This article provides background with respect to recent GAO reports that are critical of the Defense Contract Audit Agency (“DCAA”), as well as several audit guidance memoranda that DCAA issued in the aftermath of these reports. As described below, the DCAA’s audit guidance memoranda impose rigorous new timelines for responding to auditor requests for records and access to contractor personnel. The guidance also provides that in audits of contractors’ internal control systems, an auditor may no longer find a contractor system inadequate “in part,” but must find the entire system inadequate and take action to suspend payment of invoices where a single control objective is not met. We offer some suggestions as to actions contractors may wish to take to mitigate the impact of the DCAA’s audit guidance.
The GAO Reports
A July 2008 Report from the Government Accountability Office (GAO) substantiated significant deviations from professional accounting standards by the Government’s principal auditing arm, the Defense Contract Audit Agency (DCAA). The DCAA and its then newly-appointed Director April G. Stephenson became the subject of intense scrutiny from Congress, private watchdog organizations and the Department of Defense Inspector General (DoD IG). The GAO followed up with a September 2008 report confirming its earlier allegations and promising a broader examination of DCAA. Perhaps under the pressure of the unrelenting inquiry, DCAA began a fundamental shift away from a practice of cooperating with government contractors to a posture where a single defect in a contractor’s internal control system renders that system inadequate and may result in contract payments being suspended or withheld. New DCAA guidance also established a procedure to quickly escalate pressure on contractors who fail to immediately comply with record requests or who deny auditors access to personnel (despite the fact that auditors have no discernable legal basis to demand access to personnel). Director Stephenson’s subsequent public comments have described a “brave new world” in which auditors exercise less discretion and demonstrate more “skepticism”. In her prepared statement and comments at a May 2009 hearing of the Commission on Wartime Contracting, Director Stephenson proposed a regulatory change that would mandate automatic partial withholding of contract funds whenever a contractor fails to meet any internal control system objective.
Allegations of DCAA Auditor Impropriety
The GAO reports found that DCAA auditors had an overly familiar relationship with contractors at three locations in California. The final report stated that the GAO had substantiated allegations related to each of 13 separate audits GAO reviewed involving seven different government contractors. The report included the following findings:
- DCAA’s workpapers did not support reported opinions.
- DCAA supervisors dropped findings and changed audit opinions without adequate audit evidence.
- There was insufficient audit work done to support audit opinions and conclusions.
- Contractor officials and DoD contract personnel improperly influenced the audit scope, conclusions and opinions.
- DCAA managers intimidated auditors and created a hostile work environment.
- DCAA did not comply with generally accepted government accounting standards (GAGAS).
DCAA Policy Changes
After enduring this criticism, DCAA made several changes in its approach to audits, especially with respect to audits of government contractors’ internal controls. Before the highly critical GAO Report was published, DCAA had released a memorandum concerning internal controls that provides guidance concerning the reporting of Significant Deficiencies and Material Weaknesses.
- That guidance describes a Significant Deficiency as “an internal control deficiency, or combination of deficiencies, that (1) adversely affects the contractor’s ability to initiate, authorize, record, process, or report Government contract costs in accordance with applicable Government contract laws and regulations, (2) results in at least a reasonable possibility that unallowable costs will be charged to the Government, and (3) the potential unallowable cost is not clearly immaterial.”
- The guidance describes a Material Weakness as “a significant deficiency (or combination of significant deficiencies) that results in or could result in material unallowable costs being charged to the Government.” (emphasis in original)
The guidance also concludes that because DCAA only audits systems that are material to the government, all internal control deficiencies should be reported as significant deficiencies constituting a material weakness “unless potential unallowable costs are clearly immaterial.” Where such a deficiency existed, the guidance concluded, the auditor must declare the system either inadequate or inadequate-in-part.
Three separate audit guidance memoranda—all of which were published on December 19, 2008 following the GAO’s reports—made the following “clarifications” to DCAA’s audit guidance:
- Failure to meet any internal control objective (even if unrelated to cost) constituted a significant deficiency/material weakness.
