAR Table 15-2—but states nothing more—is that actually a recommendation? We mean: Unless the DCAA memorandum actually contains a recommendation to do something, our reading of the regulation would seem to indicate that there would be nothing to document, other than (perhaps) “DCAA said the proposal was crap; I looked at their findings and disagreed with the assessment(s). I was able to negotiate a fair and reasonable price despite the alleged noncompliance(s).”

Also, what qualifications does a DCAA auditor have to determine whether a CO can (or cannot) overcome the (alleged) inadequacies of a contractor proposal? Are DCAA auditors routinely trained in negotiation techniques? Are they certified Master Negotiators? Because if not, then perhaps all that’s happening is that a DCAA auditor is signaling that one or more of the 36 proposal adequacy boxes haven’t been properly checked. And not all of those boxes are equal! Some boxes matter more than others. But you wouldn’t know that from the DoDOIG audit report (which curiously omits any discussion of the requirements of DFARS 215.408(4) and the solicitation provision 252.215-7009).

Anyway, even though the IG auditors saw fit to omit discussion of pertinent regulatory guidance—and even though the IG auditors saw fit to omit discussion of the competence of a DCAA auditor to actually determine whether or not a contractor proposal was suitable for audit—the IG auditors were able to confidently conclude that “Without adequate documentation, the contracting officers could not readily demonstrate that they had appropriately addressed the contractor price proposal inadequacies before they negotiated a fair and reasonable price with the contractor.”

Which is a flawed conclusion, since the auditors never demonstrated that was a required step.

The root cause of the so-called “noncompliance” of the contracting officers was, according to the audit report, “a lack of DoD policy and instruction” telling the COs to document the DCAA findings of the so-called contractor “non-compliances” and disposition each one in the contract file. It’s not surprising (to us) that there was no DoD policy or instruction, because none was required. But that’s not how the DoDOIG saw it.

Despite our criticisms of the criticisms of the DoDOIG audit report, “Defense Pricing and Contracting Principal Director agreed to implement guidance that requires contracting officers to document the actions they take on contractor price proposal inadequacies.” Unlike the responses from COCOMs and DPAP, there was no response published in the DoDOIG audit report that came from the office of Vice Admiral Lewis (Director, DCMA).

(Ed. Note: Gratuitous and possibly libelous opinions on the willingness of senior DoD leadership to back up the contracting officers in the field deleted from this post in a rare moment of discretion.)

 

DCAA Delivers New Accounting System Audit Procedure

Way back in 2011/2012, the world changed.

Suddenly, contractor “business systems” were in the spotlight; and the larger contractors were subject to punitive payment withholds if any of their six business systems were found by government reviewers to have “significant deficiencies”—which was a code word for any failure to satisfy those reviewers with respect to overtly subjective criteria that were not actually very auditable.

The government quickly realized that it lacked resources to implement, in any effective manner, the necessary process steps envisioned by Congress and the DAR Council. Consequently, the six business systems were divided into two groups, with one group (Purchasing, Property, and Earned Value) being reviewed by DCMA and the other group (Estimating, MMAS, and Accounting) being reviewed by DCAA. To be clear: DCMA always retained the authority and responsibility for determining whether or not contractor business systems were “adequate,” but each agency was given three business systems for which it had the “lead” role in evaluating.

DCAA has struggled since that time to fulfill its commitments with respect to the three business systems for which it has the lead role. Things had gotten so bad for the resource-limited (or management limited) audit agency that, in 2014, a proposed rule would have pushed the evaluation burden to contractors and “independent” outside entities. (That proposed rule crashed and burned; which was unfortunate for both DCAA and those outside entities that would have cashed in from it.)

One of DCAA’s challenges has been development of an audit program that would facilitate a timely review of a contractor’s accounting system. The early “pilot” programs took as long as three years to issue a draft audit report, which was no good for GAGAS compliance. GAGAS (at 6.60, 2011 version) requires that audit evidence must be “appropriate” to support any conclusions reached. The term “appropriate” is defined to include the concepts of relevance, validity, and reliability. As GAGAS states (at 6.60b, 2011 edition), “Validity refers to the extent to which evidence is a meaningful or reasonable basis for measuring what is being evaluated. In other words, validity refers to the extent to which evidence represents what it is purported to represent.” Accordingly, if DCAA collected evidence in Year 1 of the audit but didn’t reach (or publish) an opinion until Year 3 (or Year 4), then there was a reasonable chance that the evidence was no longer valid, and thus was not appropriate … meaning that there was likely to be a GAGAS deficiency with respect to that opinion. Not good for an agency that has struggled to comply with GAGAS for the past decade, and only received a passing grade on its last external peer review by having that reviewer (the DoD OIG) determine that a 15 percent deficiency rate was good enough for government work. (Seriously. See our 2014 article on the topic, which prompted us to suggest publicly that the DoD OIG had an independence problem and should no longer perform external quality reviews of DCAA.)

Anyway, DCAA has struggled with GAGAS compliance and it has struggled with issuing timely audit reports of decent quality to its customers. In a perfect world, DCAA would like to audit its three contractor business systems once every three years, but if it takes three years (or more) to audit an accounting system, then that goal is going to be hard to attain.

What’s an audit agency to do?

Answering that question has been hard, which is one reason that DCAA has been without an audit program that would tell auditors how to audit a contractor accounting system for quite some time.

