What is the Energy Department's "Cooperative Audit Strategy"

DOE (Department of Energy) contractors are subject to more audit oversight than the typical Government contractor and that includes DoD (Defense). And there is good reason for that - DOE awards massive cost-type contracts to operate its facilities and clean up its nuclear messes. To ensure that the taxpayers interests are protected, DOE has developed a "Cooperative Audit Strategy" with these guiding principles:

• The creation and maintenance of rigorous business, financial, and accounting systems by the contractor is crucial to ensuring the integrity and reliability of the cost data used by officials of the Office of the Chief Financial Officer, the Office of the Inspector General, and the office of the Director, Office of Acquisition Management
• To ensure the reliability of these systems the Department requires each contractor to maintain an internal audit activity to support the Office of the Inspector General as part of the Cooperative Audit Strategy. The internal audit activity is responsible for performing operational and financial audits (including allowable cost reviews) and assessing the adequacy of management control systems.

This strategy allows DOE augment its own staffing by relying on the work of contractor internal audit activities. Its not free to the Government however. The cost of these internal audit departments are fully reimbursed by DOE under the cost-type contracts.

Contracting officers, the DOE Inspector General and DOE's Chief Financial Officer provide oversight and review of contractor's internal audit plans including the design of the organization, the annual audit plan, the annual audit report, and the results of its review of incurred costs.

The "design" of the internal audit organization gets plenty of attention. Contractor's must submit a report that describes (i) the placement of the Internal Audit activity within the contractor's organization, (ii) its size and the experience and educational standards of the audit staff, (iii) its relationship to the corporate parent, (iv) the audit standards to be used (v) an overall audit strategy, (vi) the intended use of external audit resources, (vii) the plan for pre-award and post-award audit of subcontracts, and (viii) the schedule of peer review of the Internal Audit Activity.

After DOE approves the design of the internal audit department (and we don't want to understate the rigors of that process), the Internal Audit Departments are required to submit annual reports comparing what they stated would be accomplished with what was actually accomplished. This is more than a statistical summary of progress since it is required to include summaries of specific contractor practices that resulted in unallowable costs.

Most non-public Government contractors do not have internal audit departments. Those that do are often reluctant to share information with the Government because they are afraid that the information will be misused in some fashion. DOE contractors however are required by the terms of their contracts to provide unfettered access to their internal audit departments.

GAO Review of Access to Contractor Internal Audits

Long time readers of this blog will recall back in the 2012 and 2013 National Defense Authorization Acts (NDAAs), there was a lot of attention to whether the Government should or should not have access to contractor internal audit reports. There were provisions in early iterations of the 2012 NDAA bills that would have given the Government access to internal audit reports. Those were deleted in the final bill. In 2013, the issue came up again. Ultimately, there was no provision requiring contractors to furnish internal audit reports but there was a requirement for the Government (namely DCAA or Defense Contract Audit Agency) to document requests made to contractors for copies of those audit reports and report on contractors' responses to those requests every six months. Specifically, the 2013 NDAA required auditors to document that

1. access to company internal audit reports is necessary to an ongoing DCAA audit
2. a request to the contractor, and
3. the contractors' responses.

In the five month period ending December 1, 2013, DCAA made 163 requests for internal audits. In April of this year, the GAO (General Accountability Office) initiated a review to determine DCAA's level of compliance with these documentation requirements. The GAO randomly selected eight of the 163 requests to determine the level of DCAA compliance with the statute. They issued their report last month.

One aspect of GAO's review, perhaps the most important point, was verifying that DCAA's requests for access to internal audit reports contained a clear connection between DCAA's work and the audit and that it included narrative justifying how obtaining the audit would benefit DCAA's work. The drafters of the legislation were justifiably concerned that DCAA would simply go on a fishing expedition and request every audit, regardless of its relevance to the internal control systems that DCAA considered necessary to protect the Government's interests. So, the NDAA included specific requirements that DCAA establish a nexus between contractors' internal audits and their own audits.

Both DCAA and company internal auditors have responsibility for assessing the quality of company internal controls. Broadly speaking, internal controls refer to management processes designed to provide reasonable assurance about a company's ability to provide reliable financial reporting, promote effective and efficient operations, and comply with applicable laws, regulations, and contract provisions. While contractor internal audit departments have a very broad scope, the internal control audits performed by DCAA are limited to those systems that impact costs charged to Government contracts, e.g. estimating systems, accounting systems, and billing systems.

