DCAA’s External Quality Control Audit
In our opinion, except for the deficiencies described in this report, the system of quality control for the DCAA in effect for the 3‑year period ended June 30, 2019, has been suitably designed and complied with to provide the DCAA with reasonable assurance of performing and reporting in conformity in all material respects with applicable professional standards. Audit organizations can receive a rating of pass, pass with deficiencies, or fail. The DCAA has received a rating of pass with deficiencies.
Every couple of years, DCAA’s quality control system gets an “external peer review.” In March, the DOD Inspector General published its latest peer review findings. The initial quote, above, is the summary of the report: “pass with deficiencies.”
Long-time readers may recall that the DOD Inspector General hasn’t always reported favorably on the quality of DCAA’s audits. Moreover, DCAA went without an externally reviewed quality system for several years, because the agency failed a peer review. In 2017, we reported that DCAA had passed its peer review, even though 25 of the 67 selected audit reports had deficiencies. To put it another way: nearly 40% of the audit reports selected for review by the DOD Inspector General had deficiencies. Importantly, no deficiencies were found (in 2017) to be significant deficiencies that would have imperiled DCAA’s audit quality system.
We took some issue with that 2017 audit, quoting a finding from the report that stated:
For 18 of 67 audits (27 percent) we selected for review, we found one or more instances in which DCAA auditors did not obtain sufficient, appropriate evidence to support an opinion expressed in the report. We found this deficiency in all six DCAA regions. Among the 18 audits, we found a total of 25 instances when the auditors did not obtain sufficient, appropriate evidence to support DCAA’s opinion that contractor proposed costs were reasonable, allowable, or compliant with contract terms.
Back in 2017, we opined on that particular finding as follows:
Well, gosh. More than a quarter of all selected reports lacked sufficient evidence to support audit conclusions. That seems like kind of a big deal to us. Yet, the IG, using professional judgment, did not deem that deficiency to be a significant deficiency.
Moreover, as the IG itself noted in the report, this is a repeat finding from the external peer review it conducted in 2014. The IG stated that DCAA had taken corrective actions in response to the 2014 finding, but the corrective actions had proven ineffective and “based on the results of our current review, DCAA still needs to consider additional steps to ensure that auditors gather sufficient evidence to support reported opinions.”
If this were a contractor business system review and there had been a repeat finding, we all know what the result would be.
We had more to say in that vein; you can read our 2017 article (link above) if you are so inclined. In the meantime, let’s see what the IG had to say in 2021.
The Inspector General team selected 60 DCAA audit reports from a universe of 3,616 audits performed between July 1, 2018 and June 30, 2019. From the sample of 60, the IG found 50 findings associated with 29 of the reports. In essence, roughly 50% of all DCAA audit reports selected had at least one finding; and many had multiple findings.
In 19 of the 60 audits (or about one-third), the auditors “did not obtain sufficient, appropriate evidence to support their opinion.” The audit report noted that this finding was a repeat from its 2017 peer review, which was at that time a repeat finding from the 2014 peer review. DCAA keeps struggling to implement corrective actions to improve in this area; however, “Based on the results of this peer review, the DCAA still needs to take additional actions to ensure that auditors obtain sufficient, appropriate evidence.”
We’re sure they will get it right the next time the DOD IG shows up.
There were other findings. As far as we could tell, each finding in the latest peer review audit report was a repeat finding from the 2017 audit report. DCAA had taken its promised corrective actions, yet those corrective actions proved to be insufficient to remediate the issues.
Repeat findings. Ineffective corrective actions.
Yet, DCAA gets another pass.
GSA Multiple Award Schedules and Compliance Risk
There’s a risk continuum for government contract compliance. Nearly two years ago I presented at the Society of Corporate Compliance and Ethics’ Annual Compliance Institute on the topic of “Taking a Dynamic Approach to Compliance Risk Assessments for U.S. Government Contractors”—and that was the takeaway from my show.
As I told the audience: “USG contractors work in a highly dynamic environment where compliance risks must be frequently evaluated, because they are frequently changing. Annual ‘snapshots’ will create gaps in compliance planning.” (Emphasis in original.) You can find the entire presentation on my LinkedIn profile, if you are so inclined.
A contractor’s compliance risks are based on factors that include (but are not limited to) contract type, contract value, competitive versus non-competitive awards, awarding agency, and the contract clauses found in the contracts. A small business has a different compliance risk profile than a large contractor. A contractor subject to Full CAS coverage has a different compliance risk profile than one that is Exempt or subject to only Modified coverage. A contractor that sells commercial items under FAR Part 12 procedures has a different risk profile that one that submits certified cost or pricing data under FAR Part 15 negotiated contract procedures. Et cetera. You get the idea.
