• Increase font size
  • Default font size
  • Decrease font size
Apogee Consulting Inc

Timekeeping Fraud

Nick Sanders
E-mail Print PDF

Timekeeping fraud continues to be the most prevalent form of employee misconduct—and one of the easiest to prove.

In the DoD OIG’s Semiannual Report to Congress, covering the six-month period ending 31 March 2016, the Defense Inspector General reported that labor mischarging comprised 60 percent of all contractor disclosures made during that period. The DoD OIG reported that, during the six-month period ending 30 September 2016 (which is the most current reporting period) labor mischarging made up 71 percent of all contractor disclosures.

And those two data points are consistent with history. Labor mischarging—timekeeping fraud—is by far the number one reason contractors made disclosures, as required by the contract clause 52.203-13. (For details about contractor disclosures, see my article, “Audits of Mandatory Contractor Disclosures under 52.203-13: Everything You’ve Been Told is Wrong,” available on this website under “knowledge resources.”) Despite employee training and contractor internal controls designed to prevent such misconduct, it is still the number one reason for employee disciplinary action.

It’s not just contractor employees, of course. It’s anybody, really, who thinks they can get away with breaking the rules. And that also includes government employees and those independent contractors who work directly for the Federal government.

Such as Dan Glauber.

Dan worked as a contract employee for the Office of Personnel Management (OPM), where he served as a system administrator. To be clear: Dan was not a government employee, but he was an independent contractor hired directly by OPM. It was a full-time gig. It didn’t last very long, though. He only made it a little over three months (April 2012 through August 2012) before being terminated. It’s not clear why he was terminated, but we can guess that the 323.75 hours he recorded on his timesheet during that period where he wasn’t present at the OPM worksite may have played a role.

After Dan was terminated, one of the causes for his absentee status was uncovered. It seemed that Dan also worked, full-time, for NSA as a subcontractor. NSA investigators determined there were 269.5 hours recorded on Dan’s timesheets, for which he was not present at the work site. These missing hours were recorded during the period May 2012 through August 2012.

So Dan did the dream. He pulled down pay for two full-time gigs at the same time. Unfortunately, that was timekeeping fraud. The interesting thing is that, while the OPM folks noticed his absences and investigated, the NSA folks seemingly did not notice until the OPM folks clued them in.

Oops!

According to the obligatory Department of Justice press release, Dan was convicted of making false statements, and was sentenced “to five years of probation. During that time, he will be placed on GPS monitoring for 90 days, must perform the community service, and must pay a total of $70,646 in restitution.”

Why do employees keep on falsifying their timesheets, despite all the training and all the internal controls deployed to prevent such wrongdoing, and despite all the downside of getting caught?

We don’t have the answers, but we strongly suspect one causal factor is that the supervisory review and approval of employee timesheets isn’t as strong an internal control as it’s cracked-up to be. Really, in this virtual world, how much insight can a supervisor have into an employee’s time when the employee is performing work in another building, or perhaps in another location far away? What good is that supervisory signature when the supervisor may have no idea how the employee spends their time?

HR tends to link supervisory timesheet reviews with the organizational structure. The supervisor who reviews and approves timesheets is same one who does the annual performance reviews. Perhaps it’s time to revisit that linkage and decouple it. Perhaps the supervisor who reviews and approves an employee timesheet should be the one who is there actually supervising the employee on a day-to-day basis. That way, there will be some real assurance that when a supervisory signature is found on an employee timesheet, it was based on real insight and knowledge. It was not just a rubber stamp.

We’re just sayin’….

 

 

Compliance Programs with Substance

Nick Sanders
E-mail Print PDF

ComplianceAs I may have mentioned before, I recently was granted the honor of adding “CCEP” after my name, to go with my “CGFM” designation. CCEP means “Certified Compliance and Ethics Professional.” (CGFM means Certified Government Financial Manager.) The CCEP designation was granted by the Board of the Society of Corporate Compliance and Ethics (SCCE).

Which is really neither here nor there, except to note that, as part of my training, I was exposed to an entirely different view of compliance programs. Normally, when we discuss compliance on this website, we are talking about compliance with statutes and regulations that apply to government contractors, or perhaps about compliance with contract terms and conditions. We talk about the Federal Acquisition Regulation and the Defense Federal Acquisition Regulation Supplement.

