Independent Audits of Contractor Business Systems - Part 6

We've been discussing DoD's recent proposal to require contractors to perform annual self-assessments of certain of their business systems and to have those systems audited by a CPA firm every three years. If you haven't been with us for the entire series, it would be a good idea to start at the beginning:

     Part 1
     Part 2
     Part 3
     Part 4

     Part 5

The proposed rule, according to DoD, will have no impact on small businesses. That's because the Department has set the applicability at a pretty high level. For estimating systems, the criteria applies to contractors that had negotiated contracts of $50 million or more in their previous fiscal year. That doesn't necessarily exclude small businesses as we've seen contracts awarded to small businesses that exceed that amount. But, that threshold would certainly exclude most small businesses. For MMAS (Material Management Accounting Systems), the annual assessment and audit requirements specifically excludes small businesses and applies to contractors with qualifying sales to the Government of $50 million or more and an affirmative determination by the ACO that an MMAS review is needed (based on various risk factors). For Accounting Systems, the requirement applies to CAS-covered contractors (Cost Accounting Standards). (For CAS coverage requirements, click here).

The system criteria for these business systems are not changed by this proposed regulation nor are the penalties (billing withholds) for having a system that does not comply with the stated criteria.

There are several aspects of this new regulation that we believe will become problematic during implementation.

• Cost - these self-assessments and independent audits will cost contractors dollars that they wouldn't have otherwise incurred.
• Cost allocation - the cost will need to be allocated somewhere. Contractors will make the case that since these costs are required by contract, they are allocable to those contracts and not to commercial work. The Government will probably try to make the case that these internal control systems benefit all the work of the contractor and should be allocated broadly.
• Timeliness - there doesn't seem to be any penalty for failing to meet the annual assessments or triennial audit requirements. 
• Timeliness of Government Involvement - The proposed regulations require that the Government be afforded the opportunity to review the CPA risk assessment and audit planning documents. The Government does not have a good track record of turning out responses in a timely manner. This could impede the efficient and effective accomplishment of the CPA's efforts.
• Resolving disagreements - while the proposed regulation contains processes to resolve deficiencies raised as a result of assessments and audits, it does not cover disagreements that might arise between the CPA and the auditor who will be overseeing the CPA effort. This could become a contentious area.

There is more to this proposal than we've covered in these blog posts. The proposal itself takes up nearly 14 Federal Register pages - a laborious read to say the least. Most likely, this will not be a case were the proposed rule is adopted as final, without change. A change of this magnitude will undergo significant revision before adoption - perhaps even a second draft for public comment.

If you care to provide comments to this proposed regulation, you have until September 15th to do so. You can submit those comments electronically to regulations.gov. So far, not too many comments have been submitted.

Click here to read Part 7 in this series.