Posts

5 Ways to Prep for the Audit While Preparing the Incurred Cost Proposal

5 Ways to Prep for the Audit While Preparing the Incurred Cost Proposal

Jennifer Rettelle, Director of Operations | Capital Edge Consulting, Inc.

The requirement to submit a final indirect cost rate proposal, more commonly referred to as the Incurred Cost Proposal or Incurred Cost Submission (ICS) is contained in FAR clause 52.216-7(d)(2)(i) – Allowable Cost and Payment which states: “The contractor shall submit an adequate final indirect cost rate proposal to the contracting officer (or cognizant federal agency official) and auditor within the 6-month period following the expiration of each of its fiscal years.”

Are you ready for your incurred cost audit? One of the major historical audit challenges is the delay, sometimes many years, between timely submission under FAR 52.216-7 and the actual audit. DCAA is now required to audit adequate final indirect cost rate proposals within one year, but only time will tell if they can meet that lofty goal. To help eliminate the future audit risk, Capital Edge has identified five ways to start preparing for the audit, while preparing the current annual incurred cost submission.

Document, Document, Document!

This point cannot be stressed enough. The backlog in incurred cost audits only further solidifies the likelihood that the people preparing the Incurred Cost Submission may not be available to support an audit or the data needed to support the audit is difficult to find. The likelihood of an ICS audit year occurring years after submission has historically been high. Be sure to document as much as possible in a way that someone unfamiliar with your organization will understand since you may be long gone by the time an auditor shows up.

  • While preparing the current ICS or in the course of performing your regular duties, you may receive information which impacts future incurred cost submissions.

For example:

  • Do you have new intermediate cost pools this year (i.e. new fringe, IT, facilities, etc.)?
  • Did the basis for the allocation of any of your cost pools change?
  • Are you aware of potential changes to home office allocations which could impact the current fiscal year or future years?
  • Is your company still able to track all data metrics needed for allocation (i.e. number of user licenses, headcount, square footage, etc.)?

We recommend keeping a list of these items so that the preparer of the next incurred cost submission has a head start. Maintaining such a record can also expedite the timeline for incorporating these changes into current or future submissions and provide some, if not all, of the information needed to document the change(s) in preparation for an audit. In addition, these changes may likely be considered a change in cost accounting practice, which has other compliance implications for CAS covered contracts that we won’t delve into here.

  • Did the purpose of a specific account change from the prior year? Are the costs previously accumulated in one account now captured in multiple accounts? Did the purpose of a particular cost center or department change? Be sure to keep clear notes on these changes year after year, as they may prove invaluable during an audit.
  • Save yourself the headache of scrambling to answer an auditor’s questions and be sure to keep all files used in the preparation of the ICS in a storage repository that is shared with multiple people and is routinely backed up. Keep the file structure simple and organized so that someone who is less familiar with the process can find documentation needed to support an audit.
  • Keep the original source data, including the trial balance, project ledgers, 941s, Statement of Indirect Expenses, contract list, invoices, and all other information used to populate and calculate the final rates in the ICS. Having a single and organized place to find this data will save time, effort, and sanity when the auditor is asking questions.
  • Were any assumptions, adjustments, or other information used to prepare the ICS? Be sure to document all of these including any applicable rationale that was used. This information can go a long way to support costs that are questioned by an auditor.

Spread the Knowledge Wealth

We recommend that contractors are careful to spread the wealth of knowledge of the inner workings of their Incurred Cost Submission and preparation methodology with others in the finance or accounting department. Such steps will reduce the risk of substantial knowledge loss in the event employees with major roles in the ICS preparation process move on to other positions before the audit occurs.

Prepare all the Supplemental Schedules

Although supplemental schedules are not required to be included with the ICS for adequacy determination purposes, they will likely be some of the first items requested at the beginning of an audit. The process to complete these schedules is more efficient when completed as part of the original ICS preparation and can help identify items which may be questioned by an auditor.

In addition, some of the supplemental schedules have other valuable uses to the company and to the ICS preparation process. For example, the set of Supplement Schedule A’s can be used to evaluate the year after year change in costs by account.

Large fluctuations in costs identified in these schedules can indicate a preparation error in the ICS or simply changes in company spending. These schedules can be used by management to see what is driving the change in rates for a deeper understanding of their business and they can also be used to identify areas where DCAA may focus their audits, especially if certain high-risk accounts such as travel, executive compensation, legal, consulting, etc. have increased significantly year after year.