From time to time we talk about other, related, matters—such as the Foreign Corrupt Practices Act (FCPA) or the export control regime (ITAR, EAR). We touch on Ethics/Business Conduct Policies when we discuss FAR Part 3. We mention investigations and contractor disclosures. (Indeed, we’ve written two in-depth analyses of contractor disclosures, which are available on this site under “knowledge resources.”)

But we have not really done a deep dive into the legal view of corporate compliance programs before. We have not dug into how such programs are defined by the Department of Justice and the U.S. Sentencing Guidelines. We glided past those issues because (1) there wasn’t much if any need to discuss them, and (2) we felt uncomfortable with those matters because we weren’t (and still are not!) attorneys. However, that second hesitation was removed when I attended the SCCE training and passed the test, and was awarded the CCEP designation. Now I think we can discuss the legal view of corporate compliance programs with some confidence that we know whereof we speak.

That all being said, today we want to discuss the very recent promulgation, by the Department of Justice, of a document called “Evaluation of Corporate Compliance Programs.” It is a document that identifies eleven areas in which a company’s compliance program will be evaluated by the DOJ when they are considering prosecution options.

This is an important document because it tells us what elements the DOJ considers to be important. As we list the eleven elements, ask yourself how well your company would fare if the DOJ evaluated you in these areas. They are:

  1. Analysis and Remediation of Underlying Misconduct, including root cause analysis, analysis of any prior indications, and efficacy of remediation.

  2. Senior and Middle Management, including conduct by corporate leadership, communication and shared commitment to ethical conduct, and the structure/expertise of the corporate oversight function (e.g., Board of Directors).

  3. Autonomy and Resources available to the compliance function, including experience, qualifications, and stature within the corporation. Also includes empowerment and funding/resources. There is a hint in this factor that a fully outsourced compliance function will be viewed with suspicion.

  4. Policies and Procedures, including internal assessments of the efficacy of the command media, oversight of compliance by process owners, and employee accessibility to the command media. This factor also includes a subfactor regarding controls, payment systems, and vendor management

  5. Risk Assessment, including the risk management process and the process used to gather information/metrics to design its misconduct detect/prevent processes. This factor also evaluates the feedback loop—i.e., how do “manifested risks” influence subsequent risk assessments and internal controls?

  6. Training and Communications, including availability of compliance guidance to employees and communication back to the workforce about misconduct that has been detected. In our experience, a number of corporate attorneys are reluctant to discuss misconduct after the fact. The DOJ evaluation factor asks the following questions (quoting): What has senior management done to let employees know the company’s position on the misconduct that occurred? What communications have there been generally when an employee is terminated for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the type of misconduct that leads to discipline)?

  7. Confidential Reporting and Investigation, including the effectiveness of the investigations, the qualifications of the investigative personnel, and whether the results of the investigations are used to enhance controls.

  8. Incentives and Disciplinary Measures, including the disciplinary process and how personnel are held accountable, and whether ethical/compliance behavior is incentivized by the company.

  9. Continuous Improvement, Periodic Testing, and Review, including the effectiveness of the internal audit function, whether internal control testing was updated/enhanced as the result of the misconduct, and the currency/scope of risk assessments.

  10. Third Party Management, including risk assessments and related controls, and whether the third parties are incentivized to act in a compliant manner.

  11. Mergers & Acquisitions, including the role of compliance and risk assessments in the due diligence process, and whether risks identified during the due diligence efforts are remediated during post-acquisition integration.

This blog has been geared towards those compliance practitioners working in the government contracting environment. We talk a lot about FAR, about DCAA, about the government contracting process. We talk about compliant cost accounting and billing practices. But clearly there is a bigger picture for government contractors: there is a bigger compliance regime in which FAR/CAS and other contracting compliance matters are but a part. This article has attempted to show the bigger picture.

We trust it was of value to you.

 

Final Voucher Services

Nick Sanders
E-mail Print PDF

Another week gone by, and the ASBCA website is still down with Error 403 problems. Thus, we still cannot write about the KBR decision, nor can we write about the newer A-T Solutions decision. So instead we’ll discuss the latest MRD (audit guidance) from DCAA.

