Source: Deltek blog
A full DCAA Business System Audit can be the longest and one of the most difficult audits a government contractor can experience. To provide some perspective, at a recent audit of one of our clients, DCAA sent 15 auditors to perform the audit. In general, our experience is that these audits take 12 months to over 18 months for DCAA to perform.
Per DCAA’s Current Audit Program for These Audits:
“The compliance with DFARS 252.242.7006, Accounting System Administration requirements audit is conducted to examine contractor compliance with the system criteria as prescribed in section (c), System Criteria. As a part of the examination, auditors will:
- Obtain an understanding of the contractor’s compliance with DFARS 252.242-7006(c);
- Determine if the contractor is compliant with the accounting system criteria prescribed in DFARS 252.242-7006(c); and
- Report both significant deficiencies and less severe significant deficiencies in compliance with the DFARS criteria.”
Obtaining an understanding of the contractor’s compliance with DFARS 252.242-7006(c) is basically the risk assessment stage of the audit. In the first stage of the risk assessment, DCAA will request the contractor to complete a “Description of System and Controls Designed to Comply with DFARS 252.242-7006” form. The form is 20+ pages long before the contractor provides any information. It is broken into subsystems:
- System/IT Overview and Internal Audit
- Organizational Structure
- General Accounting
- Labor – Timekeeping & Payroll
- Indirect Costs
- Direct Material and Subcontracts & ODCs
Each of these subsystems is then broken down further into additional sub-areas that align with the above-mentioned subsystems, where DCAA requests the contractor to provide the below data for each sub-area:
- Summary Narrative on how the contractor is in compliance with specific system criteria
- ERP/Applications and Org Structure
- Key Process Flows
- Key Controls
- Key Policies, Procedures, and Desk Instructions (formal and informal)
- Key Personnel
The preparation of information required and completion of this form/request by DCAA is resource intensive and time consuming. By the time this form is completed, the final document to be delivered to DCAA can easily be 75 to 100 pages long. Once the form is received and reviewed by DCAA, the auditors will then expect a complete walkthrough of every area of the accounting system, as described in the request form.
Once the risk assessment is completed, DCAA will then review your policies, procedures, and practices and compare those to DCAA’s expectations for compliance with each of the 18 specific DFARS criteria for an adequate accounting system. This step will likely involve significant data requests and interviews/discussions with accounting and management personnel, and while DCAA will work with you to some extent on the timeline for receipt of requested information, they are not known for having significant concern about your day job and forget that everything requested for the audit requires effort over and above your normal activities. Also, the term “specific” regarding what constitutes compliance with the DFARS criteria is a bit of a misnomer. Most of the criteria is in relatively broad terms allowing DCAA to use significant judgement in the application of the criteria, so be proactive in understanding the criteria for yourself and provide substantive information that supports your interpretation and practices of compliance with the specific criteria.
The final phase of the audit is for the auditor to determine if there are significant deficiencies related to any of the criteria that require corrective action. Although DCAA will discuss the issues with you to some extent during the audit, nothing is final until it goes through DCAA supervision. You can’t just assume that because nothing was brought to your attention by the auditor during the detailed audit procedures that there won’t be significant findings. In addition, the term “significant” has a large judgmental component and DCAA’s definition may be quite different from your understanding of what is significant. Significant findings will result in significant withholdings on government contract payments to contractors until corrective action is taken.
If significant findings are identified in the report, a whole new phase of contractor effort will be required in responding to the finding, preparing corrective action plans, implementing corrective actions, and having DCAA back in to determine if the corrective actions were sufficient to correct the deficiency.
In addition to ensuring policies and procedures are adequate to address the DFARS criteria, we recommend our contractors consider self-performing or having a consulting firm perform a preliminary mock audit to identify significant risks and take any corrective actions before DCAA informs the contractor they will be performing the audit. Unfortunately, the withholding provisions related to significant deficiencies can significantly impact cash flow, so it is much less painful to take appropriate corrective action prior to the auditors coming in than to take those actions after the issues have been identified by DCAA.