- Any finding of a material weakness should result in a recommendation to disapprove the internal control system and suspend or withhold payments.
- Auditors were no longer permitted to declare a system inadequate-in-part; it either passed or failed.
- Auditors were no longer permitted to make suggestions for improvements.
- A separate targeted internal control system audit must be conducted (generally within 30 days) whenever control deficiencies are discovered in any audit.
- Records should be provided upon request and, at least for records used in a proposal, they should be provided the same day requested.
- Whenever a contractor fails to provide access to personnel or records in a “timely” manner—which may be as short as the same day and should not exceed one week, barring exceptional circumstances —a formal report of denial of records (DCAA Form 1) must be submitted.
Audits of Internal Control Systems
DCAA’s first of three guidance memos purported to clarify its earlier approach to audits of internal controls and to establish clear guidelines where any internal control objective was not met. First, it made clear that even where control objectives were not related to charging costs, a failure to meet any control objective constituted a significant deficiency and, therefore, a material weakness. To emphasize this point, the memo explained that the failure to meet a control objective related to ethics and integrity would create “an environment that could ultimately result in mischarging to Government contracts.” Thus, the memo provides that, even where no actual mischarging has been found, the internal control system must be deemed inadequate where any control objective is not met.
The memo also took away the auditors’ option of declaring a control system inadequate-in-part and the practice of making suggestions for contractors to improve their systems. It required that, wherever a control objective was not met, the audit report must identify the deficient portions of the system and recommend that the contracting officer disapprove the system (if applicable) and suspend or withhold payments.
Targeted Interim Audits of Internal Control Systems
A second guidance memorandum established a policy of publishing a flash report and initiating a targeted audit of internal controls whenever internal control deficiencies are identified in any audit other than an audit of internal controls. Thus, if a control deficiency was discovered during a forward pricing audit, the auditor would be obliged to issue a flash report even before she finishes the current audit (preferably within 30 days). Once the flash report is issued, the contractor has seven days to comment or the flash report will be published with a notation that the contractor failed to make a timely response. Additionally, a separate audit focused on the contractor’s activities related to the deficient control object must be initiated.
Timely Access to Records and Personnel
The third guidance memorandum attempts to clarify the requirement for “timely” access to records by establishing specific guidance regarding timing and procedures. It advises auditors to make a clear oral or written request for supporting documentation describing what is needed and when it is to be provided. Most records are to be readily accessible, and the guidance suggests such records should be provided on the same day requested. If the auditor’s requested due date is not met and a sufficient explanation is not provided, she must promptly (within 5 days) make a formal written request to a member of the contractor’s senior management, demanding that the documents be provided by a date certain. That due date must be within less than a week. When the auditor is convinced the contractor will not produce the records, she must begin a formal process and seek a subpoena for the records under DCAA’s or the DoD IG’s authority.
When a contractor fails to provide supporting documents, the auditor must find the related costs unallowable. Moreover, even if the contractor agrees that a cost is unallowable, failure to provide relevant documentation requires that the auditor investigate further to determine if the lack of documentation is the result of a lack of adequate internal controls. If it is, the auditor must publish a flash report and initiate a targeted audit of internal controls as described above.
The third memo goes on to state that “[s]upport includes access to personnel”. DCAA provides no authority for this contention and relevant statutes and regulations suggest there is no legal support for this proposition. FAR 52.215-2, 10 USC § 2313 and 41 USC § 254(d) provide for the examination of records. However, the definition of records provided there does not include interviews of personnel.
The recent DCAA audit guidance may place contractors in a difficult situation. DCAA’s new posture will demand more responsiveness from contractors, including greater and faster access to records and personnel. At the same time, auditors have been stripped of their discretion to declare a system inadequatein- part or to make suggestions for improvements; and targeted audits of internal controls are now mandatory where a control deficiency is found during another audit. Furthermore, Director Stephenson’s proposed automatic withholding of 10% or more whenever a control system is found inadequate might have a significant impact on a contractor’s operations.
