DCAA Audits of Government Contractor Business Systems – Key Risk Mitigation Strategies to Promote an Adequacy Determination
Craig Stetson, Partner | Capital Edge Consulting, Inc.
The Defense Contract Audit Agency (DCAA) recently indicated as a 2019 agency initiative a significant increase in their dcaa audit efforts around contractor business systems. The DCAA’s renewed focus on performing contractor business system audits, is largely the result of the DCAA’s recent reduction in its prior and long-standing backlog of incurred cost proposal audits. The DCAA is responsible for oversight of three of the six contractor business systems, including accounting, estimating, and material management and accounting. Under this 2019 initiative, the accounting system will be the primary focus with a planned audit activity of nearly 1,000 audits. Estimating and material management and accounting system audits also are planned to increase significantly from the 2018 activity, however, nothing near the planned accounting system amount noted prior.
The DCAA’s 2019 plan to significantly increase their audits of contractor business systems appears aggressive (considering the level of effort required to perform these audits and the level of available DCAA resources). Contractors should take seriously potential or pending business system audits by the DCAA as the consequences for a determination of inadequacy by the government may be significant and include – i) monetary withholds pursuant to DFARS clause 252.242-7005, ii) loss or delay of contract awards, iii) reduced proposal evaluation scores in accordance with solicitation evaluation criteria (for example, Request for Proposal Section M), iv) increased government oversight across multiple fronts, and v) government CPARS (Contractor Performance Assessment Reporting System) recording of detrimental past performance ratings.
The following five key strategies are critical risk mitigation measures to enhance the likelihood of the government determining contractors’ business systems adequate and reduce contractors’ related compliance risks.
5 Critical Risk Mitigation Measures
1.Knowledge of Business System Requirements and DCAA Audit Objectives (Pre-audit phase)
The DCAA conducts business system audits utilizing specific standard audit programs and detailed audit guidance and procedures incorporated in their internal DCAA Contract Audit Manual (DCAM). The three business system specific standard audit programs and the DCAM are available for review on the DCAA website (www.dcaa.mil). The DCAA audit requirements, guidance, and corresponding procedures were developed for the purpose of a DCAA evaluation and corresponding audit opinion of a contractor’s compliance with the specific business system adequacy criteria incorporated in each of the applicable DFARS business system clauses – accounting (252.242-7006), estimating (252.215-7002), and material management and accounting (252.242-7004). A clean audit opinion will simply designate the contractor’s business system as adequate.
Contractors that do not perform under Department of Defense (DoD) contracts or do perform under DoD contracts not subject to the DFARS clauses noted above, are not contractually required to comply with the specific DFARS business system adequacy criteria. However, for business system audit purposes, the DCAA will nevertheless use these adequacy criteria as the baseline for their business system audit scope, objectives, and procedures. Simply stated, contractors are required to demonstrate and maintain compliance with the adequacy criteria and requirements of these clauses – whether or not the subject clauses actually are incorporated in contracts.
It is very important to understand the applicable audit scope, objectives and procedures that the DCAA will use to conduct their audit. Further, it is equally or more important for contractors to clearly identify and articulate their specific key internal controls that satisfy the corresponding audit objectives and procedures. Understanding the overall audit expectations and responsibilities, as well as existing internal business process capabilities will greatly assist with critical audit preparation, identification of required functional personnel, and gathering of applicable supporting information and documentation. Further, an adequate and working level understanding of the audit process should enhance its efficiency and effectiveness, while mitigating contractors’ compliance risk, potential misunderstandings with the DCAA and incorrect or inaccurate audit conclusions.
2. Due Diligence and Self-Assessment (Pre-audit phase)
Contractors are strongly encouraged to perform due diligence procedures in advance of a DCAA business system audit. The due diligence is commonly performed as an audit readiness measure and in the form of a business system self-assessment. This frequently is the most important aspect of the entire audit.
A meaningful self-assessment (mock audit) of a contractor’s business system entails a detailed analysis of the DCAA audit objectives and related business system adequacy criteria compared to the contractor’s current business system structure and capabilities. This two-phase (Phase I – adequacy of business system design; Phase II – business system operating effectiveness) gap analysis is critical for contractors to understand and identify potential compliance risks and areas of audit findings due to deficiencies noted related to the adequacy of the business system design and/or its operating effectiveness. A risk assessment approach may also be used where known elements of potential compliance risk may receive additional focus during the self-assessment.
The self-assessment approach and procedures should closely align with the actual DCAA audit. Contractors should utilize the DCAA audit program as a starting point for purposes of identifying required written documentation and existing key internal controls that will be required during the course of the audit. Another useful tool during the self-assessment phase are the business system specific internal control matrices. The DCAA created these matrices years ago and they provide a thorough analysis of the business system control objectives and anticipated DCAA audit procedures. These matrices are no longer posted on the DCAA’s website; however, are still around and are very useful for purposes of mapping written policy and procedure documentation and internal controls to the corresponding business system requirements and related control objectives. The overall self-assessment process should be clearly documented with i) an audit trail of the written internal control and business process mappings to the business system requirements (Phase I); and, ii) the scope and results of detailed transaction test plans or file reviews (Phase II). Deficiencies noted during the self-assessment should be reported to management and corrected and required and missing written policy and procedure documentation developed to demonstrate to the government that the contractor maintains an effective monitoring process as required in all the business systems.
