Subcontractor Risk Management, Redux
If it weren’t so troubling it would be hilarious.
Remember when we wrote about the importance of supply chain risk management? Remember when we asserted that programs generally under manage risks in their supply chains? Yeah, we do too. We also remember that lady at the Top 5 defense contractor who pooh-poohed our attempts at risk identification by telling us that her suppliers would never do terrible things such as engage in product substitution or falsely certify test results. Oh, no. Her company would never do business with that kind of supplier, no way.
Anyway, those thoughts came to mind once again when we read that Pratt & Whitney had briefly suspended deliveries of engines for the F-35 Lightning II Joint Strike Fighter because of concerns over the pedigree of the titanium used in the engines. The article reported that Pratt & Whitney was no longer accepting parts made by its supplier, A&P Alloys. (A&P Alloys denied the allegations.)
The article noted that Pratt & Whitney has faced continued challenges in managing its suppliers, writing—
The Defense Contract Management Agency wrote in a June internal assessment that Pratt & Whitney’s ‘continued poor management of suppliers is a primary driver for the increased potential problem notifications.’ The incidents ‘have resulted in delinquent deliveries of engines,’ the agency said. ‘This trend will continue until the contractor improves its management of subcontractors and suppliers.’
Bates, the Pratt & Whitney spokesman, said ‘the vast majority’ of problem notifications ‘are minor issues or no issues at all’ and ‘do not have any impact on specifications or field performance’ of engines. Only four of the 30 notifications ‘required action in the field,’ he said. The Pentagon’s F-35 program office said in a statement that Pratt & Whitney’s ‘persistent problems stem from the supply chain’ because 80 percent of the engine is produced by many different subcontractors. …
Pratt & Whitney isn’t asking the Pentagon to pay the cost associated with removal and replacement of ‘parts with the suspect titanium,’ Bates said.
One reason behind Pratt & Whitney’s decision not to pass on the cost of replacing the titanium engine parts may be because they were planning to recover the increased (and possibly unallowable) costs from the supplier, A&P Alloys. A subsequent news article reported that a lawsuit had been filed, accusing A&P Alloys of “fraud and breach of contract,” stemming from "intentionally submitted certifications falsely representing the pedigree and quality of its material."
The article reported—
Pratt is suing for damages and attorneys fees arising from fraudulent misrepresentations about the metals and attempts to impede Pratt's efforts to uncover the alleged misconduct, according to the lawsuit.
According to the lawsuit, A&P's owner denied representatives from Pratt and Lewis access to A&P's headquarters when they were seeking documents and refused to turn over requested records.
Pratt put its costs at more than $1 million thus far, the lawsuit said.
Based on the article (link above), we can tell that A&P Alloys was a lower-tier subcontractor. It was actually a supplier to Lewis Machine LLC, who was a subcontractor to Pratt & Whitney. Should the fact that it was a supplier of a supplier excuse Pratt & Whitney of responsibility for managing that supplier? In truth, was it not the responsibility of Lewis Machine LLC to properly manage its suppliers?
Well, we guess one could make that argument in court.
But the fact of the matter – the crux of the situation – is that Pratt & Whitney was responsible for delivering F-35 engines to the customer. Period. It was responsible for program execution, regardless of whether it performed all the work in-house or outsourced everything to multiple supply chain tiers and had thousands of suppliers performing the work. Pratt & Whitney was responsible, which is why it is their name in the headlines and not Lewis Machine LLC or A&P Alloys.
As previously noted, Pratt & Whitney has been on notice for some time that it has had supply chain management problems. More specifically, according to another article, Pratt & Whitney has been on notice for some time that specialty metals in the program supply chain (specifically including titanium) have been at risk. The article reported –
The court documents claim that A&P Alloys lied numerous times about the origins of the metal and, in some cases, told intermediate suppliers to withhold information from Pratt & Whitney.
