Purchasing System Controls
Contractors that generate more than $25 million in sales to the Federal government via cost-type contracts or sole-source fixed-price contracts (including modifications thereto) are eligible to receive a visit from DCMA functional specialists who will perform a Contractor Purchasing System Review (CPSR). The objective of a CPSR is “to evaluate the efficiency and effectiveness with which the contractor spends Government funds and complies with Government policy when subcontracting.” (Ref. FAR Subpart 44.3.) Special CPSR focus areas include—
(a) The results of market research accomplished;
(b) The degree of price competition obtained;
(c) Pricing policies and techniques, including methods of obtaining certified cost or pricing data, and data other than certified cost or pricing data;
(d) Methods of evaluating subcontractor responsibility, including the contractor’s use of the System for Award Management Exclusions (see 9.404) and, if the contractor has subcontracts with parties on the Exclusions list, the documentation, systems, and procedures the contractor has established to protect the Government’s interests (see 9.405-2);
(e) Treatment accorded affiliates and other concerns having close working arrangements with the contractor;
(f) Policies and procedures pertaining to small business concerns, including small disadvantaged, women-owned, veteran-owned, HUBZone, and service-disabled veteran-owned small business concerns;
(g) Planning, award, and postaward management of major subcontract programs;
(h) Compliance with Cost Accounting Standards in awarding subcontracts;
(i) Appropriateness of types of contracts used (see 16.103); and
(j) Management control systems, including internal audit procedures, to administer progress payments to subcontractors.
Astute readers looking at the CPSR focus areas above might notice a curious omission. It’s difficult to discern where the DCMA functional specialists would evaluate a contractor’s internal controls that would mitigate risks of corruption. For example, where is the evaluation of the contractor’s controls that act to prevent receipt of bribes and kickbacks by personnel involved in purchasing?
That’s where DCAA comes into the picture. DCAA auditors can perform additional testing of the contractor’s internal controls related to its purchasing system—at least in theory. In fact, the DCAA has prepared an internal control matrix that can be a useful tool for contractors seeking to assess their purchasing system internal controls. In theory, DCAA can either perform its audit procedures as part of the CPSR team, or on its own (based on its perception of risk).
We say “in theory,” of course, because DCAA doesn’t, as a rule, actually perform audits of contractors’ purchasing system internal controls in the current environment. Reviews of contractors’ business systems are not the highest priority for the Pentagon’s audit agency at the moment. Such audits have fallen to the bottom of the in-box in the same way that post-award “defective pricing” reviews have slipped in priority, and in the same way that Disclosure Statement adequacy reviews have slipped in priority. (That’s not to say that no such reviews are being performed; but it’s fairly clear that the number of such reviews has dropped precipitously, such that there is a very low probability that your company will experience one in the near future.)
The Department of Defense has thus effectively ceded purchasing system internal control testing to the contractors. It is up to the contractors to both establish their internal control systems and to test them for efficacy. And in times of budgetary pressure, should we be surprised if contractors decide that they have more important investments for their overhead dollars? Should we be surprised if contractors decide to cut back, or to forego altogether, the kind of internal reviews and testing procedures that would tend to ferret out employee wrongdoing—such as those that would detect corruption by personnel involved in purchasing?
The thoughts above may provide some context for a recent news story, reporting that a former Boeing “procurement officer” and three vendors were indicted by a Federal grand jury for mail and wire fraud “stemming from a bribery and kickback scheme involving Boeing military aircraft parts.” According to the news report—
Boeing Procurement Officer Deon Anderson allegedly provided J.L. Manufacturing, a Washington-based aerospace job machine shop, non-public competitor bid information and historical price information in connection with multiple Boeing military aircraft part purchase order requests. That information was used in bids submitted by J.L. Manufacturing to Boeing for approximately nine different Boeing parts requests - of those nine, J.L. Manufacturing was awarded seven, totaling more than $2 million. In exchange for the information, J.L. Manufacturing's Robert Diaz and Jeffrey Lavelle made cash payments to Anderson in St. Louis and California.
In addition, the indictment states that another Boeing sub-contractor, William Boozer, the owner and operator of Globe Dynamics, asked Anderson to provide non-public competitor bid information and price information in exchange for cash payments. Anderson gave Boozer information for bids on behalf of Globe Dynamics for approximately 16 different Boeing requests. Of the 16 bids, Globe Dynamics was awarded seven purchase orders to supply U.S. military aircraft parts to Boeing - totaling more than $1.5 million.
Boeing is reportedly cooperating with the prosecutors, as well it should. We’d like to think it was Boeing’s vigilance that detected the alleged wrongdoing, but we have our cynical doubts. Consequently, it behooves Boeing to cooperate fully, lest allegations of lax oversight and lack of controls lead it to an unwanted membership in the five percent withhold club.
