DFARS 252.242-7006(c)(8) specifically requires management reviews or internal audits of the system to ensure compliance with the contractor’s established policies, procedures.
One of the first things a DCAA auditor looks at when auditing a contractor’s accounting system is its policies and procedures. Policies and procedures represent control activities that are essential for an adequate system of internal controls. Good policies and procedures help ensure consistent operations in accordance with management objectives. DCAA cites policy and procedure inadequacies or the failure to comply with policies and procedures in virtually every deficiency report it issues related to internal controls.
Unfortunately, DCAA does not apply this same standard to itself!
Ask any DCAA auditor where guidance for audits can be found, and almost invariably they will cite the CAM (Contract Audit Manual). However, DCAA has completely stopped updating the CAM. So what is the auditor to do?
The Current Process is Undocumented (Typical DCAA), but Appears to be Comprised of the Following:
Step 1:
The expectation appears to be that the auditor start with the CAM guidance. If the guidance is current, the auditor is held responsible for complying with it; however, the auditor can’t assume the guidance is current.
Step 2:
Check to see if any MRDs (Memorandum for Regional Directors) have been issued that changed the guidance. The list of MRDs is only supposed to be the MRDs that are still open. Some of the MRDs go back to 2004. If an MRD is found, the auditor is still expected to continue the search because there may have been an even earlier MRD that changed the guidance and the most recent MRD may not have changed all of that guidance.
Step 3:
Rather than MRDs, a significant amount of guidance comes in the form of presentations delivered by the agency quality staff. There is no index for this guidance. DCAA apparently believes that all of the auditors will either memorize all of this guidance, have the location of the guidance in the multiple presentations they receive each year memorized or search through all of the presentations to find the guidance.
Step 4:
Check the “audit guides” that DCAA management said they were going to issue because they just can’t manage to update the CAM. Oh sorry, that was a year ago but none have been issued (at least nothing is showing up on: www.dcaa.mil).
Step 5:
Get guidance from the supervisor, manager, region, or headquarters. This of course assumes the auditor realizes guidance changed and that they “know what they don’t know.” You can also imagine how much time it will take an auditor to actually get an answer.
If the auditors are really following this kind of decision making process, is it any surprise they can’t complete a timely audit?
Want to know why different auditors give you different answers and what was acceptable one year is not acceptable the next? You need look no farther than this lack of internal controls.
Imagine the deficiency report a contractor would receive if it had this kind of a system!
A basic tenet of any internal control system is that, at some level, management can override internal controls. The lack of written guidance provides DCAA management with “plausible deniability”. It makes it easier for management to blame errors and inconsistencies on poor auditor judgment or auditor misinterpretations and avoid responsibility.
Contractors want to comply with government contract requirements and auditor expectations. Unfortunately, the lack of published guidance and poor DCAA internal controls makes it very difficult to determine exactly what those expectations are. The predictable result is unnecessary compliance costs and inefficiencies for both the contractor and the auditor.
Don’t blame the DCAA auditor because this is clearly a DCAA management problem. This issue is at the root of many of DCAA’s problems. Sadly, with all of the scrutiny DCAA has received from the DoD-IG and GAO over the past several years, this major issue seems to have been completely overlooked.