- As always, contractors should endeavor to cooperate with DCAA and satisfy their contractual, legal and regulatory obligations. Nonetheless, when DCAA makes unreasonable requests for records or demands access to personnel, contractors need to know their rights and be willing to exercise them to avoid the expense and distraction of auditors engaged in inappropriate activities.
- For every DCAA audit, contractors should consider identifying a single point of contact to the DCAA for all requests for records, information, and access to employees. The point of contact should have direct access to senior management so that issues and problems relating to audits can be quickly escalated, prior to DCAA issuing any notice or taking adverse action.
- Consider performing an external audit or assessment of internal controls prior to any DCAA audit. This should enable a contractor to address any potential weaknesses in advance of the DCAA audit and, hopefully, avoid having to address any DCAA-identified inadequacies in internal controls in the context of an adverse audit report.
There are many benefits to maintaining internal controls. They provide visibility over critical contract metrics and allow businesses to manage workload and costs. At the same time, companies must consider the increased risk and costs posed by the new audit guidance and make informed decisions about the business tools they invest in and the types of contracts they choose to compete for. There will certainly be challenges to DCAA’s new approach, and contractors should consult with colleagues and professionals to keep up with changes as the new guidance is implemented. Additionally, contractors should consider seeking assistance in conducting their own audits, to ensure their control systems will withstand DCAA’s heightened scrutiny.
Weapons Systems Acquisition Reform Act of 2009
On May 22, 2009 President Obama signed into law Senate 454, “A bill to improve the organization and procedures of the Department of Defense for the acquisition of major weapon systems, and for other purposes.” This legislation endeavors to reduce waste in large defense procurements. To that end, it reorganized the DoD acquisition leadership, adding a new Senate-confirmed position titled the Director of Cost Assessment and Program Evaluation with two deputies, the Deputy Director for Cost Assessment and Deputy Director for Program Evaluation. The new Director is charged with: (1) ensuring that DoD cost estimates and analysis are accurate and realistic; (2) ensuring analyses and estimates are performed for all major defense acquisition programs and major automated information system programs; (3) disclosing the confidence level of cost estimates for major procurements; and (4) reporting results regularly within DoD and to cognizant Congressional committees. It also creates two other positions reporting to the Secretary of Defense, a Director of Developmental Test and Evaluation and a Director of Systems Engineering.
Also noteworthy is the Act’s requirement to revise the Defense Supplemental to the FAR (DFARS) to provide guidance and tighten existing requirements concerning organizational conflicts of interest by contractors in major defense acquisition programs.
Fraud Enforcement Recovery Act: Amendments to the Civil False Claims Act
President Obama, on May 20, 2009 signed the Fraud Enforcement Recovery Act of 2009 (FERA) which included the first major amendments to the Civil False Claims Act (FCA) since 1986. The FCA allows the government to seek treble damages and penalties against government contractors, grantees, health care providers and others who knowingly present false claims to the government or knowingly makes false claims or statements in order to receive government funds. It also allows qui tam plaintiffs to act as private prosecutors with the possibility of sharing in any funds recovered.
The most noteworthy amendments relate to threshold jurisdictional questions and the use of certain investigative tools.
- In last year’s Allison Engine case, the Supreme Court held that FCA liability did not attach to a subcontractor’s request for payment to a prime contractor unless it could be proven that the subcontractor made a false statement with the intent to get a false claim paid by the government. The FCA, as now amended, lowers that threshold to provide jurisdiction where such a subcontractor’s false statement is simply “material” to a claim for payment. Thus, the subcontractor statement need only be capable of influencing the government to make payment.
- Additionally, under FERA, the Attorney General may now delegate authority to issue Civil Investigative Demands (CIDs)—requests for documents, information and testimony. The AG may also now share the results of those requests with qui tam plaintiffs if it is determined necessary. The delegation of this authority, combined with the ability to share investigative information with private litigants, creates a significant risk that the costs of litigation will rise and complicate matters, especially since cooperation in government investigations is mandated by the recent FAR Mandatory Disclosure Rule (FAR Supbart 3.10 (eff. Dec. 12, 2008).