Argy, Wiltse & Robinson, P.C.


10.24.11

"Contractor Business System - General Control"

by Sajeev Malaveetil

This article has been featured in the March 2012 issue of Contract Management Magazine.

This article is the first in a series focused on the increasing oversight and scrutiny of Government contractors’ business systems.  On May 18, 2011, the Department of Defense issued an interim rule amending the Defense Acquisition Regulation Supplement (DFARS) to address contractor business systems.  The interim rule will change not only how business systems are audited by the Defense Contract Audit Agency but also how contracting officers will handle contractors with disapproved systems resulting from findings of significant deficiencies within the systems.  The series will highlight audit issues that contractors will encounter during audits of their business systems.


The particular focus of this article is the importance of the general control environment, which, in addition to being a critical criterion for an acceptable Accounting System, can impact other Government audits.

Since the Defense Federal Acquisition Regulation Supplement (DFARS) Business Systems—Definition and Administration interim rule was issued in May of 2011, Government contractors have been trying to determine the impact that it will have on the way their systems and controls will be audited by the Government.  While the interim rule identifies and defines six business systems, each with its own set of criteria for adequacy, contractors should be aware that their overall control environment, including business ethics, will also be a focus of the Defense Contract Audit Agency’s (DCAA) audits of business systems.

The six business systems defined by the interim rule are those systems that have historically had a regulatory basis, within either the Federal Acquisition Regulation or DFARS, as business systems subject to contracting officer determinations of adequacy.  [See Table I]

Per the interim rule, contracts that include DFARS Clause 252.242-7005 Contractor Business Systems will be subject to the application of withholds in situations where a contractor has one or more inadequate business systems.
 

Table I

| Interim Rule “Business System” | Previously Existing Regulatory Requirement |
|---|---|
| Accounting System | FAR 16.301-3 Limitations |
| Estimating System | DFARS 215.407-5 Estimating Systems; DFARS 252.215-7002 Cost Estimating Systems |
| Purchasing System | FAR Subpart 44.3 – Contractor Purchasing Systems Reviews; FAR Clause 52.244-2 Subcontracts |
| Earned Value Management System | DFARS Subpart 234.2 Earned Value Management Systems; DFARS Clause 252.234-7002 Earned Value Management Systems |
| Material Management System | DFARS Clause 242.242-7004 |
| Property Management System | FAR Clause 52.245-1 Government Property Systems |

 

Prior to the changes to the DFARS to define business systems, the DCAA audited ten business systems at major contractors on a cyclical basis.  These audits, which the DCAA referred to as Internal Control Audit Planning Summary (ICAPS) audits, included the audit of a contractor’s Control Environment and Overall Accounting System.

Similarly, under the interim rule, the DFARS identifies the Accounting System as one of the six business systems.  The interim rule provides eighteen criteria necessary for the Accounting System to be deemed adequate.  One of the eighteen criteria is the requirement that contractors have “a sound internal control environment, accounting framework and organizational structure” (DFARS Accounting System - Criteria 1).[1]

For many contractors who have gone through ICAPS audits in the past, the audit scope, document requests and testing procedures performed during an Accounting System audit under the interim rule will look familiar. The changes that have been made to audit steps relate primarily to the inclusion of controls from previous DCAA ICAPS audits related to systems that are not identified in the interim rule – most notably controls previously audited under the Billing System, Labor System and Indirect and Other Direct Cost System ICAPS reviews.  The controls that have been introduced into the Accounting System as additional criteria are similar to the criteria used in pre-award surveys of contractors’ accounting systems.

Where contractors can expect to see a difference is in how the assessment of corporate governance and the overall control environment will impact the DCAA’s audit approach and scope for all DFARS business systems.  The level of testing (i.e., the combination of analytical procedures and detailed transaction testing) during business systems audits will be impacted by the assessed level of risk based on the auditor’s understanding and assessment of the overall control environment.  As such, one of the first audits that contractors can expect to go through under the interim rule will be one focused specifically on their overall control environment.

The approach being taken by the DCAA for the Accounting System audit, as it relates to Criteria 1, provides an increased focus on a Government contractor’s overall approach to corporate governance.  The approach assesses a contractor’s “tone at the top” to ensure it is one that instills ethics and controls throughout the organization.

Emphasizing the importance of strong corporate governance and related financial controls has been a focus of various Government regulatory agencies for almost a decade and is routinely reported to be one of the top priorities of corporate board members.  Corporate governance is commonly thought of as a set of processes, policies, regulations, rules, laws or other requirements that impact how a company is managed and controlled.  The focus on corporate governance is not new, but it has received renewed interest starting in 2001 as a result of a number of high-profile corporate scandals, which resulted in increased Federal regulations and oversight.