Keep a “Working Copy” and a “Final Submission” version of the ICS

We recommend maintaining two copies of the ICS when it is completed:

  • The “Working Copy” includes all links to supporting schedules and workpapers so that each value on every schedule is easily traceable. The details in the working copy will significantly reduce the time spent answering questions during an audit and will also help those new to preparing an ICS understand the source of the amounts claimed and how the rates are calculated.
  • The “Final Submission” version contains only the schedules required for submission and contains no supporting schedules or links to supporting schedules or source data. This is the file which is submitted to the government.

These two files should be marked as FINAL and WORKING COPY in the file name and stored in a properly labeled folder.

Understand Audit Expectations

Understanding the expectations of your auditor will help facilitate a working relationship during the course of the audit. An auditor is likely to expect a turnaround time of three days or less for documentation and answers to questions. It is critical to set a clear understanding with DCAA of when you will be able to provide data and set yourself up for success by under-promising and over-delivering. Additionally, be sure to take a look at the supporting data that DCAA typically reviews and be sure it can be available upon audit initiation.

For many contractors, the deadline for the next Incurred Cost Proposal is June 30th. We recommend getting started soon to be sure that you have adequate time to prepare the submission. Capital Edge has a wealth of resources available to support contractors with preparation and review of their ICS. Whether your organization is large, small, or somewhere in between, we can help take the stress out of this requirement.

The requirement to submit a final indirect cost rate proposal, more commonly referred to as the Incurred Cost Proposal or Incurred Cost Submission (ICS) is contained in FAR clause 52.216-7(d)(2)(i) – Allowable Cost and Payment which states: “The contractor shall submit an adequate final indirect cost rate proposal to the contracting officer (or cognizant federal agency official) and auditor within the 6-month period following the expiration of each of its fiscal years.”

Are you ready for your incurred cost audit? One of the major historical audit challenges is the delay, sometimes many years, between timely submission under FAR 52.216-7 and the actual audit. DCAA is now required to audit adequate final indirect cost rate proposals within one year, but only time will tell if they can meet that lofty goal. To help eliminate the future audit risk, Capital Edge has identified five ways to start preparing for the audit, while preparing the current annual incurred cost submission.

Download your copy of 5 Ways to Prep for the Audit While Preparing the Incurred Cost Proposal below:

 

GAO Release: Recommendation to monitor and ensure contractor business system reviews are conducted in a timely fashion.

CONTRACTOR BUSINESS SYSTEMS: DOD Needs Better Information to Monitor and Assess Review Process

GAO-19-212: Published: Feb 7, 2019. Publicly Released: Feb 7, 2019.

The U.S. Government Accountability Office (GAO) is an independent, nonpartisan agency that works for Congress. Often called the “congressional watchdog,” GAO examines how taxpayer dollars are spent and provides Congress and federal agencies with objective, reliable information to help the government save money and work more efficiently.

We have written a few times recently on the matter of government contractor business systems.  The government’s (DCAA and DCMA) review of the six contractor business systems is expected to rise significantly in the near term based on information we have received from the DCAA and DCMA.  This GAO report released today adds further reality to this renewed focus on contractor business system reviews.

Contractors are encouraged to take the time and make the investment now to perform proper due diligence to ready themselves for these government reviews.

Fast Facts

The Department of Defense uses data from contractors’ business systems—e.g., accounting or purchasing systems—to guard against fraud, waste, and abuse in DOD contracts. For example, reviewing data from a contractor’s accounting system can help keep the contractor from overcharging.

DOD must review contractors’ business systems to ensure that the data from them can be used. We’ve previously found that it was years behind on some of these reviews.

DOD has an ambitious plan to catch up on these reviews in 3 years but has no way to measure its progress. We recommended that DOD monitor and assess whether it’s completing these reviews as planned.

GAO Findings

Since 2011, the Department of Defense (DOD) has implemented several changes to its processes for reviewing contractor business systems—which include systems such as accounting, estimating, and purchasing. Among other changes, DOD clarified the roles and responsibilities of the Defense Contract Management Agency (DCMA) and the Defense Contract Audit Agency (DCAA)—the two agencies that are responsible for conducting the reviews; clarified timeframes for business system reviews and established criteria for business systems; and withheld payments from contractors that were found to have significant deficiencies in their business systems.