Pressure built at Pratt & Whitney and appeared to spill out publicly days after the visit, when the company's head of engineering and operations, Danny Di Perna, spoke to businesses at an industry event, visibly upset about some supplier issue. ‘There are some folks out here … that do bad things with material,’ Di Perna said on May 30, not specifically citing the titanium problem but explaining that he had been dealing with an issue since 7:30 the night before. ‘I'm very upset about it. … But I'm telling you, integrity.’ Although he cited no specifics of the issue, he constantly returned to supplier honesty and quality. ‘The supply chain I don't think is ready’ for higher production, he said. ‘We are not going to put up with nonperformance anymore.’
The federal court case offers a unique glimpse into how Pratt & Whitney maintains quality and compliance among its field of suppliers for hundreds of thousands of parts. With steep production increases on the horizon, the incident shows just how much the company relies on the honesty of its suppliers and redundant testing measures to keep the operation on track. …
Last year, separate issues regarding its titanium supply resulted in Pratt & Whitney's reviewing parts in many of its engines. In that case, as in this one, the company said that the parts were found to be out of conformance with standards but safe enough to not pose a flight safety risk.
(Emphasis added.)
This situation would be hilarious if it were not so troubling.
Here we have the single most expensive fighter program in the history of the United States, and (according to news reports) the single most important program for engine-maker Pratt & Whitney. Here we have continued supply chain management problems—literally a recurrence of the same specialty metal pedigree problems. Here we have at least a million dollars wasted and millions more dollars of legal fees yet to be spent, and headlines impugning the Pratt & Whitney brand and more headlines yet to come. This is not how one would wish the Pratt & Whitney executives to be spending their time.
And what is the root cause?
Ineffective supply chain risk management.
Oh, you can gussy it up and point fingers and cry “fraud” – and no doubt that is being done and will continue to be the Pratt & Whitney party line. But the root cause, in our view from 1,500 miles away, is that Pratt & Whitney failed to engage in adequate program risk identification and failed to effectively manage its supply chain risks.
But maybe those folks in charge of program supply chain management assumed that their suppliers would never, ever, do anything wrong. They trusted the honesty, the integrity, of their suppliers. Would you say that was simply naiveté in action – or perhaps more than a bit negligent?
Bottom-line: It’s tough to manage program risks when you put on blinders and refuse even to consider them.
Now let’s try a little experiment.
You tell us you don’t have budget to spend on sending quality assurance inspectors down two and three (or maybe even four and five) tiers deep into the program supply chain. You tell us you have neither the resources nor the funding to deploy enough people to enough suppliers to ensure that everything in on the up-and-up. You tell us that you can’t inspect quality into a program supply chain, that quality has to be embedded at the cultural level. And you have no money to spend on some kind of IT-based product pedigree system.
Okay, we say. That’s your call. We agree that a quality-focused culture is more effective than an inspection-focused culture. But that assumes your supply chain is mature enough to create that culture. In the meantime, you have to decide how to manage the supply chain you have, not the one you wish to have. But we get that it is your decision to decide how to deploy the scarce resources you have. If you decide to limit supplier inspections (or not to implement a secure program supply chain product pedigree system) because of budgetary concerns, that’s clearly your call to make.
But consider this:
Because of your decision, the company will suffer adverse publicity, have an interruption in planned deliveries (which will impact sales) and you will incur at least one million dollars in additional costs plus untold millions in legal fees (most, if not all, of which will be unallowable—which will impact your profit). In addition, you will spend an inordinate number of labor hours trying to solve the problem and develop a work-around, which will divert your scarce resources to solving a problem that might well have been prevented in the first place. Plus you will also upset the customer of the company’s single biggest program, the customer who will (at a minimum) submit a performance review into a government-wide database for use on future source selection decisions.
Because of your decision not to proactively identify and manage your program supply chain risks, you will put your single biggest revenue stream at risk.
How much would you be willing to spend on supplier risk management now?