The thing is, it shouldn’t have been that difficult to detect the alleged corrupt arrangement. While it may be possible that a single bidder might win seven of 16 competitions, having another vendor win seven of nine competitions should have raised some eyebrows. That kind of win ratio might well be considered to be a risk indicator for corruption within the purchasing function. It would seem fairly easy to mine procurement system data for such anomalies. (And again, for all we know, that’s exactly what Boeing did.)
Given the Government’s seeming retreat with respect to testing contractor purchasing system anti-corruption controls, it’s more important than ever for contractors to implement data mining and other, relatively inexpensive, techniques that act to detect employee wrongdoing. If nothing else, such controls will tend to keep embarrassingly news reports to a minimum.
SBIR Phase II Contractor Must Comply with CDA
We have often provided counsel to contractors who have Small Business Innovation Research (SBIR) programs, as they transition from the firm fixed-price contract type of Phase I into the cost-reimbursement contract type of Phase II. That transition requires planning and, almost always, a significant change in the way in which the business is managed. Too many small business contractors cannot make the necessary changes and, as a result, end up in a dispute with their government customers.
For one example of the foregoing, see the hard-to-believe case of PHI Applied Physical Sciences, Inc., which we discussed right here. For another example, take a look at our article on Inframat. For a third example, consider the hard lesson learned by Thomas Associates, Inc.
As we considered the challenges for a small business faced with the transition into cost-type contracting we found the entire topic to be depressing, so depressing that we wrote about the sad situation and noted that the House Armed Services Committee (HASC) had similar concerns about the environment in which small business defense contractors operated.
Now we have another example to add to the stack of sad stories: the appeal by Sperient Corporation of “DCAA’s failure to reimburse Sperient for direct and indirect costs,” which Sperient characterized as being breaches of contract. According to Judge Braden, “Sperient seeks $632,765 in damages of for indirect costs incurred in fiscal years 2007 through 2011 and $168,750 for direct costs related to the leased radar range incurred in fiscal years 2007 through 2010, for a total of $801,515.”
The issues first arose in September, 2012, when DCAA “disallowed indirect costs incurred.” Even though Sperient provided DCAA with “additional details supporting the direct costs incurred,” DCAA “took no action” and in March, 2013, Sperient filed its complaint at the U.S. Court of Federal Claims (CoFC).
“Now wait a second,” we hear you saying, “since when does DCAA get to make the final decisions in cost disallowances, and since when does a contractor get to file a complaint without going through the contracting officer?”
Indeed, the record seems to be murky, because Judge Braden did not see fit to explain DCAA’s role in the direct and indirect cost disallowances. All we know is that “The Military Departments … refused to reimburse various costs incurred by Sperient…” presumably based on the DCAA audit report or reports.
With respect to your second question, Judge Braden pondered the same issue. He concluded the CoFC lacked jurisdiction to hear Sperient’s case, because “the court has determined that the SBIR Phase II contracts in dispute are best construed as procurement contracts that require Sperient to obtain a final decision by the responsible CO, pursuant to the Contract Disputes Act.”
The thing of it is, Judge Braden acknowledged that Sperient’s arguments and precedents were “persuasive” even if ultimately not sufficient to win the argument. Sperient’s counsel, who was very knowledgeable about government contract matters, provided a strong showing that, in other (distinguishable) circumstances, a SBIR award had been found to be other than a procurement contract, and thus the procedural requirements of the Contract Disputes Act would not be applicable. Unfortunately for Sperient, however, its strong arguments did not prevail and the case was dismissed (without prejudice).
Now Sperient needs to go back to its contracting officer and get a final decision, which it must then appeal (again) before a court. Seems like a painful re-do, but if you’ve been reading our blog articles, then you know that the courts strictly construe the CDA’s requirements.
The lesson to be learned here is that it’s really not going to be possible to short-circuit the procedural requirements when you decide to take on the U.S. Government in a contracting dispute. As painfully long and expensive as the process is going to be, if you want to have your day in court, then you need to be prepared for it.
|
Giving Auditors Real Time Access
For several years DCAA leadership has grumbled about contractors’ failure to give them online and real time access to accounting data. For example, in its GFY 2012 Report to Congress, DCAA stated—
Read-only access to the contractor’s books and records would greatly assist DCAA to effectively plan and perform all of the audit effort at a contractor location. This is especially important at contractors with highly complex Enterprise Application Integrations environments and Enterprise Resource Planning systems.