DOD does not have a mechanism to monitor and ensure that these reviews are being conducted in a timely manner. For its part, DCAA has conducted few business system audits since 2013, as it focused its efforts on other types of audits. DCAA plans to significantly increase the number of business system audits over the next 4 years, but its success in doing so depends on its ability to shift resources from other audits; to use public accounting firms to conduct other, non-business system audits; and DCAA staff’s ability to execute new audit plans in a timely manner.

GAO Chart Businss System Audit

DCMA relies on the three offices responsible for conducting DCMA-led reviews to manage the reviews, but DCMA does not formally monitor whether these reviews are being conducted consistent with policy nor does it monitor DCAA’s efforts to complete the audits for which it is responsible. DCMA is ultimately responsible for approving a contractor’s business systems. DCMA currently lacks a mechanism based on relevant and reliable information, such as the number of reviews that are outstanding and the resources available to conduct such reviews, to ensure reviews are being completed in a timely fashion. Such information could help inform more strategic oversight on whether the current review process is achieving its intended results, or whether additional changes to the timing of or criteria for conducting reviews are needed.

Why GAO Did This Study

Contractor business systems produce critical data that contracting officers use to help negotiate and manage defense contracts. These systems and their related internal controls act as important safeguards against fraud, waste, and abuse of federal funding. Federal and defense acquisition regulations and DOD policies require that DOD take steps to review the adequacy of certain business systems, but GAO and other oversight entities have raised questions about the sufficiency and consistency of DOD’s review process.

The National Defense Authorization Act for Fiscal Year 2018 contained a provision for GAO to evaluate how DOD implemented legislation intended to improve its business system review process. Among other things, this report examines (1) the changes DOD made to its review process and (2) the extent to which DOD is ensuring timely business system reviews.

GAO analyzed DOD acquisition regulations, policies, and procedures for conducting contractor business system reviews and analyzed data on reviews conducted between fiscal years 2013 and 2018.

Read more on this 

 

DCAA Audits of Government Contractor Business Systems

DCAA Audits of Government Contractor Business Systems – Key Risk Mitigation Strategies to Promote an Adequacy Determination

Craig Stetson, Partner | Capital Edge Consulting, Inc.

The Defense Contract Audit Agency (DCAA) recently indicated as a 2019 agency initiative a significant increase in their 2019 audit efforts around contractor business systems. The DCAA’s renewed focus on performing contractor business system audits, is largely the result of the DCAA’s recent reduction in its prior and long-standing backlog of incurred cost proposal audits. The DCAA is responsible for oversight of three of the six contractor business systems, including accounting, estimating, and material management and accounting. Under this 2019 initiative, the accounting system will be the primary focus with a planned audit activity of nearly 1,000 audits. Estimating and material management and accounting system audits also are planned to increase significantly from the 2018 activity, however, nothing near the planned accounting system amount noted prior.

The DCAA’s 2019 plan to significantly increase their audits of contractor business systems appears aggressive (considering the level of effort required to perform these audits and the level of available DCAA resources). Contractors should take seriously potential or pending business system audits by the DCAA as the consequences for a determination of inadequacy by the government may be significant and include – i) monetary withholds pursuant to DFARS clause 252.242-7005, ii) loss or delay of contract awards, iii) reduced proposal evaluation scores in accordance with solicitation evaluation criteria (for example, Request for Proposal Section M), iv) increased government oversight across multiple fronts, and v) government CPARS (Contractor Performance Assessment Reporting System) recording of detrimental past performance ratings.

The following five key strategies are critical risk mitigation measures to enhance the likelihood of the government determining contractors’ business systems adequate and reduce contractors’ related compliance risks.

 

1.Knowledge of Business System Requirements and DCAA Audit Objectives (Pre-audit phase)

The DCAA conducts business system audits utilizing specific standard audit programs and detailed audit guidance and procedures incorporated in their internal DCAA Contract Audit Manual (DCAM). The three business system specific standard audit programs and the DCAM are available for review on the DCAA website (www.dcaa.mil). The DCAA audit objectives, guidance, and corresponding procedures were developed for the purpose of a DCAA evaluation and corresponding audit opinion of a contractor’s compliance with the specific business system adequacy criteria incorporated in each of the applicable DFARS business system clauses – accounting (252.242-7006), estimating (252.215-7002), and material management and accounting (252.242-7004). A clean audit opinion will simply designate the contractor’s business system as adequate.