DCAA, as you already may know, publishes much fewer pieces of audit guidance than the agency used to publish. The number of MRDs published each year has fallen precipitously; much like the number of audit reports issued each year has fallen precipitously. Consequently, we are excited when we see a new MRD on the DCAA website, wondering what important new audit guidance it may contain.

So here we are at MRD 17-PIC-001, dated 1/18/2017. It discusses “final voucher services.” According to the MRD, the purpose of the audit guidance “is to emphasize the types of services audit teams may provide to the Cognizant Federal Agency Official (CFAO), generally the Administrative Contracting Officer (ACO), to assist in processing final vouchers for contract closeouts.”

What are final voucher services?

According to the MRD, final voucher services may include:

  • Providing the CFAO with specific requesting information, such as signed rate agreement letters for the fiscal years of the contract, prior years’ Cumulative Allowable Cost Worksheets (CACWSs), etc.

  • Non-audit services as requested, which are limited to compiling factual information and expressly exclude audit services.

  • Final voucher audit services, which are an attestation examination or agreed-upon procedure to address identified CFAO concerns about the contractor’s final voucher.

Readers may recall we’ve opined that the CACWS requirement of FAR 52.216-7 is an illustrative example of additional regulatory burden imposed on contractors. The CACWS is nothing more than an auditor working paper. The MRD guidance is quite clear that not only must a contractor prepare a CACWS (disguised as Schedule I of the DCAA ICE Model for proposals to establish final billing rates), but that a contractor has a duty to update the CACWS “within 60 days of rate settlement” as required by 52.216-7(d)(2)(v). (This would be a requirement of the 2011 version of the contract clause; the MRD is equally clear that contracts containing the earlier version of the clause are not subject to that requirement.)

Indeed that language does state: “The Contractor shall update the billings on all contracts to reflect the final settled rates and update the schedule of cumulative direct and indirect costs claimed and billed, as required in paragraph (d)(2)(iii)(I) of this section, within 60 days after settlement of final indirect cost rates.”

One of the many problems with that statement is that the clause also states (at (d)(5)) that: “Within 120 days (or longer period if approved in writing by the Contracting Officer) after settlement of the final annual indirect cost rates for all years of a physically complete contract, the Contractor shall submit a completion invoice or voucher to reflect the settled amounts and rates.”

So which is it? Does a contractor have 60 days to “update the billings on all contracts to reflect the final settled rates,” or does it have “120 days ... after settlement” to submit a completion voucher? Certainly the 60 day rule would apply to final rates negotiated during performance while the 120 day rule would apply to final rates of the final year of performance but, in the final year of performance, both the 60 day rule and the 120 day rule would apply. So which is it?

This is one of the problems here. The other problem is that the clause requires update of the CACWS after the final billing rates have been negotiated. If you take the position that the (d)(2)(v) clause language only applies to final rates negotiated during performance, whereas the (d)(5) language applies to the final year of contract performance, that clearly means that the CACWS does not have to be updated to reflect the final billing rates for the final year of contract performance.

Let’s do a hypothetical example.

Contractor A has one and only one cost-type contract containing the 2011 version of 52.216-7. The contract has a 4 year period of performance. In compliance with clause requirements, it updates its CACWS to reflect settlement of direct and indirect costs each year within 60 days of agreement. At the end of Year 4, it does not update its CACWS and submits a final voucher within 120 days of agreement. That would seem to us to be compliant with the exact requirements of the contract clause.

Let’s do another hypothetical example:

Contractor B has many cost-type contracts; some of them contain the pre-2011 version of the 52-216-7 clause while others contain the 2011 version of the clause. As its proposal to establish final billing rates is audited and negotiated and settled, it updates its CACWS—but only for the contracts that contain the 2011 language. For the rest, updating the CACWS is not a contractual requirement. We believe that is a compliant posture.