Contractors are increasingly generating and storing accounting data and records in a digital environment. Whether it’s an Electronic Timecard System, an Electronic Management Records system storing invoices/vouchers, or an automated General Ledger journal entry posting and reconciliation of accounting records within an enterprise accounting system, original accounting source data and records have become increasingly developed and available solely within electronic environments and formats. DCAA has always maintained that direct access to contractor original accounting ‘books of entry’ or source records, whether manually or electronically generated, is authorized under FAR 52.215-2 Audit and Records—Negotiation. Nonetheless, many contractors have denied DCAA the read-only access to their electronic accounting systems data. Accessing these source records is necessary for DCAA to efficiently perform its audit mission and support the Contracting Officer.
Specificity of the authority for direct and online access to contractor’s data would improve both the audit and DCAA’s ability to support the Contracting Officer. For example, direct, read-only online access would allow DCAA to respond more quickly to contracting officers because we could obtain the necessary data directly rather than having to repeatedly request the data from a contractor representative. Furthermore, the access would decrease the amount of costs and personnel resources needed by contractors to support audit requests for data. In addition, online access would advance DCAA audit efforts by allowing real time contract cost monitoring and continuous risk analysis, including the use of advanced data analytics. DCAA is continuing to determine what specific legislative proposal is necessary to ensure that DCAA has appropriate access to a contractor’s online data.
Permit us to respectfully disagree with the foregoing. We disagree with both the premise and conclusions put forth in the official report from DCAA to the U.S. Congress.
We disagree with the foundational premise that the contract clause 52.215-2 grants to DCAA auditors the right to access contractors’ electronic systems—including systems on which accounting data are stored—at their discretion and without limit. Indeed, a review of the clause language indicates that DCAA does have broad access, but certainly not unfettered access. For example, the clause grants DCAA access to the contractor’s physical plant—but only the parts of the plant “engaged in performing the contract” and only at “reasonable times.” Consequently, it seems unlikely that a court would interpret that clause as granting DCAA open access, 24 hours per day, seven days per week, into a contractor’s accounting system, to include those aspects of the accounting system unrelated to government contract costs.
Moreover, we disagree with the notion that online access to contractors’ accounting systems would permit DCAA auditors to “respond more quickly” or increase efficiency. We disagree with the implicit accusation that contractor audit liaison personnel are unresponsive to DCAA audit requests (“repeatedly request the data”). And we certainly disagree with the conclusion that, if DCAA had unfettered online real time access to contractors’ accounting systems, then those contractors could lay off their audit liaison personnel (“decrease the amount of costs and personnel resources needed by contractors to support audit requests”). We disagree with essentially every single word written by DCAA leadership to Congress.
We disagree because our experience has proven otherwise.
Now, we need to be careful here, because of client confidentiality. But following are some general statements based on our first-hand experience.
-
Modern ERP accounting systems are expensive, complex, and difficult to learn. In order to learn the contractor’s individual, customized, implementation of Oracle Financials, PeopleSoft, SAP R/3 or whatever, employees often have to take multiple classes spanning many hours if not weeks of training. These multi-segment systems don’t come out of a box; nor are they birthed, like the goddess Venus, fully formed and riding in a seashell. So who’s going to train the DCAA auditors in the nuances of the contractor’s ERP? The contractor? Don’t be ridiculous. Show us that requirement in a contract clause; we are confident you will not be able to do so. (Truth be told we know of at least one contractor who’s spent tens of thousands of dollars training DCAA auditors in accessing its ERP system. The problem is that the auditor staff doesn’t stay the same, auditors forget how the system works because they only access it every so often, etc. Thus, the contractor spends more money every year retraining DCAA auditors.)
-
Modern ERP accounting systems have rigorous security features, including individual roles, rotating passwords, and automatic account disablement based on too many login errors or a failure to access the system within a given time period. For example, if a registered user doesn’t access the system at least once every six or eight weeks, then the account is disabled. Thus, if an auditor doesn’t access the system every so often, then the account may be disabled and the auditor will be prevented from accessing the system thereafter, until the account is reset. In order to get the account reset, the auditor will have to call the contractor’s IT Security function. How will the auditor get the name/number of the right person to call? Don’t say the auditor should call the contractor’s audit liaison personnel, because they were laid off when DCAA was given their system access. The fact of the matter is that where DCAA auditors have been given access to contractors’ ERP systems, the contractor will subsequently spend a not-insignificant amount of time maintaining that access on behalf of the auditors. In other words, giving DCAA auditors access to the accounting system costs more money, not less.
-
When DCAA auditors have been given access to contractors’ accounting systems, a new problem emerges. Suddenly, the auditors’ system reports don’t tie to the contractor’s reports, and now it is the contractor’s job to reconcile the two versions of the report. In other words, now the contractor has to diagnose the errors made by the auditor in running the report. So instead of giving DCAA access leading to a reduction in contractor audit support personnel, the reverse is actually true—the contractor has to add personnel who can review DCAA’s methodology and explain where the errors were introduced. (Yes. This presupposes the errors were on DCAA’s side. That’s not always the case; but it is the case in about 90% of the discrepancies we’ve seen.) Further, notice who is now performing the analyses and reconciliations: it is no longer the auditor and is now the auditee. Ironic, no?
