Business Systems Audits – When the other shoe drops…

Capital Edge Consulting – Late Winter Newsletter

Norman McCord, CPA, MSA
Director, Capital Edge Consulting
Sign up for the CEC Newsletter Series

Background and Status

The Department of Defense recently withdrew its proposed amendments to the Business Systems rules related to Estimating, Accounting and Material Management and Accounting Systems.  The proposed amendments would have required annual contractor self-assessment and certification, and triennial CPA firm reviews to determine system adequacy.  The reason for the proposed amendments was DCMA’s challenge in meeting its mission objectives to monitor Business Systems, in part because DCAA has been unable to perform Business Systems audits.  The DOD referenced a 2011 GAO report (GAO-12-83), wherein it was reported that DCAA’s inability to provide timely audit services was a significant contributing factor in DCMA’s dilemma.  It probably still is.  The GAO report stated that “DCAA has lagged in completing a number of such audits and is currently focusing on other high priority areas.”  That hasn’t changed, even though they (in lock-step with DCMA) are “risking” and “whisking” away the still significant Incurred Cost Submission (ICS) backlog.  For example, recently DCAA elevated the risk associated with public vouchers (Interim payments); and as a result increased the audit resources to be absorbed by these reviews.  Previously, and for a significant period of time, public vouchers were the subject of pre-payment administrative review, and then processing…at times performed by administrative staff.  Going forward, a significant number of vouchers will be subject to a prepayment review by an auditor, AND a post payment review, which includes detailed on-site verification and reconciliation steps…and Business Systems reviews, for the most part, are still not being started; and they are back in DCAA’s queue.

So when will DCAA engage?  There is no sure way of knowing at present; however, there are a number of lingering and new challenges.  For example, they have been in an aggressive endeavor to increase staffing over the last couple of years to help eliminate the ICS backlog.  However, our sources indicate that effort hit a major pot-hole recently; a hiring freeze driven by budget concerns.  Staffing and ICS backlog challenges have resulted in a growing backlog of other audit responsibilities (Business Systems).  However, something will have to break soon.  The GAO report to which we previously referred, indicated that systems for many major contractors had not been audited within the cycle times set by DCAA (every three years); and that GAO report is 4 years old.  We think contractors will begin to see some audit activity soon, and we recommend contractors consider the following actions to be prepared:

We believe the most effective defense against potentially detrimental business system audit outcomes (especially during the initial roll-out of the new systems audits) is to prepare for the audit, to be proactive rather than reactive.  This objective is admittedly more simply stated than accomplished; however, it is within reach and adequate preparation can have very positive outcomes.  Preparation includes at least the following:

Understand the criteria the auditor will apply.  In addition to the criteria articulated in the Business Systems rules, DCAA’s view of the significance of each of the criteria, and the approach the auditors will apply, can be found in audit programs and matrices on DCAA’s web site (www.dcaa.mil).  Reviewing and understanding the criteria are a critical place to begin.

Perform a Risk Assessment.  Evaluate whether your systems meet the Government’s expectations using the sources we referenced in the preceding paragraph.  Identify key controls that address corresponding control objectives and clearly map the two.  Do not simply provide a “manual” to the auditors and expect that they will find the relevant controls.  Where there are gaps in compliance initiate corrective action.

Alternately, Capital Edge Consulting can provide you with a comprehensive business system risk assessment, corrective action planning, and implementation.  We have successfully provided these services to our clients, and we are well prepared to provide them to your company.

Dialog with the auditor before, during, and after the audit.  Current DCAA guidance to its auditors, and the GAGAS, emphasize communicating with the contractor “to gain a full understanding of the contractor’s submission, or other areas subject to audit.”  Prior to the start of the audit, contractors should provide a thorough “walk-thru” of their business system to ensure the auditor fully understands how the system satisfies the business system criteria.  We recommend the walk-thru be structured to address each of the control objectives and control activities on which the auditor will focus during the audit.  During the audit, we recommend each question presented by the auditor be addressed thoroughly, and the response documented.  In the unfortunate circumstance where the auditor discloses at the exit conference that the audit report will include negative conclusions about a business system’s acceptability, we recommend the contractor’s response (which will be published with the audit report) be well researched and articulated.  The response should be formal and should address each condition reported by the auditor in detail, and with supporting examples, regulatory citations, and references to DCAA’s own internal guidance, and GAGAS, as appropriate.

In conclusion, DCAA frequently operates in a “reactive” way to criticism.  A “full court press” regarding Business Systems audits is likely just around the corner.  We recommend contractors begin preparations for the audit experience.

Sign up for the CEC Newsletter Series

Learn more about Capital Edge Consulting – visit us online www.capitaledgeconsulting.com