Well, besides being the first thing your friendly DCAA auditor will ask you for, they should be something your employees use and rely on daily. The last thing you want is one of your employees telling an auditor they have never seen or read the company’s policies and procedures. The joy that will come across the auditor’s face will be truly shocking, and the sadness that will come across your face when the Business System Deficiency Reports start to arrive, requiring endless responses and corrective action plans, will be just as shocking. This fairytale has no happy ending, at least not for you and your company, just a drain on your resources and more audit oversight.
Policies vs. Procedures
Before we get too far into this subject, we will discuss the difference between a policy and a procedure.
Policy
A policy is usually a higher-level document that outlines specific expectations – dare I say, internal controls (yes, the rules)? For example, an Accounts Payable Policy should require a three-way match before a vendor invoice is paid. Matching the invoice received from the vendor to the purchase order from the procurement department, then to the receiving documentation from the receiving department.
There should be a structured process for reviewing and updating policies, including management approval. This is because the policy's critical controls allow management to rely on data in its systems and ensure company operations are performed as expected.
Procedure
A procedure is likely to be more task-specific regarding how an employee accomplishes a function supporting the controls within a policy. For example, the receiving department would have a procedure requiring that all items that come across the receiving dock be opened, inspected, counted, and verified against the vendor’s packing documents, and then entered into the receiving system before moving the items to inventory.
When it comes to reviewing and updating procedures, that should be left to the department responsible for the tasks and functions outlined in the procedures, with only departmental management approval needed to make a change. Allowing the department the freedom to change procedures fosters creativity and increases efficiency and effectiveness. Procedures often become outdated and are not relied on daily when the department lacks the authority to maintain them.
The DCAA Viewpoint
Without a written set of rules, no system of internal controls can possibly function. Besides, almost every DCAA audit program includes at least one preliminary step to review the contractor’s policies and procedures. An auditor is required to understand the contractor’s systems and controls to appropriately develop audit procedures to arrive at an opinion on the subject matter of the audit, whether that be a price proposal, incurred cost submission, or business system. DCAA has historically struggled with this requirement, but that is a problem for DCAA to resolve. In my opinion, much of the struggle comes down to DCAA auditors with little to no general business knowledge. That said, if your policies and procedures are sufficiently detailed, it should benefit both you and DCAA.
Why Should Policies and Procedures Be Important to You?
Besides the potential benefits of getting through an audit, let’s see.
Have you ever had a new employee join your team? Having a good set of procedures outlining the tasks and functions the employee will perform will go a long way toward helping them become fully functional in their new position. Of course, on-the-job training and your mentorship will still be necessary. However, a good set of procedures should significantly reduce the number and frequency of questions.
Have you ever had to justify your department's staffing level? Having policies that tie to contract compliance requirements (e.g., an adequate accounting system for supporting cost-type contracts) will likely make this a more accessible and productive discussion for you.
At the end of the day, all companies need to have a control structure in place, regardless of whether it is required under their government contracts. Policies and procedures are the backbone of your control structure, providing the established expectations (i.e., internal controls) to ensure the company operates efficiently and effectively.
Why Policies and Procedures Matter for Small Businesses
A one-person band does not need policies and procedures, right? While critical controls like segregation of duties are complicated, if not impossible, to demonstrate, it is still essential to have a minimum set of policies outlining the compliance requirements of your government contracts. This gives the poor band leader a clear understanding of everything that must be accomplished, even if it will be overwhelming. A small business getting its first cost-type government contract needs to know the requirements and look for opportunities to outsource essential requirements, until it is appropriate to grow its internal staff.
Our Takeaway
The benefits of policies and procedures far outweigh the cost of implementing and maintaining them. Policies and procedures should not sit in a file until an audit begins. They should give employees clear direction, help management monitor critical controls, and provide a practical record of how the company meets its government contract requirements. When they are reviewed and updated regularly, they can reduce confusion, support stronger internal controls, and help government contractors respond more effectively when questions arise from DCAA or other government agencies.
Keeping Policies and Procedures Aligned with Contract Requirements
Redstone GCI helps government contractors develop, review, and maintain policies and procedures that support DCAA audit expectations, internal control requirements, and contract compliance obligations. We work with government contractors to evaluate existing documentation, identify gaps against FAR, DFARS, and contract clause requirements, align purchasing and accounting procedures with daily practices, prepare written support for business system reviews, and train employees on the controls they are expected to follow. For small businesses and growing government contractors, our team can also provide operational support in accounting, contract administration, and human resources so policies and procedures remain current, practical, and connected to how the work is actually performed.
John is a Director with Redstone Government Consulting, Inc. providing government contract consulting services to our clients primarily related to the DFARS business systems, CAS Disclosure Statements, and DCAA/DCMA compliance preparation, advisory, and defense. Prior to joining Redstone Government Consulting, John served in a number of capacities with DCAA/DCMA for more than 30 years. Upon his retirement, he was based in Texas as an SES-level Corporate Audit Director for DCAA, managing a staff of 300 auditors at one of the largest DOD programs. Professional Experience John began his career in the late 80s working in the Clearwater, FL audit office and over the next three decades he progressed through a number of positions within both DCAA and DCMA with career highlights as DCAA Program Manager at Ft. Belvoir, Chief of Technical Programs Division, Deputy Assistant Director-Policy, Director of the DCMA Cost and Pricing Center, the SES-level Lockheed Martin Corporate Audit Director, and Director of Integrity and Quality Assurance. John’s three decades of experience in performing and leading DCAA auditors and DCMA reviewers provides a wealth of expertise to our clients. John’s role, not only in the performance of audits, but also in the development of audit policy affords him unique insights into the defense of audit findings and the linkage of audit program steps to the underlying regulatory framework. He is an expert in FAR, DFARS, and other agency acquisition regulation, as well as a subject matter expert in the Cost Accounting Standards having reviewed and provided audit feedback on many of the largest and most complex cost accounting practices during his tenure with the DCAA. John’s tenure with DCAA and DCMA came at a critical time during each agency’s history where a number of changes were occurring such as the response to the ICS backlog, development of audit approaches to the DFARS Business Systems and implementation of new audit initiatives as a result of Congressional oversight through the NDAA process. John’s leadership at the DCMA Cost & Pricing center saw oversight of all major DOD pricing actions, leadership of should cost review teams, the Commercial Pricing group and many other areas of strategic value to our clients. His involvement in these and other Agency initiatives is of great value to our clients due to his in depth understanding of DCAA and DCMA’s internal policy directives. Education John holds a Master of Business Administration and a B.A. in Accounting from the University of South Florida. Certifications Certified Information Systems Auditor State of Alabama Certified Public Accountant