Contractors that do not perform under Department of Defense (DoD) contracts or do perform under DoD contracts not subject to the DFARS clauses noted above, are not contractually required to comply with the specific DFARS business system adequacy criteria. However, for business system audit purposes, the DCAA will nevertheless use these adequacy criteria as the baseline for their business system audit scope, objectives, and procedures. Simply stated, contractors are required to demonstrate and maintain compliance with the adequacy criteria and requirements of these clauses – whether or not the subject clauses actually are incorporated in contracts.

It is very important to understand the applicable audit scope, objectives and procedures that the DCAA will use to conduct their audit. Further, it is equally or more important for contractors to clearly identify and articulate their specific key internal controls that satisfy the corresponding audit objectives and procedures. Understanding the overall audit expectations and responsibilities, as well as existing internal business process capabilities will greatly assist with critical audit preparation, identification of required functional personnel, and gathering of applicable supporting information and documentation. Further, an adequate and working level understanding of the audit process should enhance its efficiency and effectiveness, while mitigating contractors’ compliance risk, potential misunderstandings with the DCAA and incorrect or inaccurate audit conclusions.

2. Due Diligence and Self-Assessment (Pre-audit phase)

Contractors are strongly encouraged to perform due diligence procedures in advance of a DCAA business system audit. The due diligence is commonly performed as an audit readiness measure and in the form of a business system self-assessment. This frequently is the most important aspect of the entire audit.

A meaningful self-assessment (mock audit) of a contractor’s business system entails a detailed analysis of the DCAA audit objectives and related business system adequacy criteria compared to the contractor’s current business system structure and capabilities. This two-phase (Phase I – adequacy of business system design; Phase II – business system operating effectiveness) gap analysis is critical for contractors to understand and identify potential compliance risks and areas of audit findings due to deficiencies noted related to the adequacy of the business system design and/or its operating effectiveness. A risk assessment approach may also be used where known elements of potential compliance risk may receive additional focus during the self-assessment.

The self-assessment approach and procedures should closely align with the actual DCAA audit. Contractors should utilize the DCAA audit program as a starting point for purposes of identifying required written documentation and existing key internal controls that will be required during the course of the audit. Another useful tool during the self-assessment phase are the business system specific internal control matrices. The DCAA created these matrices years ago and they provide a thorough analysis of the business system control objectives and anticipated DCAA audit procedures. These matrices are no longer posted on the DCAA’s website; however, are still around and are very useful for purposes of mapping written policy and procedure documentation and internal controls to the corresponding business system requirements and related control objectives. The overall self-assessment process should be clearly documented with i) an audit trail of the written internal control and business process mappings to the business system requirements (Phase I); and, ii) the scope and results of detailed transaction test plans or file reviews (Phase II). Deficiencies noted during the self-assessment should be reported to management and corrected and required and missing written policy and procedure documentation developed to demonstrate to the government that the contractor maintains an effective monitoring process as required in all the business systems.

Contractors should invest in the resources required to adequately perform the self-assessment and use the completed and documented self-assessment for business system demonstration purposes to the government.

3. Business System Demonstration (Audit planning and risk assessment phase)

The business system demonstration phase is another critical element of the overall audit process as it provides contractors an opportunity to communicate to the government the adequacy and operating effectiveness of their business systems. A well conducted demonstration should leave the government with a sense of confidence regarding a contractor’s overall state of compliance around the business system. This, in turn, may result in reduced audit scope or the government’s decision not to perform the audit at all, if the government determines the contractor to be low risk from an audit perspective.

During the demonstration, contractors should present a thorough overview of the applicable business system capabilities, relevant written policy and procedure documentation, key internal controls and business process flows. Furthermore, contractors should demonstrate effective and ongoing monitoring of programs as well as employee training requirements and initiatives.

Effective documents used during the demonstration should include:

  • An overview of the relevant business system written documentation; including policies, procedures, and process flows
  • A complete mapping of the contractor’s written internal controls and business processes to the DFARS business system clause requirements and the corresponding DCAA standard audit program (frequently included in and presented through a well documented internal control matrix)
  • Evidence of ongoing monitoring activities (transaction testing or file reviews) and corresponding corrective actions and reporting to management, as applicable

Contractors should invest in the time required to gather the critical documents to be used during the business system demonstration and allow adequate preparation to enhance the likelihood of an effective outcome.

4. Documentation and Access to Records (Audit fieldwork phase)

Sufficient documentation is the single most important factor for contractors to achieve an adequate business system determination from the government. Sufficient documentation comes in two forms – i) written internal controls and business processes (policies and procedures) and ii) audit evidence related to transaction testing or file reviews.

