DoD Expands Purchasing System Reviews to Include Cybersecurity Compliance

The Defense Department recently announced that it will be including contractor compliance with the DFARS (DoD FAR Supplement) rules regarding cybersecurity (DFARS 252.204-7012).

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors and subcontractors to implement National Institute of Standards and Technology (NIST) standards for protecting controlled unclassified information in non-federal information systems and organizations, as a means to safeguard DoD's  controlled unclassified information (CUI) that is processed, stored or transmitted on the contractor's (or subcontractor's) internal unclassified information system or network. Contractors are required to flow down this clause in subcontracts for which subcontract performance will involve CUI.

The DFARS clause is lengthy but in general, it requires adequate security systems and protections (which are defined in detail), cyber incident reporting to DoD, procedures to follow when malicious software is discovered, media protection, cyber incident damage assessment, and more.

The Under Secretary of Defense for Acquisition and Sustainment has now given the task of assuring compliance with this regulation to DCMA (Defense Contract Management Agency) who will include compliance coverage within their regularly scheduled CPSRs (Contractor Procurement System Reviews). The intent of the review (or audit) is to

• Review contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their suppliers, and
• Review contractor procedures to assess compliance of the suppliers with the DFARS requirements.

DCMA has not yet revised its CPSR policies and procedures for this added coverage. When they do, we'll provide a link. In the meantime, contractors, subcontractors, and other supply-chain firms need to self-assess their level of compliance with the requirements and take whatever corrective action is necessary to ensure full compliance.

The full DoD announcement can be found here.

$2.75 Million Settlement for Gouging SBIR/STTR Programs

The Small Business Innovation Research (SBIR) and the Small Business Technology Transfer (STTR) programs are the nation's largest Government source of early stage/high risk funding for start-ups and small businesses. To be eligible, the small business must be Americna -owned, organized as a for-profit entity, and have less than 500 employees. There are eleven federal agencies that participate in SBIR programs and five that participate in STTR programs. The largest spender of SBIR/STTR funds is the Defense Department followed closely by HHS (Health and Human Services). Together, SBIR/STTR obligations exceed $2.5 billion each year.

The Justice Department reached a $2.75 million settlement with E.M. Photonics (EMP) to resolve allegations that the company falsified labor costs and duplicative work in order to maximize charges to SBIR contracts award by the Navy, DARPA, Air Force, Energy, and NASA.

According to the Government, EMP engaged in two different schemes to defraud the programs. First, the company (and its CEO) directed EMP employees to falsify their time cards to record hours to SBIR programs while working on other projects. These inflated time cards were then used as a source to submit billings (i.e. false invoices) to the Government or payment.

The second scheme involved obtaining SBIR/STTR funding for substantially equivalent work that was already performed and funded by another Government agency. EMD falsely certified that such work was, in fact, non-duplicative.

We do not know, and the Justice Department did not disclose how this fraud was first uncovered. Given the nature of the fraud however, our first guess would be that an internal whistleblower was involved in the initial disclosure and an investigation ensured. The over-billing schemes lasted five years from 2009 to 2014 and with the announcement this week, the investigation and settlement discussions must not have been a high priority for the Government.

You can read the full Justice Department press release here.

Labor Department Announces Settlement in Davis-Bacon Violations

The Labor Department's Wage and Hour Division (WHD) recently announced a settlement in a case involving violations of several labor laws.

An electrical contractor performing work for the Army Corps of Engineers has agreed to pay $83 thousand in back wages and fringe benefits to seventeen employees after a Labor Department investigation found that the employer had violated requirements of the Davis-Bacon and Related Acts (DBRA), the Contract Work Hours and Safety Standards Act (CWHSSA) and the Fair Labor Standards Act (FLSA).

Investigators found that the contractor had failed to pay some employees required prevailing wage and overtime rates on a project subject to DBRA requirements by inaccurately classifying those employees as laborers instead of electrician apprentices and subsequently failed to pay them the correct wages.

The investigation further disclosed that the contractor violated the DBRA fringe benefits requirements by claiming that it had made contributions to a 401(k) plan for the benefit of employees when it had not. Additionally, the contractor claimed credit for vacation benefits but failed to meet the criteria required for such credit. Finally, the investigation disclosed that the contractor had falsified "certified payroll" records by claiming contributions to the 401(k) plan that were never made.

This case was classified as an investigation rather than the result of a routine audit which most likely means that the Labor Department was tipped off on possible DBRA violations. You can read the full Labor Department press release here.

Section 809 Panel - Replace Single Deficiency with Tiered Approach to Better Describe Severity

Today we are continuing our discussion of the recently released Volume 3 report published by the Section 809 Panel. We have been focusing on recommendations 71 through 73 which sare the common theme of adopting a Professional Practice Guide (PPG) to assist oversight agencies and independent public accountants (IPAs) to better meet the needs of contracting officials who rely on oversight activities. Today we are covering Recommendation No. 73; replace the DFARS (DoD FAR Supplement) definition of "business system deficiency" with a tiered rating system to more closely align with generally accepted auditing standards (GAAS).

As most Defense contractors know, there are six business systems that the Government considers essential to protecting its interests and essential for contractors to ensure good internal control systems are in place. These are (i) accounting system (ii) purchasing system, (iii) estimating system (iv) property management, (v) material management and accounting system (MMAS), and (vi) earned value management system (EVMS). Various oversight agencies (usually DCAA and DCMA) will take the lead in reviewing internal controls for these systems and issue reports as to their conclusion on the adequacy of those controls. If the controls are found to be deficient, the Government will expect corrective action  plans and perform follow-up reviews to ensure those plans are in place and effective.

