RGCI - Where You Can Get Into Trouble in a Contractor Purchasing System Review

So, you have a Contractor Purchasing System Review (CPSR) in the pipeline. Whether your first CPSR review or Defense Contract Management Agency (DCMA) is returning to perform a comprehensive review, you should make sure your house is in order.

DFARS 252.244-7001 Contractor Purchasing System Administration Criteria contains 24 system criteria that a contractor’s purchasing system should meet in order to have an adequate purchasing system, although DCMA has realigned them into 30 different areas for their review (see DCMA’s CPSR Guidebook dated September 10, 2021).

Where You Can Get Into Trouble

It is important to understand some of the common deficiencies that DCMA identifies in a purchasing system in order to understand where you can get into trouble. The following list of common issues will assist you in revisiting your policies and practices to ensure compliance with the CPSR criteria.

Inadequate Policies and Procedures

Policies and procedures should address the requirements in the DFARS criteria. Even if a criteria is not applicable, your purchasing manual should have a section on the criteria stating something such as, “XYZ LLC is a small business and therefore not required to have policies and procedures addressing small business subcontracting plans.” Make things as easy as possible for the DCMA reviewer. Policies and procedures should not simply refer the buyer to the FAR cites for requirements, as they should also include procedures informing how the buyer will comply with the requirements. DCMA’s expectation is that the policy contains procedures as well as FAR/DFAR references on how to perform the requirement.

Actual Practices Do Not Comply With Written Policies and Procedures

DCMA selects a sample of subcontracts/purchase orders to ensure the documentation complies with FAR/DFARS as well as a contractor’s policy. A contractor can have well written policies and procedures that comply with the FAR/DFARs criteria, but if the company is not following them, DCMA will cite this as a finding. Contractor policies should not be so detailed as this could set contractors up for failure (i.e., too complex to implement or leaves no flexibility for the buyer). One example is a contractor’s policy stating a negotiation memorandum will be prepared for any purchase over $10K. DCMA would expect to see a negotiation memorandum for each purchase over $10K; however, if you used competition, a negotiation memorandum is not necessary, as either lowest price or best value establishes a fair and reasonable price and negotiation is not required. Ensure your policies do not include stricter requirements than are required by the FAR/DFARS.

Inadequate Sole Source Justifications

DCMA will request as part of the universe of subcontracts and purchase orders that you identify whether they are competitive and sole source. If there is an overwhelming amount of sole source subcontracts, not only will DCMA include a higher percentage in the sample selection, but they will scrutinize the sole source justifications to ensure they are adequately documented, supported with market research, and contain approvals. Documentation of the justification such as “directed by the government” should have support from the government that it is a directed source. If there is an estimated savings by using sole source (e.g., no tooling or qualification costs of a new supplier), the justification should include a dollar amount associated with the savings.

Debarment Not Verified at Time of Award

Contractors are required to document that a supplier/subcontractor is not debarred, suspended, or proposed to be debarred. The common practice is to check sam.gov prior to sending a Request for Proposal (RFP) and have the subcontractor sign a Representations/Certifications indicating they are not debarred. However, sometimes these two procedures are performed well in advance of award of the subcontract. FAR 52.209-6 requires the subcontractor to disclose in writing at the time of award that the subcontractor or its principals are not debarred, suspended, or proposed for debarment. While it is a good practice to check sam.gov and have the supplier sign the reps and certs in advance to ensure your vendor is not debarred, it seems the DCMA CPSR team’s expectation is that the debarment language is included on the face of the PO. This meets the requirement as the subcontractor is signing the PO (date of award) which includes the language confirming they are not debarred.

Inadequate Price or Cost Analysis

Some of the common issues identified in a price analysis are:

  • The use of historical prices without documentation that the prior price was determined to be fair and reasonable,
  • Using GSA pricing as the sole price justification, or
  • Not performing/documenting market research for pricing commercial products/services.

For a cost analysis, the common issues include:

  • All the cost elements including evaluation of profit/fee were not addressed,
  • No documentation of requesting and following up on a request for government audit when a subcontractor denies access to the entire proposal or specific cost elements, and
  • No documentation of any review the contractor was able to perform (e.g., independent estimate by the contractor technical personnel).

Inadequate Commercial Product/Service Determinations

Contractors prepare commercial determinations, but they don’t always include market research or have the determination signed and approved by management. DCMA expects the commercial determination to include market research supporting the commerciality of the product or service as well as management approval.

Untimely Reporting of First Tier Subcontractors in Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) System

FAR 52.204-10 requires contractors to report executive compensation for first tier subcontractors as well as input the first-tier subcontract information into the fsrs.gov website in a timely manner. Contractors generally provide a representation/certification to first-tier subcontractors to determine if they are required to and did report executive compensation. However, the second requirement in the clause requires the contractor to upload the first-tier subcontractor information into the fsrs.gov website by the end of the month following the month of the subcontract award. We have found that contractors are not uploading the subcontractor information at all, or it is not being uploaded in a timely manner. Once the upload is performed, it is a best practice to maintain a copy of the upload to the website in the procurement file, supporting compliance.

Flowing Down All Clauses

We have seen instances where contractors have flowed down all the clauses from the prime contract to a subcontract and indicate they are self-deleting. This is not a good practice. We have seen where contractors have flowed down clauses from an incentive prime contract to a firm fixed price (FFP) subcontract and even flowed down clauses for cost reimbursable contracts to a FFP subcontract. DCMA expects contractors to have a procedure in place to ensure only the appropriate clauses are flowed down to the subcontract.