The Sarbanes-Oxley Act, specifically Sections 404 and 406, requires public registrants to place an emphasis on ethics and internal controls.  In much the same way that Sarbanes-Oxley shifted the focus of financial statement auditors to the testing of controls, the testing of Criteria 1 under the interim rule Accounting System is expected to shift the audit focus for the DCAA from detailed transactional testing to risk-based control testing.

The DCAA has historically emphasized a focus on controls; however, in practice, most of the work performed by the DCAA was heavily focused on substantive testing of costs.  In the past, to the extent that the DCAA audited controls, it was primarily through testing for the existence of policies, procedures and controls and not necessarily testing the implementation and effectiveness of the policies and procedures throughout a contractor’s organization.

In 2007, with the implementation of FAR Clause 52.203-13 Contractor Code of Business Ethics and Conduct, the impetus existed for testing controls, particularly those related to the overall control environment, framework and organization at a higher level.

FAR Clause 52.203-13 included several new regulatory requirements.  In addition to requiring that most contractors implement a code of business ethics and conduct, the clause also required that the same contractors maintain internal control systems to facilitate timely discovery of improper conduct in connection with Government contracts and to ensure prompt corrective action on any findings.  The clause required contractors to perform periodic reviews of their business practices, procedures, policies, and internal controls for compliance with their respective code of business ethics and conduct as well as compliance with “special” requirements of Government contracting.[2]  As a result of the Business Ethics and Conduct clause, contractors now had a regulatory requirement, which previously did not exist, for an overall control environment that included oversight of controls.

The increased focus on corporate governance resulting from the interim rule will test compliance not only with the business systems requirements but also compliance with the requirements of FAR 52.203-13.  This will require that contractors be prepared to demonstrate, during a DCAA audit, various elements of their control environment as summarized in Table II.

 

 

Table II

| Control Area | Control Objectives |
|---|---|
| Business Ethics | Existence of a contractor’s code of business ethics and conduct including communication and enforcement of ethics requirements; the existence of a functioning ethics compliance program; policies and procedures related to ethical conduct and disciplinary actions for improper conduct as well as training programs related to business ethics. Compliance with the requirements of FAR Clause 52.203-13, Contractor Code of Business Ethics and Conduct and FAR Clause 52.203-14, Display of Hotline Poster(s). |
| Management’s Philosophy and Operating Style | Written description of management’s philosophy and operating style (e.g., policies and procedures, narratives, and flow charts). Human resources policies and practices for hiring, retaining, training, classifying and promoting qualified, competent and adequately trained employees. |
| Organizational Structure & Assignment of Authority and Responsibility | Entity-wide organizational charts. Policies and procedures related to delegation of authority and segregation of duties and responsibilities for the accounting organization – particularly related to matters such as goals, objectives, regulatory requirements, accounting functions and authorization for changes. |
| Governance & Oversight | Board of Directors and Audit Committee Charters. Internal Audit charter, mission statement, or similar directive from management, to provide oversight of compliance with regulatory requirements and associated processes and controls to promote compliance. Internal Audit organizational chart that identifies an adequately staffed oversight function, which is independent from the financial accounting and reporting function, and reports to a high enough level within the organization to ensure that appropriate governance exists. |

Government contractors will be required to demonstrate that the policies, procedures and controls described above are operating effectively within their organization.  This may require demonstrating the effectiveness of a contractor’s code of business ethics and conduct; the independence, planning and reporting of an organization’s internal audit function; and the overall governance and oversight provided by a contractor’s Board of Directors, Audit Committee or similar functions.

In summary, in moving forward with the interim Business System rule, the Government is continuing a trend in corporate governance that has been in place for several years.  The elements of corporate governance, though not different than what contractors are accustomed to, will be viewed with an increased level of scrutiny for policies, procedures and controls related to the overall internal control environment, both at a business systems level and an organizational level. 

By assessing a contractor under Criteria 1 of the Accounting System, it can be expected that the DCAA will not only audit for the existence of the controls but also for evidence of the implementation and effectiveness of the controls throughout the organization.  A deficiency related to a contractor’s internal control environment, accounting framework and/or organizational structure will not only result in a determination of an inadequate Accounting System, it will also result in increased testing and scrutiny of all other applicable business systems as well as increased testing during other audits of the contractor that are not related to business systems, most notably audits of incurred costs, forward pricing rates and proposals.

As such, it is recommended that contractors consider an assessment of their overall control environment as one of their first priorities in preparing for business systems audits. 
 


[1] DFARS 252.242-7006(c)(1)

[2] FAR Clause 52.203-13(c)(2)