The GAO found that none of the eight sampled requests for access to contractor internal audits were adequately documented. None contained a full statement of the requested report's connection to DCAA's work and two did not cite any connection. The justifications were too broadly stated such as "we determined that we should view the audit report to support our assessment of the efficacy of internal controls". This kind of broad justification, according to the GAO, did not identify which aspects of internal controls were to be particularly addressed - it did not provide a detailed explanation of how the internal report was connected to the ongoing work of evaluating internal controls or risk assessment.

Contractors that are recipients of requests for internal audits could help DCAA by insisting that the Agency properly draw a connection between the requested documents and the objectives of the internal control audit being performed. That wouldn't necessarily commit a contractor to providing the internal report but it would be useful to know whether a particular report could contribute to the DCAA audit objectives, thereby reducing the level of testing required.

Auditor Access to Contractor Internal Audit Reporting

Its been some time since we've discussed the Government's access to contractor internal audit reports. It was a big deal about a year and a half ago during the legislative process leading up to the 2013 National Defense Authorization Act (NDAA). Ultimately, Congress did not give Government auditors unfettered access to internal audit reports. Not knowing whether this was an issue worthy of legislation, Congress asked for more information. Congress asked DCAA to begin compiling data on requests for access to defense contractor internal audit reports. That data includes

• Written determination that access is necessary to complete a required evaluation of one or more contractor business systems
• Copy of the request from DCAA to the contractor
• A record of the response received from the contractor including its rationale if access is denied.

Once there is a couple of years of history here, Congress will look at the matter again to see if there is a reason for further legislation.

There is nothing in the law that compels a contractor to provide access to internal audit reports though a contractor can certainly choose to voluntarily do so (and most do so when there is a legitimate nexus between the audit being performed by the Government and the subject of the internal audit).

With this background, we were reading recent DCAA guidance on access to contractor internal audit reports and we came across the following (see CAM 4-202.c):

The 2013 National Defense Authorization Act (NDAA) states that DCAA can use the internal audit reports for evaluating and testing the efficacy of contractor internal controls and the reliability of associated contractor business systems. The law not only allows the use of internal audits to assess the contractor’s business systems; it also allows the use of internal audits to understand the efficiency of the contractor’s internal control which we do as part of our risk assessment in every audit. However, it is important to remember that requests for internal audit reports will only occur when the auditor/supervisor can demonstrate how the report may support the risk assessment or audit procedures in a current, on-going audit (i.e., there must be a nexus to your current audit effort).

One might get the impression from the foregoing that the 2013 NDAA gives DCAA the right to access internal audit reports. That would be an inaccurate impression. The guidance should state something to the effect that if a contractor chooses to provide DCAA access to its internal audit reports, the 2013 NDAA limits the use of those reports for evaluating and testing the efficacy of contractor internal controls and the reliability of associated business systems.

Contractors should know that they are still free to withhold internal audit reports from Government auditors. We don't necessarily think that's a good idea but there could be compelling reasons for doing so. In theory, if DCAA can rely on the work performed by the contractor's internal audit staff, they, in turn, will be able to reduce the level of their own oversight. That would be a good thing for everyone.

New Audit Guidance on Access to Contractor Internal Audits

The National Defense Authorization Act (NDAA) of 2013, signed into law on January 3, 2013 included a provision related to DCAA's access to contractor internal audits. The Senate version of the NDAA, which did not survive, included a provision that would have required contractors to grant access to their internal audits or face potential billing withholds. The version that was signed into law was much more benign. It does not require contractors to grant the Government access to internal audits. It requires DCAA to document requests for access to defense contractor internal audit reports. The documentation must include

• Written determination that access to such reports is necessary to complete required evaluations of contractor business systems
• A copy of any request from DCAA to a contractor for access to such reports
• A record of response received from the contractor, including the contractor's rationale or justification if access to requested reports was not granted.

The NDAA also provides that DCAA shall set up procedures to ensure that contractor internal audit reports, when and if granted, cannot be used by DCAA for any purpose other than evaluating and testing the efficacy of contractor internal controls and the reliability of associated contractor business systems.

Finally, the NDAA requires the GAO to review DCAA's documentation after a year and submit to congressional defense committees a report on the results of the review, with findings and recommendations for improving the audit process of the DCAA.