Generally speaking, a contractor who is selling to the Federal government under a GSA Multiple Award Schedule (MAS) has a lower risk profile than one that sells directly to another Federal agency, especially the Department of Defense. In fact, GSA MAS are only supposed to offer items and services that qualify as commercial items, as that term is defined at FAR 2.101. When a contractor prepares its annual proposal to establish final billing rates as required by the contract clause 52.216-7, the GSA contracts are lumped along with any other commercial sales the contractor might have into “other-commercial.”
You might well conclude that GSA MAS sales are lower-risk. And you’d be right to do so, except “lower risk” is not the same thing as “risk-free.” There are risks associated with GSA MAS sales, including (but not limited to):
-
Accurate disclosure of “commercial sales practices”
-
Accurate identification of “Basis of Award” customers (those customers whose prices will be compared to the prices offered to GSA)
-
Compliance with the Price Reductions Clause (which requires that discounts offered to Basis of Award customers also be offered to the GSA)
-
Accurate calculation and timely payment of the Industrial Funding Fee (IFF)
-
Compliance with Trade Agreements Act
-
Compliance with required labor qualifications
I was recently reminded of the GSA MAS risks when I came across this press release from the Dept. of Justice, announcing that “SAP Public Services, Inc. has agreed to pay the United States more than $2.2 Million to resolve allegations that it violated the False Claims Act by failing to pay required fees” on its GSA MAS contracts.
SAP Public Services sold software engineering and support to government customers through its MAS contracts, but it cancelled those contracts in 2014. But it was too late. An internal investigation discovered compliance errors, and the company was required to disclose those errors to the GSA under the contracts’ mandatory disclosure provisions. Before I get into the details of the errors, let’s note that SAP Public Services received praise (and, I’m sure, credit) for its cooperation with Federal agency officials. The Deputy U.S. Attorney was quoted as saying “From the time that this matter was brought to its attention, SAP has committed itself to setting things right, despite considerable time and expense. We appreciate its cooperative approach and its intensive investigative efforts to get to the bottom of what happened here.”
What happened?
According to the press release, it seems that SAP Public Services made errors when calculating the IFF due GSA. “The United States’ investigation – conducted in conjunction with a robust internal investigation by SAP Public Services – determined that SAP Public Services failed to account for the IFF it owed on several contracts…”
But that was not all. SAP Public Service also (apparently) failed to comply with the Price Reductions Clause. The press release stated “SAP Public Services … did not always provide the appropriate contractual discounts …”
But that was not all. SAP Public Service also (apparently) failed to comply with the labor qualifications in its GSA MAS contracts. The press release stated “SAP Public Services was required to … meet certain educational or experiential qualifications in its staffing assignments. … SAP Public Services … did not always provide the appropriate … staffing.”
Thus, a $2.2 million settlement to resolve False Claims Act allegations involving at least three of the six compliance risk issues identified earlier in this article.
Before your company sells to the Federal government via a GSA (or Veterans Administration) MAS contract, consider making a robust compliance risk assessment. It’s probably in your best interest to do so.
|
Product Substitution is Bad Business
Last year we reported about fraudulent quality testing that led to substandard steel castings being supplied to naval construction. That was an expensive lesson for the company that employed the Director of Metallurgy who falsified the test results.
More recently, an environmental laboratory analyst was sentenced to two years of probation and ordered to pay a $2,500 fine for falsifying laboratory test results, according to this Dept. of Justice press release. According to the DOJ, the analyst “failed to properly calibrate and tune the quality control instruments, which was the foundation of the quality control process. This failure resulted in unreliable measurements of pollutants and hazardous substances, and therefore invalidated the testing process.”
That’s not good, and we suspect the laboratory that employed the analyst may have paid some expensive attorneys to make sure it was the analyst who was sentenced, and not the laboratory executives.
These are examples of product substitution fraud, which occurs when a contractor supplies nonconforming materials to the government. Most government contracts contain specifications that define what constitutes acceptable materials (and the quality assurance steps to ensure the materials meet spec). When a contractor falsifies lab results or other quality assurance report and, as a result, the government receives nonconforming materials (or materials that cannot be objectively determined to be conforming because of falsified tests), then that is product substitution. The “fraud” part speaks to intent.
Those two stories about are not good, but those aren’t today’s stories.
