It’s Past Time for You to Secure Your Supply Chain
It has been awhile since we wrote about the importance of supply chain management. If you are a long-time reader (and, if so, thank you for that!) you know that, from time to time, we rant about the topic and implore you to do something.
Yeah, like that ever works.
If, for example, you had taken our advice posted in April, 2010, you might have started thinking about counterfeit parts and securing your supply chain, with the stated goal of a “product pedigree … through creating an unbreakable chain of custody from first source through the various manufacturing and fabrication and assembly and finishing steps.” A few months later we told readers that effective management of their supply chain was the single most important driver of operational success. We also told readers about DOD positioning to “reward contractors for successful supply chain management.” We have pointed out both the carrot and the stick, and too few of our readers gave a fig newton. It wasn’t their issue.
More recently, we noted Section 818 of the 2012 National Defense Authorization Act (NDAA) and told readers that DCMA was considering “eliminating the ‘Material Management and Accounting System (MMAS)’ business system, and replacing it with a business system focused on detection and prevention of counterfeit parts (the “secure supply chain” system).”
Thus, nobody should be surprised to learn that the DAR Council recently issued an interim rule to implement Section 806 of the 2013 NDAA, which allows DOD customers to “consider the impact of supply chain risk” in evaluating proposals for certain types of national security system contract awards. According to the interim rule, the phrase “supply chain risk” is defined as “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.”
Contractors who have already created secure supply chain management systems, including not only policies and procedures, but also actual practices, will have an undeniable competitive advantage in evaluations where supply chain risk is a factor. Those who have not, will not.
If you have been a long time reader, you have had more than three years to prepare for this day. Not that you took advantage of that advance notice, mind you. But the opportunity was there….
In related news, a final DFARS rule was published on the same day as the “supply chain risk” rule that requires “defense contractors to incorporate established information security standards on their unclassified networks and to report cyber-intrusion incidents that result in the loss of unclassified controlled technical information from these networks.”
You have been warned.
ASBCA Takes Hard Line on J.F. Taylor’s Request for Attorney Fees
The original J.F. Taylor decision was a resounding victory for contractors who think DCAA has overreached in its attempts to find a basis for questioning compensation costs. We wrote about the decision right here. Judge Shackleford found that the unrebutted evidence showed that DCAA’s methodology for establishing the reasonableness of executive compensation was “fatally flawed statistically” and “significantly overstated and speculative.”
Good stuff, and a great win for contractors everywhere (though DCAA has, to all appearances, ignored that ASBCA decision and continues to question exec comp costs using the same flawed methodology).
But then J.F. Taylor submitted an application for nearly $200,000 in attorney fees it had incurred appealing the matter, pursuant to the Equal Access to Justice Act (EAJA). Judge Shackleford denied the request, finding that the government’s position was “substantially justified” because it was based on published regulation (citing R&B Bewachungsgesellschaft mbH, ASBCA No. 42221, 93-3 BCA If 26,010, aff'd on recon., 94-1 BCA 126,315). As Judge Shackleford wrote, “… the method used by the government to evaluate the reasonableness of executive compensation had been used over a long period of time and this methodology was part of the DCAA contract audit manual.” In other words, Judge Shackleford conflated the DCAA Contract Audit Manual (CAM)—which is an internal document published by and for DCAA auditors without public input and without the force of regulation—with published regulations such as the FAR. Even the non-lawyers here at Apogee Consulting, Inc. thought that was an error of law that demanded a Motion for Reconsideration.
J.F Taylor’s attorneys thought so too, and filed that Motion. In a recent decision, Judge Shackleford denied it as well.
Judge Shackleford’s decision was based on the fact that the government’s position was supported by legal precedent—namely, the Techplan decision. Even though the original decision found that DCAA “generally followed” the Techplan approach to evaluating exec comp, the Judge also found that J.F. Taylor’s expert statistician challenged “Step 6” of the Techplan analysis, and that challenge was unrebutted. Therefore, the Judge opined that—
That [failure to rebut] may have been a tactical error in defending the claim, but not one fatal to substantial justification of the position it took relying on Techplan as precedent. … [while] reliance on the DCAA manual and long standing practice alone might not justify an otherwise unreasonable position, but those factors combined with the fact that the methodology in the manual was based upon legal precedent (Techplan) justified the government's position.