We don't see anything in this law that requires contractors to provide DCAA access to its internal audits. Its still voluntary on the contractor's part. If it were not voluntary, the original wording would have been retained and there would be no need for DCAA to document contractor rationale or justification when access was not granted.

DCAA recently issued guidance to its audit staff on access to contractor internal audit reports and made corresponding changes to its Contract Audit Manual (CAM). Most of the guidance mirrors the NDAA provisions but there is one troubling aspect to both the guidance and the revised CAM. DCAA guidance now implies that contractors must turn over their internal audits. DCAA states that "... the Law not only allows us to use the internal audits to assess the contractor's business systems; it allows us to use the internal audits to understand the efficiency of the contractor's internal controls..".  What DCAA should have stated in their guidance is that there is no requirement that contractors provide copies of their audit reports but if they voluntarily decide to do so, DCAA can only use those reports in limited circumstances.

Just saying.

(Cost Type) Contractors Must "Audit" Their (Cost Type) Subcontracts

The Government employs hundreds of contractors that perform essential mission work under cost reimbursable contracts. To achieve their missions, these contractors often utilize the services of subcontractors, often on a cost-reimbursable basis.

When subcontracts are structured as cost-type, including T&M (Time and Materials) and cost-reimbursable subcontracts, prime contractors are contractually required to ensure that associated costs incurred are audited to provide assurance that the costs are allowable, allocable to the subcontract, and reasonable.

Prime contractors can use their internal audit staff to conduct these audits, engage outside auditors, or, in some cases, utilize the services of the Defense Contract Audit Agency (DCAA), especially where that Agency already has a presence at the particular subcontractor.

One of the problems that has surfaced recently is that prime contractors are not doing a very good job of auditing their subcontractors. That deficiency lies not with the work that DCAA or another contracted audit organization performs but with work performed by internal staff. Audits must comply with professional standards, e.g. Generally Accepted Government Auditing Standards (GAGAS), or standards promulgated by the Institute of Internal Auditors (IIA), to name two. Reviews by various Inspector General organizations have disclosed serious deficiencies in the conduct of these audits - to the extent that these prime contractors have no idea as to whether their subcontract costs are allowable.

Not everyone in the Government is on board with this concept however. A number of years ago while we were still working for DCAA, we conducted a review to determine how well a large Government contractor managed its subcontractors. DCAA, more than any other organization in the Government, has a pretty good idea of what it takes to evaluate incurred costs. They do it for a living. Applying these same standards to contractor reviews of subcontract costs, we found many areas for improvement. However, the contracting officer (DCMA) did not agree. He thought the contractor had done a bang-up job of reviewing subcontract costs and didn't think that internal contractor staff should be held to professional auditing standards.

While that attitude may persist in some organizations, the various agency IGs are working to change attitudes, ensure compliance, and preserve the integrity of costs charged to Government contracts.

Farewell, Kinder/Gentler DCAA

DCAA (Defense Contract Audit Agency) recently revised its CAM guidance (Contract Audit Manual) dealing with access to contractor internal audits.

Previously, the guidance in CAM Section 4-202 (Relationships with Contractor Internal and External Auditors) focused on coordinated audit planning. Coordinated audit planning is a voluntary process wherein DCAA and the contractor's internal and external auditors consider each other's work in determining the nature, timing and extent of auditing procedures. One benefit of coordinated audit planning is that, in theory, it promotes contractor self-governance , enabling organizations to better develop and maintain strong systems of internal controls. Coordinated audit planning also helps identify and eliminate duplicative audit effort, thus saving resources for all parties. Contractors were encouraged to participate in coordinated audit planning activities but it was strictly voluntary.

The previous guidance made no demands for internal audits. It simply stated that where internal audits were provided, auditors should review them to see if there was any items that impact planned or in-process audits. Also, the previous audit guidance provided that where coordinated audit planning was practiced, the contractor's internal and external auditors were authorized to review and reproduce DCAA working papers to the extent needed to document their own working papers.

Gone now is the warm and fuzzy lets get along mentality. The revised CAM Section 4-202 guidance (now re titled: Access to Contractor Internal and External Audits) sets forth a very different and perhaps confrontational approach to reviewing internal audit reports and working papers.

