As we outlined in Applicability of DFARS Business System Rules to Small Businesses, small businesses are exempt from Cost Accounting Standards and therefore are not subject to the business system rules, based on the requirements for inclusion in the Business System Clauses as set out in DFARS. DFARS Case 2009-D038 – Defense Federal Acquisition Regulation Supplement; Business Systems-Definition and Administration, final rule issue February 24, 2013 in the Federal Register specifically stated:
“DoD does not expect this rule to have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., because contracts and subcontracts with small businesses are exempt from Cost Accounting Standards (CAS) requirements.”
Is DCAA Talking Out of Both Sides of its Mouth?
Apparently disregarding this, the DCAA audit program “Post Award Accounting System Audit at Nonmajor Contractors” clearly states that its purpose and scope is to determine if the contractor is compliant with the accounting system criteria prescribed in DFARS 252.242-7006(c). The audit program has a section titled “Contracts that Do Not have the DFARS 252.242-7006 Clause” which instructs auditors to apply the DFARS Clause to contractors with no DoD contracts and makes no mention about DoD expectation that small businesses will not be significantly impacted. Seeing as this can be a self-initiated audit (i.e., no request from the ACO needed) and many of DCAA’s branch offices appear to be looking for work now that the incurred cost back log has been cleared, we believe this will be a new focus area for branch auditors.
Are DCAA Auditors Repeating Contractor Steps?
Now back to the topic at hand. DCAA’s new Accounting System audit program titled “Compliance with DFARS 252.242-7006 Accounting System Administration Requirements Audit,” for major contractors and non-major contractors with complex accounting systems, has some huge expectations for contractors. The initial planning meeting with the auditor comes with the delivery of 10 to 12-page fill-in the blank template. Once the contractor completes all the sections, we have seen these documents exceed 100 pages. While auditing standards require auditors to document their understanding of internal controls material to the audit they are performing, having the contractor take its knowledge of its own control environment/accounting system and put it into a different format may not accomplish this objective. Now that the contractor has invested significant time and resources to complete the template, the auditor still has an audit step to get a demonstration – more time and resources. The audit program also makes it clear that inquiry alone is not enough to obtain an understanding of internal controls, so the auditor is going to perform these additional procedures:
- inquiries of contractor personnel;
- observing the application of specific controls;
- inspecting documents and reports; and
- performing walk-throughs of the system (including tracing transactions through the various processing steps).
The Control Environment Section
Now the actual detailed fieldwork effort begins covering these major subsections of the control environment section of the audit program:
- Communication and Enforcement of Integrity and Ethical Values.
- Management’s philosophy and operating style, commitment to competence, and human resource policies and procedures.
- Commitment to Competence and Human Resource Policies and Procedures.
- Organizational Structure/Assignment of Authority and Responsibility.
- Participation of those charged with governance.
We are optimistic that, if a contractor must go down this road, DCAA will invest the necessary resources to accomplish the audits in a timely fashion. Hopefully history will not repeat itself and these audits will not languish taking years and require retesting to support a current audit opinion.
Reducing Time & Effort in Auditing
Auditors cannot simply rely on the work of others (i.e. internal and external auditors) and must form their own opinion on system controls. However, based on risk, the DCAA auditors should be able to use the procedures of other auditors and technical specialists (e.g. IT, External Consultants, et al.) to focus and limit the procedures the DCAA auditors will have to perform. A huge problem with historical DCAA approaches to systems audits has been the repetitive, over-testing of system controls and procedures that the contractor themselves has already invested significant time and effort to evaluating for their own purposes.
In the end, if the audit gets completed, the contractor and Government should have a common understanding of the systems and processes in place to demonstrate the contractor is responsible and data developed by the system can be relied on. This common understanding of an approved accounting system will hopefully be the basis for future reductions in audit oversight and the foundation of recurring system audits that do not require a complete bottoms-up audit.
Redstone’s DCAA Audit Training & Consulting
Redstone GCI assists contractors throughout the U.S. and internationally with developing policies and procedures designed to withstand audit scrutiny, performing systems assessments, and providing support during business systems audits performed by the Government. Additionally, we can augment internal risk assessments, internal audit and self-reviews you are performing to enhance compliance with your contractual obligations.