The definition of the term significant deficiency for contractor  business systems (based on Section 893 of the Fiscal Year 2011 NDAA (National Defense Authorization Act) and carried over into the DFARS (DoD FAR Supplement)) does not align with generally accepted auditing standards for evaluating and reporting on internal control deficiencies. This lack of consistency creates confusion regarding the identification, severity, meaning and resolution of deficiencies.

According to DFARS, a significant deficiency describes it as materially affecting DoD officials' and contractor's ability to rely on information produced by the business system that is needed for management purposes.

The term in GAAS for a weakness of this severity is a "material weakness. GAAS also uses the term "significant deficiency" but in a way to describe a deficiency that is less severe than a material weakness. The use of the same term to mean different levels of severity of a deficiency creates confusion about the meaning of significant deficiency among contractors, independent public accountants performing internal control audits, government auditors, and the acquisition community.

The Section 809 Panel believes that contractor business systems could have a number of deficiencies that range from trivial to severe. Reporting deficiencies by different levels of severity, and in a manner that aligns with established auditing standards, will allow contracting officers to make informed decisions on the acceptability of the business system.

• Material weakness: A deficiency, or combination of deficiencies, in internal control over risks related to Government contract compliance or other shortcomings in the system, such that there is a reasonable possibility that a material noncompliance will not be prevented, or detected and corrected, on a timely basis. A reasonable possibility exists when the likelihood of an event occurring is either reasonably possible, meaning the chance of the future event occurring is more than remote but less than likely, or is probable.
• Significant deficiency: A deficiency, or combination of deficiencies, in internal control over risks related to Government contract compliance or other shortcomings in the system that is less sever than a material weakness yet important enough to merit the attention of those charged with governance
• Other deficiency: A deficiency or combination of deficiencies, in internal control over Government contract compliance or other shortcomings in the system that have a clearly trivial or inconsequential effect on the ability of the business system to prevent or detect and correct, material noncompliances on a timely basis.

The "other deficiency" acknowledges the possibility that a business system deficiency, or combination of system deficiencies, may have a clearly trivial effect on the quality of information produced by the contractor's business systems. The Section 809 Panel believes that "other deficiencies" should not impact the audit opinion or be included in the audit report. Such deficiencies would be communicated to the contracting officer via email or other method of communication. It should be noted that trivial deficiencies sometimes turn into significant deficiencies if not corrected.

Section 809 Panel - Recommendations Concerning Accounting System Adequacy

We are continuing our discussion of the Section 809 Panel's recommendations focused on adopting private-sector practices when performing oversight responsibilities. In the Panel's Volume 3 report, these are enumerated as Recommendations 71 through 73. Previously, we covered Recommendation 71. Recommendation No. 72, then, calls for replacing the 18 system criteria from DFARS 252..242-7006, Accounting System Administration, with an internal control audit to assess the adequacy of contractors' accounting system based on seven system criteria.

The Panel concluded that DoD has not been obtaining timely assurance that internal controls for defense contractor accounting systems are properly designed and functioning. In their opinion (and we agree), ensuring effective internal controls is one of the most efficient ways to protect the Government's interest, reduce risk, and improve performance.

To do business with the Government, contractors (and prospective contractors) must demonstrate capability to meet the requirements outlined in the Standard Form 1408, Pre-Award Survey of a Prospective Contractor Accounting System. This pre-award system review should not be confused with the reviews required by the DFARS Business System rule that tests the design and capability of the system, as well as whether controls are in place and functioning properly although essentially the same attributes are being considered in both types of reviews. While the SF 1408 has a checklist format, the business system rules focuses on processes and related internal controls.

The Panel is recommending that the 18 system criteria found in DFARS be scrapped and replaced with an internal control audit framework to assess the adequacy of contractors' accounting systems. The envisioned internal control audits will focus on assessing the key controls that ensure government objectives are being met. Auditors' conclusions on the effectiveness of the key controls are essential information for contracting officers and contractors to evaluate whether the Government's interests are adequately protected.

Specifically, auditors will evaluate whether key internal controls are in place and operating to provide reasonable assurance of the following seven accounting system criteria:

1. Direct costs and indirect costs are classified in accordance with contract terms, FAR, CAS and other regulations, as applicable.
2. Direct costs are identified and accumulated by contract in accordance with contract terms, FAR, CAS, and other regulations, as applicable.
3. Methods are established to accumulate and allocate indirect costs to contracts in accordance with contract terms, FAR, CAS, and other regulations, as applicable.
4. General ledger control accounts accurately reflect all transactions recorded in subsidiary ledgers and/or other information systems that either integrate or interface wit the general ledger including, but not limited to, timekeeping, labor cost distribution, fixed assets, accounts payable, project costs, and inventory.
5. Adjustments to the general ledger, subsidiary ledgers, or other information systems bearing on the determination of contract costs (e.g. adjusting journal entries, reclassification journal entries, cost transfers, etc.) are done for reasons that do not violate contract terms, FAR, CAS, and other regulations, as applicable.
6. Identification and treatment of unallowable costs are accomplished in accordance with contract terms, FAR, CAS, and other regulations, as applicable.
7. Billings are prepared in accordance with contract terms, FAR, CAS and other regulations, as applicable.

Using a "framework" methodology is well-established in the private sector but it may take some time, training, and experience for Government auditors to become proficient in applying such a framework. For one, it requires auditors to exercise a lot more professional judgement than the methods traditionally applied to evaluating the adequacy of contractor accounting system.