Having so found, Judge Shackelford then indulged in a bit of what attorneys might call obiter dicta, opining that—
While one could quibble over the status of the DCAA manual and the established practice by DCAA in approaching executive compensation cases, the fact remains that the Techplan decision was established law that the government relied upon and that the DCAA manual was based upon; and, on that basis, we do not modify our decision that the government's position was substantially justified.
So okay, then. Unlike our prior article where we thought Judge Shackleford’s elevation of the DCAA CAM to regulatory status was a travesty and judicial error of epic proportions, we’re not going to go there again. You win some; you lose some. J.F Taylor won its case in main and avoiding paying some $500,000. The fact that it had to spend $200,000 to do so is an unfortunate reality of litigation.
We are not going to get all worked up regarding how the Judge changed the basis of his original finding, so as to continue to find that the government’s position was “substantially justified.” We’re not going to get all worked up about how he elided J.F. Taylor’s attorneys’ arguments about the purpose of the EAJA. DCAA and DCMA got away with another one, apparently.
It happens.
In order for the contracting community to roll back the tide of unreasonable DCAA findings and unsupported Contracting Officer decisions, individual contractors, such as J.F. Taylor, need to stand up and say, “enough is enough.” Those courageous contractors need to spend the funds litigating, even with little likelihood that they will have their attorney fees reimbursed. Only in such a manner can the rule of law prevail over the petty bureaucrats and their flawed administrative policies.
|
DCAA Finds New Ways to Reduce its Audit Backlog
In September, 2012, the Defense Contract Audit Agency (DCAA) announced a fundamental change to its approach to auditing contractors’ proposals to establish final billing rates (also known as “incurred cost submissions”). We discussed the new, “risk-based,” approach in some detail.
A fundamental aspect of the new approach was the bucketing of contractors’’ proposals into either “low risk” or “high risk” categories. In order to be classified as a “low risk” proposal, several criteria must have been met. For example, DCAA must have performed at least one full-scope incurred cost audit on the contractor in the past. The contractor must have no inadequate business systems with deficiencies that might have a “significant impact” on the contractor’s ability to calculate an adequate proposal. And—perhaps most importantly—the previous DCAA audit must not have questioned a significant amount of claimed costs.
The September, 2012, DCAA audit guidance included a table that defined “significant exception dollars” in terms of strata based on the contractor’s proposed “auditable dollar value” (ADV). For example, if the contractor’s proposed ADV was between $15 and $50 Million, total questioned costs needed to have been less than $55,000. Anything more and the contractor’s current final billing rate proposal could not be classified as being “low risk”. For a proposal with an ADV between $50 to $250 Million, total questioned costs needed to have been less than $100,000. (Proposals with an ADV greater than $250 Million could never be classified as being low risk.)
The beauty of falling into the “low risk” bucket is that it greatly decreased your chance of DCAA actually performing an audit of your claimed costs. Again, the probability associated with a contractor’s proposal being audited was based on ADV strata. For example, if you were found to be low-risk, and your proposed ADV was between $50 and $100 Million, then there was only a 10% chance your proposal would be audited. Conversely, there was a 90% chance your proposal would never be audited and you would be able to finalize billing rates that were equal to your proposed final billing rates. DCAA would simply send a Memo to the cognizant ACO, and that would end the audit agency’s involvement in the process.
We know several, smaller, contractors who’ve already experienced that happy result. They’ve finalized rates and never had to go through an audit. Lucky them.
