business systems compliance redstone government consultingOn April 21, 2014, the DAR editor submitted a proposed new DFARS rule (DFARS Case 2012-042) for Business Systems Compliance to OMB’s Office of Information and Regulatory Affairs (OIRA).  Generally, this is the last step prior to the publication of the new rules.  The full body of the proposed rule has not been published; however, OIRA has published the following abstract on May 23, 2014 as part of its semiannual compilation of all pending federal regulations:

“DoD is proposing to amend the DFARS to require contractors to provide reports on their accounting systems, estimating systems and material management and accounting systems (MMAS) regarding the contractor's compliance with the applicable DFARS system criteria, as a result of findings in pilot system accounting system audits conducted by the Defense Contract Audit Agency. The objective of the rule is to ensure that contractor's assume appropriate responsibility for compliance with DFARS system criteria by requiring contractors to provide a report regarding compliance with the DFARS criteria based on a self-evaluation and an audit by an independent certified public accountant. The rule will apply to solicitations and contracts that are with large businesses for the purposes of reporting for estimating systems and material management and accounting systems. DoD estimates that this rule will have no impact on small businesses, since contracts and subcontracts with small businesses are exempt from Cost Accounting Standards (CAS) requirements.”

Obviously, this is still a proposed change and subject to significant modification before any final rule goes into effect.  However, if you are a contractor subject to the DFARS business system rules (i.e. CAS covered), you need to be prepared for the worst.  You can also count on some other organizations such as the Department of Energy to follow DoD’s lead.

It appears that this change is being driven by DCAA.  DCAA simply does not have the resources to timely complete all of the audits in its backlog including major business system audits.  While at DCAA, estimates for completion of audits of only the accounting and billing systems at the divisions of just one major contractor were well in excess of 100,000 hours.  Even if the hours were reduced by half, DCAA would not have, and is never going to get, the resources needed to timely complete those audits. Although there are lots of arguments, on both sides, about whether it should take so long to complete a business system audit, it doesn’t change the fact that DCAA is clearly unable to get this work accomplished in a timely manner.  Given pressure DCAA is under to get their backlog of incurred cost audits under control as well as provide more timely forward pricing support and the fact that there are no dollar savings they can tout with respect to business system reviews, it is no surprise that DCAA would like to offload this responsibility on to the contractor.  DCAA has pretty much suspended any business system review effort except for follow-up reviews on previously issued deficiency reports.  The fact that only the business systems audits that are primarily under DCAA’s responsibility are covered by this change further supports that it is DCAA driving this change.


Audit by Independent Certified Public Accountant

This change would require the contractor to hire an outside CPA firm to complete full audits of each business system similar to the audits currently conducted (when they are conducted) by DCAA.  While this requirement could result in more timely audits, the shift in burden for audit responsibility from DCAA to the contractor will clearly result in higher costs to the contractor.  Further, it is more difficult to recover these costs in the current environment where there is significant pressure to reduce indirect costs.  Finding a qualified CPA firm also presents significant challenges.  While there are thousands of CPA firms with the capability to conduct financial statement audits, relatively few have the government contracting experience needed to properly conduct the accounting system, estimating system, and MMAS audits for compliance with DFARS business system rules.  We have already seen significant negative effects at our clients that resulted from independent audits of incurred cost submissions performed by auditors who were clearly unfamiliar with government contracting and Generally Accepted Government Auditing Standards. Conducting these audits is not simply a matter of having your financial statement auditors add a few additional compliance steps.


The extent of the self-evaluation requirements is difficult to determine based on the abstract.  Presumably they will be similar to the Sarbanes-Oxley Section 404 requirements for a management assessment of internal controls and independent auditor attestation to the effectiveness of the controls. This would require contractors to self-assess their business system compliance, likely through either its internal auditors or an independent reviewer prior to having the independent audit conducted.  There may also be additional certification requirements related to these business systems.  The recently proposed change to Department of Energy Regulations (DEAR) issued in the Federal Register on April 1, 2014 also indicates a move toward self-assessment.  The proposed DOE business system rules require the contractor to submit documentation to the contracting officer that its accounting system meets the business system criteria within 60 days of the award.  This is something contractors should be considering now.  It is clearly better to ensure your system meets the requirements now than to face the penalties and other consequences should the independent auditor determine your system to be inadequate.

