Keys to Successfully Answering the DCAA Knock at the Door!
by Craig Stetson, CPA, CGMA, MBA, Director and Terry Carlson, MBA, Managing Director
In the current government contract regulatory compliance environment, transparency of the contracting process has gained considerable importance and visibility. This transparency directly affects government contractors’ compliance programs and impacts multiple areas of the business, including:
- Cost accounting, allowability, and allocation practices;
- Estimating and pricing practices;
- Business systems documentation and internal controls
- Earned Value
- Material Management
- Procurement and supply chain administration and management;
- Financial and other reporting requirements to the government;
- Property accountability; and
- Potential mandatory disclosure obligations.
This renewed focus on contractor transparency requires contractors to maintain a high level of accountability and responsibility, which in turn forces them to adequately address the relevant government contract compliance requirements. The emphasis on transparency also introduces a new level of necessary diligence in support of related US Government audits. The Defense Contract Audit Agency (DCAA) is the primary entity that performs audits on behalf of the federal government in conjunction with contract awards. It is, and always has been, critical for contractors to adequately plan and prepare for these audits to reduce compliance and audit risk and to increase the likelihood of achieving a successful audit outcome.
This paper addresses several key factors or leading practices that:
- are critical to incorporate into the DCAA audit process;
- will mitigate associated risk; and
- will enhance the opportunity for a successful outcome.
Successful DCAA audits may be defined differently depending on the specific contractor objectives. However, traditional objectives of any “successful” audit should include:
- Receipt of a final written audit report that is accurate, objective and complete;
- Performance in an efficient manner with minimal disruption to the contractor’s daily operations;
- Frequent communication throughout the process with no significant items reported in the audit report that the contractor was not previously aware of; and
- Performance by the DCAA within the bounds of the corresponding audit scope.
Analysis of Key Factors
- Working Knowledge of Audit Objectives and Guidance (Pre Audit Activity) – The DCAA conducts many types of audits, including price proposal, forward pricing rate proposal, incurred cost proposal, business systems adequacy, post award (defective pricing), and Cost Accounting Standards compliance. It is very important to understand, prior to initiation of the audit, the applicable audit scope and related audit procedures that the DCAA will perform. Knowing these audit objectives will assist in the overall preparation process, identification of required functional personnel, and gathering of applicable supporting information and documentation. Equally important is knowledge regarding the standard audit protocols or “rules of engagement” the DCAA is supposed to follow.
There are several sources that the DCAA uses to obtain guidance and instruction to perform its audits. It is imperative that contractors review and gain familiarity with this information to confirm that the audit is being performed in accordance with the DCAA’s own internal guidance and requirements. Relevant information that is publicly available on the DCAA’s web site (www.dcaa.mil) includes:
- The DCAA Contract Audit Manual (DCAM) – a two-volume set issued twice a year;
- Memorandum for Regional Directors (MRD) – audit guidance issued periodically from DCAA headquarters to the regions;
- Standard Audit Programs – specific audit steps and procedures related to a variety of audit types;
- Adequacy Checklists – submitted in conjunction with various proposals; and
- Internal Control Matrix – control objectives, control activities, and audit steps related to specific business systems.
A working knowledge of, or at least familiarity with, the DCAA’s audit guidance is also very useful in addressing situations in which an auditor does not follow its own guidance during the performance of an audit. This occurs often, and when it does, knowledge of the guidance is a contractor’s most effective defense when responding to auditors and/or elevating the matter within the Agency, such as to the Supervisory Auditor or Branch Manager.
- Internal Assessment (Pre Audit Activity) – It is always advantageous to conduct an internal self-assessment regarding conformance with the particular audit objectives and scope to identify if deficiencies or potential findings exist. It is always better to know ahead of the audit if problems are foreseeable so corrective action or remediation efforts can be undertaken prior to the audit to avoid or mitigate adverse audit findings.
The nature of the audit may significantly determine the level of effort required to conduct the internal assessment. For example, an upcoming business system audit or Contractor Purchasing System Review (CPSR) will probably entail a significant amount of effort to perform an adequate gap analysis and risk assessment to identify system design or operating effectiveness issues. However, it is generally better to commit the resources in advance of the audit and fix any noted deficiencies rather than fail the audit and receive an inadequate business system determination by the government, which could lead to withholding of payments, the inability to propose on certain projects, or worse.
- Communication Protocols (Pre / In-Progress / Post Audit Activity) – Unfavorable or inaccurate audit conclusions are frequently the result of poor communication between the auditor and the contractor. To reduce the risk of this “lost in translation” scenario, it is highly recommended that established communication procedures and schedules (at least in a tentative sense) be developed that enable both parties to actively and effectively communicate audit objectives, challenges, progress and results. Participation in these communications and status briefings should be agreed upon up front and adhered to by both parties. The DCAA is required to conduct an entrance conference and is also encouraged to provide interim and exit conferences pursuant to its audit guidance (DCAM 4-300). If effective communication protocols are enacted, the likelihood of audit “surprise findings” should be greatly reduced or eliminated.