Lack of Documentation

The most common deficiency is the lack of documentation in the procurement file. We find that the buyer performed the necessary requirements, but for some reason the related documents (e.g., signed purchase order, requestions, request for proposals, etc.) are not in the procurement file. While the work has been done, it needs to be filed in the purchase order file.

Lack of Internal Audit/Assessments

Contractors are not always performing internal audits, self-assessments or peer reviews of files. DFARS requires contractors to perform internal audits or management reviews, complete training, and maintain policies and procedures. While most companies may not have an internal audit department, these reviews can be as simple as pulling some purchase order files to ensure the buyers are following the policies and procedures and documentation is clear and included in the files. It is important to have periodic training just to address issues that come up, changes in regulations, etc.

New Area - Not Confirming Subcontractor Actions Related to Cyber Security Requirements

The government is taking a hard look at contractor’s cyber security controls. While we are not sure if the CPSR team is addressing it during a review, we are recommending contractors add a certification to its Reps and Certs to address the requirements under the various clauses DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements. When a prime contractor flows the DFARS 252.204-7012 to a subcontractor and the subcontract includes covered defense information, the subcontractor is required to notify the prime if they requested a variance from the NIST SP 800-171 security requirement with the Contracting Officer and if there is a cyber incident, report the cyber incident number to the prime. In addition, when DFARS clause 252.204-7020 NIST SP 800-171 DoD Assessment Requirements is flowed down, it states the prime contractor shall not award a subcontract that is subject to the NIST requirements in accordance with DFARS 252.204-7012 unless the subcontractor has completed a basic self-assessment within the last three years and uploaded it into the Supplier Performance Risk System (SPRS). Contractors should protect themselves by requiring subcontractors certify that they have completed the self-assessment, uploaded it to SPRS, and are aware of the cyber security reporting requirements to the prime.


We recommend companies revisit their policies and procedures to make sure they are current or modify if them if necessary. Take a look at your process for flowing down clauses. Ensure the appropriate approvals for sole source justifications and commercial determinations are made. Consider adding a cyber security section to your reps and certs. Make sure you have a checklist or other controlling document to ensure all the documents are placed in the file. DCMA pulls a sample of subcontracts and purchase orders for the previous year, so it is good to get a head start on ensuring your files are up to date.

Redstone GCI assists contractors throughout the U.S. and internationally with understanding the Government’s expectations and supporting contractors from contract award to contract closeout. We would be happy to assist you with questions and concerns on your purchasing system. Our staff is able to assist with reviewing or drafting policies and procedures, performing mock CPSR reviews, or maybe just sampling procurement files to assist our clients in the contracting industry.

Contact Us for a Consultation

Written by Lynne Nalley, CPA

Lynne Nalley, CPA Lynne is a Director with Redstone Government Consulting, Inc. providing government contract consulting services to our clients primarily related to Commercial Item Determinations and support, Cost Accounting Standards, DFARS Business System Audits, Proposals, and Incurred Cost. Prior to joining Redstone Government Consulting, Lynne served in several capacities with DCAA and DCMA for over 35 years. Professional Experience Lynne began her career working with DCAA in the Honeywell Resident Office, Clearwater, FL in 1984. Lynne’s experience included various positions which involved conducting or reviewing forward proposals or rate audits, financial capability audits, progress payments, accounting and estimating systems, cost accounting standards, claims and disclosure statement reviews. She is an expert in FAR, DFARS, CAS and testified as an expert witness. Lynne assisted in drafting the commercial item guidance for DCAA Headquarters. Lynne was assigned as a Regional Technical Specialist where she provided guidance to 20 field offices on highly complex or technical issues relative to forward pricing, financial capability or progress payment issues. As an Assistant for Quality, she was involved in reviewing and ensuring audit reports were in compliance with policy and GAGAS as well as made NASBA certified presentations to the staff including but not limited to billing reviews, CAS, unallowable cost and progress payments. To enhance her experience in government contracting, Lynne accepted a position with DCMA in 2015 as part of the newly organized DCMA Cadre of Experts in the Commercial Item Group. This included performing reviews of prime contractor’s assertions and/or commercial item determinations as well as performing price analyses. Lynne was a project lead and later became a lead analyst where she engaged with the buying commands on requests and reviewed price analysis reviews performed by a team of 5 analysts. She also assisted the DCMA CPSR team relative to commercial items and co-instructed the Commercial Item Training presented to DCMA. Education Lynne earned a Bachelor of Science Degree in Accounting from the University of Central Florida. Certifications State of Florida Certified Public Accountant State of Alabama Certified Public Accountant Defense Acquisition Workforce Improvement Act (DAWIA) Level III- Auditing DAWIA Level III – Contracting

About Redstone GCI

Redstone GCI is a consulting firm focused on fulfilling the needs of government contractors in all areas of compliance. With a singular mission to help contractors through the multiple layers of “red tape,” we allow contractors to focus on what they do best – support their mission with the U.S. Government. We are home to a group of consultants made up of GovCon industry professionals, CPAs, attorneys, and retired government audit and acquisition professionals.

Our focus and knowledge of audit and compliance functions administered by DCAA and DCMA will always be at the heart of what we do. However, for the past decade, we’ve strategically grown to support other areas of the government contractor back-office with that same level of focus and expertise. We’ve added expertise in contracts management, subcontract administration, proposal pricing, various software systems, HR and employment law, property administration, manufacturing, data analytics/reporting, Grant specialists, M&A, and many other areas. When we see a trend in the needs of contractors, we act to ensure we can provide the best expertise in the market to fulfill those needs.

One thing our clients can be certain of is that with the Redstone GCI Team in your corner, there is no problem too big and no issue too technical for our team to tackle.

Topics: Contractor Purchasing System Review (CPSR)