“A sound internal control environment, accounting framework, and organizational structure” is criteria number one in DFARS 252.242-7006 Accounting Systems. In fact, all six of the business systems identified in DFARS 252.242-7005 Contractor Business Systems, or commonly known as the “DFARS Business Systems Rule”, references adequate internal controls and the reliability of data. Even more far-reaching than DFARS is that FAR, adhered to by most, if not all US Federal Government agencies, requires adequate contractor internal controls over financial data relied upon for acquisitions. For the purposes of this blog, we shall focus primarily on the DFARS Business Systems Rule as it applies to defense contractors because of the activities of DCAA.
DCAA considers the automated aspects of contractors’ business systems includable in reviews of internal controls even though they are not specifically spelled out in the DFARS Business Systems Rule. Long before this rule, DCAA considered audits of Automated Data Processing (ADP), Electronic Data Processing (EDP), Information Technology (IT), Information Systems (IS), or whatever the times may call for of audits of these aspects of internal control fundamentals to study a contractor’s internal controls. In fact, for the almost two decades prior to the May 18, 2011, formal promulgation of the Business Systems Rule, DCAA identified audits of EDP GIC (General Internal Controls) as one of the ten ICAPS (Internal Control Audit Planning Summary) audits necessary for internal control adequacy determinations. For years, even before the advent of ICAPS in the early 1990s, DCAA had individuals and teams of auditors whose primary responsibility was audits of automated internal controls.
Several factors dictated whether or not these audits were performed: funding, available resources, audit management interests, etc. Regardless of the emphasis on these audits, they have always been in DCAA’s inventory of potential audits. For the past several years and for the most part, due to its incurred cost backlog and purported manpower shortages, DCAA has forgotten these audits. Increasing inquiries from Redstone clients makes it appear that DCAA is again taking an interest in these “EDP” audits. Why the interest now? Who knows? It could be decreasing incurred cost backlog which was bound to happen because of the focus over the past few years. It could be all the hacking stories to other government agencies causing concern with contractor computer systems. Perhaps, the reason is merely an anomaly due to a few persons’ love of all things computers.It doesn’t really matter why DCAA has renewed its interest in this area. The important thing is for contractors to be prepared. If not prepared and DCAA performs one of these types of audits on a standalone basis or as part of another business system audit, a contractor could have its system reported as having a “significant deficiency” as defined in DFARS 252.242-7005. At the very least, being ill-prepared for a DCAA audit will result in a very awkward entrance conference because your walk-through of your system compliance will unlikely map to or address DCAA expectations. In all likelihood, two potential outcomes may emerge. DCAA will truncate the audit (having enough to cite one or more deficiencies based upon initial inquiries), or DCAA will continue the audit to add to its “hit-list”. Ultimately, all kinds of nasty things could happen, such as withholds, the prevention of future contract awards, i.e., inadequate accounting system and other “punishments” deemed appropriate by a contracting officer.
We reiterate that the important thing is for contractors to be prepared. Perform a critical and honest self-assessment and/or engage with a firm like Redstone to execute an independent review of your automated internal controls. At the very least, peruse DCAA’s EDP GIC (General Internal Controls) audit program and Contract Audit Manual found on its website to familiarize yourself with the auditor’s expectations as well as identifying and addressing any issues you may discover. In the alternative, I was prone to say, or, at least, thought of saying, to my auditors and supervisors during my days as a DCAA Manager, “DO SOMETHING.”