Let’s do another hypothetical example:

Contractor C has one cost-type contract (“Contract 1”) containing the pre-2011 version of the clause, and one cost-type contract (“Contract 2”) that contains the 2011 version of the clause. Both contracts are physically completed in the same year. The contractor’s Disclosure Statement states that close-out activities will be charged to the contract for which they benefit. DCAA and DCMA ignore Apogee Consulting, Inc.’s sage wisdom (about the conflict between the (d)(2)(v) and the (d)(5) clause language) and require the contractor to update its CACWS as a condition of final voucher payment. The contractor does so but only for Contract 2. The effort involved in updating the CACWS is considered to be a contract close-out activity, and so the labor efforts are charged to Contract 2 as direct costs. Now Contractor C has direct costs outside the contract’s period of performance, plus it has direct costs in a year not subject to the final rate agreement. Therefore, Contract 2 is not ready for a final voucher. First Contract 2 must be modified to extend the Period of Performance. If the costs involved in updating the CACWS are material in amount, the contractor may be due a price adjustment. Second, the final voucher must be withdrawn and must wait for another year to be audited, negotiated, and finalized. In that year the effort to update the CACWS will be repeated, creating the same problems as before. Is this really what the parties intended? Meanwhile, Contract 1 was done, the final voucher was submitted and paid, and the files can now be put away.

We have suggested that contractors not update the CACWS after billing rates are finalized. That suggestion flies in the face of the express requirements of FAR 52.216-7(d)(2)(v). We’ve (hopefully) explained why a literal reading of that clause language leads to several problems. Notwithstanding our position, we strongly suspect that DCAA and DCMA will refuse to pay a contractor’s final voucher until and unless that pesky CACWS is updated by the contractor.

So what’s the resolution?

Contractors need to ensure that final billing rates reflect a credit against provisional billing rates. Of course the same 52.216-7 clause requires that provisional billing rates be set as closely as possible to anticipated final billing rates, so as to avoid a “substantial” overpayment or underpayment. Substantial is one of those words, like “material” or “significant,” that creates a certain amount of subjectivity and/or ambiguity. Our best advice here is to set provisional billing rates so that there is a very slight (certainly not “significant”) overpayment situation. Thus, the contractor would owe the government a very small check at the time of final billing rate settlement. In this fashion, should the government refuse to process the contractor’s final voucher (which would reflect a very small credit due the government), the contractor can shrug and say “so what?”

Oh, and that MRD we started with? It’s just over 2 pages long. But it contains a 41 page-long PowerPoint attachment. In that attachment, DCAA makes it very clear that the updated CACWS is required even in the year of physical completion—ignoring the (d)(5) clause language.

 

DCMA and DCAA Interaction, as Seen by the DoD Inspector General

Nick Sanders
E-mail Print PDF

We have called them “the Oversight Wars” and, although the war has largely died down since its most confrontational moments six or seven years ago, little hotspots still flare up every so often.

The Oversight Wars, for those who may have forgotten, were a series of hostile reports issued by GAO, DoD OIG, and the Commission on Wartime Contracting. Sometimes the finger of blame was pointed at DCMA; other times it was pointed at DCAA. Sometimes it was pointed at both. It was a form of internecine bureaucratic warfare, seemingly designed to degrade the perception of the defense acquisition environment in the eyes of both Congress and the public.

The latest little flareup appears to be ignited by the work of the DoD Office of Inspector General (OIG). Recently, the OIG issued a report critical of DCMA contracting officers. According to the OIG, DCMA contracting officers weren’t doing a good job of complying with CAS administration requirements. We didn’t think much of the report and we told our readers why we felt the way we did. In a nutshell, we found the OIG’s analysis superficial and its recommended corrective actions equally superficial. We noted that DCMA made it easy for the OIG to have findings because its Instructions established timeframes that were nearly impossible for COs to meet. Whatever.

Just another shot fired in The Oversight Wars.

More recently, the DoD OIG has issued another report critical of DCMA Contracting Officers. This time, the OIG found that the CO’s lack of compliance with “FAR, DoD Instruction 7640.02, or DCMA instructions” with respect to dispositioning DCAA questioned costs led to a situation where “contracting officers may have inappropriately reimbursed DoD contractors for millions of dollars in unallowable costs, the Government did not collect penalties when they should have been assessed, or reported incurred cost findings were not addressed in a timely manner.”

Editor’s note: One of those things is not like the others. Can you identify which it is?

Basically, the OIG auditors examined 22 DCAA audit reports issued between September 2013 and July 2015. During that period, DCAA issued 1,072 audit reports, but the OIG auditors selected only 22 of them to review. That’s a two percent sample, for anybody counting. Also, the OIG noted that it didn’t select those 22 audit reports randomly; instead, the auditors “judgmentally selected” their two percent sample. The OIG report did not mention the factors that contributed to the auditors’ judgment with respect to sample selection.