Section 809 Panel - Recommendation to Enhance Risk Assessments

Yesterday we began a discussion on the recently released Volume 3 report published by the Section  809 Panel. For now, we are focusing on recommendations 71 through 73 which share the common theme of adopting a Professional Practice Guide (PPG) to assist oversight agencies and independent public accountants (IPAs) contracted to perform oversight activities, to better meet the needs of contracting officers who rely on oversight activities.

One of the primary areas of focus that the Panel hopes to clarify is that of the concept of "materiality". The draft (or, proposed) PPG (professional practice guide) correctly notes that "materiality" is paramount when considering risk. The PPG then sets forth clear materiality guidelines that help oversight professionals (i.e. DCAA, DCMA, and IPA (independent public accountants) plan their work and provide the information contracting officers need in order to make reasonable business decisions. We will discuss those guidelines later. The reports itself states:

What may be material to a particular business decision will be influenced by a variety of qualitative and quantitative considerations, recognizing that the contracting officer's role is to manage DoD's risk, rather than avoid it. The cost of DoD's oversight including adverse effects on the timeliness of decision making, must be balanced with the expected benefits of that oversight.

One of the knocks against oversight agencies is the "in for a penny in for a pound" mentality where once an audit begins, it must adhere to the totality of professional auditing standards or else it is considered deficient. There is little room for the exercise of professional judgment when assessing risk and for reassessing risk during the course of audit. This ends up squandering a tremendous amount of resources that could be better spent on audits where risk is assessed higher.

The PPG provides a risk model that should be employed by DCAA. Although DCAA has historically used a risk-based approach to determine which contractors are subject to incurred cost audits, as part of the PPG working group, DCAA has embraced an expanded risk model to include additional risk factors that further refine and improve the process. We will be discussing the new risk model in a later posting but for now, just note that the model is intended to "incentivize" contractor compliance.

Section 809 Panel - Recommendation to Adopt an Audit Professional Practice Guide

This month, the Section 809 Panel released Volume 3 of its report on streamlining and codifying acquisition regulations. Volume 1 issued in January 2018 contained 24 recommendations (as well as many more sub-recommendations). Volume 2 issued in June 2018 contained an additional 10 recommendations. Volume 3, the Panel's final volume, contains 59 recommendations and more than 1,000 pages. We have written covered, what we think were highlights in Volumes 1 and 2 (search this blog for 'Section 809 Panel'). You can download all three volumes at the Section 809 Panel Website.

We are not going to attempt to digest all 59 recommendations on these pages but we will focus on a few recommendations that will be of interest to Government contractors and the potential for being subject to contract audit (namely audits by the Defense Contract Audit Agency (DCAA)).

Recommendations 71 through 73 share a common theme of adoption of an audit professional practice guide (PPG). Today we will cover Recommendation 71. Coverage of Recommendations 72 and 73 will come later.

The Section 809 Panel is recommending that DoD adopt a professional practice guide to support the contract audit practice of DoD and the independent public accountants DoD may use to meet its contract audit needs, and to establish a working group to maintain and update the guide. The Panel believes that existing audit guidance is too insular. It framed its concern like this:

Although professional standards are common in the auditing profession, none of them have been developed or interpreted for the unique purpose of federal government contract oversight. DCAA's Contract Audit Manual provides a good foundation, but it lacks the collaborative inputs, perspectives, and interpretations of knowledgeable professionals outside DCAA and the government. This point is important because IPAs (Independent Public Accountants) and other qualified professional services firms are playing an increasingly important role in the  government's oversight of federal government contracts.

According to the Panel, professional standards of importance that require a collaborative interpretation on how to apply the standards in the contract oversight environment include:

• materiality
• risk
• internal controls
• independence
• objectivity
• sufficient evidence
• reliance on the work of others

The Panel included a draft Professional Practice Guide for Audits and Oversight of Defense Contractor Costs and Internal Controls in its report. The team that developed the Guide consisted of representatives of the Section 809 Panel, DCAA, DCMA, GAO, AICPA and industry.

Tomorrow we will continue discussion of the draft PPG.

Revised Audit Guidance on Auditing Subcontract Costs

The Defense Contract Audit Agency (DCAA) has moved to resolve an inconsistency in its coverage of incurred costs by issuing new guidance on when subcontract audit coverage is necessary.

Until now, once a subcontract has been identified for audit, the resultant request for audit stays in effect for the duration of the subcontract. Under the new guidance, the need for a subcontract audit is to be determined each year, based on a variety of risk factors.

Say for example, Contractor with a $50 million contract awards a $20 million subcontract to Subcontractor. The auditor at the prime notifies the auditor of the subcontractor and requests audit coverage of the $20 million subcontract over the life of the subcontract - which may extend several years. In the meantime, the Contractor is placed in the low-risk pool which means its chances of being audited, barring some newly discovered risk factor, is reduced to nil. Meanwhile, the auditors at the subcontractor continue performing their incurred cost procedures of Subcontractor as if nothing changed. And even if there are audit findings at the subcontractor, the Government cannot recover because the incurred costs and rates at the prime contract have already been settled.

The prime contract auditor will no longer request assist audits for the life of the subcontract based on the total expected subcontract value at the time of award. Rather, the prime auditor, in coordination with the subcontractor auditor, will assess the risk and need for assist audit effort based on subcontract costs included in the prime contractor's annual incurred cost proposal.

Under the new contract audit guidance, auditors at both the prime and subcontractor have coordination requirements. The auditor at the prime contractor takes the lead.

• Prime auditor: prior to issuing a request for an assis audit, the prime auditor should communicate with subcontract auditors about audit history, prior issues, eligibility for the low risk sampling pool, reliability of the indirect rates/budgets, and other issues that affect audit risk.
• Subcontract auditor: whenever subcontract auditors become aware of significant subcontractor risks, they should initiate a discussion prior to hearing from the prime auditor.