Today we want to talk about Djibouti.
Djibouti is in Africa, which makes it the purview of the Africa Strike Force, an initiative out of the Dept. of Justice’s Southern District of California. The Africa Strike Force was “developed to combat fraud and corruption as the United States expends resources across Africa,” according to the Dept. of Justice. The Strike Force’s first indictment was issued in October, 2020; it contained 98 counts of conspiracy, wire fraud, and aggravated identity theft. The CEO of the contractor was arrested for and charged with (among other things): “submitted fraudulent quality control plans with résumés of fictitious employees; fabricated quality control checklists, certifying quality control work that was never performed; fraudulent concrete strength test results; and fraudulent claims for construction that was never performed or that did not adhere to specification.” That’s not good.
But that massive October, 2020, indictment is not today’s story.
Today’s story concerns another African contractor, another target of the Africa Strike Force, that settled its fraud allegations by agreeing that it “faked testing results and submitted a series of false documents and false claims to the United States as part of a scheme to defraud the United States in the sale of substandard concrete used to construct U.S. Navy airfields in Djibouti.” Link to the press release: here. The contractor in question was a subsidiary of a French civil engineering company.
According to the press release, the contractor (Colas Djibouti) “created fictitious testing results, made fraudulent representations regarding the concrete’s composition and characteristics, and knowingly provided concrete to the United States that did not comply with the specifications.” Yeah, that’s not good. You’ll notice that the “knowingly” part in that sentence introduces the fraud aspects.
The press released opined “As a result of this criminal conduct, Colas Djibouti ultimately supplied substandard concrete to the Department of Navy in Djibouti that could promote early cracking, surface defects, and corrosion of embedded steel, and thus significantly impair the concrete’s long-term durability.”
Part of the criminal conduct included falsifying water testing: “in response to a request for an analysis of the water used in the concrete mix, Colas Djibouti provided an analysis for a store-bought bottle of drinking water.”
To settle the criminal charges, Colas Djibouti agreed to “forfeit $8 million, pay another $2,042,002 to the Department of Navy in restitution, and pay a monetary penalty of $2.5 million.” That’s $12.54 million.
But in order to settle the civil charges, the company also agreed to pay another $1.858 million, bringing the total to $14.4 million.
As the headline says, product substitution is bad business.
EPA Mismanages IT Contracts
Recently, the Environmental Protection Agency’s Inspector General issued an audit report that documented and sustained allegations received via a Hotline call. The Hotline call had alleged “contract and bidding irregularities with three major information technology contracts.”
We like how the EPA OIG put the salacious findings right on the report cover:
Then, right up front in the report, the EPA OIG provided the elevator-speech summary:
In violation of Federal Acquisition Regulation requirements and contract clauses, the EPA purchased 23 pieces of hardware and software equipment under an expiring information technology contract awarded to CGI Federal. This purchase was outside the scope of the contract and was ultimately never used for that contract. The EPA then improperly solicited bids for one of two subsequent contracts and transferred the equipment to use on the new contract. By approving the purchase, the EPA improperly spent $641,680 in federal funds.
Also:
We also found that the EPA issued task orders under all three contracts without approval from the chief information officer, which is required under the Federal Information Technology Acquisition Reform Act. This resulted in the EPA spending $52.5 million in taxpayer funds without proper approvals
Also (but not headline-worthy):
The Agency also mismanaged these contracts with respect to monitoring property and licenses. For example, the EPA underreported and incorrectly identified purchased equipment in the Agency’s property reporting system and did not record $1.18 million in software licenses in the Agency’s asset management system.
Well, there it is. Not a great look for the EPA contracting officer(s), is it?
Looking at the first finding in a bit more detail, we see that “An EPA CO authorized purchasing $641,680 worth of equipment under contract EP-W-07-024, awarded to CGI Federal, two days before the contract closed.” (Emphasis added.) We’re guessing that somebody noticed that not all obligated funds had been spent, and decided to get them spent rather than deobligating the funds as they properly should have done. So they had the contractor spend the money on equipment that wasn’t needed, and then “EPA transferred the equipment to a new contract, EP-W-18-008.” Importantly, that second contract had also been awarded to the very same contractor, CGI Federal. Unfortunately for both the EPA contracting officer and CGI Federal, the Inspector General reported that the second contract “originally did not allow for government-furnished property.” (The contract was modified after award to permit GFP.)
