On April 21, 2014, the DAR editor submitted a proposed new DFARS rule (DFARS Case 2012-042) for Business Systems Compliance to OMB’s Office of Information and Regulatory Affairs (OIRA). Generally, this is the last step prior to the publication of the new rules. The full body of the proposed rule has not been published; however, OIRA has published the following abstract on May 23, 2014 as part of its semiannual compilation of all pending federal regulations:
“DoD is proposing to amend the DFARS to require contractors to provide reports on their accounting systems, estimating systems and material management and accounting systems (MMAS) regarding the contractor's compliance with the applicable DFARS system criteria, as a result of findings in pilot system accounting system audits conducted by the Defense Contract Audit Agency. The objective of the rule is to ensure that contractor's assume appropriate responsibility for compliance with DFARS system criteria by requiring contractors to provide a report regarding compliance with the DFARS criteria based on a self-evaluation and an audit by an independent certified public accountant. The rule will apply to solicitations and contracts that are with large businesses for the purposes of reporting for estimating systems and material management and accounting systems. DoD estimates that this rule will have no impact on small businesses, since contracts and subcontracts with small businesses are exempt from Cost Accounting Standards (CAS) requirements.”
Obviously, this is still a proposed change and subject to significant modification before any final rule goes into effect. However, if you are a contractor subject to the DFARS business system rules (i.e. CAS covered), you need to be prepared for the worst. You can also count on some other organizations such as the Department of Energy to follow DoD’s lead.
It appears that this change is being driven by DCAA. DCAA simply does not have the resources to timely complete all of the audits in its backlog including major business system audits. While at DCAA, estimates for completion of audits of only the accounting and billing systems at the divisions of just one major contractor were well in excess of 100,000 hours. Even if the hours were reduced by half, DCAA would not have, and is never going to get, the resources needed to timely complete those audits. Although there are lots of arguments, on both sides, about whether it should take so long to complete a business system audit, it doesn’t change the fact that DCAA is clearly unable to get this work accomplished in a timely manner. Given pressure DCAA is under to get their backlog of incurred cost audits under control as well as provide more timely forward pricing support and the fact that there are no dollar savings they can tout with respect to business system reviews, it is no surprise that DCAA would like to offload this responsibility on to the contractor. DCAA has pretty much suspended any business system review effort except for follow-up reviews on previously issued deficiency reports. The fact that only the business systems audits that are primarily under DCAA’s responsibility are covered by this change further supports that it is DCAA driving this change.
Audit by Independent Certified Public Accountant
This change would require the contractor to hire an outside CPA firm to complete full audits of each business system similar to the audits currently conducted (when they are conducted) by DCAA. While this requirement could result in more timely audits, the shift in burden for audit responsibility from DCAA to the contractor will clearly result in higher costs to the contractor. Further, it is more difficult to recover these costs in the current environment where there is significant pressure to reduce indirect costs. Finding a qualified CPA firm also presents significant challenges. While there are thousands of CPA firms with the capability to conduct financial statement audits, relatively few have the government contracting experience needed to properly conduct the accounting system, estimating system, and MMAS audits for compliance with DFARS business system rules. We have already seen significant negative effects at our clients that resulted from independent audits of incurred cost submissions performed by auditors who were clearly unfamiliar with government contracting and Generally Accepted Government Auditing Standards. Conducting these audits is not simply a matter of having your financial statement auditors add a few additional compliance steps.
The extent of the self-evaluation requirements is difficult to determine based on the abstract. Presumably they will be similar to the Sarbanes-Oxley Section 404 requirements for a management assessment of internal controls and independent auditor attestation to the effectiveness of the controls. This would require contractors to self-assess their business system compliance, likely through either its internal auditors or an independent reviewer prior to having the independent audit conducted. There may also be additional certification requirements related to these business systems. The recently proposed change to Department of Energy Regulations (DEAR) issued in the Federal Register on April 1, 2014 also indicates a move toward self-assessment. The proposed DOE business system rules require the contractor to submit documentation to the contracting officer that its accounting system meets the business system criteria within 60 days of the award. This is something contractors should be considering now. It is clearly better to ensure your system meets the requirements now than to face the penalties and other consequences should the independent auditor determine your system to be inadequate.
What to do now?
Even without the specific language of the proposed change, it is clear that the burden on the contractor to demonstrate that their business systems comply with the DFARS business rules will continue to increase. Given the devastating impact that a determination of an inadequate business system can have on past performance ratings, cash flow, and the ability to win contracts, we recommend, at a minimum, contractors:
- Perform a risk assessment of their current business system policies and procedures; and,
- Consider having a detailed internal or external review of policies and procedures where warranted by the risk assessment.
The goal is to get ahead of the curve and ensure you have the policies and procedures in place now to support an audit of your business systems and avoid, to the extent possible, the potential for a negative audit result.
At Redstone GCI, we have over 160 years of combined DCAA agency experience specifically related to performing, teaching, and managing accounting, estimating, and MMAS audits. We have the knowledge, experience, and tools needed to help you mitigate your risk and ensure your systems are fully compliant with DFARS business system rules. We enjoy hearing from our clients and the government contractor community about where they stand with regard to preparation for this major shift in audit responsibility, as well as discussing cost-effective solutions we have available to assist with this process.