Here's some advice for subcontractors. When a contract auditor tells you that he/she is initiating an incurred cost audit of one or more of your subcontracts, request the coordination documentation with the auditors at the prime contractor. You are entitled to know what risk factors have been identified and considered as justification for an audit.

The new audit guidance can be found here.

Man Charged in Yet Another "Rent-a-Vet" Scheme

In December 2017, the owner of United Medical Design Builders LLC, Mr. Joseph Dial Jr., a service-disabled, veteran, was charged by the Justice Department with fraudulently obtaining contracts intended for service-disabled veteran-owned businesses. It seems that he didn't really run the company but was just a figure-head for a co-conspirator, Troy Bechtel in a classic "rent-a-vet" scheme. Mr. Dial pleaded guilty for his part in the scheme in May 2018 and is set to be sentenced next week (January 28th).

Last week, the shoe dropped for Mr. Bechtel, the man who really ran the company. The Justice Department has charged him with two counts of major program fraud against the United States and two counts of lying to Federal investigators.

The threshold marking the difference between "fraud" against the United States and "major fraud" against the United States is $1 million. The distinction is important in the amount of fines that can be imposed for offenses against the Government. Under the "major fraud" provisions (18 USC 1031), maximum fines can be as high as $10 million, though its doubtful that maximum fines are often levied. 

The indictment alleges that from 2009 to 2013, Mr. Bechtel aided and abetted other persons unlawfully to obtain more than $12.7 million (some news articles reported $40 million) from Defense contracts. The indictment further alleges that Mr. Bechtel falsely represented that United Medical Design Builders (UMDB) was controlled by Mr. Dial, a disabled veteran. In fact, UMDB was a pass-through company that Mr. Dial did not control. Mr. Bechtel ran the daily operations and made project decisions without reporting to or consulting with Mr. Dial.

Witnesses in the Federal Grand Jury probe testified that Mr. Dial was rarely in the office during the four years they worked for UMDB and the few times he did show up, it was only for a few minutes. Witnesses also testified that Mr. Dial signed a blank sheet of paper that was scanned and used for official letters and correspondence.

Certificate of Competency - How it Works in Practice

Yesterday we discussed SBA's Certificate of Competency (COC) process which provides small businesses to receive a second look when a contracting officer has excluded them from consideration on a procurement because the company could not satisfy certain evaluation criteria to prove their capability to perform a Government contract. Today we want to illustrate how that works in practice by examining a recent GAO (Government Accountability Office) bid protest decision where a company was restored to "competency" as the result of the SBA review. If you missed yesterday's post, click here to read it.

In 2018, the EPA (Environmental Protection Agency) issued a solicitation for soil remediation at a Superfund site. The solicitation stated that award would be based on a lowest-priced, technically acceptable (LPTA) basis, based on two non-price factors: technical capability and past performance. The technical capability factor consisted of three sub-factors: corporate experience, key personnel, and project management plan. The corporate experience and key personnel sub-factors set forth various minimum requirements: five years of residential earth-moving experience and for project manager, at least five years experience as a project manager in environmental hazardous substance or hazardous waste.

The EPA received ten bids including one from Eagle Eye. However, an EPA technical evaluation panel found deficiencies in Eagle Eye's proposal under both the corporate experience and key personnel sub-factors. Specifically, the evaluators determined that Eagle Eye did not meet the minimum corporate experience requirements, and that its project manager and site superintendent did not meet the minimum key personnel experience requirements. Accordingly, the panel concluded that Eagle Eye's proposal was technically unacceptable.

Thereafter, the EPA referred its determination to the SBA under its COC procedures. The SBA didn't agree with the EPA and issued a COC for Eagle Eye, indicating that the firm was considered responsible to performed the proposed procurements. In its determination, the SBA found that Eagle Eye's COC application included information demonstrating that the offeror met the solicitations corporate experience and key personnel requirements, even if that information was not part of Eagle Eye's proposal.

After the COC determination, the EPA found Eagle Eye's proposal to be the lowest-price, technically acceptable offer and awarded the contract to Eagle Eye.

One of the other offeror's protested the award on the basis that the EPA should not have asked SBA for a competency determination. That protest was denied.

Read the full GAO protest decision here.

Certificate of Competency

Small businesses that have been excluded from consideration on a procurement because they did not meet certain specified evaluation criteria (such as past performance) may have be able to have the Government take a second look at a contracting officer's determination.

Under the Small Business Administration's (SBA) Certificate of Competency (COC) program, contracting officers must refer to the SBA a determination that a small business is not responsible, if that determination would preclude the small business from receiving an award (see FAR 19.6). Additionally, the SBA's regulations specifically require a contracting officer to refer a small business concern to SBA for a COC determination when the contracting officer has refused to consider a small business concern for award of a contract or order after evaluating the concern's offer on a non-comparative basis (e.g. pass/fail, go/no go, or acceptable/unacceptable) under one or more responsibility-type evaluation factors (such as experience of the company or key personnel or past performance).

Once the referral is made to the SBA by a contracting officer, SBA will notify the (prospective) vendor accordingly and offer them the opportunity to submit a COC application. If the vendor chooses to submit a COC application, SBA will perform an independent review of the application (including review of any additional information that was not requested but which the vendor considers pertinent to the determination) and make a determination.