Considering Fraud as a Function of Executive Leadership
Normally, when we discuss fraud and/or internal controls designed to detect (if not also prevent) corrupt activities, we point out that establishing effective internal controls is the responsibility of the executive leadership function. Two notable examples of our viewpoint on this matter come to mind. In the first example, we discussed how a Vice President of Finance was able to embezzle more than $30 million from headphone-maker Koss. We noted that the SEC had much to say (in its complaint and proposed settlement agreement) regarding the lack of diligence found at the top of that corporation. In the second example, we discussed how the Treasurer and Comptroller of the city of Dixon, Illinois (a town with an annual budget of roughly $8 million), was able to embezzle more than $30 million over six years. In that case, a long-time trusted city employee was not well monitored by her superiors at the City Council, and the annual audit failed to detect the sizable illegitimate transactions.
Where are we going with this? Well, we’re thinking that an organization devoted to integrity and ethical behavior needs to hold its top leadership accountable for any transgressions by its employees. Leadership needs to be held accountable – especially when root cause analysis indicates that a significant causal factor in the fraud was a lack of oversight or other form of gross negligence.
It’s not enough to simply blame the employee and point a finger at the auditor. Those at the top of the pyramid need to be held accountable for any poor decision-making and for any lack of diligence in performing their duties.
We assert it is management’s duty and obligation to establish an effective set of internal controls designed to detect and prevent employee corruption. We assert is it the responsibility of the leadership team to exercise diligence in ensuring an appropriate segregation of duties. We assert the executives are responsible for investigating allegations of wrong-doing and for ensuring that documents they sign (such as SOX 302 Certifications) are accurate in all respects.
We assert that when the executive leadership team fails to invest in an effective internal control system, they are negligent and should be held accountable for that negligence. We assert that when the senior leaders of an organization delegate their oversight responsibilities to subordinates, they are negligent. We assert that that when upper management rubber-stamps documents and certifications, or when they white-wash allegations of internal corruption, or when they hire the lowest-price external auditor and refuse to permit that auditor an adequate budget to conduct a rigorous audit, then they should be held accountable for those poor decisions.
We are saying, basically, that not only does “tone at the top” matter – but that the top must be held accountable for their actions (or inactions) in addition to the tone they set. Not only the words, but the actions. An organization that does not hold its leadership accountable is living on borrowed time.
But what happens when it is the senior leadership team who is the source of corruption?
We were inspired to think about these things by a recent Department of Justice press release, announcing that –
The former chief executive officer (CEO) of ArthroCare Corporation was sentenced to serve 20 years in prison, and the former chief financial officer (CFO) was sentenced to serve 10 years in prison today for their leading roles in a $750 million securities fraud scheme. Two other former senior vice presidents of ArthroCare were also sentenced to prison terms for their roles in the scheme.
What happened? According to the press release –
At sentencing, the court found that investors lost approximately $756 million as a result of the defendants’ scheme to artificially inflate the share price of ArthroCare stock through sham transactions. According to court documents, between 2005 and 2009, Baker, Gluk, Raffle and Applegate executed a scheme to artificially inflate sales and revenue through a series of end-of-quarter transactions involving several of ArthroCare’s distributors. Products were shipped to distributors at quarter end based on ArthroCare’s need to meet Wall Street analyst forecasts, rather than distributors’ actual orders. ArthroCare then fraudulently reported these shipments as sales in its quarterly and annual filings at the time of the shipment, enabling the company to appear to meet or exceed internal and external earnings forecasts. ArthroCare’s distributors agreed to accept these shipments of millions of dollars of excess inventory in exchange for lucrative concessions from ArthroCare, such as upfront cash commissions, extended payment terms, and the ability to return products. In some cases, like that of ArthroCare’s largest distributor, DiscoCare, the defendants agreed ArthroCare would acquire the distributor and the inventory so that the distributor would not have to pay ArthroCare for the products at all. … On July 21, 2008, after ArthroCare announced publicly that it would be restating its previously reported financial results to reflect the results of an internal investigation and account for the defendants’ fraud, the price of ArthroCare shares dropped from $40.03 to $23.21 per share. On Dec.19, 2008, ArthroCare again announced publicly that it had identified more accounting errors and possible irregularities related to the defendants’ fraud. That day, the price of ArthroCare shares dropped from approximately $16.23 to approximately $5.92 per share.
