On September 21, 2009, the Commission on Wartime Contracting (CWC) issued a special report on contractor business systems and it was that report which coined the phrase, “Contractor business systems and internal controls are the first line of defense against waste, fraud and abuse”. That phrase and the recommendations of the CWC live on within the DFARS Business Systems Rule, first issued as an interim rule on May 18, 2011, finalized on February 24, 2012, and very recently the subject of a proposed rule (July 15, 2014) which will potentially require contractors to self-certify compliance and also to obtain independent CPA audits relative to the contractor compliance with three of six DFARS business systems.
The six business systems include the following
The relatively new business system rule also includes a Business Systems Administration clause, DFARS 252.242-7005 which includes provisions for withholding contract payments in the event that a contracting officer determines a system to have one or more significant deficiencies, which is defined as “a shortcoming of the system that affects materially the ability of officials of the DoD to rely on information produced by the system that is needed for management purposes”. In application to the accounting system (252.242-7006) which has 18 criteria, failure to comply with 1 (or more) of the 18 criteria would be deemed a significant deficiency and the cognizant ACO would be required to disapprove the system. Noting that criterion 1 is “a sound internal control environment, accounting framework, and organizational structure”, it should be apparent that the criterion is anything but specific, objective criteria. Moreover, a significant deficiency is premised solely upon the risk of financial harm to the government; translated, there is no requirement for actual harm to justify system disapproval.
Although contractors with DoD contracts which include the business systems clauses have in many cases been required to be compliant with the system criteria since mid-2011, government oversight has been sporadic at best. In particular, DCAA, which is the agency responsible for evaluating contractor compliance with Accounting, Estimating and MMAS, has been unable to perform any full system audits which has led to the July 15, 2014 proposed rule which will potentially require contractor self-evaluations/certifications along with periodic independent CPA audits. DCAA (generically listed in the proposed rule as the “government auditor”) will assume the role of performing an overview of the contractor self-certifications and/or CPA audits. At least conceptually, many view this as a favorable “exchange” in the context of expending fewer resources for self-evaluations and CPA audits in comparison to the contractor resources to support an unending DCAA business systems audit. There will undoubtedly be initial “growing pains”, in particular can DCAA limit itself to the ill-defined role of performing an “overview”; however, once the concept of self-evaluations/certifications and independent audits is stabilized, it could be infinitely better than exposure to the highly unpredictable and almost perpetual DCAA attempts at DFARS business system audits.
Government contractors, beyond those covered by the DFARS Business Systems Rules, should not assume that they are clear of these or similar requirements. On April 1, 2014, the Federal Register included a proposed DOE (Department of Energy) rule which is modeled after the DoD rule and will likely become applicable to certain DOE contracts once the rule is final (presumably in 2014 or 2015). In fact, at least one of the DOE business systems, EVMS, has an explicit requirement for a contractor self-evaluation and certification (the self-evaluation actually requires an evaluation by entity independent from the contractor personnel assigned to the DOE projects). Additionally, DCAA has audit policies/programs which state that “the DFARS Business Systems Criteria is suitable criteria for determining the acceptability of any contractor’s system”. Hence, any accounting or other system touched by a DCAA audit is at risk for issues involving compliance with one or more the DFARS Business Systems Criteria.