Publications
09.07.10
The Perfect Storm - Discussion of Changes to DCAA Guidance Related to Internal Control Audits
by Cara Perrone and Sajeev Malaveetil
Over the past year and a half, the Defense Contract Audit Agency ("DCAA") has issued several guidance memoranda to its staff pertaining to business systems audits. Business systems include accounting systems, purchasing, estimating, billing and six other major areas. This guidance has resulted in a change in scope of DCAA audits, a change in direction related to internal control audits and an increased significance of limited scope audits. Collectively, the various guidance memos have resulted in a number of potential implications to Federal Government Contractors.
Concurrent to the DCAA's guidance memos, changes have been proposed to the Defense Federal Acquisition Regulation Supplement ("DFARS") that could potentially overhaul the business systems controls landscape. Contractors should be aware of the current audit environment related to business systems. This article summarizes these recent DCAA guidance memos related to business systems and the ramifications of the new audit guidance on Federal Government Contractors.
Background
Historically business systems have been audited by the DCAA and other Government audit agencies to assess risk and to determine the extent of substantive testing required during the audit of a Contractor’s incurred costs, invoices, and/or proposals. Traditionally, the DCAA has identified ten business systems that per DCAA policy, are to be audited at all major Contractors on a cyclical basis. In the past, the audit expectation was once every 3 years. In reality, many of these systems would go unaudited for a much longer period of time.
Many of the business systems, including Accounting Systems and Estimating Systems, have a regulatory basis for audit review either within the Federal Acquisition Regulation (“FAR”) or DFARS. Others, such as IT Controls and Labor Systems have no regulatory basis for audit, but have been audited based on the DCAA's requirements and responsibilities for obtaining and documenting an understanding of a Contractor's internal controls and for assessing control risk as a basis for planning related audits. 2
Contractors and Subcontractors are often required to provide status of the adequacy of their systems, as determined by the Government, as part of responding to a Government or Prime Contract solicitation. Contractors and Subcontractors lacking adequate system determinations would be considered high-risk and the Government or Prime Contractor would be expected to consider this increased risk during the source selection process.
Prior to December 2008, all DCAA business systems audits would result in a report with three possible audit determinations:
- The system is adequate;
- The system is inadequate; or
- The system is inadequate in part.
The inadequate in part finding would typically be associated with instances where a Contractor had relatively minor audit findings.
New DCAA Guidance – Internal Control Audits
Change in Audit Opinions
On December 19, 2008, the DCAA issued Audit Memorandum 08-PAS-043(R) to its auditors. The guidance represents a significant paradigm shift for DCAA business system audits. Per the guidance, the DCAA no longer issues “Inadequate In Part” audit opinions related to Contractors’ systems. Audit reports on Contractors’ internal controls systems that report any significant deficiency or material weaknesses now result in an opinion that the entire system is inadequate.
As currently defined, a significant control weakness/material weakness is an internal control deficiency that: (1) adversely affects the Contractor’s ability to initiate, authorize, record, process, or report Government contract costs in accordance with applicable Government contract laws and regulations; (2) results in a reasonable possibility that unallowable costs will be charged to the Government; and (3) provides for the potential unallowable cost to be material.
In its new guidance, the DCAA suggests that a Contractor’s failure to accomplish any internal control objective could ultimately result in cost mischarging or unallowable costs charging to Government contracts, even if the control objective does not have a direct relationship to cost charging under Government contracts. An example is the ethics and integrity control objective. While ethics and integrity are not directly related to charging costs to Government contracts, the Contractor’s failure to accomplish the control objective creates an environment that could ultimately result in mischarging to Government contracts. DCAA can issue “inadequate” finding, even if they cannot demonstrate actual questioned costs and thus a significant deficiency or material weakness.
When deficiencies are found, auditors have been advised that the audit report should identify any portions of the system affected by the deficiencies. The new guidance instructs auditors to recommend that the Contracting Officer disapprove the entire system and pursue suspension of a percentage of progress payments or reimbursement of costs in accordance with the procedures in DFARS. 3
The DCAA has not updated its audit plans to reflect the pass/fail audit approach; hence, a failure to meet a single control objective could result in an overall inadequate finding of the system and could potentially impact contract awards and/or trigger payment withholds.
Change in Direction for Internal Control Audits Related to Systems
On October 22, 2009, the DCAA issued memorandum 09-PAS-021(R), which provided new guidance relating to the relevance of system audit opinions and the DCAA’s audit priorities for 2010. Several months later, the DCAA issued memorandum 10-PAS-005(R), dated February 18, 2010, which established new guidance relating to the scope of follow-up audits. The shift in audit approach mandated by these two memorandums also has significant implications to Contractors.
Per the DCAA’s October 2009 memorandum, each relevant accounting or management system that has a significant impact on Government contract costs continues to require audits on a cyclical basis. Under the new guidance, the DCAA stated policy is to audit the systems every two to four years, based on assessed risk, but no less frequently than every four years.
Even if a Contractor has a current system audit opinion, the guidance directs DCAA auditors not to rely on those opinions when a Contractor significantly changes the system to which the audit opinion relates. The memorandum also indicates that the DCAA’s system audits for the fiscal year 2010 will be limited to audits of Contractor’s accounting and billing systems.
