Managing Business System Audits and Key System Compliance Issues Michael J. McGuinn Dentons US LLP Date: January 26, 2016 McKenna Government Contracts, continuing excellence at Dentons
Managing Business SystemAudits and Key SystemCompliance Issues
Michael J. McGuinn
Dentons US LLP
Date: January 26, 2016
McKenna Government Contracts,continuing excellence at Dentons
Agenda
• Overview of the DFARS Business Systems Rule
• Managing system audits
• Key system compliance issues
• Business system developments
2
Overview of the Rule
• Interim Rule published May 2011, Final Rule publishedFeb 2012
• Interim rule (76 Fed. Reg. 28,856 (May 11, 2011))
• Final rule (77 Fed. Reg. 11,355 (Feb. 24, 2012))
• Applicable through clauses in DFARS, CAS-covered contracts awardedafter May 2011
• Other agencies adopting/applying DFARS criteria
• DOD attempt to revise rule in 2015 to require self-review andindependent audit was unsuccessful
3
Overview of the Rule (cont.)
• Requires existence of 6 approved business systems
• Accounting (includes billing system)
• Purchasing
• Estimating
• Material Management and Accounting
• Earned Value Management
• Government Property
• DCMA tracking status of contractor business systems in ContractBusiness Analysis Repository
4
Overview of the Rule – Withholding
• Disapproved system results in withholding from:
• Progress payments
• Performance based payments
• Interim payments under cost, T&M, and labor-hour contracts
• Applies to any contract that contains DFARS § 252.242-7005 and theapplicable system clause(s), at CO discretion
• 5% for one disapproved system, up to 10% for two or more disapprovedsystems
• Reduced to 2% (prospectively only) upon submission of an acceptablecorrective action plan; possible reduction of existing withhold by 50 percent ifCO fails to render a determination within 90 days after contractor notification ofcompleted corrective action
• Potential for reduction based on partial implementation of CAP
5
Overview of the Rule – Opportunities and Risks
• Opportunities: approved systems protect/enhance competitivepositioning and cash flows
• Receipt of cost reimbursement contracts and progress payments(FAR 9.104-1(e); FAR 32.503-3; DFARS Subpt. 242.75;Sygnetics, 2011 CPD ¶ 164 (Aug 2011))
• Permit compliance with evaluation factors
• Limits bid protests
• May reduce number and scope of audits
• Precludes withholds under the Rule
• Risks: disapproved systems create mirror image competitive andfinancial disadvantages
6
Overview of the Rule – Process
• System review: DCMA/DCAA perform audit; exit conference
• Initial ACO determination: ACO provides written initial determinationdetailing any “significant deficiencies”
• Contractor response: Within 30 days of receipt of initial ACOdetermination, contractor responds in writing to ACO
• Final ACO determination: ACO evaluates contractor’s response andissues a final written determination 30 days after receipt
• Will begin withholding if significant deficiency exists
• Contractor corrective action: Within 45 days of receipt of finaldetermination, contractor must correct deficiencies or submit anacceptable corrective action plan
7
DOD-IG October 2015 Report likely to lead to faster system review process
System Assessments – Results
• System reviews with no significant deficiencies rare
• Multiple contractor systems (purchasing, accounting, estimating, EVMS)subject of ACO initial determination
• DCAA issued 164 business system deficiency reports between July 2012 toJune 2013
• Withholding can last for extended durations of more than a year
• Clients have had success responding to system issues beforewithholding
• Addressing issues during system reviews and/or exit conference
• Providing comprehensive and detailed response to initial determination
8
System Assessments – Audits
• Prepare for system audits
• Done periodically (e.g., triennial CPSRs), make use of time to prepare
• Address all prior system findings
• Avoid subsequently revising implemented corrective actions
• Push back on non-system audits (ICS, timekeeping, FPRP) resulting inbroader system findings
• Make sure auditors understand system, explain framework of policiesand procedures
• System POC is important
• Respond to factual misunderstandings immediately
9
System Assessments – Audits (cont.)
• Engage with system auditors during system reviews/exit conference
• Have documents for review readily available• Internal audit reports should be carefully considered
• Make sure auditors understand system, explain framework of policies andprocedures
• Respond to factual misunderstandings
• Documentation of issues from system reviews/exit conference oftencritical to understand basis for subsequent deficiency findings
• Log all auditor requests, questions and issues identified
• Document contractor responses and information provided
• Closely document entrance and exit conferences
10
System Assessments – Contractor Responses toInitial Determination
• Contractor responses to initial determination
• Refute facts supporting deficiency
• Challenge applicability of system requirement
• Explain why deficiency is not significant
• Describe corrective actions• Updates to policies and procedures
• Training
• Address all deficiencies and identified areas for improvement
• Best practice to have CAP in place and implemented immediately, ideally before response deadline
• Effort to respond to initial determination intensive
• Contractors conducting self-assessments pre-review have been in best positionto respond timely
• Failure to respond likely to be treated as agreement
11
System Assessments – Contractor Responses toInitial Determination (cont.)
• Challenge “significance” of identified system deficiencies
• Number of occurrences (e.g., bad statistical sample (J.F. Taylor) isolateddeviations)
• Amount involved
• Issue obsolescence (system changes, system control/correction)
• Inapplicability of requirements
• Government requirements on prime contractors (e.g., FAR 16.603requirements re: definitization of letter subcontracts)
• Request opportunity to discuss with CO
• Consider requesting review from CBS review panel
12
Supported contractor positions in combination withdetailed CAP have had significant success
Key Compliance Issues
• Electronic systems that have
• Strong internal controls
• Function with minimum errors
• Are integrated, reconcilable and auditable
• Clear distinction between electronic and paper systems
• Robust written policies and procedures that clearly describe the relevantsystems and compliance requirements
13
Key Compliance Issues (cont.)