Under the revised guidance, auditors must establish a process and a central point of contact to obtain and monitor access to and use of internal audit reports. The process must include a method for tracking requests for internal auditor reports and working papers and the contractor's disposition of these requests.

The guidance fully expects contractors to provide access to internal audit reports and working papers. Once received, the audit is instructed to review the internal audit reports and determine if sufficient information is contained in the report for use in identifying risk in audit assignments. In order for the internal audit report to be useful in audit planning, the auditor needs to understand the scope of the review, the reported deficiencies and any recommended corrective actions. If sufficient information is not included in the report, the auditor is instructed to request access to the working papers.

If contractors choose not to provide access to internal audits, things could turn confrontational. The new guidance instructs the auditor to report the denial as an "access to records" issue, which means, it will be quickly elevated right to the top of DCAA's food chain. One possible outcome from an "access to records" charge is billing withholds until the issue is resolved.

Finally, there is no mention the revised guidance authorizing contractor personnel to review DCAA working papers.

___________________________________

Thanks to a reader who alerted us to this policy change.

Access to Internal Audits - What's the Big Deal?

DCAA (Defense Contract Audit Agency) has, for some time, been seeking unfettered access to internal audits conducted by contractors' internal audit organizations. The Agency found an ally in the GAO (General Accountability Office) who reported that access to these internal audits would make DCAA more effective. The Senate included a provision in the 2013 National Defense Authorization Act (NDAA) that would have required contractors to grant access to their internal audits or face potential billing withholds. That provision did not survive the final bill. Instead, the NDAA passed into law only directs DCAA to request internal audits it would like to review, document the request, and document the contractor's response to the request. If the contractor denies access, there are no ramifications.

If the contractor provides access, the internal audit reports can only be used by DCAA to help evaluate the efficacy of contractor internal controls and the reliability of associated contractor business systems. Those reports cannot be used as the sole basis for determining whether contractors have sound internal control systems.

Why is this important? What is the big deal with gaining access to internal audits? It all has to do with audit efficiency. At the end of the day, an audit report provides reasonable (not absolute) assurance that a contractor's representations, be they financial statements, incurred costs, TINA (Truth in Negotiations Act) representations, are fairly presented. Auditors, not just DCAA but any audit organization or audit firm, must test the propriety of transactions. How many transactions? It depends on the level, adequacy, and compliance with internal controls.

The adequacy of contractor internal control structure is an important factor in determining audit scope. Adequate controls, sound policies, and the effective implementation of prescribed policies and procedures contribute to the reliance that the auditor can place on contractor cost representations, and permit reduction of the extent of verification which might otherwise be required.

More formalized systems, such as the accounting, estimating, and purchasing , with strong self-controls built into those systems can reduce the audit effort required to satisfy the audit objective once the system has been evaluated and determined to be adequate. Poorly defined or nonexistent systems, or those which rely on external controls only, increase the risk for cost mischarging or misallocation and could correspondingly result in an increase to the audit scope.

Additionally, the internal control structure may affect the audit scope. If there is little separation of duties and responsibilities or if the separation is not conducive to adequate internal controls, there is greater risk for costs to be mischarged or misallocated. The control environment may be such that the same management has responsibility for and control over multiple contracts and can manipulate the allocation of costs to those contracts to the Government's detriment. Also, if the internal control structure changes frequently, the audit scope must be expanded to assure that the change(s) have not adversely affected contract costs.

DCAA Access to Contractor Internal Audit Reports

Yesterday we wrote about how the conference committee eliminated a provision in the Senate's version of the 2013 National Defense Authorization Act (NDAA) that would limit the reimbursement of compensation paid to contractor employees to that of the US Vice President. Today we want to highlight another change the conference committee made to the NDAA. This one involves access to contractor internal audit reports.

Under the Senate's version of the 2013 NDAA, contractors would have been required to grant access to internal audit reports and failure to do so, could render a particular business system deficient and subject the contractor to billing withholds.

Under the conference committee's version (expected to pass), the requirement to provide internal audits has been eliminated. Instead, the Act will require that if DCAA needs internal audits, it will request them, document the request, and document the contractors' response to the request. That's it. End of story. If the contractor denies access, there are no ramifications.

