Redstone_-_Hacking_Is_Not_the_Only_Concern_for_a_Contractors_Computer_Systems

“A sound internal control environment, accounting framework, and organizational structure” is criteria number one in DFARS 252.242-7006 Accounting Systems. In fact, all six of the business systems identified in DFARS 252.242-7005 Contractor Business Systems, or commonly known as the “DFARS Business Systems Rule”, references adequate internal controls and the reliability of data. Even more far-reaching than DFARS is that FAR, adhered to by most, if not all US Federal Government agencies, requires adequate contractor internal controls over financial data relied upon for acquisitions. For the purposes of this blog, we shall focus primarily on the DFARS Business Systems Rule as it applies to defense contractors because of the activities of DCAA.

DCAA considers the automated aspects of contractors’ business systems includable in reviews of internal controls even though they are not specifically spelled out in the DFARS Business Systems Rule. Long before this rule, DCAA considered audits of Automated Data Processing (ADP), Electronic Data Processing (EDP), Information Technology (IT), Information Systems (IS), or whatever the times may call for of audits of these aspects of internal control fundamentals to study a contractor’s internal controls. In fact, for the almost two decades prior to the May 18, 2011, formal promulgation of the Business Systems Rule, DCAA identified audits of EDP GIC (General Internal Controls) as one of the ten ICAPS (Internal Control Audit Planning Summary) audits necessary for internal control adequacy determinations. For years, even before the advent of ICAPS in the early 1990s, DCAA had individuals and teams of auditors whose primary responsibility was audits of automated internal controls.

Several factors dictated whether or not these audits were performed: funding, available resources, audit management interests, etc. Regardless of the emphasis on these audits, they have always been in DCAA’s inventory of potential audits. For the past several years and for the most part, due to its incurred cost backlog and purported manpower shortages, DCAA has forgotten these audits. Increasing inquiries from Redstone clients makes it appear that DCAA is again taking an interest in these “EDP” audits. Why the interest now? Who knows? It could be decreasing incurred cost backlog which was bound to happen because of the focus over the past few years. It could be all the hacking stories to other government agencies causing concern with contractor computer systems. Perhaps, the reason is merely an anomaly due to a few persons’ love of all things computers.  

It doesn’t really matter why DCAA has renewed its interest in this area. The important thing is for contractors to be prepared. If not prepared and DCAA performs one of these types of audits on a standalone basis or as part of another business system audit, a contractor could have its system reported as having a “significant deficiency” as defined in DFARS 252.242-7005. At the very least, being ill-prepared for a DCAA audit will result in a very awkward entrance conference because your walk-through of your system compliance will unlikely map to or address DCAA expectations.   In all likelihood, two potential outcomes may emerge. DCAA will truncate the audit (having enough to cite one or more deficiencies based upon initial inquiries), or DCAA will continue the audit to add to its “hit-list”. Ultimately, all kinds of nasty things could happen, such as withholds, the prevention of future contract awards, i.e., inadequate accounting system and other “punishments” deemed appropriate by a contracting officer.

We reiterate that the important thing is for contractors to be prepared. Perform a critical and honest self-assessment and/or engage with a firm like Redstone to execute an independent review of your automated internal controls. At the very least, peruse DCAA’s EDP GIC (General Internal Controls) audit program and Contract Audit Manual found on its website to familiarize yourself with the auditor’s expectations as well as identifying and addressing any issues you may discover. In the alternative, I was prone to say, or, at least, thought of saying, to my auditors and supervisors during my days as a DCAA Manager, “DO SOMETHING.”

Whitepaper: DFARS Business Systems Download Now

 

Written by Wayne Murdock

About Redstone GCI

Redstone GCI is a consulting firm focused on fulfilling the needs of government contractors in all areas of compliance. With a singular mission to help contractors through the multiple layers of “red tape,” we allow contractors to focus on what they do best – support their mission with the U.S. Government. We are home to a group of consultants made up of GovCon industry professionals, CPAs, attorneys, and retired government audit and acquisition professionals.

Our focus and knowledge of audit and compliance functions administered by DCAA and DCMA will always be at the heart of what we do. However, for the past decade, we’ve strategically grown to support other areas of the government contractor back-office with that same level of focus and expertise. We’ve added expertise in contracts management, subcontract administration, proposal pricing, various software systems, HR and employment law, property administration, manufacturing, data analytics/reporting, Grant specialists, M&A, and many other areas. When we see a trend in the needs of contractors, we act to ensure we can provide the best expertise in the market to fulfill those needs.

One thing our clients can be certain of is that with the Redstone GCI Team in your corner, there is no problem too big and no issue too technical for our team to tackle.

Topics: Small Business Compliance, DFARS Business Systems, DCAA Audit Support