Contractor Business Systems Series: Part 9 – Navigating Review and Audit Findings

BRENDAN HALLORAN: Welcome to the Cherry Bekaert GovCon podcast, where we discuss current Government Contracting trends, compliance matters, and best practices to guide federal contractors forward.

I am Brendan Halloran, a Director with Cherry Bekaert Advisory. Joining me today is Jeffrey Anessa, a Senior Manager in Cherry Bekaert’s Government Contractor Services Group.

As part of our continuing series on contractor business systems, we are talking about navigating business system audit and review findings, corrective actions, and the ACO determination process. Thanks for joining me today, Jeff.

JEFFREY ANESSA: Thanks, Brendan. It is great to be here.

BRENDAN HALLORAN: We have covered each of the six contractor business systems during our podcast series, leading up to best practices for supporting an audit or functional review of your system.

To wrap up that series, we are going to cover audit findings and potential deficiencies identified as part of business systems reviews. We will also discuss how to navigate the corrective action process.

We want to provide background on the differences between deficiencies and the ramifications of a potential significant deficiency. We want clients to pass their audits and functional reviews with flying colors, but with the amount of activity we have seen, there are certainly plenty of findings out there.

As a reminder, two different agencies are involved in this. DCAA conducts audits of the accounting, estimating, and MMAS systems.

DCMA conducts functional reviews of the Earned Value Management System (EVMS), property, and purchasing. Most folks are familiar with the latter as part of a CPSR.

There are very defined processes for handling deficiencies within a contractor business system. DFARS spells out the obligations of the ACO and what they shall do.

A contractor's primary concern is a system disapproval. Not only can it result in payment withholds on applicable contracts, but it could also preclude you from receiving awards.

Accounting is perhaps the most critical system. A disapproval could preclude you from receiving follow-on cost-reimbursable contract awards.

It has a big impact and puts pressure on a business through cash flow and the inability to be awarded new contracts. Jeff, in the case of system audits that DCAA conducts, what are some indicators that an audit may be identifying findings or potential non-compliances?

JEFFREY ANESSA: Communication is key. Historically, DCAA is not always the best about informing you of a significant system deficiency until they have their draft audit report ready.

At that point, they submit a copy of the draft report to the contractor for review and response. Typically, they allow one to two weeks for a contractor to provide a formal response to the issues outlined in the report.

If DCAA is coming up against a deadline, they might not be as generous with that turnaround time. At some of the larger contractors, business system audits can take up to 12 months or longer.

If a significant deficiency is identified, they have a specific assignment they can create to "spike that one out" if it requires the immediate attention of an ACO while they continue the system audit.

I recommend asking questions throughout the audit. Do not be shy about asking DCAA for status updates.

You might not be able to get a response until something has been through supervisory review and management approval, but it is better to know about these things earlier rather than later.

System disapproval can bar you from obtaining additional cost-type contracts or bidding on new work. It is important to stay cognizant of what is going on during the audit.

Pay attention to what DCAA is asking for and whether they are digging into specific areas. I would also recommend keeping the ACO in the loop.

You can pull the ACO into discussions with the audit office to get their take. It is important to remember that DCAA has their opinion, as does DCMA or any other ACO, and they might not always be in line.

BRENDAN HALLORAN: That is great advice. Jeff, you spent many years with DCAA.

Did you see instances where the audit team flagged a potential issue, but the contractor was able to address it by providing additional information or explaining a process differently?

JEFFREY ANESSA: That actually happens pretty often. As part of the audit process, DCAA goes through a risk assessment.

With the accounting system, they send a questionnaire that can be quite robust. A contractor response could be anywhere from 80 to 100 pages.

From there, they identify areas that appear to have deficiencies and ask for system walkthroughs. The contractor then walks DCAA through their process, showing how controls apply and demonstrating transactions.

DCAA then creates a narrative of their understanding, called a Memorandum of Understanding, which they send back to the contractor for input. They do not always get it right the first time.

Making sure they have a clear understanding of how things are working is why you should stay in contact with them. If you feel they are going down the wrong path, you should point that out.

Steer them toward the specific criteria and audit steps they are trying to accomplish. This happens often enough that you can prevent them from going down a "rabbit hole."

When DCAA issues reports, a system report is issued in a format called a SOAR, which is an acronym for Statement of Conditions and Recommendations.

It outlines the report into two sections: the condition and the recommendation. The condition section includes the nature of the deficiency, the root cause, the criteria or legitimacy of the finding, and the effect.

DCAA recommendations are typically pretty general. For example, they might recommend that a contractor develop a detailed policy and procedure for timekeeping to address the issues identified.

They do not get into the specifics of exactly what you need to do to be compliant because of their independent nature. They cannot tell you how to do it and then audit it later. That is a discussion to have with the ACO to ensure you are complying.

BRENDAN HALLORAN: Regarding systems that DCMA reviews, such as purchasing, EVMS, and property, there is a functional review program for each. These can be tailored based on the nature of the contractor and the extent of their activity.

EVMS reviews are very specific to looking at a particular contract for compliance or surveillance. Purchasing reviews look at all procurement or subcontractor activity for the contractor.