If the contractor does provide access, the internal audit reports can only be used by DCAA to evaluate the efficacy of contractor internal controls and the reliability of associated contractor business systems. A determination by DCAA that a contractor has a sound system of internal controls shall provide the basis for increased reliance on contractor business systems or a reduced level of testing with regard to specific audits, as appropriate. Internal audit reports provided by a contractor pursuant to this section may be considered in determining whether or not a contractor has a sound system of internal controls, but shall not be the sole basis for such a determination. This also means that the reports cannot be used as a basis for withholding billings.

Contractor's can breathe easier, for awhile. They will not be required to turn over internal audits if they so choose.

Access to Internal Audit Reports

Yesterday, we informed you that the Senate unanimously (98-0) passed the fiscal year 2013 National Defense Authorization Act that included caps on employee compensation. That same bill included a provision that will require defense contractors to provide not only their internal audit reports but also the supporting working papers to Government auditors.

Specifically, Section 843 will ensure that the Defense Contract Audit Agency has sufficient access to contractor internal audit reports and supporting materials in order to

1. evaluate and test the efficacy of contractor internal controls and the reliability of associated contractor business systems, and
2. assess the amount of risk and level of testing required in connection with specific audits to be conducted by the Agency.

Contractors who fail to provide access, risk having one or more of their business systems determined to be inadequate (or disapproved) and would result in billing withholds.

Last August, we wrote a three-part series on internal audits and their value in reducing the amount of audit testing by DCAA (hint: not much). You can read those postings here: Part I, Part II, and Part III. But, the GAO thinks it is important and DCAA cited the general lack of access as one of the issues causing inefficiencies in its audits.

The Senate bill must be reconciled with the House version. It is unknown whether this provision will survive the conference committee.

Government Access to Internal Audits - Part III

Last Friday, we wrote that the Government (namely DCAA) had formulated a new policy on requesting internal audits and associated working papers from Government contractors. We also noted, based on our experience, that contractor internal audits were not all that useful in reducing the amount of work necessary by Government auditors when evaluating the various business systems that are important for ensuring the propriety of costs charged to Government contracts.

Yesterday, we discussed the impetus behind the new policy, the GAO report that to some extent, disagreed with our experience, namely that there was a lot of useful information in internal audits that could be useful to a Government auditor. We remain unconvinced. If there was such good information in these reports, if DCAA could really use them to reduce the level of their own oversight, the Agency would have been much more aggressive over the years in obtaining them.

Today we will conclude this short series with a recap of the new policy. First of all, everyone acknowledges that DCAA cannot request unlimited access to all internal audits - there must be something there that is relevant to its audit responsibilities. The GAO found that, for the most part, DCAA didn't even know what was even out there, making it difficult to assess whether a report was or was not relevant to the audit mission. So, the first step is to set up focal points to monitor contractor internal audit activity, make requests for copies of the reports and working papers, and track these requests to ensure contractor responsiveness.

Auditors and supervisors are now required to review the listing of internal audits to determine whether any apply to their specific audit assignment. If so, the established point of contract will obtain and provide the auditor copies of the report and possibly the working papers. The auditor is to review the report and determine if sufficient information is contained in the report for use in identifying risk in audit assignments. In order to make such a determination, the auditor will need to understand the scope of the internal audit, the reported deficiencies and any recommended corrective actions. If that information is not in the report, the auditor will ask to review the working papers.

If contractors refuse to provide requested audits, the new guidance requires that the auditor elevate the denial as an "Access to Records" issue. At the conclusion of the audit, the auditor is required to provide feedback to the point of contact regarding the usefulness of the internal audit.

Government Access to Internal Audits - Part II

Last Friday, we reported on DCAA's recently revised audit guidance related to accessing contractor internal audit reports and related working papers. Essentially, the revised guidance was a result of a GAO report from last December (see GAO-12-88 dated December 8, 2011). GAO looked at seven defense contractors to assess their compliance with standards for internal audits, the extent to which those companies' internal audit reports address defense contract management internal controls, and DCAA's ability to examine internal audits and use information from those audits.

GAO found that the internal audit departments did a pretty good job of adhering or complying with professional standards and that those audits covered a broad spectrum of policies, business systems, and programs that are relevant to DCAA audits. GAO discovered however, that those seven contractors had widely varying policies for providing DCAA access to those reports. Some provided access on a case-by-case basis, some upon request and one, not at all.