More details regarding the fraud can be found here.
What happened to ArthroCare’s external auditor (PricewaterhouseCoopers LLP)?
Although shareholders sued PwC, seeking to hold the audit firm accountable for not detecting the fraud, in 2010, that suit was tossed. According to one report, “The court further held that Pricewaterhouse-Coopers did not intend to mislead investors and was itself misled by ArthroCare's executives about the company's questionable accounting practices.” But that was not the end of the story. In July, 2014, the Public Company Accounting Oversight Board (PCAOB) announced that the PwC audit partner (Mr. Randall Stone) was being held accountable for the botched audit. The press release stated –
The Board found that Stone ignored or failed to properly evaluate numerous indicators that should have alerted him to the possibility that ArthroCare was improperly recognizing revenue on its 2007 sales of medical devices to DiscoCare, Inc. Such indicators included unusual pricing and payment terms, quarter-end sales spikes, and evidence that ArthroCare may have funded DiscoCare's purchases through monthly service fee payments. Sales to DiscoCare helped ArthroCare meet its revenue forecasts for 2007. …
Stone failed to exercise due professional care and skepticism when, among other things, he agreed with the company's proposed accounting for the acquisition without adequately assessing whether such accounting treatment complied with generally accepted accounting principles.
In addition, the Board found that Stone violated PCAOB rules and standards in authorizing PwC's consent to incorporate its previously issued 2007 audit report in ArthroCare's June 2008 Form S-8 registration statement without first completing a reasonable subsequent events investigation. The Board found that when Stone authorized PwC's consent, he was aware of new allegations of impropriety concerning ArthroCare's relationship with DiscoCare in 2007, and he knew that ArthroCare and PwC were continuing to assess those allegations.
Mr. Stone, a CPA who is now an ex-partner at PwC, was assessed a $50,000 civil penalty and barred from associating with a registered public accounting firm for a minimum of three years. It is doubtful if he will be able to perform significant audits for any large accounting firm ever again. So he was certainly held accountable.
When fraud and employee corruption occur, we need to perform a rigorous root cause analysis to understand what and why – and most especially how. Should we determine there was negligence at the upper levels of management, we need to hold those leaders accountable
Conversely, when you find an entity where senior leadership is not being held accountable for its actions (or inactions) then you can be fairly certain you are going to find corruption and fraud somewhere lower in the organization.
|
DOD IG Delivers Good News and Bad News to DCAA
DOG IG Auditor: I have some good news and some bad news.
DCAA Director: Please tell me the good news first, if you would.
DOD IG Auditor: Congratulations! You passed your external quality review!
DCAA Director: That’s great! Now tell me the bad news.
DOD IG Auditor: Your auditors still don’t know how to audit.
Really, the fictitious dialog posted above tells the entire story. You can stop reading right here and get back to Facebook or whatever.
Would you like to know more? Okay, we can help you with that.
First, The Good News
On August, 21, 2014, the DOD Inspector General issued its long-overdue peer review report of DCAA’s quality assurance system. As we’ve noted in the past, DCAA has been without an externally-reviewed-and-determined-to-be-adequate quality assurance system since 2009, which is technically a violation of GAGAS. That problem was rectified when the DOD IG issued its report, and DCAA auditors will no longer have to report the expired quality assurance system in their audit reports. The DOD IG found DCAA’s quality assurance system to be adequate and it received a rating of “pass with deficiencies.”
Yay for DCAA!
Some aspects of the quality system review report caught our eye. Perhaps you will find them to be of interest as well.
-
Instead of the “usual” 1-year period from which audit reports would normally be chosen for review, the IG instead reviewed only audit reports produced in a 6-month period. The IG stated that “we believe the volume of audits at DCAA creates a reasonable sample in a shorter time.” Left unexplained was the rationale for choosing a 1-year review period in prior quality system reviews of past years, when DCAA’s production of audit reports was significantly higher than it is now.