Contractors should invest in the resources required to adequately perform the self-assessment and use the completed and documented self-assessment for business system demonstration purposes to the government.
3. Business System Demonstration (Audit planning and risk assessment phase)
The business system demonstration phase is another critical element of the overall audit process as it provides contractors an opportunity to communicate to the government the adequacy and operating effectiveness of their business systems. A well conducted demonstration should leave the government with a sense of confidence regarding a contractor’s overall state of compliance around the business system. This, in turn, may result in reduced audit scope or the government’s decision not to perform the audit at all, if the government determines the contractor to be low risk from an audit perspective.
During the demonstration, contractors should present a thorough overview of the applicable business system capabilities, relevant written policy and procedure documentation, key internal controls and business process flows. Furthermore, contractors should demonstrate effective and ongoing monitoring of programs as well as employee training requirements and initiatives.
Effective documents used during the demonstration should include:
- An overview of the relevant business system written documentation; including policies, procedures, and process flows
- A complete mapping of the contractor’s written internal controls and business processes to the DFARS business system clause requirements and the corresponding DCAA standard audit program (frequently included in and presented through a well documented internal control matrix)
- Evidence of ongoing monitoring activities (transaction testing or file reviews) and corresponding corrective actions and reporting to management, as applicable
Contractors should invest in the time required to gather the critical documents to be used during the business system demonstration and allow adequate preparation to enhance the likelihood of an effective outcome.
4. Documentation and Access to Records (Audit fieldwork phase)
Sufficient documentation is the single most important factor for contractors to achieve an adequate business system determination from the government. Sufficient documentation comes in two forms – i) written internal controls and business processes (policies and procedures) and ii) audit evidence related to transaction testing or file reviews.
Use of electronic formats of original documents for record keeping and audit purposes is an acceptable procedure provided certain document imaging requirements are adhered to in accordance with Federal Acquisition Regulation (FAR) Part 4.
Contractors should maintain a complete list of requested and provided documents throughout the audit. This list should also describe, in adequate detail, the nature and content of what was requested and provided, who provided it, and when. Likely, this list would be maintained by the contractor’s designated internal point of contact. This procedure is important for obvious reasons, however, should during the course of the audit, the DCAA challenge the sufficiency or completeness of the documentation provided it will be helpful to review this list to demonstrate to the DCAA that the documentation was provided and is adequate. Additionally, a complete list of interviews or discussions between the government and contractor personnel should be maintained – again, likely by the internal point of contact.
Contractors should ensure during the due diligence and self-assessment phase that sufficient documentation exists to support an audit. Simple verbal acknowledgement during an audit that a procedure was performed, for example, likely will not be deemed as adequate to the DCAA and may result in adverse audit conclusions or noted deficiencies in the business system.
5. Communication Protocols (Pre-audit, audit, and post-audit phases)
A DCAA business system audit is frequently intense and of an extended duration. These audits may be active for a few months to more than one year. Effective communication is critical during these audits to minimize misunderstandings and inaccurate audit conclusions.
Unfavorable or inaccurate audit conclusions are frequently the result of poor communication between the DCAA and the contractor. To reduce the risk of information being “lost in translation”, it is highly recommended that communication procedures and schedules (at least in a tentative sense) be developed where both parties can actively and effectively communicate audit objectives, challenges, progress and results. Participation in these communications and status briefings should be agreed upon up front and adhered to by both parties. The DCAA is required to conduct an entrance conference and are also encouraged to provide interim and exit conferences pursuant to their audit guidance (DCAM 4-300). If effective communication protocols are enacted, the likelihood of audit “surprise findings” should be greatly reduced or become nonexistent.
- Entrance Conference – Contractors should insist on a thorough entrance conference to obtain an understanding of the audit objectives, scope and procedures; anticipated timeline; internal resources required; types of data and information required; and any foreseen challenges known at that time e.g., unavailable personnel, remote site access or visits, availability and retrieval of records, etc. The audit scope and focus areas should be clearly identified with discrete elements or items for which the DCAA will have access and the contractor responsibility to support.
- Interim Conferences – Interim conferences are also very important as they provide an exchange of information between the DCAA and the contractor regarding progress of the audit, problems or challenges encountered, findings and issues, open items, and remaining effort and completion requirements. The DCAA should provide initial audit findings and contractors should be privy to the DCAA’s rationale to allow internal assessment as to the merit of the findings.
- Exit Conference – Contractors should insist on a thorough exit conference to discuss and understand all audit findings. Contractor management and applicable functional personnel and the DCAA supervisor should attend the exit conference. Prior to the meeting, contractors should carefully review the draft report and seek clarifications or corrections as needed.
To reduce the risk of misunderstanding, misinterpretation, and memory loss it is very important to document all formal communications, status meetings, conferences, etc. This documentation should be developed by a single source within the contractor and summarized in a meeting minutes format and subsequently provided to all in attendance.