GAO found that the number of internal audits requested by DCAA is very small relative to the number of internal audits that GAO identified as relevant to the Government contracting oversight process. In explaining why so few reports were requested, auditors noted that there was uncertainty as to how useful those reports could be to their own oversight (a point we made earlier).

GAO recommended that DCAA take steps to facilitate access oto internal audits and assess periodically whether other actions aqre needed. DCAA generally agreed to implement GAO's recommendations but expressed skepticism that these recommendations alone would fully ensure access to internal audits.

In a related matter, Sec 843 of the National Defense Authorization Act of 2013, if enacted, will put some statutory teeth to accessing internal audits. The proposed legislation will (i) require that assessments of contractor business systems take into account the "efficacy of contractor internal controls, including contractor internal audit reports and supporting materials that are relevant to such assessment and (ii) provide that the refusal of a contractor to permit access to contractor internal audit reports and supporting materials that are relevant to such an assessment is a basis for disapproving the contract business system to which such materials are relevant. Disapproved business systems will result in billing withhold and cash flow disruptions.

Tomorrow, we will discuss some of the specifics of DCAA's new policy on accessing internal audits.

Government Access to Internal Audits - Part I

DCAA significantly revised its audit procedures for accessing internal audit reports and associated working papers of contractor internal audit departments. The latest guidance can be found in the Contract Audit Manual at 4-200. While acknowledging that internal (and external) auditors' final audit objectives are not the same as DCAA's the information contained in their reports may be useful to DCAA in the course of its audits. DCAA further stated that auditors should be aware of the potential for increased opportunities in reviewing these audits as part of their audit responsibilities (whatever that means).

The theory is good. Internal audit departments, like Governmental audit activities, are concerned about the effectiveness of internal control systems. To the extent that DCAA or other Governmental audit organizations can rely on the work performed, they can reduce the level of their own oversight. The problem is that there is a big gap between theory and reality. As we've stated here before, we have a lot of experience reviewing internal audit plans and reports and there just wasn't much there that was of any use in helping us reduce the scope of our own audit activity. The control objectives most important to contractors are not the control objectives most important to Government auditors.

When we were auditors, access was not usually an issue. We would sit down with the internal auditors annually, review their plans, look at a few reports that, on the surface, sounded like something we might be interested in. But this was all more of an intellectual exercise rather than one that proved useful. This didn't change when Sarbanes-Oxley came along either. The notable exception came one year when both the contractor's internal audit department and DCAA planned to review the purchasing system. We consolidated audit programs and divided up the procedures and consolidated the results into one report when finished. In retrospect, that worked pretty well but in today's environment, with acute emphasis on independence, the practice is no longer acceptable.

Congress Moving to Require Access to Internal Audits

Government contractors have always played a little cat-and-mouse game with providing the Government access to their internal audits and  associated work product. When we were auditors, we always wanted to see them. After all, there might be information in them that we could rely upon thereby reducing the audit steps we had to perform. Why do the same thing twice? We sincerely thought that it was a win-win for both the contractor and the Government. Our position has not changed. We still think that contractors should provide access to routine internal audits to DCAA and other Government contract auditors.

Contractors are sometimes wary of providing the Government access to their internal audits. They ask such questions as why do you want them and what are you going to do with them? If those audits disclose an internal weakness or two in a control activity, contractors are concerned that the reports might might somehow be used against them.

As a practical matter, the ability to rely on contractor internal audits to reduce the amount of effort that Government auditors need to perform seems overrated. In our experience, there typically is not much savings to be achieved. Contractor internal audit and Government audit objectives rarely overlap. But internal audit reports are nevertheless useful to the extent that they demonstrate contractor commitment to maintaining good internal controls and for ensuring that any recommendations are followed up with corrective action plans.

Section 843 of the Senate Version of the Fiscal Year 2013 National Defense Authorization Act contains a provision that will require contractors to disclose their internal audit reports as an element of maintaining adequate "business systems". Specifically, the recently enacted "business system" rules will soon be modified to require the following:

1. ensure that any assessment of the adequacy of contractor business systems takes into account the efficacy of contractor internal controls, including contractor internal audit reports and supporting materials, that are relevant to such assessment; and
2. provide that the refusal of a contractor to permit access to contractor internal audit reports and supporting materials that are relevant to such assessment is a basis for disapproving the contractor business system or systems to which such materials are relevant and taking the remedial actions (i.e. billing withholds).