What to do now?

Even without the specific language of the proposed change, it is clear that the burden on the contractor to demonstrate that their business systems comply with the DFARS business rules will continue to increase.  Given the devastating impact that a determination of an inadequate business system can have on past performance ratings, cash flow, and the ability to win contracts, we recommend, at a minimum, contractors:

  • Perform a risk assessment of their current business system policies and procedures; and,
  • Consider having a detailed internal or external review of policies and procedures where warranted by the risk assessment.

The goal is to get ahead of the curve and ensure you have the policies and procedures in place now to support an audit of your business systems and avoid, to the extent possible, the potential for a negative audit result.

At Redstone GCI, we have over 160 years of combined DCAA agency experience specifically related to performing, teaching, and managing accounting, estimating, and MMAS audits.  We have the knowledge, experience, and tools needed to help you mitigate your risk and ensure your systems are fully compliant with DFARS business system rules.  We enjoy hearing from our clients and the government contractor community about where they stand with regard to preparation for this major shift in audit responsibility, as well as discussing cost-effective solutions we have available to assist with this process.


Contact Redstone Government Consulting

Written by Robert Eldridge

Robert Eldridge Robert (Bob) Eldridge is a Director with Redstone Government Consulting Inc. He provides Government Contract Consulting services to our Government contractors primarily related to compliance with Federal Acquisition Regulations and Cost Accounting Standards, equitable adjustment claims, and business systems. Prior to joining Redstone Government Consulting, Bob served in a number of capacities with DCAA for over 32 years. Upon his retirement, Bob was a Regional Audit Manager with DCAA. Bob began his DCAA career in 1981 as an auditor-trainee with the Pratt & Whitney Resident Office in West Palm Beach, Florida. Bob served two three year tours at the Defense Contract Audit Institute teaching multiple contract audit courses including “Auditing Internal Controls”, “Technical Management of Audits”, and “Advanced Cost Accounting Standards” and writing Agency courses on Cost Accounting Standards and Equitable Adjustment Claims. He returned to the Eastern Region in 1999, holding various audit positions before ultimately becoming a Regional Audit Manager in February 2007. As Chief of the Eastern Region Quality Assurance Division, Bob was heavily involved in developing DCAA guidance related to auditor consideration of internal controls and risk assessment preparation. In 2012, Bob was assigned to the U.S. Senate Committee for Homeland Security and Governmental Affairs, serving as a subject matter expert on a wide range of federal contract and grant matters for Senator Susan Collins. During Bob’s tenure with DCAA, he had overall management responsibility for audits performed by over 200 employees. He was directly involved in conducting or managing a wide variety of compliance audits, including: forward pricing proposals, incurred cost submissions, business system internal controls, Cost Accounting Standards, claims, and defective pricing. Bob was also directly involved in complex quantitative methods applications, particularly regression analysis and improvement curve applications. Bob currently specializes in assisting clients with more complex DCAA audit issues related to business system internal controls and Disclosure Statements and with developing and maintaining government compliant accounting and estimating systems. Bob also provides expert advice on compliance with FAR cost principles and Cost Accounting Standards and assists with the more complex forward pricing proposals and equitable adjustment claims.

About Redstone GCI

Redstone Government Consultants are a team of the most senior industry veterans and the brightest new talent in the industry. Many have held senior government positions including leadership roles in the DCAA. Our new talents bring significant accounting and software experience along with fresh perspectives, inspiration and energy to our team. Through our leadership and combined experience, we provide a unique perspective, bringing both government and contractor proficiencies to bear and ensuring rock-solid government compliance for our clients.

Topics: Business Systems Review, Compliant Accounting Infrastructure, Small Business Compliance, Government Compliance Training, DCAA Audit Support