The Small Business Act gives the SBA the conclusive authority to review a contracting officer's determination that a small business concern is not responsible. If the SBA refuses to issue a COC, it is unlikely that the GAO will review the SBA determination unless there is shown to be possible bad faith on the part of Government officials or that SBA failed to follow its own published regulations or failed to consider vital information bearing on the firm's responsibility due to the manner in which the information was presented to or withheld from the SBA by the contracting officer.

Labor Department Compliance Audits

The Department of Labor's Wage and Hour Division (WHD) investigators have been pretty busy lately, investigating contractor violations of certain labor related regulations. For contractors subject to the minimum wage and reporting requirements of Davis-Bacon (DB) and the Service Contracting Act (SCA), the probability of being audited for compliance is actually quite high and the consequences for failing to comply can be significant. The Labor Department recently sent out press releases concerning the outcome of two such investigations.

In the first case, a roofing contractor out of Tuscaloosa Alabama agreed to pay $57 thousand in back wages, overtime and fringe benefits to 41 employees after the Labor Department investigation found the company (employer) violated requirements of the Davis-Bacon Act (DBA), the Contract Work Hours and Safety Standards Act (CWHSSA) and the Fair Labor Standards Act (FLSA). The company failed to pay one employee for overtime hours on a DBA project and several employees for overtime when they worked more than 40 hours on a commercial project. Additionally, the roofing company failed to submit accurate certified payroll records and maintain accurate daily records of the number of hours employees worked.

In the second case, a Texas-based contractor paid $24 thousand in back wages to ten employees after investigators found the company had inaccurately classified several employees as exempt from the overtime requirements of the FLSA when none met the requirements for exemption. The company paid the affected employees flat weekly salaries regardless of the number of hours they worked, resulting in overtime violations when they worked more than 40 hours per week without overtime payment.

These two cases almost sound like "honest mistakes" where very small contractors did not have the internal resources to know all the rules and regulations that applied. We see honest mistakes happen frequently in our consulting business. However, when it comes to labor law, employees are often more informed about such matters than their employers and with the abundance of hotlines and other avenues for whistleblowing, the , it only takes a phone call to have investigators show up on your doorstep.

Subcontract Pricing Considerations - Prime Contractors Must Demonstrate Reasonableness of Proposed Subcontract Costs

Earlier this month, we highlighted a revised audit policy from the Defense Contract Audit Agency (DCAA) concerning the evaluation of subcontract costs included in forward pricing proposals. FAR 15.404-3(3)(b) requires prime contractors to perform whatever cost/price analysis is necessary to determine the reasonableness of proposed prices. Sometimes they don't do that so historically, DCAA has considered them unsupported and perhaps identified the omission as an estimating deficiency. That policy did nothing to advance contract negotiations nor help procurement offices to negotiate fair and reasonable prices. Under the new guidance, DCAA is to provide whatever information it has available or conduct additional analytical work (i.e. develop decrement factors) to assist in any way it can. See "Revised Audit Policy for Reviewing Subcontractor Costs" for more information on the new policy.

Contractors need to be cautioned however that DCAA's performance of alternative procedures (or requesting an assist audit) does not relieve prime contractors or upper-tier contractors from their responsibility to perform cost or price analyses of subcontract proposals.

Whatever analytical work the auditors might perform, the procurement regulations stand. FAR 15.404-3(3)(b), Subcontract pricing considerations, unequivocally requires prime contractors and higher-tier subcontractors to conduct appropriate cost or price analyses to establish the reasonableness of proposed subcontract prices. It also requires the prime or higher-tie contract to include the results of these analyses in its price proposal.

When auditors encounter situations where contractors or higher-tier subcontractors have not met the regulatory requirement to prove the reasonableness of proposed subcontract prices, they will include that omission as a material noncompliance with FAR 15.404-3(b) in the audit report. What are the consequences of an inadequate estimating system? Well, it could be significant. It could result in additional auditing, additional oversight, the necessity of getting contracting officer consent to subcontract (with all the additional documentation that requires), and loss of future contracting opportunities.

Cash Flow Shortages Caused by Partial Government Shutdown

The partial Government shutdown is having financial ripple effects on, not only the furloughed Government employees, but on Government contractors. For contractors and subcontractors, the disruption of Government payments for work performed makes it difficult for some contractors (and subcontractors) to meet their own financial obligations.

Some contractors are contemplating borrowing money to tide them over. That is certainly one strategy to keep funds flowing but keep in mind that the interest on those borrowing is unallowable (see FAR 31.205-20, Interest and Other Financial Costs). There is no "wiggle room" in that cost principle to make interest costs allowable - not even if the cash shortage was caused by a Government shutdown.

Another strategy is to defer payments to vendors and subcontractors. This strategy has some potential risks. Many vendor invoices come with fees and interest for late payment. Such fees and interest would, of course, be unallowable. Ultimately however, vendor and subcontractor need to be paid prior to invoicing the Government for those goods and services (or accrued and paid in the normal course of business - usually 30 days - for small businesses). This could create audit issues with DCAA (Defense Contract Audit Agency) or other contract auditors who perform "testing of paid vouchers" audits.

"Testing of paid vouchers" are conducted at every contractor. For non-major contractors, testing is performed on at least one voucher per year - more often if problems are identified and the auditors will specifically focus on payment timeliness.

One of the audit steps reads:

• Verify that the contractor is not delinquent in the payment of cost incurred in the performance of the contract in the ordinary course of business. 
• Review the contractor’s aging of accounts payable schedule. Discuss any significant amounts over 30 days old with the contractor. 
• Based on the risk assessment, select a minimum number of items (e.g., five items) charged direct to the contract and trace the amounts from voucher(s) to evidence of payment. 
• If the contractor is delinquent in paying costs in the ordinary course of business, the costs are not reimbursable in accordance with FAR 52.216-7(b) Reimbursing costs. 