Use of electronic formats of original documents for record keeping and audit purposes is an acceptable procedure provided certain document imaging requirements are adhered to in accordance with Federal Acquisition Regulation (FAR) Part 4.

Contractors should maintain a complete list of requested and provided documents throughout the audit. This list should also describe, in adequate detail, the nature and content of what was requested and provided, who provided it, and when. Likely, this list would be maintained by the contractor’s designated internal point of contact. This procedure is important for obvious reasons, however, should during the course of the audit, the DCAA challenge the sufficiency or completeness of the documentation provided it will be helpful to review this list to demonstrate to the DCAA that the documentation was provided and is adequate. Additionally, a complete list of interviews or discussions between the government and contractor personnel should be maintained – again, likely by the internal point of contact.

Contractors should ensure during the due diligence and self-assessment phase that sufficient documentation exists to support an audit. Simple verbal acknowledgement during an audit that a procedure was performed, for example, likely will not be deemed as adequate to the DCAA and may result in adverse audit conclusions or noted deficiencies in the business system.

5. Communication Protocols (Pre-audit, audit, and post-audit phases)

A DCAA business system audit is frequently intense and of an extended duration. These audits may be active for a few months to more than one year. Effective communication is critical during these audits to minimize misunderstandings and inaccurate audit conclusions.

Unfavorable or inaccurate audit conclusions are frequently the result of poor communication between the DCAA and the contractor. To reduce the risk of information being  “lost in translation”, it is highly recommended that communication procedures and schedules (at least in a tentative sense) be developed where both parties can actively and effectively communicate audit objectives, challenges, progress and results. Participation in these communications and status briefings should be agreed upon up front and adhered to by both parties. The DCAA is required to conduct an entrance conference and are also encouraged to provide interim and exit conferences pursuant to their audit guidance (DCAM 4-300). If effective communication protocols are enacted, the likelihood of audit “surprise findings” should be greatly reduced or become nonexistent.

  • Entrance Conference – Contractors should insist on a thorough entrance conference to obtain an understanding of the audit objectives, scope and procedures; anticipated timeline; internal resources required; types of data and information required; and any foreseen challenges known at that time e.g., unavailable personnel, remote site access or visits, availability and retrieval of records, etc. The audit scope and focus areas should be clearly identified with discrete elements or items for which the DCAA will have access and the contractor responsibility to support.
  • Interim Conferences – Interim conferences are also very important as they provide an exchange of information between the DCAA and the contractor regarding progress of the audit, problems or challenges encountered, findings and issues, open items, and remaining effort and completion requirements. The DCAA should provide initial audit findings and contractors should be privy to the DCAA’s rationale to allow internal assessment as to the merit of the findings.
  • Exit Conference – Contractors should insist on a thorough exit conference to discuss and understand all audit findings. Contractor management and applicable functional personnel and the DCAA supervisor should attend the exit conference. Prior to the meeting, contractors should carefully review the draft report and seek clarifications or corrections as needed.

To reduce the risk of misunderstanding, misinterpretation, and memory loss it is very important to document all formal communications, status meetings, conferences, etc. This documentation should be developed by a single source within the contractor and summarized in a meeting minutes format and subsequently provided to all in attendance.

Download your copy of Key Risk Mitigation Strategies to Promote an Adequacy Determination below:

 

Business Systems Compliance for 2019

Business Systems Compliance Update for 2019 – the DCAA indicated recently a current initiative to significantly increase their audit efforts in 2019 of contractor business systems (accounting, estimating and MMAS).

2018 Reports showed the following data for Business Systems Audits:

  • Accounting Systems: 447
  • MMAS: 7
  • Estimating: 11

2019 Planned Business Systems Audits:

  • Accounting Systems: 995
  • MMAS: 19
  • Estimating: 40

Connect with our experts to learn more about due diligence, self-assessments and gap analyses to ready for these potential audits.

COMPLIANCE UPDATE: New DCAA audit program for accounting system audits under DFARS 252.242-7006.

New DCAA audit program for accounting system audits under DFARS 252.242-7006

This new audit program appears a mix of prior accounting system subsystem audit programs (e.g., billing, labor, direct and indirect costs, etc.), the SF 1408 and the 18 specific DFARS criteria. The compensation system (one of the six subsystems) is not fully addressed in this new audit program Also of note, the DCAA will use the 18 DFARS criteria as their audit baseline notwithstanding the absence in contracts of the applicable.

Click-to-See Master Document- Audit Program

Need more information or help with compliance- Contact us