Tuesday, November 14, 2017

DCAA to Share Audit Function With Commercial Firms - Part 2

Yesterday we introduced the Section 803 provision in the 2018 NDAA (National Defense Authorization Act) that will require the Defense Department to begin farming out some of its incurred cost audit functions to commercial firms. Though the probable soon-to-be law does not specify a particular percentage or dollar value of audits to be shaved off of DCAA's (Defense Contract Audit Agency's) current workload, the general tenor of the provision sounds like the sharing will be substantial and on-going.

For example, yesterday we reported that the new provisions require that audits be completed within one year from submission of an adequate incurred cost proposal (for information on what constitutes an adequate incurred cost proposal, see Annual Incurred Cost Submissions - Adequacy or DCAA's Checklist for Determining Incurred Cost Proposal Adequacy). But what happens if the audit is not completed within a year? Section 803 contains a provision that states if audit findings are not issued within one year after the date of receipt of a qualified incurred cost submission, the audit shall be considered to be complete and no additional audit work shall be conducted. That would result in significant risk to the Government and will probably necessitate the transfer of a substantial number of audits from DCAA to commercial auditors - particularly since DCAA has not had much success in completing incurred cost audits in a year.

Another Section 803 provision that makes the number of commercialized audits substantial and on-going is the requirement that DoD maintain an appropriate mix of Government and private sector capacity to meet the current and future needs and to ensure that qualified private auditors perform incurred cost audits on an ongoing basis. Sounds to us like the program is to be set up for the long haul.

There are certain qualifications that commercial firms must meet in order to participate in the program. There can be no conflicts of interest; the auditors must be independent; they must sign non-disclosure agreements to protect proprietary or nonpublic data; and they must protect proprietary data and cannot use it for other purposes. Also, and significantly, the firms performing the audits must have a peer review with an "acceptable" rating ("acceptable" is as good as you can get in a peer review).