• Robust practices for ensuring compliance
• Training
• Internal compliance reviews
• Internal controls (e.g., approval levels)
• Appropriate and timely resolution of deviations
• Specifically tailored corrective actions, policies updated to addressissues identified
14
Specific System Compliance Issues – AccountingSystems
• Comprehensive and easy-to-follow policies and procedures
• Conflicting guidance problematic
• Cost accounting
• CAS compliance for contract element cost allocations (among CLINs, sub-CLINS or units, etc.)
• Consistent and compliant indirect cost allocation
• Cost allowability• Professional and legal services costs, subcontract costs
• Contemporaneous documentation required
• Proper internal controls
• Appropriate approval authority for labor hours
• Error correction (timely and accurate)
• Robust internal audit, corrective action, follow-up
15
Specific System Compliance Issues – PurchasingSystems
• Comprehensive policies and procedures
• Potential Public Law violations
• TINA, CAS, Anti-Lobbying, Small Business Subcontracting Plans
• Subcontractor responsibility
• Current and complete reps and certs on file before award
• Timely and adequate cost and price analysis
• Particularly for non-competitive procurements
• Contemporaneous justification for lack of competition
• Proper flowdowns (procurement type, limited deviations)
• “Self-deleting” clauses
• Timely definitization of letter subcontracts
• Proper documentation of system policies and PO files
16
Specific System Compliance Issues – EstimatingSystems
• Comprehensive policies and procedures
• Records of all proposals submitted
• Calculation of estimated labor rates
• Appropriate grouping of labor categories
• Reasonable basis for rate escalations
• Reliance on historical experience
• Periodic internal reviews of estimates
• Monitoring and tracking estimates against actual costs
• Integration of purchasing and accounting system data with estimatingsystems
17
Specific System Compliance Issues – EVMS
• Comprehensive policies and procedures
• Proper delineation of authority
• System documentation alignment with established process
• Proper training of EVMS team
• Cost and schedule integration
• Automation and integration of accounting data
• Periodic and reliable updates to performance measurement baseline torecognize program changes
• Consistent and appropriate use of management reserves
18
Specific System Compliance Issues – MMAS
• Comprehensive policies and procedures
• Excess material issues
• Evidence of requirement planning issues
• Improper safety stock calculations
• Long lead material procurement triggers
• Timely disposition
• Physical reconciliation to recorded inventory
• Retained on floor material accuracy
• Adjustments for differences
• Periodic compliance tracking through metrics (BOM accuracy, MPSaccuracy)
19
Specific System Compliance Issues – GovernmentProperty Systems
• Comprehensive policies and procedures
• Designation, marking and traceability of GP
• Clear delineation of responsibility for GP
• Proper communication with government personnel re:GP issues
• Handling disposition of GP
• Subcontractor use of GP
20
Developments – Proposed Business SystemSelf-Assessment Requirements
• Proposed rule released July 15, 2014 (79 FR 41172)
• Intended to alleviate DCAA backlog
• Would apply to accounting, estimating, and MMAS systems
• Report for accounting and estimating systems would be made annually,beginning with first fiscal year after the effective date
• Report for MMAS would be required when government conducts MMAS review
• Contractors would be required to provide a report on system compliancewithin six months after the end of the contractor’s fiscal year
• Also requires independent CPA assessment
• Case closed without further action, potential to be reopened
21
Developments – DOE Business Systems Rule
• DOE adopted its own version of business systems rule (DOE Acq. Letter2013-11 (Aug. 2013), 79 FR 18416(April 1, 2014)
• Applies to contracts for capital asset projects or for non-capital asset projects
• Does not apply to M&O contracts, small business contracts, or certain servicecontracts
• Requires compliance with five of six DOD systems
• Within 60 days of award, DOE contractor required to provide CO withwritten documentation that business system meets the relevant systemcriteria
• DEAR update pending, M&O rule being considered
22
Developments – Counterfeit Parts
• DFARS Rule issued March 2014
• Contractors responsible to detect and avoid counterfeit electronic partsor suspect counterfeit electronic parts
• New contract clause - DFARS 252.246–7007, Contractor Counterfeit ElectronicPart Detection and Avoidance System
• Applies to contractors that supply electronic parts under CAS-coveredcontracts
• Including modified CAS
• Mandatory flowdown to all subcontractors (including small business, COTS)
23
Regulatory Developments – Counterfeit Parts (cont.)
• Training
• Inspection and testing
• Processes to abolish counterfeitpart proliferation
• Traceability
• Use and qualification of trustedsuppliers
• Reporting and quarantining
• Identification and investigation ofsuspect parts
• Design, operation and maintenanceof adequate systems
• Flowdown to subcontractors
• Keeping continually informed ofcurrent counterfeiting informationand trends
• Screening GIDEP
• Control of obsolete electronic parts
24
• 12 New Purchasing System Requirements
Significant deficiency results in system disapproval and withholds
Future Developments – Cybersecurity
• Cybersecurity significant focus of DOD
• Security safeguarding requirements being imposed throughout DOD, includingas part of CDI clause
• Additional requirements being developed for use throughout government
• Government likely seeking ways to enforce cybersecurity requirements insystem context
• GSA/DOD Joint Working Group Recommendations include increasinggovernment accountability
25