Friday, July 8, 2016

Contractors May be Required to Have Third Party Audits Performed on their Business Systems

Yesterday we discussed DOE's decision to withdraw its proposed rules for ensuring contractor business systems are capable of providing timely, reliable information for the management of contracts and programs by contractors and the Department (see Department of Energy Withdraws its Proposed "Business System" Rules). The Department of Defense (DoD) has had similar rules in place through its FAR Supplement (DFARS) for a number of years and although the expectation by now was that DCMA (Defense Contract Management Agency) or DCAA (Defense Contract Audit Agency) would have reviewed or audited those systems for compliance with the standards laid out in the rules, not much has happened. A previous proposal that would require contractors to hire outside auditors to conduct those compliance reviews under the eyes and direction of DCAA were previously withdrawn as unworkable.

The Senate version of the 2017 National Defense Authorization Act (NDAA) contains a provision that would require DoD to develop a program to ensure contractor business systems are reviewed and comply with the standards established in DFARS. Key to this provision is that whatever program DoD comes up with, must result in reduced burden and price to the Government and the contractor. The program must meet five criteria:

  1. It must include system requirements for each type of contractor business system covered by the program. The system requirements already established in the DFARS should satisfy this goal.
  2. It must establish a process for reviewing contractor business systems and identifying significant deficiencies in such systems;
  3. It must identify officials of the DoD who are responsible for the approval or disapproval of contractor business systems.
  4. It must provide for the approval or conditional approval of any contractor business system that does not have a significant deficiency and
  5. It must provide for the disapproval of any contractor business system that has a significant deficiency and reduced reliance on, and enhanced and effective analysis of data, provided by a contractor business system that has been disapproved.

The draft NDAA provision contains an element that is bound to be problematic and controversial. In the event that a contractor business system is conditionally approved or disapproved, DoD will be available to work with the contractor to develop a corrective action plan defining specific actions to be taken to address the significant deficiencies identified in the system and a schedule for implementation of such actions ("Hi, we're from the Government and we're here to help). We can't imagine DCAA wanting to do this as it would undoubtedly impair auditor independence if it were to become involved in helping contractors implement corrective action plans. DCMA could "work with the contractor" perhaps but currently, the Agency does not have the CPA type skills that would give corrective action plans credibility, especially concerning deficiencies in contractor accounting systems where deficiencies are most likely to occur.

This new program will apply to contractors where its Government contracts (not just DoD contracts) are 30 percent or more of its commercial sales and having a cost-type contract accounting for one percent or more of its commercial sales. That seems like a very low bar for implementation.

Provide for the approval or conditional approval
.  that would require contractors to

Department of Energy Withdraws its Proposed "Business System" Rules


  1. I can't find this in the Senate Bill - can you share a link?

  2. See Section 891 beginning on page 605.