Our advice to contractors facing cash flow shortages caused by the partial Government shutdown is to engage your contracting officer early on to document the issues and the ultimate resolution plan. If possible, obtain an advance agreement (see FAR 31.109) to avoid future disagreements.

Once You've Graduated, You Cannot Go Back

Graduation day is a good thing. Why would someone want to keep hanging around the old haunts after graduation? Wouldn't that be a little weird?

That's what Miracorp wants to do. Back in July of last year, DOE (Energy) issued a solicitation for administrative support services. The solicitation was set aside for companies in SBA's 8(a) program. Miracorp was the incumbent contractor but had graduated from the 8(a) program the prior February. After DOE eliminated Miracorp from competition because it was no longer an 8(a) contractor, the company appealed to the GAO  (Government Accountability Office).

GAO denied the protest on the grounds that Miracorp was not an "interested party" because it was not a member of the 8(a) program. Miracorp acknowledged that although it had graduated, it retained its 8(a) status because it was an 8(a) company when the original multiple-award contract was awarded.

GAO (and SBA) didn't agree. The agencies explained that to be an eligible 8(a) concern, the firm must be a current 8(a) participant as of the date specified for receipt of offers contained in the request for quotations for the order. Miracorp was not an 8(a) participant on the dated specified in the RFQ for receipt of quotations and therefore not eligible to receive the order.

The purpose of the 8(a) program is not to encourage entities to feed from the public trough forever. Companies get up to nine years to bid on contracts restricted to small disadvantaged businesses during which time the experience and seed money should be sufficient to give them a chance for success without the Government incentives.

You can read the full GAO decision here.

Justice Department Recovered $2.8 Billion under the False Claims Act in Fiscal Year 2018

Late last month, the Justice Department issued its annual report on recoveries under False Claims Act (FCA) cases during fiscal year 2018.  The amount of recoveries was impressive (nearly $2.8 billion) but no where near the $6.1 billion recovered in fiscal year 2014.

The preponderance of the recoveries (87 percent) related to what we can generically refer to as Health Care fraud. The largest of these recoveries came from the drug and medical device industry. For example, the Department recovered $625 million from a company that circumvented safeguards intended to preserve the integrity of the nation's drug supply by repackaging drugs supplied to cancer-stricken patients. In another case, a medical device manufacturer paid $33 million for selling a materially unreliable testing device that was intended to aid clinicians in the diagnosis of drug overdoses and other serious conditions.

Recoveries for procurement fraud paled in relation to health care fraud. The Department recovered only $107 million (only?). The most significant recovery was $66 million from a company selling defective fiber used in bullet proof vests. Another $20 million came from a company that over-billed the Navy by overstating the quantity of goods and services it delivered. The Department recovered $12 million from a company that misrepresented its status as a small business. We previously reported on these cases and many others on these pages.

Interestingly, most of the recoveries were the result of whistleblower actions (a.k.a. Qui Tam). Of that $2.9 billion recovered, $2.1 billion was the result of lawsuits filed by whistleblowers. The whistleblower payouts during the year totaled $301 million. We don't know how much of the payout went to whistleblowers and how much to their attorneys. We know of one case, years ago, where the attorneys took the preponderance of a whistleblower's payout.

The Justice Department report stated:

Whistleblowers have played a vital role in unmasking fraudulent schemes that might otherwise evade detection. The taxpayers owe a debt of gratitude to those who often put much on the line to expose such schemes.

You can read more about the Annual report and download related statistics here.

"War Hazard" Premium Payments

Contractors operating in unusually dangerous situations find they must offer hazardous duty payments to attract employees willing to work under those conditions. Probably everyone at some point has been regaled with accounts by a relative, friend, neighbor, or acquaintance about the bucket loads of money they accumulated by taking a contract gig in Iraq or Kuwait, or Afghanistan. Unfortunately, more than 1,600 of those contractor employees did not make it back alive and that's why war hazard pay becomes necessary.

Incentives vary among contractors and usually reflect differences in individual circumstances and reasonableness must be established on a case by case basis. Sometimes contract solicitations will provide guidance. Among contractors operating in hostile areas, there are standards and unwritten rules. The State Department may also be a source of premium amounts applicable to specific locations.

Contractors proposing (and paying) premium pay will, at some point, be asked to justify the reasonableness of the premium pay amounts. This could get a little tricky because it involves a high level of judgment in evaluating factors such as:

1. Country and city where assigned
2. Distance of work site from actual battle lines and surrounding areas of imminent danger
3. War hazard differentials being offered by other defense contractors in the same location
4. Employee response to any lower war hazard differential pay offers made by the contractor
5. Availability of alternate workers at appropriate skill level, and
6. Other compensation offered, such as bonuses and insurance coverage.

Because these premiums can be subjective and to avoid disputes down the road, we recommend that any contractor (or subcontractor) pursuing work where war hazard pay is necessary to enter into an advance agreement with their cognizant contracting officer over the amount and breadth of such payments.

Procurement Related Legislation Introduced in the New Congress

The new Congress has been in session only a few days and already have introduced a number of procurement related bills. At this point, they've only been introduced and no action has been taken except for referral to a committee (or two). It's a fact that most introduced bills never make it to passage. And perhaps none of these will either. Or, they may be folded into another bill like the NDAA (National Defense Authorization Act), as sometimes happens.

Anyway, here's a few of the bills just introduced.

