The Department of Defense is mulling a proposed rule that would shift responsibility for obtaining audits of certain business systems away from the government and into the hands of the federal contractors themselves, reducing some compliance headaches while creating others.

On July 15, the Defense Department issued a proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to allow federal contractors that earn more than $50 million annually in government contracts to use third-party certified public accountants to audit accounting systems; estimating systems; and separate material management and accounting systems.

According to the Defense Department, contractor business systems and internal controls are essential to the government, because they are the first line of defense against waste, fraud, and abuse. “Weak control systems increase the risk of unallowable and unreasonable costs on government contracts,” the department wrote.

Currently, these three business systems—accounting, estimating, and material management and accounting systems—are audited by the Defense Contract Audit Agency (DCAA). A serious backlog of audits, however, is preventing the DCAA from effectively meeting their audit obligations, according to a November 2011 report by the Government Accountability Office, which ultimately spurred the new proposal.

Nicole Owren-Wiest, a partner with law firm Wiley Rein, says that, from a practical standpoint, the rule will, “increase the burden on many contractors and also potential increase risk.” Contractors may have to perform more internal reviews and audits on their business systems, she says.

Self-Reporting Requirement

Under the proposed rule, contractors would be required to annually self-certify that their business systems are up to snuff and obtain a CPA audit every three years. The rule also would require contractors to self-report any deficiencies they find. Government auditors and contracting officers then review these self-evaluations and CPA audits at the contracting officers’ discretion.

“Any time you have to certify something to the government, it always comes with risk,” says Susan Cassidy, a partner with Covington & Burling. Contractors who self-certify that their business systems are in compliance must provide to third-party auditors their internal audit work papers and related materials produced in connection with the self-certifications, whereas the production of those same papers would not be required in a DCAA review. “Anything they tell that CPA, ultimately, they’re telling the government,” Cassidy says.

Nicole Mitchell, a partner with accounting firm Aronson, agrees that the rule is “going to be a huge shift” for government contractors, because they’re going to have to conduct timely audits, hire external auditors, and may need to put new internal control reviews in place, if they don’t have them already.

“Once we get through that initial pulling off of the band aid,” the rule may create “a much more efficient process in the long run,” Mitchell says.

More Control

The silver lining of the proposed rule is that it effectively gives contractors greater control over how and when reviews are completed. “When DCAA was doing these audits, you would hear horror stories of contractors that had a two-year long accounting system review, and it was because DCAA would start it and get pulled away because of other priorities,” Mitchell says.

Thus, for contractors who have been waiting on the government to conduct audits and approve their business systems in order to be awarded government contracts, the proposed rule is a welcome development. “For contractors that haven’t had their systems reviewed either at all, or for many years, and are on a wait list for DCAA to do their system reviews, this could be a benefit for them,” Owren-Wiest says.

Whether the rule simplifies the auditing process in practice remains to be seen. “A big question is whether the rule is going to end up duplicating efforts, as opposed to streamlining and making things more efficient,” Kayleigh Scalzo, an associate with law firm Covington & Burling, says. “Certainly, the latter is the goal.”

When DCAA was doing these audits, you would hear horror stories of contractors that had a two-year long accounting system review, and it was because DCAA would start it and get pulled away because of other priorities.
Nicole Mitchell, Partner, Aronson

Where the potential for trouble arises, however, is that the DCAA auditor still would perform its own review and may not necessarily be inclined to rubber stamp the findings of the third-party auditor. “Then, it sort of defeats the purpose,” Owren-Wiest says. Those are the sort of details that will have to be worked out through the comment process, she says.

The other potential risk when a DCAA auditor performs a business systems review is that it’s possible they could find the contractor “not eligible to compete if you have inadequate systems,” Cassidy says. In addition, the Defense Department may withhold payments if it finds a significant deficiency in one or more of the contractor’s business systems.  

That withholding can have a substantial effect on contractor cash flow, particularly given that the contracting officer may impose the withholding on multiple contracts, Cassidy says. Moreover, the withholding of payments doesn’t limit the other remedies that the contracting officer may seek against a contractor because of harm caused by a deficient business system, she says.


Below is an excerpt from the proposed rule on the Defense Federal Acquisition Regulation Supplement, providing background information.
I. Background
Contractor business systems and  internal controls are the first line of  defense against waste, fraud, and abuse. Weak control systems increase the risk  of unallowable and unreasonable costs  on Government contracts. In response to  a U.S. Government Accountability  Office report (GAO–12–83) issued on  November 3, 2011,  Defense Contract Management Agency: Amid Ongoing  Efforts to Rebuild Capacity, Several  Factors Present Challenges in Meeting Its Mission,  DoD agreed to consider alternative approaches to audit  contractor business systems.
II. Discussion and Analysis
To improve the efficiency and effectiveness of auditing contractor business systems, DoD is proposing to amend the DFARS to entrust contractors with the capability to demonstrate compliance with DFARS system criteria for contractors’ accounting systems, estimating systems, and material management and accounting systems, based on contractors’ self-evaluations and audits by independent Certified Public Accountants (CPAs) of their choosing. Government auditors will perform overviews of the results of contractor self-evaluations and CPA audits.
Source: Federal Register.

The disclosure of a deficiency in an accounting system, for example, could lead the government to seek recovery of overcharges that resulted from those deficiencies, or take a harder look at a contractor’s pricing data if the contractor discloses a significant deficiency in its estimating system, Cassidy says.

In addition, if an audit uncovers information that puts a company at legal risk, the audit will not have been conducted under a privileged review. “That’s a reasonable concern,” Owren-Wiest says.

“There may be a way to maintain privilege over issues that might pop up in the course of such a review, without necessarily losing the benefit of any legal privilege to those issues,” Owren-Wiest adds. Contractors certainly can work through those concerns by, “doing some upfront compliance planning and engaging the legal department,” she says.

Comments on the proposed rule are due by Sept. 15. The Defense Department will also hold a public meeting on Aug. 18 and says it is particularly interested in feedback concerning its estimation of the cost and time required to comply with the rule; ways to enhance the quality and clarity of information collected; and how to make the collection of information less burdensome on contractors through the use of technology while still ensuring the quality of self-reporting.