-
The IG reviewed 92 engagements. In 11 of the 92 (12 percent of the sample universe) the IG “identified errors or a lack of sufficient documentation … that limited the reliability of the reports. … Specifically, the DCAA engagement documentation did not contain sufficient information to allow the peer review auditor to understand the judgments and conclusions drawn by the DCAA auditor based on the evidence in the work papers.” A 12 percent failure rate is not so swell, in our view. In contrast, the DOD IG judged it to be good enough. (We are tempted to say “ good enough for government work.”)
-
In addition, the IG identified 3 additional reports “for which the engagement documentation did not support information in the report.” However, for these 3 additional defective reports, “the reliability … was not affected by the errors because DCAA adequately resolved our concerns … during interviews and provided additional information outside the engagement documentation.” We think it interesting that engagement files and working papers did not have to speak for themselves, and could be augmented by discussions and additional information created after-the-fact. That would seem to be a very, very lenient audit approach and we are sure DCAA appreciated the professional courtesy involved.
To sum up, then, the external peer review of DCAA’s quality control system identified defects in 14 of 92 engagements reviewed, for an error rate of fifteen percent (15%). The DOD IG found that error rate to be within tolerance and passed the system.
Yay for DCAA!
As a side note, those of you lucky enough to have your business systems audited by DCAA may want to remember that a 15% error rate is good enough for a passing score. We mean to say that if a 15% error rate is good enough for DCAA’s quality control system, we think a 15% error rate should be good enough for your business system. Your auditors, of course, may not agree.
Now For The Bad News
On September 8, 2014 – just a couple of weeks after giving DCAA a pass on its quality control system – the DOD IG issued another review of DCAA audits issued during Government Fiscal Years 2012 and 2013. The findings were not pretty.
Readers may recall the previous DOD IG review of DCAA audit quality, issued in March, 2013. The findings in that report weren’t pretty either. We reviewed that previous report (link provided), and we concluded as follows—
We could go on and on, just like the DOD IG audit report did, listing example after example of poor audit planning, poor communication, poor documentation, lack of professional competence, lack of adequate supervision, insufficient evidence, delayed reports, and other GAGAS violations. But why bother? The report is, unfortunately for DCAA, damning.
Just as the prior DOD IG and GAO reports on DCAA audit quality have been damning.
We’re not particularly surprised by the findings in the DOD IG report; nor do we suspect our readership is particularly surprised by them. We’ve asserted for some time that the DCAA initiatives intended to increase audit quality have not worked out as planned. As this report demonstrates, DCAA audit quality is still lacking.
In other words, DCAA has implemented its revised procedures and multiple reviews and, as a result, has dramatically delayed its audit report production for no good reason. They still suck.
So we think DCAA may as well just throw the audit reports over the transom to the customer just as quickly as it can. The quality will still be as poor; but at least the reports will be more timely.
But we can hear the chorus of cries from Fort Belvoir from here—‘just wait until the next review!’ Yes, things will be so much better then. Higher quality audit reports issued faster.
Sure.
We’ll be very happy to report on the assessed quality of DCAA audit reports when that next external peer review report is issued. If things have improved significantly, we’ll be first in line to say so.
And so here we are, eighteen months later, discussing the follow-up report. It gives us little pleasure to tell you that, as we expected, the quality of DCAA’s audit reports—as measured by the DOD IG—has not improved significantly.
In the latest report, the DOD IG evaluated 16 DCAA audit reports, including 5 audits of priced proposals and 11 audits of “incurred cost proposals.” The IG identified “1 or more significant inadequacies” in 13 of the 16 audit reports evaluated, for a failure rate of 81%. Yes, that’s correct . More than 8 out of 10 recently issued DCAA audit reports failed the DOD IG review.
We bet DCAA is glad those audit reports weren’t part of the sample used for the external peer review of the audit agency’s quality control system!
Following are some quotes from the DOD IG report. Each numbered item corresponds to one of the 16 Memos the IG issued to DCAA after the review. Since we are only quoting from Memos that interest us, we have to skip around a little bit.