The reason for the change in audit approach, as our readers know all too well, is that DCAA wasn’t getting its job done. The backlog of unaudited contractor final billing rate proposals was growing and growing and growing, and so was the backlog of physically completed contracts awaiting closeout. DCAA’s implementation of audit milestone tracking and “streamlined” report reviews have not noticeably reduced the time it takes the agency to perform an ICS audit, which (at last report) was roughly four years per contractor proposal. Instead of reducing audit backlog through implementation of efficiency initiatives, DCAA reported that its backlog of ICS proposals actually increased over the past Government Fiscal Year.
While DCAA has kept to its key talking point that all will be well by the end of GFY 2016, the agency’s Director has also quietly admitted that DCAA ““has frozen hiring and will lose about 5 percent of its workforce, or 250 employees, this year.” That situation is not going to help DCAA catch up any time soon.
DOD’s answer to the intractable problem of the growing backlog of final billing rate proposals to be audited? Stop auditing so many submissions.
The not-so-hidden flaw in this cunning plan, as we told our readers in our original article discussing the new approach (first link above), was that the number of “low risk” submissions that met the criteria was going to be much lower than DOD leadership thought. We wrote—
… we think the number of contractor final indirect billing rate proposals that will actually be classified as ‘low risk’ is likely to be relatively low. The criteria DCAA has established for assessing a submission as ‘low risk’ are actually going to be tough for many companies to meet. For example, former DCAA Director Stephenson once testified that as many as two-thirds of contractor business systems were inadequate. If that testimony was accurate, then none of those contractors will have their final billing rate proposals assessed as being ‘low risk’ by DCAA. Thus, we expect that many contractors will see their submissions targeted for audit, regardless of the size of their ADV.
And we were right about that, as Government Accountability Office (GAO) reported. We discussed that GAO report right here. Among our discussion points, we noted that GAO had found that DCAA’s initial assessment of contractor proposals had resulted in more than half the submissions being classified as high-risk, meaning that a full scope audit would be required. In contrast to reality, DCAA’s initial planning has assumed that only about 20 percent of submissions would be found to be high risk. And this was in relation to contractor proposals with ADVs of less than $15 million.
What went wrong? GAO reported that the problem was that too many of the contractors submitting final billing rate proposals had no incurred cost history—and thus (pursuant to its own risk criteria), DCAA could not find those proposals to be low-risk.
Not to be stopped by this unfortunate reality, DCAA has recently revamped its risk criteria so that more contractor proposals can be passed with minimal or no audit testing being performed. In the words of the new DCAA audit guidance—
Policy performed an analysis of audits completed in FY 2013 to determine if our incurred cost sampling process is working in the most efficient manner to apply our limited audit resources to the audit areas with the highest risk. … Based on this analysis, we found that there was room for improvement. Therefore, adjustments were made to the questioned cost thresholds and the sampling percentages.
In addition, feedback from the field indicated that the current risk determination criteria requires revision to better allow auditors to use their professional judgment when determining if an adequate incurred cost proposal is high risk or low risk. Therefore, the risk determination criteria was modified, and the tools were updated to make it less of a checklist and more of a tool to assist the auditor in documenting the judgments they made in arriving at their final determination of high or low risk.
First, let us write (again) that we are in favor of more auditor professional judgment and discretion, and anything that introduces flexibility into the system is just fine by us. (Assuming of course that the auditors have appropriate experience and training so as to properly apply that professional judgment.)
Second, we don’t really care about the new criteria. We don’t really care that the “exception dollar” thresholds were raised so that more proposals can be found to be “low-risk”. That’s nice for DCAA. We don’t expect that very many contractors will be affected by the changes.
Third, it appears that DCAA may have backed off from the requirement that a previous full-scope ICS audit was required to be conducted before a contractor’s proposal could be determined to be “low-risk”. We may be reading between the lines a little bit, but we noticed that the revised audit guidance discusses “previous experience” with the contractor and does not expressly call out a full-scope ICS audit requirement. For example, the guidance says (for proposals with ADVs between $5 Million and $250 Million)—
For all proposals with $5 million - $250 million in ADV, consider the following significant risk criteria:
- Known significant fraud referral (Form 2000) applicable to the proposal fiscal year or the period in which the proposal was prepared
- Pre-award accounting system performed that resulted in an opinion of ‘unacceptable,’ or there are reported business system deficiencies relevant to the incurred cost year under audit
- No previous experience with the contractor such as voucher processing, forward pricing proposal, pre-award accounting system, etc.