DCAA leadership would like Congress and others to believe that DCAA’s inability to access contractors’ accounting systems in real time is a significant impediment that delays audits. That assertion is demonstrably wrong. Experience has shown that, the more access auditors are given, the more problems are created, the more work is generated for contractor support personnel, and the longer the audits take. Experience has shown that the most efficient way for DCAA auditors to get the accounting information they need for their audits is to simply and clearly request it from the contractor’s personnel who are trained in the system and know how to extract it.
DCMA Moves Forward Without DCAA
In another one of those “we told you this was happening and now it has come to pass” sort of things, we report today that—in the words of DCAA leadership—“DCMA policy will now encourage completion of Forward Pricing Rate Recommendations (FPRR) within 30 days of Forward Pricing Rate Proposal (FPRP) receipt and to start Forward Pricing Rate Agreement (FPRA) negotiations within 60 days.”
What does that mean?
Well, we think it means that DCMA is tired of waiting for DCAA to complete its audits before entering into negotiations with the contractors.
That’s not to say that DCAA is solely to blame for the inability of the government to enter into FPRAs. DCMA has to bear some of the blame as well, since its process for approving FPRA negotiations is bureaucratic in the extreme. But the fact of the matter is that DCAA’s insistence on “GAGAS-compliant audits,” coupled with a new focus on accomplishing MAAR testing during routine audits (such as FPRA audits), has led to a situation where DCAA is simply unable to complete its audits in time to support DCMA’s negotiations.
Consequently, DCMA has issued new policy guidance that “emphasizes that the input of all technical specialists (including DCAA) is not required to complete the process unless it is necessary to close a critical gap of information. “ Let’s repeat that for emphasis: input from DCAA is not required anymore.
We learned of this change from DCAA itself, via issuance of a new MRD.
What else did we learn from the new DCAA MRD? We also learned that DCMA thinks it can move forward without DCAA because “DCMA is growing their cost monitoring function” and “DCMA believes that the FPRP audit should confirm information acquired during the cost monitoring process.”
Interestingly, the MRD tells DCAA auditors to keep on performing those FPRA audits, even though DCMA won’t be relying on them anymore. First of all, the MRD tells DCAA auditors to support DCMA audits by communicating “known audit issues” during DCMA negotiations. (This despite those known issues not being supported by any type of GAGAS-compliant conclusions.)
Second, the MRD tells DCAA auditors to issue their report despite the fact that an FPRA has been executed, so that the DCMA contracting officer can use the report’s findings to enter into a new (we assume more favorable to the government) FPRA. We can’t speak for all contractors, but we suspect that if the government wants to rescind the just-executed FPRA and implement lower billing rates, the contractor is not going to feel as if the government negotiated in good faith.
Furthermore, by the time DCAA issues its GAGAS-compliant audit report, we bet the contractor will have already submitted a new Forward Pricing Rate Proposal (FPRP), mooting DCAA’s findings to a very large extent.
This DCAA MRD may be the beginning of the end for the entity that once was inarguably the Federal government’s premier audit agency. If DCMA will no longer be relying on DCAA for Forward Pricing Rate input, where else can they do without the auditors?
One answer to that question comes from Redstone Consulting. In the firm’s recent blog article, it reported that—
… DCMA has started hiring auditors away from DCAA to perform, among other things, CAS disclosure statement reviews. DCMA says they don't need a GAGAS compliant audit to make a determination of adequacy. They only need enough information to make an assessment. … Of course one of our other former DCAA Managers is right with his assessment after I informed him of this latest blow to DCAA’s credibility. DCAA Management probably wouldn't object. With the agency’s apparent single-minded goal of increased dollars audited with corresponding savings as evidenced in emphasized remarks in reports to Congress and other statements (i.e. $6.5 to $1 ‘ROI’), DCAA wouldn't mind getting rid of this apparent ‘non-value added’ effort. Since they don't count towards dollars audited and they don’t contribute to cost questioned or ROI, why do them?
Is this the beginning of the end for DCAA? Lord knows we’ve predicted it before. So let’s not rush into any conclusions.
But it’s tough to argue that DCMA has not made a profound change to its FPRA negotiation approach by deciding to move ahead without input from DCAA. It’s a message to DCAA leadership from its single largest customer. One wonders where DCMA found the courage to make such a fundamental change.
In completely unrelated news, we heard through sources that Mr. Charlie Williams, Jr., Director of DCMA, has announced his impending retirement effective December, 2013.
|