Entrance Conference – Insist on a thorough entrance conference to obtain an understanding of the audit objectives, scope and procedures; anticipated timeline; internal resources required; types of data and information required; and any challenges known at that time, such as unavailable personnel, remote site access or visits, and availability and retrieval of records. The audit scope and focus areas should be clearly identified with discrete elements or items for which the auditor will have access and the contractor responsibility to support. If there are data access challenges due to the age of the data, the entrance conference is the appropriate time to address this issue and offer mitigation plans.
Interim Conferences – The interim conferences are as or more important than the entrance conference because they provide an exchange of information between the auditor and the contractor regarding progress of the audit, problems or challenges encountered, findings and issues, open items, and remaining effort and completion requirements. The auditor should provide initial audit findings and the contractor should be privy to the auditor’s rationale to allow the contractor to fully assess the findings. These discussions also give the contractor an opportunity to manage the audit process to ensure the auditor is not exceeding the overall scope and objectives (as outlined in the entrance conference described above).
Exit Conference – Insist on a thorough exit conference to discuss and understand all audit findings. Contractor management and applicable functional personnel and the DCAA supervisor should attend the exit conference. Prior to the meeting, carefully review the draft report and seek clarifications as needed. The draft audit report should be reviewed internally at all applicable levels by contractor personnel who were involved in the audit. Lastly, ensure the findings are accurate and clearly articulated and request that your responses to the specific audit findings be incorporated in the final audit report.
Depending on the nature of the audit, significance of the findings and / or inabilities to reach agreement or understanding with the auditor, it may be appropriate to request that the DCAA local management (Supervisory Auditor, Branch Manager, Resident Auditor) attend the exit conference.
Internal Communication – In addition to communication with the government, it is important to communicate effectively internally to ensure audit objectives are understood by the team, appropriate resources are identified and committed to support the audit, specific responsibilities are defined and carried out, and management is aware of the overall internal plan to perform and complete the audit.
To reduce the risk of misunderstanding, misinterpretation and memory loss, it is very important to document all formal communications, status meetings, conferences and other activities. This documentation should be developed by a single source within the contractor’s organization, summarized in a meeting minutes’ format, and provided to all in attendance. This procedure will minimize the risk of significant or unknown items finding their way into the final audit report without the contractors’ prior knowledge (one of the objectives to achieve a “successful” audit).
- Point of Contact and Management Team (Pre Audit Activity) – To maintain effective communication protocols and efficiently support the audit process, it is critical to engage the appropriate contractor personnel early. These resources should become better defined at the conclusion of the entrance conference as audit scope, objectives and requirements are better understood.
Designated Point of Contact – An internal point of contact should be established to liaise or coordinate with the auditor. A single source acting as the conduit between the auditor and the contractor will streamline and improve the efficiency of the overall process. This will, in turn, improve responsiveness, which is always important. This is an important role, with responsibilities that typically include:
- Receiving and documenting requests from the auditor;
- Delegating these requests appropriately within the organization;
- Coordinating internally on progress and turnaround;
- Communicating with the auditor; and
- Facilitating the entire audit process.
The person selected for this role should have adequate knowledge of the contractor’s operations, understand which internal resources are best suited to address audit requests within the organization in order to gather timely responses, and maintain an overall awareness of the DCAA and its objectives and procedures.
Management and Supporting Team – Upon conclusion of the entrance conference, the contractor should determine which functional disciplines and / or specific personnel will be required to support the audit. Management should assemble the team, contact applicable personnel, brief them on the upcoming audit and tell them what their specific purpose and responsibilities will be. It should be stressed that responsiveness is important (three days is currently the DCAA’s expectation) and that all communications should be conducted in a professional manner.
- Documentation and Access to Records (During Audit Activity) – A complete list of requested and provided documents should be maintained throughout the audit. This list should also describe, in adequate detail, the nature and content of what was requested and provided, who provided it, and when. This list is typically maintained by the designated internal point of contact. This procedure is important for obvious reasons. However, if during the course of the audit the DCAA challenges the sufficiency or completeness of the documentation provided, it will be helpful to review this list to demonstrate to the auditor that the documentation was provided and is adequate.
Additionally, a complete list of interviews or discussions between the auditor and contractor personnel should be maintained – again, most likely by the internal point of contact.
Federal Acquisition Regulation (FAR) Part 4 should be reviewed to determine which records are required to be retained by a contractor and for what period of time. Because the retention period is not the same for all types of records, if a particular record is requested by the auditor for which there is not regulatory or internal company policy to provide, the auditor should be informed accordingly.
Finally, use of electronic formats of original documents for record keeping and audit purposes is an acceptable procedure, provided certain document imaging requirements are adhered to in accordance with FAR Part 4.
Government contractors have long had to deal with DCAA audits and are required to grant the government access to records under the terms of applicable contracts or solicitations. The keys to achieving a successful audit center on adequate knowledge of the DCAA objectives and procedures, effective communication procedures throughout the process, detailed and effective record retention practices, and coordination of all relevant personnel in support of the audit.
For the current state of DCAA, audits and general updates regarding compliance, please follow us.
Keys to Successfully Answering the DCAA Knock at the Door Webinar- Date to be announced!