• Increase font size
  • Default font size
  • Decrease font size
Home News Archive Internal Control Breakdown

Internal Control Breakdown

E-mail Print PDF

nci-logoIt is a recurring theme on this blog that internal controls are investments that pay for themselves. In fact, we often assert that internal controls have a return on investment that is easily quantifiable and shows that they are a very smart investment. Today, we return to that theme with further evidentiary support for our assertions.

We want to talk about NCI, Inc., a Beltway IT service provider that generates north of $300 million in annual sales. Revenues are 100 percent sales to the US Government. Defense and Intelligence Agencies make up 60% of sales, while other Federal civilian agencies make up the other 40 percent. 92% of revenues come from prime contracts. (Source: 2015 Annual Report.) You might say that NCI, Inc. is the quintessential government contractor.

NCI, Inc. is also a publicly traded company. It trades on the NASDAQ; ticker symbol NCIT. As such, the company is subject to the Sarbanes-Oxley Act of 2002, and is thus required to comply with Section 302 of that Act. Pursuant to Section 302, the 2015 Form 10-K included the following statement:

Management is responsible for establishing and maintaining adequate control over financial reporting. Management used the criteria established by COSO in Internal Controls—Integrated Framework (2013) to assess the effectiveness of our internal controls over financial reporting. Based upon the assessments, our management has concluded that as of December 31, 2015, our internal control over financial reporting was effective.

Further, pursuant to Section 404 of that Act, the 2015 Form 10-K included the following statement from the company’s auditors (Deloitte & Touche LLP)—

In our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 2015, based on the criteria established in Internal Control—Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission.

All of which is precursor to the very recent press release by NCI, Inc., announcing that it had begun an internal investigation into the actions of its (now former) controller. Let’s quote from the press release:

… based upon preliminary findings, [NCI, Inc.] has discovered that its controller, acting alone, embezzled money from the Company. The employment of the controller has been terminated, and the Company has commenced an internal investigation with the help of outside counsel and forensic accountants.

While the investigation is ongoing, the Company believes that its former controller embezzled approximately $18 million over the last six years. NCI is working with legal counsel and cooperating with federal authorities to determine the best course of action from a legal, regulatory and recovery perspective, and will provide further information as soon as practicable. …

Of the estimated $18 million of embezzled funds, the Company believes that approximately $5 million was taken during 2016 and the remaining $13 million was taken over the prior five years. The Company’s preliminary findings indicate that these funds were reflected as expenses in the Company’s financial statements. These expenses were treated as allowable indirect costs on its government contracts but should have been classified as unallowable costs. …

In addition, as part of the investigation, the Company is reviewing its internal controls over financial reporting. Although the investigation is ongoing, the Company believes that material weaknesses existed in its internal controls during the relevant periods during which the embezzlement occurred. As a result of these weaknesses, investors, analysts and other persons should not rely on management’s reports on internal controls over financial reporting or the Company’s independent registered public accounting firm’s audit reports on the effectiveness of the Company’s internal controls over financial reporting filed with the Company’s Form 10-K for the fiscal year ended December 31, 2015. The Company is implementing steps to strengthen its internal controls and to remediate the weaknesses that it has identified.

(Emphasis added.)

On the day that NCI, Inc. reported the news its share price dropped from a high of $13.95 per share to $12.50 per share, a decrease of more than 10 percent in one day. (It has since rebounded back to $12.65 per share, which is hardly good news to investors.)

This is clearly a disaster for the company. It cannot possibly reflect well on management or on the auditors. (We should note here that we don’t yet know how this scheme came to light. It might well have been discovered by management or by the auditors during their 2016 reviews.) The company may be facing shareholder suits as well as SEC fines and penalties. That internal investigation, which includes outside counsel and forensic accountants, is going to be expensive. Deloitte may have to face some tough questions from the PCAOB. It’s not going to be fun for anybody, to include the ex-controller, who may well end up facing criminal charges.

But that’s not the real problem here. The real problem is the government contract compliance issues that come along with this story.

The story in the press release is that the controller (allegedly) embezzled $18 million over a period of six years, and recorded the embezzled funds as allowable indirect expenses. Those allowable indirect expenses became the basis of the company’s billing rates. Those billing rates were used to prepare invoices to the US Government. (Remember, 100 percent of the company’s sales were to US Government Agencies.) Each one of those invoices was prepared with billing rates that were inflated (to some unknown extent) by imaginary allowable indirect costs—indirect costs that did not exist in reality. Thus, each one of those invoices submitted over a six year period is a potential false claim. This situation could end up being very expensive for the company (though we expect they will end up settling for some percentage of the liability).

Further, those rates were used to price contracts. Some of those contracts were firm, fixed-price. Thus, to some (unknown) extent, those firm, fixed-price contracts were priced using inflated rates. That means they were over-priced and should be adjusted downwards. That will be expensive.

But that’s not all.

In order to receive cost-type contracts, NCI, Inc., is required to have an adequate accounting system. DCAA may have performed a pre-award or post-award accounting system review on NCI, Inc.--it would be surprising if they had not done so. A company's accounting system’s adequacy is documented on a form SF 1408. According to the SF1408 (and DCAA's accounting system evaluation audit program) one of the key requirements of an adequate accounting system is to segregate allowable from unallowable costs. Thus, NCI just put its accounting system adequacy at risk. If the accounting system goes, the ability to win future cost-type contracts is at risk.

At a minimum, we expect DCAA to be making a number of visits to this contractor in order to evaluate the company’s internal controls and other procedures, in order to assess the risk of a future recurrence. The company may need to hire additional staff to support the audits.

We do not know how the controller executed his scheme. However, the fact that he got away with the scheme for more than five years points to one or more internal control weaknesses that existed despite management’s assertion to the contrary, and despite the external auditor’s independent review. It’s going to be very, very, expensive to remedy those weaknesses, to deal with investigators and auditors and attorneys, and to make the government whole from inflated bids and invoices.

As an alternative to the pain about to be experienced by NCI, Inc., may we suggest investing in making sure your company’s internal controls are top-notch?

In related news, on January 25, 2017, Lockheed Martin reported that “it expects to report a material weakness in internal control over financial reporting for Sikorsky Aircraft Corporation in its 2016 annual report at the end of February.” According to the report (link above), Lockheed Martin reported that—

… its management had determined that Sikorsky did not ‘adequately identify, design and implement appropriate process-level controls for its processes and appropriate information technology controls for its information technology systems.’ Its internal control over financial reporting was, therefore, ‘ineffective’ as of Dec. 31, 2016 …”

Readers may remember that LockMart purchased Sikorsky from United Technologies Corporation in 2015. When Sikorsky was part of UTC, the external auditors (PricewaterhouseCoopers LLP) did not report any material internal control weaknesses.

Internal controls: a wise investment in avoidance of many problems.

Think about it.

 

 

Newsflash

Effective January 1, 2019, Nick Sanders has been named as Editor of two reference books published by LexisNexis. The first book is Matthew Bender’s Accounting for Government Contracts: The Federal Acquisition Regulation. The second book is Matthew Bender’s Accounting for Government Contracts: The Cost Accounting Standards. Nick replaces Darrell Oyer, who has edited those books for many years.