1. Audit Report No. 3321-2009K10180035. The IG found “that 66 percent of the invoices and 59 percent of the claimed costs audited … had already been examined in an assist audit conducted by the DCAA Iraq Branch Office, under Assignment No. 2131-2007R10180002-S1. … In addition, 91 percent of the costs questioned [in the audit report reviewed] had previously been questioned by the DCAA Iraq Branch Office. On May 30, 2008, the DCAA issued a Form 1 … on July 15, 2010, the contracting officer reached a negotiated settlement with the contractor. ... Therefore, the Resident Office’s efforts to later re-examine the same invoices and requestion the same costs did not serve a useful purpose.” Further the IG reported that “We found that the Resident Office reported $8,725,017 of questioned costs in the DCAA DMIS, even though the Iraq Branch Office had previously reported $6,128,000 of the same questioned costs in the DMIS. … The accuracy of DMIS information is important because DCAA frequently uses it as a management tool, and DCAA reports key statistics from DMIS to Congress and various federal agencies.”
3. Audit Report No. 4551-2009B1101001. The IG found that “the field audit office (FAO) spend an excessive number of hours auditing a billing system that is no longer in use, reported on transaction tests that were not current or relevant, and recommended the withholding of contractor payments without sufficient evidence.” The IG reported that “FAO auditors spent 7,416 hours to complete the audit.” Although the testing on the billing system was “comprehensive and well documented,” the IG noted that the FAO “expended an excessive amount of time testing the legacy system [that was no longer being used] and reported on the results of tests that were not current.” Looking at the delays between the performance of audit procedures and issuance of the audit report, the IG reported that “the FAO did not issue its report … until one year and six months after the last tested transaction. The oldest tested transaction was nearly four years old [by the time the report was issued].” The IG looked further, and reported “while the audited took only one month and 19 days to prepare the initial draft report, the FAO spent the remaining time (over one year and two months) performing several management/technical reviews, editing the report format, and incorporating the contractor’s response. GAO noted that the same FAO took two years to issue the 2005 report after completion of testing.”
6. Audit Report No. 2701-2006A10100002. The IG reported that “In Exhibit A (G&A), Note 6 and Exhibit G (Penalties), the auditor incorrectly identified and applied a penalty to an unreasonable training cost which is not specifically unallowable under FAR 31.205 and is therefore not subject to a penalty.”
9. Audit Report No. 4151-2005T10100004. The IG found that “The working papers did not include any support for how the FAO computed its reported penalty participation rates.” In addition, the IG asserted that the auditor had mishandled the impact of the contractor’s adjustment of two unallowable bonus costs charged as direct contract costs.
11. Audit Report No. 482102011R21000012. The IG thought this audit did not accomplish very much. It reported that “After expending 4,807 hours the DCAA Audit Report … did not meet the needs of the AMCOM contracting officer. The DCAA work papers do not establish that DCAA complied with existing DCAA policy and communicated effectively with the contracting officer.” As a result of the issues the IG identified, “the AMCOM contracting officer had to expend additional DoD resources and convene a post-audit report issuance fact-finding summit to make the DCAA audit report useable for negotiating the contract.” According to the IG report, “the contracting officer advised the OIG that the purpose of the ‘summit’ was to sit with DCAA to reconcile the gaps [between] the audit findings and the request for audit and to make the audit report useable for negotiating the contract. The contracting officer identified the omission by DCAA of the review of the proposed indirect rates as one of the reasons for convening the fact-finding summit.” Moreover, the IG again found problems with DMIS reporting and reported that “the final amount reported in DMIS for net savings, $18.9 million, was not calculated in accordance with DMIS guidance.”
16. Audit Report No. 1261-2007J10100537. The IG reported that “The FAO took 4 years to complete the assignment... The FAO manager told us [the audit] was delayed to focus on ‘higher-priority’ work. However, there was no indication in the working papers that the audit had been significantly delayed for other priority work. In fact, the auditor continued to charge the assignment intermittently over the entire 4-year period.”