To be clear, DCAA has had a pre-award accounting system procedure (audit program 17740), and it has had a post-award audit system procedure for “non-major” contractors (i.e., the small fish not subject to the full contractor business system oversight regime) (audit program 17741); but the audit program for the major contractors—the ones subject to the punitive payment withholds for any “significant deficiencies”—has been missing in action for a couple of years.

DCAA rectified that gap in October, 2018, when it posted audit program 11070 (“Accounting System Audit” or, more formally and correctly, “Compliance with DFARS 252.242-7006 Accounting System Administration Requirements Audit”). Here’s a link to that audit program.

As described in the audit program, its purpose and scope are as follows:

The compliance with DFARS 252.242.7006, Accounting System Administration requirements audit is conducted to examine contractor compliance with the system criteria as prescribed in section (c), System Criteria. As a part of the examination, auditors will:

  • Obtain an understanding of the contractor’s compliance with DFARS 252.242-7006(c);

  • Determine if the contractor is compliant with the accounting system criteria prescribed in DFARS 252.242-7006(c); and

  • Report both significant deficiencies/material weaknesses and less severe than significant deficiencies/material weaknesses that require the attention of those charged with governance.

The first question that comes to mind is: what if a contractor is not subject to the DFARS accounting system adequacy criteria? For example, what if a contractor has only EPA or DOE contracts? How will DCAA audit those contractors? The audit program answers that question. It states:

Contractors that do not have DoD contracts … are not contractually required to comply with the DFARS criteria. Nevertheless, the DFARS criteria are suitable standards to use in determining the acceptability of any Government contractor’s system for the accumulation and billing of cost under Government contracts.

If this audit program is used for contractors that have only non-DoD contracts, the language in the audit report shell will need to be tailored accordingly. FAOs needing assistance in tailoring the audit report should coordinate with the regional/CAD technical programs division and Headquarters PAS.

Well, shoot. There you go. Even if you are not subject to the 18 accounting system criteria established by the DFARS, you are still subject to them—according to DCAA.

Part of the new audit approach is to have DCAA auditors request any other audits or studies that may be relevant to the accounting system—to expressly include internal audit reports and external audit reports of financial statements. As the audit program states, “The purpose of this question is to discover any new audit leads that could affect the scope of current audit.”

Another aspect of the audit program that interested us was how it mashed prior DCAA audit approaches into a new framework. In the historic days before 2011/2012, DCAA had 10 contractor internal control systems it evaluated, including such systems as Billing and Labor Accounting. Those systems were eliminated and replaced by the six DFARS business systems.

But we noticed that they are back in the new accounting system audit program. For example, Section D-1 is entitled “Billing System” and Section E-1 is entitled “Labor Accounting.” Apparently, everything old is new again.

Even though the audit program looks familiar, there are some new focus areas worth noting. Perhaps the most challenging of the new focus areas is the emphasis on Information Technology (IT) and IT-related controls. For example, audit steps to be performed include:

  • Have contractor provide overview of IT Organization Structure to demonstrate its ability to act independently. For example, the overview should fully discuss IT management and organization (e.g., centralized or decentralized, shared services, business unit, geographical organization, etc.).

  • Have contractor provide overview of computer operations to include computer processes and control points for system integrity and reliability of all activities impacting the system’s physical operations.

  • Have the contractor provide an overview of the ERP Data Flow Architecture (process map). The presentation should include descriptions of all ERP modules, submodules, subsystems, other applications, databases, external data warehousing system, interface tables, etc., and controls, processes and interface tools for ensuring integration. If Legacy environments exist, include index of modifications contained within system documentation record.

  • Have the contractor demonstrate all third party IT service providers, type services, and the controls and processes for monitoring performance. Obtain IT service providers’ contract agreements and service level agreements covering the roles and responsibilities, expected deliverables and policy and procedures for monitoring third party IT service providers.

  • Have the contractor demonstrate the security techniques and related management procedures (e.g., network topography, to include identification of firewalls, security appliances, gateways, DMZs, network segmentation, intrusion detection, etc., and the identification and location of hardware and software) to authorize access and control information flows from and to networks that provide assurance of processing and data integrity associated with the contractor’s accumulation, processing, recording and reporting of Government costs.

  • Have the contractor demonstrate controls and processes for monitoring IT security implementation, infrastructure and related events for prevention, detection and timely reporting of unusual and/or abnormal activities and maintaining logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations.

  • Have the contractor provide overview of logical security controls for protection of computer resources against unauthorized use, modification, damage or loss (user levels are controlled and identified, logical access restrictions are controlled by passwords and logical access is recorded and monitored).

  • Have contractor provide policies and procedures for process of software acquisition, development, and modification for maintaining data integrity.

The foregoing steps may be new but they are not really unexpected, are they? The government’s recent emphasis on cybersecurity (see, e.g., the new DFARS contract clause 252.204-7012) means that DCAA should emphasize it as well. The point is: be prepared for inquiries into the above areas.

We will have to see whether the new audit program can be performed in a timely manner. Our opinion—based on past experience with similar audits—is that the long pole in the tent is going to be all the new IT-related stuff we listed. Our experience tells us that DCAA auditors with sufficient qualifications to both understand and evaluate contractors’ IT systems and controls are in short supply. Consequently, the audit schedule will need to take into account obtaining those scarce audit support resources and keeping them focused on the audit assignment in front of them, while fending off attempts to “steal” those resources away to support other audits.

Anyway, we’ll see how it goes.

 