In order to make the shady equipment purchase happen—
The OCFO [Office of the Chief Financial Officer] requested an emergency action in the EPA’s contract system to purchase and transfer the equipment. We found that the OCFO fully intended to use the equipment purchased under EP-W-07-024 on the new contract. The CO and OCFO management stated that they used an emergency action because the EPA’s contract system was unavailable to make modifications to the new contract, so they modified the expiring contract.
The Inspector General succinctly summarized the situation thusly: “The Agency cannot use emergency actions to circumvent contract clauses and the FAR.” Yep.
But the IG wasn’t done with this shady situation. Another aspect to be considered was the type of appropriation used to purchase the equipment. (This is commonly called “color of money” and, normally, contractors don’t care too much about it; but government acquisition and finance folks certainly do.) The IG found that “When purchasing the $641,680 in equipment for EP-W-07-024, the CO used a different appropriation than the one used for the remainder of the contract.” This is called “split-funding” and, while it is an acceptable practice, when split-funding occurs the contracting officer must document a rationale for allocating contract costs to the different colors of money and the contracting officer “must send the split-funding documentation rationale to OCFO management for approval and maintain the documentation in the overall contract file.” This is to happen before contract or task order award.
Would you be surprised to learn that it didn’t happen in this case? Would you be surprised to learn that neither the contracting officer nor OCFO would locate the split-funding rationale when challenged by the IG auditors? Yeah, we weren’t surprised either.
Now let’s take a closer look at the second finding, where task orders were issued without required approvals by the EPA’s Chief Information Officer.
The Inspector General pointed out that “Federal Information Technology Acquisition Reform Act, gives the chief information officer approval authority over IT purchases.” The contracting officer did not notify the CIO, as required by FITARA. “In this case, the EPA’s CIO was unaware of the CO’s purchase of the equipment, so the CIO did not have the opportunity to review inventory for spares, duplicates, and compatible equipment.”
Looking at the award of that second contract to CGI Federal, the IG concluded that it was improper, finding that “the EPA provided government-furnished equipment for EP-W-18-008, even though the EPA did not disclose that it would provide equipment in the contract solicitation.” Because the EPA provided GFP to the winner (who was, perhaps, also the incumbent), “the EPA’s choice to provide equipment for EP-W-18-008 may have led to an unfair competition practice” and may have violated the Federal law that requires agencies to use full and open competition, as well as FAR 45.201(a), which “requires agencies to include anticipated government-furnished property in the solicitation.”
Another interesting aspect of this situation, according to the Inspector General, was the lack of property accountability and tracking. We could not summarize this aspect any better than the IG did in its report—
The OTS staff neglected to follow the EPA Personal Property Manual to monitor, count, or report the purchased equipment, as required by federal requirements and EPA policies. The EPA property management staff—responsible for the care, use, accountability, and security of government-owned property in EPA areas—said that they were not informed of the purchase under EP-W-07-024 because the CO never reported the equipment in the contract file. The EPA did not report the equipment, 23 pieces of hardware and software, as inventory in its 2018 financial reports. The EPA did not report the equipment until a year-and-a-half after it was purchased and after we requested the property records as part of this audit. In addition, the EPA did not maintain a comprehensive list of software inventory and did not track software licenses, as required by regulation. The EPA underreported at least $1.18 million in software license costs in its financial statements and inventory records. As a result, the Agency temporarily lost t rack of the equipment paid for by taxpayer dollars.
Oh, but that’s not all. According to the Inspector General, the EPA wasn’t tracking software licenses either, which is required by Public Law. The IG reported that “Since awarding the contract [to CGI Federal] on December 31, 2017, the EPA issued five modifications that involved software license purchases, renewals, or software maintenance fees totaling $1,180,574.64. The EPA has no record of these software licenses as of the end of fiscal year 2019. The OTS did not include this $1.18 million in software licenses and maintenance fees in the EPA’s property system.” (Notes omitted; emphasis added.)
Essentially, the IG found that the equipment was improperly purchased, it was improperly transferred to a contract that was not intended to receive it. The equipment was not properly approved, nor was it reported or tracked. In addition, other software licenses worth more than one million dollars were not tracked or reported either.
If you are getting the picture of a very lax contracting environment, you are not alone.
For its part, the EPA agreed with the IG’s findings. However, it didn’t believe the second contract had been improperly awarded. That second contract will not be terminated, because doing so would not be in the best interest of the government as the services are still needed. Further, the $642K in equipment was transferred from the contractor’s possession and into the EPA’s possession.
As for the contracting officer that effectuated this shady set of circumstances? We did not see anything to indicate disciplinary action was taken.
|