The point of the audit was not to evaluate the quality/accuracy of the DCAA audit findings; instead, the objective was to evaluate what DCMA did with the audit findings.

  • In 15 of the 22 reports, the DCMA COs did not enter accurate status in the Contract Audit Follow-up (CAFU) system.

  • In 5 instances, the COs did not meet the deadlines established by DoD Instruction 7640.2.

  • In 3 instances, the COs sustained DCAA audit findings (cumulatively worth $4.3 million) but those findings were not incorporated into the agreement on final billing rates, meaning that the negotiated final billing rates were higher than they should have been.

  • In 2 instances, the COs did not sustain DCAA audit findings, but failed to document the rationale for not doing so.

  • In 7 instances, penalties were recommended (cumulatively worth $1.4 million) on costs found to be expressly unallowable, but the COs did not take the recommended action, nor did they expressly waive the penalties (which they have discretion to do). Or to be more specific, in 5 instances the penalties were expressly waived but the OIG found the rationale for doing so to be lacking.

  • In 8 instances, DCAA questioned direct contract costs (cumulatively worth $305 million) but the COs did not take any action.

CDA Statute of Limitations

In at least one instance, the CO explained to the OIG auditors that action was not taken because the CDA Statute of Limitations had expired. The OIG position was, “who cares?” As the audit report stated—

… the contracting officer’s own legal counsel advised the contracting officer that the statute of limitations does not preclude the contracting officer from pursing the questioned direct costs. The legal counsel also advised that the statute may not have expired because the contractor had submitted revised incurred cost proposals to the Government.

We know now (or we think we know) that the CDA SoL starts running when the vouchers containing the direct costs are paid by the Government. Thus, the DCMA legal counsel’s advice was unsound. Further, the advice was seemingly based on the assumption that the contractor might not be aware of the expiration of the statute of limitations, and thus might pay some or all of the questioned costs despite the expiration. That position seems to us to be unworthy of a government agency.

Conclusion

Being a contracting officer is a tough job—made even tougher by bureaucratic rules and near-impossible deadlines. This DoD OIG report points out some areas in which performance can be improved, but it also misses some opportunities to recommend process improvements. For example, would the COs’ job be easier and quicker if the DCAA audit reports were of higher quality? We believe so. Yet the OIG simply did not opine on the overall quality of the DCAA audit reports it selected for review. What were the overall sustention rates? If that information was provided, we didn’t see it.

Another opportunity missed was to track the dates of the milestones in the process, to see whether it was the CO (or perhaps the CO’s management) that was delaying the disposition of the audit findings. Between the pre-negotiation memorandum and the post-negotiation memorandum, how many management review steps were there? Did they add value, or did they simply delay the process? Was there any management override of the CO’s judgment? We don’t know because the DoD OIG audit report didn’t say.

 

 

I Did it My Way

Nick Sanders
E-mail Print PDF

We were going to write a long, involved post about December’s KBR decision at the ASBCA, but their website is down indefinitely. So that plan didn’t happen. This is Plan B. Plan B is a discussion about small businesses, entrepreneurship, and contract compliance.

We do a lot of work with small businesses, those government contractors who start from nothing and build themselves up to a position where they can perform effectively on subcontracts, and perhaps start thinking about going after a prime contract of their own. We do not focus exclusively on small businesses, but the largest contractors already have their full-time compliance teams—so it tends to be the smaller contractors that seek consulting advice.

Each of these businesses starts with a single person, or perhaps a small team. They have a vision of what the market needs and the value they can add. They spend time developing infrastructure. They spend time recruiting. They spend time marketing. And eventually they win a couple of contracts—almost always firm, fixed-price contracts awarded under competitive conditions. (Which are some of the lowest-risk contracts from a compliance perspective.) With respect to service providers, they land T&M subcontracts with fixed hourly billing rates. Since they are small companies, risks associated with T&M contracts are fairly low as well.

The point is, they start small, with low-risk contracts, and that gives them a solid foundation for developing experience and past performance credentials. The experience and past performance credentials enable them to bid on larger, more lucrative, contracts.