• H.R. 246 - Requires senior procurement executives, procurement center representatives, and the Office of Small and Disadvantaged Business Utilization to assis small business concerns participating in the Small Business Innovation Research Program and the Small Business Technology Transfer Program. We're not so sure that this will accomplish anything. We have yet to encounter anyone in the Government that can answer specific questions that small businesses have when entering the Government contracting arena. Questions like: What accounting software should I use? How should I set up my chart of accounts? What timekeeping software should I use? How do I establish an indirect rate structure?
• H.R. 190 - Eliminates the inclusion of option years in the award price for sole source contracts. We're sure that contracting officers relish the idea of coming back to the negotiating table every year instead of every five years. We're sure that contractors will want to do the same. Any idea of what this will cost contractors or the Government?
• H.R. 206 - Encouraging small business innovation act. This bill would include testing and evaluation in the definition of research and development, include small business investment companies in SBIR and STTR program limited to 33 percent of ownership, allow points in past-performance ratings for businesses that serve as mentors under the mentor-protege program, and a few other provisions.
• H.R. 227 - specifies what credit is given for certain subcontractors and to provide a dispute process for non-payment to subcontractors. There must be subcontractors out there that are not being paid by their primes or are not being paid in a timely manner.

We'll keep you informed and provide more details if any of these progress beyond the committee stage.

DCMA Stands-up Its Commercial Item Determination Group

The Defense Contract Management Agency (DCMA) established a Commercial Item Group (CIG) in response to Congressional direction to DoD to establish a cadre of experts to leverage the use of commercial items and emerging technologies.

DoD has now approved DCMA CIG contracting officers to serve as determining officials for commercial items. DCMA CIGs have been trained and have developed "expertise" in a multitude of commodity groups spread across six geographical locations:

• Boston - maintenance, repair, and overhaul (MRO) services, chemicals and materials
• Philadelphia - naval transport and equipment, troop supply
• Phoenix - heavy machinery, missiles
• Indianapolis - automotive, aeronautics, aircraft engines
• Denver - space, C41, unmanned aerial systems
• St. Petersburg - vehicles, weapons, ammo

Effective now, DCMA CIG contracting officers will serve as determining officials for all commercial item review requests submitted to DCMA. Such determinations will relieve buying activity PCO's (Procurement Contracting Officers) from duplicating effort such as trying to determine wether the item being offered meets the definition of commercial item as well as provide consistency in the commerciality review process.

Determinations made by the DCMA CIG will be contained in the commercial item database available for all DoD contracting officers to rely upon for future purchases of the same item or service. 

Contractors who sell commercial items to the Government should ensure that information entered into the DoD wide commercial item database accurately reflects their products and services.

Revised Audit Policy for Reviewing Subcontractor Costs

DCAA (Defense Contract Audit Agency) recently announced a significant policy change in the way it reports on deficient (i.e. incomplete or inadequate) prime contractor cost or price analyses of subcontractor proposals.

Until now, whenever a prime or higher-tier contractor had not competed the required subcontractor cost or price analysis at the time it submitted its own proposal, auditors would simply classify the costs as unsupported. This policy, while technically accurate, added no value to the procurement process and in some cases, delayed contract negotiations.

Under the new policy, auditors are now required to perform alternative procedures to establish a reasonable basis for the audit opinion. Depending on the overall risk and materiality, the auditors can consider a variety of procedures including, but not limited to, the following:

• Create a decrement based on purchase order history
• Create a decrement based on other relevant information (e.g. comparisons of prior subcontract proposals to historical cost or price analyses or negotiated amounts); and/or
• Coordinate with the subcontract audit team and request a DCAA assist audit based on the prime/higher-tier audit team's risk assessment.

This doesn't relieve the prime/higher-tier subcontractor from the requirements of FAR 15.404-3(b), Subcontract pricing considerations which requires the prime contractor or higher-tier contractor to conduct appropriate cost or price analyses to establish the reasonableness of proposed subcontract prices and to include the results of these analyses as part of its proposal o the Government. Contractor failure to do that will result in a material estimating deficiency report and could result in some form of adverse action such as increased audit coverage.

Decrement factors have been used in pricing forever. Many contractors develop decrement factors because they know that ultimate purchase prices will be lower than initial quotations. Contractors who do not prepare their own decrement factors often find that auditors (and sometimes cost/price analysts) will do it for them. Its better to be pro-active otherwise, contractors find themselves in a defensive posture trying to explain the inaccuracies in the auditors' analyses.

The new DCAA policy can be found here.

Waivers of Penalties for Unallowable Costs

Expressly unallowable costs are particular items or types of costs which under the express provisions of an applicable law, regulation, or contract, is specifically named and stated to be unallowable (FAR 31.001). Contractors who include expressly unallowable costs in their final indirect cost rate proposals are subject to penalty equal to the amount of the expressly unallowable costs (FAR 42.709-1). We have written extensively about expressly unallowable costs in past years and how DCAA (Defense Contract Audit Agency) continuously tries to expand the definition to make almost any cost exception an "expressly unallowable" costs with the ASBCA countering their push by narrowing the definition and throwing out the Agency's charges. For a recap of these issues, see "Expressly Unallowable Costs - ASBCA Narrows the Definition" and follow the various links.

The distinction between "unallowable costs" and "expressly unallowable costs" is significant. The latter carries penalties while the former classification does not. The broad purpose of the penalty provisions was to ensure that contractors, rather than the Government, bear the burden of assuring that contractor submissions for reimbursement of costs on Government contracts do not include unallowable costs. Congress was concerned with ending the "cat-and-mouse game", namely, "a game in which the cost of an item is submitted regardless of whether it's allowable, and the burden is placed on the Government auditors to identify and disallow the item(s).

