On July 15, 2014, the U.S. Department of Defense (“DOD”) issued a proposed rule that imposes new requirements for third-party audits of three contractor business systems, as well as a requirement for contractors to self-report deficiencies uncovered in these audits or in internal reviews of these business systems. The three business systems at issue are a contractor’s accounting system, its estimating system, and its material management and accounting systems (“MMAS”). The impetus for the proposed rule appears to be the serious backlog in audits waiting to be performed by the Defense Contract Management Agency (“DCMA”) and the Defense Contract Audit Agency (“DCAA”). According to a recent GAO reports, both agencies suffer from high workloads that prevent them from meeting their auditing obligations in the business systems area.
Outsourcing Requirements: DOD’s proposed solution to this backlog is to outsource some of the auditing responsibilities to third-party certified public accountants (“CPA”) and require contractors to self-report any deficiencies. Although this approach could reduce DCAA’s and DCMA’s auditing backlog and address industry concerns that these two agencies are too quick to find significant deficiencies in contractor business systems, such a “solution” is not without risks and costs to contractors. We provided a more detailed analysis of the proposed rule in the attached Law360 Article entitled Inside_The_Proposed_DFARS_Business_Systems_Rule.
Although the contractor — together with its CPA — would be responsible for assessing and auditing these three business systems, DOD still would perform its own review on top of the contractor’s review. If the contracting officer (“CO”)determined that there were one or more significant deficiencies or that the contractor had not complied with the applicable reporting and audit requirements, the CO would have 30 days to respond in writing to the initial determination, after which the contracting officer would make his/her “final determination” of whether there were any remaining deficiencies or noncompliance. The CO also would have discretion to withhold payments to the contractor upon a final determination of significant deficiencies or noncompliance with applicable reporting and audit requirements. However, the withholding of payments does not limit the other remedies that the CO may seek against a contractor because of harm caused by a deficient business system. The proposed rule would not impact DCMA’s existing role in reviewing and auditing contractors’ purchasing, government property and management, and earned value management systems. It bears noting, however, that payments may be withheld for significant deficiencies under any of the six contractor business systems pursuant to the existing procedures under DFARS 252.242-7005, even though the proposed rule reaches only estimating, MMAS, and accounting systems.
Impact of the Rule: The proposed rule does not address the ambiguities and risks inherent in the current rules governing business systems compliance, but it does create a new dynamic among contractors, their private auditors, and the government. The proposed rule may allow the government to approve a contractor’s systems more quickly, which would be welcome news for the contractor community. The backlog of government audits has been an issue for some time, and some contractors may embrace the use of third party auditors if they are waiting for government resolution on a number of fronts. It is not clear, however, whether this new proposed framework will realize meaningful time efficiencies. Government auditors who review third-party CPA audits may not be inclined to rubber stamp those findings. Moreover, the required disclosure of deficiencies is troublesome. Should an audit uncover information that puts a company at legal risk, the audit will not have been conducted under a privileged review. Thus, the disclosure requirement in the proposed rule may be at odds with a contractor’s desire to more fully investigate any issues raised by an audit and could force a quicker resolution to the matter than would be required otherwise under the FAR mandatory disclosure requirement.
DOD has solicited written comments in response to the proposed rule, which must be submitted by Sept. 15, 2014.