Property reviews occur where government-furnished property is present, often facility by facility. A difference between DCMA functional reviews and DCAA audits is how they identify non-compliance.

During a CPSR, if there are findings, the procurement analyst or team captain can issue Level II CARs to the contractor very quickly. This comes with a 30-day requirement to respond.

With a CPSR, you should try to respond even more quickly. Previously, all findings or deficiencies would be called out in the report that goes to the ACO.

Now, this added step allows the functional specialist to resolve issues before elevating them as potential significant deficiencies for the ACO's consideration. At Level II, the functional specialist or procurement analyst is enabled to resolve the findings.

You can submit your response directly to the CPSR team. They will review if you have identified the right root cause and if your corrective action is adequate and implemented.

They can actually resolve those before the report goes to the ACO. This has alleviated many things from being elevated to a Level III CAR.

DCMA also rolled out a pilot program to allow contractors additional time to address deficiencies before they are moved to a Level III status. This selective implementation has allowed some systems to avoid escalating to a high level of concern.

Do not wait for a final report to come out. Work on any remediation or corrective action concurrently with the review as much as possible.

JEFFREY ANESSA: Those are great points. The ultimate goal for the DOD and for government contractors is to ensure there is a compliant system that can be relied on to make management decisions.

BRENDAN HALLORAN: Promoting a culture of communication with government auditors or specialists is critical. The ACO process and requirements are based on a very programmed timeline.

Within DCMA, this is tracked specifically from the issuance of an audit or functional report. The ACO has 10 days to evaluate the report and determine if any findings are, in fact, significant deficiencies.

They issue an initial determination in 10 days. If deficiencies are noted, they include a draft Level III CAR.

This gives the contractor a heads-up that things are progressing to a potentially severe junction. The contractor then has 30 days to respond to that initial determination.

Typically, these responses include a corrective action plan. The response should show that you have identified the root cause of the issue.

You may disagree that a finding is material or significant, but you must lay out evidence of why that is the case or what you have done to correct it. Thirty days to develop and implement a corrective action is a very short turnaround.

The ACO then has 30 days to respond to the contractor with a final determination. That final determination will result in either an approved system or a disapproved system if significant deficiencies remain.

They will formalize the Level III CAR, which is when things move toward payment withholds on applicable contracts. It is a very big deal for both the government and the contractor.

Jeff, what are some of the audit terms and levels of findings? Specifically, what constitutes something as significant versus non-significant?

JEFFREY ANESSA: This comes up quite a bit. DCMA uses terminology found in the DFARS, which identifies a significant deficiency as a shortcoming in the system that materially affects the ability of the DOD to rely upon information produced by the system.

DCAA uses different terminology because they follow GAGAS, the Generally Accepted Government Auditing Standards. Within GAGAS, there are three identifiers for levels of deficiencies.

The first is a significant deficiency, which is the same definition used by DCMA. This typically warrants an adverse opinion and can result in system disapproval and withholds.

The second is a "less severe" significant deficiency. This often causes confusion because it contains the word "significant," but it generally results in a qualified audit opinion.

This means the system complies in all aspects except for specific items. It is material in nature but does not rise to the level of a DFARS significant deficiency, so it should not result in withholds or disapproval.

The third is a "less than material non-compliance" that warrants the attention of the contracting officer. GAGAS requires DCAA to notify the contracting officer of these in writing, but they are not material weaknesses.

We stress the importance of communication with both DCAA and the ACO to ensure everyone is on the same page regarding the significance of findings. In the end, contractors just need to show that the information coming out of their system can be relied upon.

BRENDAN HALLORAN: The ACO needs to develop a relationship at the onset of the audit and stay involved. Waiting for an audit report to come out is too late to understand the depth of the issues.

The ACO must ultimately determine if there is an impact and risk to the government. They have the warrant authority to make the determination of what is significant or not.

In some cases, an ACO may push back if a finding is not material or needs further review. They also need to know they can rely on DCAA or functional specialists for follow-up verification.

Jeff, in your experience with DCAA doing follow-up on corrective actions, how does that process work?

JEFFREY ANESSA: DCAA can review corrective actions if requested by the ACO or during scheduled business system follow-ups. They like to allow sufficient time for contractors to put corrective actions in place to determine if they have made an impact.

This is usually around six months, but it can be sooner if the contractor can show there are sufficient transactions available to test the effectiveness. The scope of any business system follow-up should be tailored specifically to those previously reported deficiencies.

DCAA should not be performing another full audit. Contractors should begin corrective actions as early as possible, especially for significant deficiencies.

Implementing corrective actions prior to the audit report issuance is viewed favorably by the ACO and DCAA. It shows a willingness to set things right and understand the root cause of the issue.

BRENDAN HALLORAN: Once you get into that process, there are a lot of moving parts and requirements. The more a contractor can do to facilitate that review and understanding, the better.

We have covered quite a bit of territory in terms of what contractors can expect and the initial actions they should take. Jeff, thanks very much for the conversation and input.

To everyone listening, thanks for joining us. If you have any questions, feel free to email Jeff at jeffrey.anessa@cb.com or myself at brendan.halloran@cb.com. Please join us again for our next podcast.