To sum up the obvious, despite the recent “pass with deficiencies” rating on its quality control system, it seems quite clear that the vast majority of DCAA audits still fail. Some lack quality, some lack value to the requestor, some are late. Some audits suffer from all three attributes of failure.
According to the DOD IG, DCAA still has room for improvement. We concur in that assessment.
Why DCAA is Having Problems: A Conversation with a DCAA Auditor
Sometimes we wish we were making this stuff up.
But no, reality is strange enough without having to resort to fiction writing.
We recently had a conversation with a DCAA auditor. It was a professional conversation, not at all any sort of “off-the-record” discussion that you can sometimes have if you are lucky enough to develop a rapport with your auditor. Nope. This one was official and formal, and the tone was serious. This one was for real.
And we think it illustrates all-too-precisely what in the hell has happened to the audit agency that was once held up as the gold standard for all governmental audit agencies.
We think it illustrates, quite accurately, why audits take so much longer than they used to take, and why so many more hours are necessary to push an audit report out the door. We assert that it illustrates, quite accurately, why GAO has expressed concerns with the quality of the DCAA audit reports. We suggest that it evidences the current preoccupation with working paper documentation in lieu of actual audit procedures, and why that preoccupation is a fatal flaw for the agency. We feel it is an indicator that auditor training is seriously lacking and, as a result, professional judgment is seriously flawed.
It was a short conversation, really. But it confirmed so much.
Perhaps we are biased and lack objectivity. Perhaps we are reading too much into a simple conversation between a junior level DCAA auditor and an entity being audited.
So we’ll ask you to judge for yourself. What do you make of the following conversation?
Email from Auditor: Hello. I have been requested by your ACO to perform a 19100 review of your client’s recent Disclosure Statement revisions for compliance.
Apogee Consulting: Hi there! How can we help you?
Auditor: Before we have our walk-through, I need you to fill out this list of individual Cost Accounting Standards. For each Standard, please tell me the date the Standard was effective, as well as the date the Standard was applicable, for your entity.
Apogee: [WTF?] We’re not sure what you mean. Our client is a large business that has been fully CAS-covered for many years. At this point, all Standards are applicable. Perhaps we are misunderstanding your request? Let’s have a telephone call to clarify what you need. Perhaps if you tell us why you need it, we can give you what you really need, since it can’t be what you asked for in writing.
(Now switching from email to phone conversation.)
Auditor: I need what I asked for in writing.
Apogee: As we told you, our client is a large business. It has been doing business with DOD for many years. It is fully CAS-covered. All Standards are both effective and applicable for the entity.
Auditor: I understand what you are saying. But even so, I need what I requested.
Apogee: Isn’t that effort just a waste of time? Look, how about we stipulate in writing that the entity is fully CAS-covered? How about we put in an email that all Standards are applicable to the entity?
Auditor: No good. That’s not what the audit program calls for.
Apogee: You mean the new audit program that just went into effect? The one that focuses on Disclosure Statement compliance instead of adequacy?
Auditor: Yes, that’s the one. I’m required by the new audit program to obtain a list showing the effective date and applicability date for each individual Cost Accounting Standard.
Apogee: You can’t be serious, right?
Auditor: Don’t believe me? Check for yourself. See Section C-1, Step 1, found on page 5 of 7, of the new audit program.
Apogee: [Stunned silence.] Yeah. We see it. It says “ Prepare a list detailing CAS applicability dates for each standard used to evaluate compliance of the contractor’s disclosed cost accounting practices (CAM 8-301.c.). Note: Use the list to determine if the Cost Accounting Standard is applicable, based on the date of applicability, before citing a CAS noncompliance .” So basically, you need to make sure a Standard is applicable to our client before you assert a CAS noncompliance?
Auditor: Yes.
Apogee: Well, that makes sense, we guess. But as we previously mentioned, all Standards are applicable to this client. We’ll be happy to put that in writing, if you like. A management “representation” or “assertion,” if you will.
Auditor: Nope. I need a list for my working papers. That’s what the audit program calls for, and that’s what I need to prepare. And you will prepare it for me.