The February 2010 DCAA guidance memo discusses the scope of follow up audits. The guidance suggests that follow up audits should be performed to verify the Contractor’s correction of previously reported internal control deficiencies. This is not a significant departure from prior DCAA practices. However, follow up audits will no longer carry an opinion on the adequacy of a Contractor’s system. Instead, follow up audits are to be limited to determining if the Contractor corrected previously reported deficiencies. If the follow up report opinion indicates that previously reported deficiencies have not been corrected, the guidance directs DCAA auditors to recommend that the Contracting Officer pursue or continue the suspension of the percentage of progress payments or reimbursement of costs and, if applicable, disapprove the affected portions of the system. If the DCAA determines the deficiencies have been corrected, the previous inadequate audit opinion will be deemed not current. The inference is that a full system internal control audit would be required to ultimately deem a system adequate. Also, under the new guidance, Contractors who previously had their systems determined to be inadequate and who subsequently correct the audit deficiencies face the potential of having no documented adequacy determinations.
It appears it is now the Administrative Contracting Officer’s (“ACO”) responsibility to issue a separate adequacy determination based on interpretation of two independent audit reports – neither of which will declare the system adequate. It is unclear at this point whether the Defense Contract Management Agency (“DCMA”) or ACO’s have begun doing this. Accordingly, in responding to Government requests for proposals or Prime Contractor requests related to the adequacy of its systems, Contractors will face the risk of no longer being able to state that their system is adequate.
As an alternative, ACOs could request the DCAA perform follow-up audits. However, because the DCAA has limited its’ audit priorities to the aforementioned systems (accounting and billing), the risk exists that Contractors with dated audit opinions will not have the audits performed in a timely manner. This could as well impact the potential awards of new contracts and subcontracts.
Limited Scope Audits
On December 19, 2008, the DCAA also issued memorandum 08-PAS-041(R), which addresses circumstances where internal control deficiencies are identified in audits other than full internal control audits. The guidance has the effect of greatly increasing the importance of limited scope audits. Additionally, the guidance potentially increases Contractors’ exposure to having their systems deemed inadequate.
Under memorandum 08-PAS-041(R), DCAA auditors have now been directed to issue a flash report, which is a report providing highlights of key information, to the principal cognizant ACO and Procurement Contracting Officer (“PCO”), when internal control deficiencies are identified in circumstances other than internal control audits. This has the effect of bringing any deficiencies realized to the Contracting Officer’s attention much sooner than waiting to note a deficiency in a full audit report.
The Contractor will have seven days to comment on the flash report and if they fail to do so, the flash report would be issued without Contractor comments, noting in the report that the Contractor failed to respond within the time provided.
In addition to a flash report, the guidance dictates that a separate limited scope audit assignment be established to review the Contractor’s control activities related to the applicable control objective under question. A limited scope audit is limited in its nature and is not as comprehensive as a full audit. The guidance dictates that limited scope audits will still use standard audit program steps, but that these steps will be tailored to the specific control objective being tested.
Limited scope audits are a significant aspect of the new DCAA guidance for the following reasons:
- Auditors will not wait to perform full or follow-up system audit to change the opinion on the Contractor’s system when deficiencies are identified in other audits;
- Auditors will use a limited scope audit to review control activities related to the applicable control objective;
- The limited scope audit report will render an opinion of a system inadequacy if the Contractor fails to accomplish a single control objective; and
- The Field Audit Office (“FAO”) may now have sufficient evidence, based on flash reports and additional testing, to determine that a control objective is not being accomplished and to report that the entire system is inadequate through a limited scope audit.
Because of the increased significance placed by DCAA on the flash reports, there is additional risk for system inadequacies being discovered in something other than a business systems audit. Where before a full internal control audit would need to be conducted to render an opinion on a system, the flash reports now have the power to change the audit opinion on a business system.
Conclusion
Overall, the DCAA’s guidance discussed in this article has placed Contractors in a precarious situation – together creating “the Perfect Storm” for system audit issues. The Pass/Fail approach to systems audits has increased the potential for systems to be found inadequate. In light of the DCAA direction to its auditors to recommend suspension of a percentage of progress payments or reimbursement of costs for inadequate systems, Contractors could face a significant impact on their cash flow.
Furthermore, Contractors with inadequate opinions or “dated” adequate opinions will face a tough road to gain an opinion of system adequacy and have difficulty supporting the adequacy of their systems when inquiries are made by the Government or a prime Contractor during the source selection process. To stay competitive and responsive, Contractors can expect to increase efforts in the area of internal controls, both for internal audit preparation and to support DCAA audits.
As the DCAA has issued new guidance and makes changes to the ICAPS standards, there are questions about the consistency of application of these changes. Contractors are already concerned that DCAA auditors are not consistently applying existing audit standards. As the DCAA continues to change its audit approach, those concerns are sure to grow. In many instances, the DCAA is not performing any new systems audits until proposed rule changes are finalized, resulting in more dated audit opinions for Contractors.
The changes in the DCAA’s audit approach summarized in this article are significant and have increased the burdens Contractors face to maintain compliant systems. Because of the potential impacts to cash flows and competition, Contractors should be audit aware of all implications of the changes the DCAA has implemented. Until the DCAA revises its work plans, it is more critical than ever that Contractors strive to meet all control objectives of auditable accounting and management systems. Contractors should be aware of these control objectives and have clear documentation that the objectives are met. Contractors should coordinate finance, internal audit and compliance efforts to ensure comprehensive consideration is given to meeting all applicable system control objectives.
1 See article “Proposed Business Systems Rule Changes” by Ben Ostrander and Michael LaCorte of Argy, Wiltse & Robinson, P.C. for an overview of the proposed rule changes.
2 See Defense Contract Audit Manual (“DCAM”) Section 5.100 – Obtaining an Understanding of a Contractor’s Internal Controls and Assessing Control Risk.
3 The aforementioned proposed DFARS rule changes would significantly impact Contractor cash flows by making withholding of payments a regulatory requirement in circumstances where systems are deemed inadequate.
© 2012 Argy, Wiltse & Robinson, P.C., All Rights Reserved