DOD Issues Proposed Amendment to DFARS Contractor Business System Rules to Require Contractors to Perform “Self-Evaluations” and Engage Independent Third-Party Auditors for Triennial Business System Reviews
On July 15, the Department of Defense (DOD) issued a notice of proposed rulemaking to amend the DOD Federal Acquisition Regulation Supplement (DFARS) rules relating to contractor business systems (DFARS 215.407-5-70, DFARS subpart 242.70, and related clauses). 79 Fed. Reg. 41172 (July 15, 2014). The purpose of the proposed rule is to “entrust contractors with the capability to demonstrate compliance with DFARS system criteria for contractors’ accounting systems, estimating systems, and material management and accounting systems [MMAS], based on contractors’ self-evaluations and audits by independent Certified Public Accountants (CPAs) of their choosing.” Government auditors (i.e. , the Defense Contract Audit Agency (DCAA)) would then perform “overviews” of the results of contractor self-evaluations and CPA audits. The proposed rule does not cover contractor purchasing systems or earned value management systems, two other business systems covered by DFARS 252.242-7005. The proposed rule would impose several new requirements on covered DOD contractors, discussed below.
The proposed rule is in response to a Government Accountability Office (GAO) report finding that DCAA’s inability to complete audits of contractor business systems was a key external risk to the ability of the Defense Contract Management Agency (DCMA) to effectively carry out its responsibility to determine the adequacy of DOD contractor business systems. Defense Contract Management Agency: Amid Ongoing Efforts to Rebuild Capacity, Several Factors Present Challenges in Meeting Its Mission, Report No. GAO-12-83 (Nov. 3, 2011). GAO also found that DCMA maintained its position regarding the adequacy of contractor business systems even if those systems had not been audited for several years and even if the contractor had grown significantly in size.
In general, estimating systems are covered if the contractor has prime contracts or subcontracts of at least $50 million (M) for which certified cost or pricing data were required or contracts totaling $10M for which certified cost or pricing data were required at the discretion of the Contracting Officer (CO); MMAS are subject to the new requirements if the contractor has over $50M in qualifying Government sales and the CO believes a review is necessary; and accounting system reviews are required if the contractor has contracts covered by the Cost Accounting Standards. Small businesses are not covered.
Notable provisions of the proposed rule that would apply to covered contractors include:
- Annual Reports. Covered contractors must conduct annual internal assessments of covered business systems and report the results to the CO and auditor/DCAA. Annual reports are required to be submitted within six months after the end of the contractor’s fiscal year and must be signed by an officer at a level no lower than vice president or chief financial officer of the reporting business segment. DCAA will then review the annual assessments and provide its views to the CO.
- Contractor reports must, among other things, (i) include a statement that the contractor evaluated the system against the applicable DFARS criteria; (ii) state whether the system complies with the system criteria; (iii) disclose any significant system deficiencies; and (iv) identify any corrective actions to address any significant deficiencies.
- Triennial CPA Audits. In the first year in which a covered contractor is required to provide an annual report and every three years thereafter, a triennial CPA report must be submitted to the auditor/DCAA for its review and assessment. In addition, covered contractors must submit an audit plan comprised of an audit strategy, risk assessment, and plan that is submitted to the CO and auditor/DCAA for their review and comment. The CO is to inform the contractor of any issues with the plan identified by DCAA, but the CO’s review does not constitute approval of the plan. CPAs retained by contractors to perform these audits must have certain qualifications, and contractors must reasonably ensure that their CPAs are and remain independent.
- Submission of audit plans for estimating systems are required if the contractor received DOD prime contracts or subcontracts totaling $100M or more for which certified cost or pricing data were required during the fiscal year to which the contractor’s CPA audit report applies. For accounting systems, plan submission is required if the contractor has more than $100M in costs incurred on cost-reimbursement and incentive type contracts, and amounts billed on time-and-material and labor hour contracts during the contractor’s fiscal year to which the CPA audit report applies. For MMAS, the plan must be provided if the contractor has more than $100M in qualifying sales to the Government during the fiscal year to which the CPA audit report applies. For each system, a plan must also be submitted upon CO request.
- The CO, in consultation with the auditor/DCAA, also may require contractors subject to the triennial CPA audit requirement to provide an “out-of-cycle” CPA audit report based on a risk assessment of the contractor’s past experience and “current vulnerability.”
- Document Retention and Production. Contractors must maintain and make available to the Government certain documentation, including CPA work papers and documentation of the independence of the CPA.
- Withholdings. A failure to comply with these report and audit requirements is an additional ground for withholding of payments.
Understandably, DOD sought an alternative path to address the inability to obtain timely DCAA audits of contractor business systems. For contractors, the ability to potentially accelerate approval of their business systems may be attractive. Nonetheless, the proposed rule imposes significant new mandatory requirements on covered contractors to report their annual business system assessments, engage independent CPAs to provide audit plans and perform audits, and produce documentation regarding audits and assessments. Since these contractor and CPA reports are subject to DCAA review, it remains to be seen how long DCAA takes to review the reports and whether DCAA will accept CPA audits or review them so critically that the anticipated efficiencies are lost.
DOD is holding a public meeting on the proposed rule on August 18, 2014, and comments on the proposed rule are due September 15, 2014. Wiley Rein represents contractors with respect to compliance with DFARS business system requirements and in connection with DCAA reviews of their business systems and continues to monitor this proposed rule for issues that will affect covered contractors.