- Specific relevant risk with the contractor that has material impact to the incurred cost proposal being assessed (i.e., significant CO/Auditor identified risk)
So it seems to us that DCAA has found a way to remove the key impediment to “risking-away” its backlog of contractor proposals to establish final billing rates. Instead of requiring a previous ICS audit, it now requires “previous experience” and has empowered the auditors to use their professional judgment to find that experience is relevant to the risk assessment.
If true, we expect that DCAA will be able to report good news to Congress in its next report. It will have significantly reduced its backlog of roughly 26,000 contractor final billing rate proposals awaiting audit. It will have accomplished this feat not be streamlining its procedures or redefining “GAGAS-compliant” audits. Instead, it will have reduced its backlog by finding innovative ways to classify proposals as being “low-risk” and, thus, avoiding the need to audit them.
NASA Proposes to Adopt DFARS Proposal Adequacy Checklist
We were dumbstruck to learn that the USPS OIG thought that the DFARS Estimating System adequacy criteria were “best practices” for designing an adequate estimating system. We were croggled to learn that DOE had decided to adopt the DFARS Business System compliance regime. We continue to believe that the DFARS business system adequacy criteria might be fine for a contracting environment that is willing to pay a nearly 20 percent price premium for such niceties, but that the criteria make little or no sense outside of such an environment.
What works for DOD should not be expected to work for civilian agencies—and there is considerable room for debate as to whether the Business System compliance regime actually works well for DOD. As we recently reported, the DOD Inspector General has expressed concerns with the ability of the Defense Contract Audit Agency (DCAA) auditors to conduct business system related audits in a timely fashion. Further, there is some question in our minds as to whether the adequacy criteria associated with Purchasing System adequately address taxpayer interests.
And now NASA has proposed to adopt the DFARS Proposal Adequacy checklist.
Why?
According to NASA rulemakers—
This proposed rule supports the NASA Assistant Administrator for Procurement's “Reducing Transaction Costs in NASA Procurements” initiative by incorporating the requirement for a proposal adequacy checklist into the NFS at 1815.408-70(c), and associated solicitation provision at NFS 1852.215-85, to ensure offerors take responsibility for submitting thorough, accurate, and complete proposals.
Yeah, sure it will. Forcing bidders to complete an onerous checklist is sure to reduce the overhead costs of those same contractors. Oh, wait! NASA doesn’t really care about the overhead costs of its contractors. Instead, NASA cares about “streamlining” its source selections so as to reduce “lead time.” Don’t believe us? Check this out.
Implementation of the DFARS Proposal Adequacy checklist will do neither.
NASA already has jumped on the DOD/DCAA bandwagon with respect to “risk-based” audits of contractors’ proposals to establish final billing rates (aka “incurred cost audits”). (See this memo.) And now the nation’s space agency wants to keep the momentum going by taking on the DOD/DCAA Proposal Adequacy checklist.
What do these two things—DFARS Proposal Adequacy checklist and acceptance of DCAA’s new approach to not auditing contractors’ claimed costs—have in common?
You guessed it: DCAA is what they have in common.
While DCMA is moving away from use of DCAA wherever it can, NASA seems to be cuddling closer and closer. Apparently NASA is so tied into use of DCAA that it is eager to adopt any initiative that DCAA proposes, regardless of whether the evidence supports a linkage between initiative and desired results. Pretty weird for a science-based agency, huh?
If you are a NASA contractor and want to submit comments regarding the proposed adoption of the DFARS Proposal Adequacy checklist, the link to the proposed rule (above) will tell you how to do so.
|