The contracting officer can (and must) waive penalties in certain situations. The contracting officer must waive any penalties if the contractor withdraws the proposal before the Government formally initiates an audit, the amount of the unallowable costs which are subject to the penalty is less than $10 thousand, or the contractor demonstrates, to the contracting officer's satisfaction, that (i) it has established policies and personnel training and an internal control and review system that provides assurance that unallowable costs subject to penalties are precluded from being included in the contractor's final indirect cost rate proposal and (ii) the unallowable costs subject to the penalty were inadvertently incorporated into the proposal (i.e. their inclusion resulted from an unintentional error, notwithstanding the exercise of due care (see FAR 42.709-5).

In a recent ASBCA (Armed Services Board of Contracts Appeals) decision (Energy Matter Conversion Corporation (EMC2), ASBCA No. 61583), a contractor attempted to avoid penalties with other rationale.

EMC2 argued that the Government failed to inform EMC2 that it was disallowing legal costs for 2010/2011 until after it submitted its 2012/2013 incurred cost submissions. The Board was not persuaded stating that EMC2 cannot avoid the penalty by placing the burden of identifying and disallowing legal costs on the Government.

EMC2 further asserted that it had updated its accounting policies in 2017 but provided no evidence to support the assertion. Even if it had, that would not be a basis for a penalty waiver because those policies would have had to have been in place at the time it submitted its erroneous incurred cost proposal in 2016.

Thirdly, EMC2 argued that it had underbilled the Government. The Board found no evidence that EMC2 underbilled but also noted that underbilling was not one of the enumerated bases for penalty waiver.

Fourth, EMC2 pointed to the fact that the contracting officer waived the penalty in prior years. The Board stated that a contracting officer's decision is not binding in any subsequent proceeding.

Finally, EMC2 areued that it should be liable for only 55 percent of the penalty reflecting an apportionment of legal costs attributable to its "success" in the investigation. The Board noted that FAR 42.709-5 does not authorize such apportionment and added that the Court of Appeals has rejected apportionment arguments in similar circumstances.

There is one aspect to the penalty provision that seems very unfair to contractors - the idea that there is no waiver if the expressly unallowable costs did not result in increased costs to the Government. Say for example, a contractor spent $2 million on an SBIR contract for $750 thousand. Because the amount incurred was so far in excess of the contract amount, the contractor did not perform adequate screening of unallowable costs. The contract auditor audited the full $2 million and found expressly unallowable costs of $20 thousand - not nearly enough to bring the $2 million incurred below the $750 thousand contract amount. The contract auditor recommended penalties be assessed but thankfully in this real case, the contracting officer exercised its discretion not to assess penalties. But the contracting officer was certainly with his rights to do so.

Comparative and Trend Analyses in Risk Assessments

Happy New Year everyone and welcome to our first blog post of 2019. As we begin this new year, the Government is in the midst of a partial shutdown. However, Defense, Energy, Education, VA, Labor, and Health and Human Services remain fully funded, open and are conducting business as usual. Agencies affected by the shutdown include Justice, Agriculture, Treasury, State, Interior, Transportation, Commerce, and HUD. Companies with contracts with those agencies might be feeling an impact, or soon will. No one is yet predicting how long the partial shutdown will last. If this one is like previous shutdowns however, all those furloughed Government employees will receive their full pay - they just get, what amounts to extra paid vacation.

But since contract auditors are, for the most part, open for business, this is not a time to sit back and let your policies, procedures, practices, and internal controls take a furlough. Those things are important - past, present, and future. They are important for supporting incurred costs, for supporting estimates of future costs, and used by auditors for trend analyses and comparative analyses. How do contract auditors employ trend/comparative analyses in their work and what are the results of those analyses used for? To answer those questions, we'll take a look at a standard audit program for evaluating labor costs using employee interviews. How do auditors decide who from hundreds or thousands of employees to interview? Their's is not a haphazard selection. Auditor's expend a lot of effort into a risk assessment, the results of which lead the auditor to select specific persons (or groups of persons) they need to check on. One of the steps in performing the risk assessment is the trend analysis/comparative analyses steps.

Auditors are free to and expected to exercise their professional judgment as to what kinds of comparative and trend analyses need to be performed. But there are two specific analyses called for in the standard audit program: ratio of direct to indirect labor and trend lines of sensitive accounts.

1. Ratio of direct to indirect. Auditors will perform trend analyses to disclose any significant increases in the ratio of direct to indirect labor accounts. If disclosed, contractors will be requested to explain those fluctuations. If there is no apparent (or satisfactory) explanation, auditors are instructed to further evaluate those fluctuations.

There was a not-so-famous case years ago - back when there were caps on IR&D/B&P expenditures - where such an analysis showed that indirect costs increased significantly in the last couple of months of the fiscal year. Further investigation disclosed that this increase coincided with the contractor reaching its maximum IR&D expenditures. A criminal investigation and subsequent settlement disclosed that employees were instructed to mischarge their time once the IR&D budget was exhausted. The contractor ended up sending a lot of money back to the Government.

2. Comparative analysis of sensitive labor accounts. Auditors are instructed to perform comparative analyses of sensitive labor accounts. What are sensitive labor accounts?  That's not stated but probably includes any labor accounts that are charged directly or indirectly to Government contracts - especially cost-type (or reimbursable) contracts. Again, contractors will need to be able to explain significant fluctuations. Auditors are looking for situations where labor is being excluded from an indirect allocation base or mischarged from the direct labor base to the indirect cost pool. By omitting a project or product line from the indirect allocation base, the resulting rate will be increased and the Government overcharged.