Apogee: But there’s no information in that list! All we are going to do is just read the CAS and tell you what the regulations say the applicability date and effectivity dates are. It’s meaningless.
Auditor: I need what I need. Did you read the CAM reference?
Apogee: You mean the part that says –
c. To facilitate the implementation process, each promulgated standard contains in subparagraph .63 an effective date and an applicability date. The CASB defers the applicability date beyond the effective date in order to provide contractors adequate time to prepare for compliance and make any required accounting changes. Under the regulation, a contractor becomes subject to a new standard only after receiving the first CAS-covered contract following the effective date.
(1) The distinction between the effective and applicability dates is important. The effective date designates when the pricing of future CAS-covered contracts must reflect the new standard. It also identifies those CAS-covered contracts eligible for an equitable adjustment, since only contracts in existence on the effective date can be equitably adjusted to reflect the prospective application of a new or revised standard.
(2) The applicability date marks the beginning of the period when the contractor's accounting and reporting systems must comply with a new or revised standard. Proposals for contracts to be awarded after the effective date of a standard should be evaluated carefully for compliance with the new or revised standard. The proposal need only reflect compliance with the standard from the applicability date forward. Therefore, it is important that the auditor determine the applicability date of the particular Standard (including any revisions) under audit. Any change resulting from early implementation by the contractor is to be administered as a unilateral change. It will result in an equitable adjustment under FAR 52.230-2(a)(4)(iii) for the period prior to the applicability if the CFAO determines that the unilateral change is a desirable change.
Auditor: Exactly. So please fill out the list I sent you, identifying the applicability date and effective date for each of the nineteen individual Cost Accounting Standards.
Apogee: (Oh, dear Lord.) Um, sure. Will do. Should take about an hour. First, we’ll need to find our CAS book.
Auditor: Thank you for your timely cooperation.
And that, dear readers, is exactly what in the hell is wrong with DCAA these days.
EDITOR’S NOTE: For those readers who may not be familiar with the Cost Accounting Standards, there hasn’t been a new Standard promulgated since 1980. Since then, a couple of Standards have been revised (notably CAS 412 and 413), but by 2014 any given contractor is either (a) exempt from CAS altogether; (b) subject only to CAS 401, 402, 405, and 406; or (c) subject to all 19 Standards.
ANOTHER EDITOR’S NOTE: Wouldn’t it make way more sense to tell an auditor: “Hey, before you assert a noncompliance with CAS, make sure the contractor is actually, y’know, subject to that particular Standard? Have the contractor confirm in writing that the Standard is applicable to it before asserting a noncompliance.” You betcha. It sure would make way more sense to do it that way. But if you did it that way, you wouldn’t get such a pretty working paper for the audit file.
A THIRD EDITOR’S NOTE: When the auditor requests that the contractor complete the list, identifying both CAS applicability and effective date for the entity being audited, what in the hell does that even mean from an audit perspective? What if we lied and said something like “CAS 403 is not yet applicable to this entity, so you cannot assert a noncompliance with CAS 403?” How would the auditor know if we were lying or telling the truth? How would the auditor test the accuracy of the dates on the list? When the audit program calls for the auditor to determine the applicability of the Standards to the entity being audited, and then the auditors asks the entity to prepare the actual working paper demonstrating the applicability without testing the validity of the assertions, how does that lead to a quality audit?
A FOURTH AND FINAL EDITOR’S NOTE: Mike Steen, Technical Director at Redstone Consulting, who is quite knowledgeable about DCAA, thinks we are perhaps overreacting a tad. (As is our wont.) In response to our whining post about the new 19100 audit program on LinkedIn, he wrote, “I interpret this as nothing more than DCAA not wanting to express an opinion on actual practices as compliant with CAS and/or with the CAS DS. Stat[ed] differently, DCAA is once again narrowly defining its audit objective, otherwise this would be one more perpetual audit involving hundreds of transactions to provide sufficient evidential matter supporting a conclusion that actual practices were or were not compliant.” He may have a point.
|