But what works for low-risk contracts doesn’t always work for higher-risk contracts, such as the cost-type contracts that typically come with SBIR Phase II awards. For that matter, any prime contract awards that are not awarded on a competitive basis are probably going to be subject to cost analysis—which means submission of cost or pricing data (whether or not certified) in a prescribed format. Thus, as small contractors progress into more lucrative contracts—which have higher compliance risks both on the front end and the back end—they need to evolve their back office policies, procedures, and practices.

Many small business government contractors don’t evolve their infrastructure, their back offices, to keep pace with the compliance risks of their newer contract awards. They end up with a mismatch between the needs of their newer contract requirements and the capabilities of their administrative staff. That’s when consultants can add some value.

But the real issue is not the knowledge or expertise of the team; the real issue is that the actual practices may need to change to match the compliance requirements of the newer contracts. The company may need to make fundamental changes to the way in which it does business.

For example, many small businesses operate on a “cash basis” accounting. That is fine for low-risk contracts, but it really doesn’t work for cost-type contracts. Contractors anticipating going after cost-type contracts (either as a prime or as a subcontractor) need to move toward “accrual” accounting. That is a fundamental change with far-reaching ramifications to many aspects of the business.

For another example, many small businesses use Quickbooks. Many small businesses have a bookkeeper to enter transactions into Quickbooks and run reports. That’s fine for smaller, low-risk contracts but, at a certain point, companies need to move away from Quickbooks and find another piece of accounting software more suited to the compliance needs of the higher-risk contracts.1 Some companies will need to move on from their bookkeeper—who may have been in place for years and is now treated like a member of the family—because they need to tap into the expertise of a CPA with government contracting experience.

Sometimes the first inkling of an issue surfaces when DCAA comes in to perform a pre-award accounting system review. The company fails the pre-award review and misses out on an opportunity for which it had been preparing, perhaps for several years. Sometimes a company will pass the pre-award review, but then fail the post-award review, which leads to problems such as demands for repayment of allegedly overbilled costs. In extreme cases, claims of bad accounting or misbilling can lead to allegations of violations of the False Claims Act—which can (and have) killed otherwise successful entities.

Many small business move forward with their new business capture strategy, completely unaware that they also need a back office strategy to go with it.

One problem is that the business may have become accustomed to how it has operated over time. It may not understand the need for change—or it may not want to change. “If the wheel ain’t broke, why fix it?” may be the reply to the consultant who recommends changes to business practices in order to better assure compliance with new contract terms.

This is especially true with respect to labor accounting.

We have experience with one small business—a very successful small business—that has incentivized its staff by paying higher labor costs on direct-billed work than it does on IRAD or other indirect billed work. The owner very much believes in his “innovative” way of doing business. The owner has resisted all recommendations (made by multiple consultants) to change the company’s payroll and labor accounting practices to pay a single rate for all staff hours. When the company failed its DCAA pre-award accounting system survey, it came as a complete surprise. When the company lost out on a large prime contract award because of the failed accounting system survey, that came as a surprise as well. However, regardless of the facts, the small business refused to change and thus it is stuck receiving FFP task orders, mostly as a subcontractor.

And that’s not the only labor accounting issue we’ve had to address in the past few years.

The point of this article is that companies grow and the compliance requirements grow as well. Companies that want cost-type government contracts need to be prepared to account for costs, including labor costs, in a manner that supports billings and audits of billings. This may require change to long-standing (and long-cherished) practices that no longer work in the new risk environment. Companies that refuse to change risk adverse audit findings—or worse.

1Yes, Quickbooks can be made to work for higher-risk contract types as well. With enough work it can meet all contracting requirements. Yet in our experience too many contractors don’t know how—or simply cannot—make Quickbooks do what it needs to do. For that matter, we are not recommending any particular accounting software in this article.

 
More Articles...


Page 76 of 278

Newsflash

Effective January 1, 2019, Nick Sanders has been named as Editor of two reference books published by LexisNexis. The first book is Matthew Bender’s Accounting for Government Contracts: The Federal Acquisition Regulation. The second book is Matthew Bender’s Accounting for Government Contracts: The Cost Accounting Standards. Nick replaces Darrell Oyer, who has edited those books for many years.