Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Going Beyond Business Systems
1.
2. Government Contract
Controls: Going Beyond
Business Systems
Breakout Session A03
Sajeev Malaveetil, Partner, Ernst & Young LLP
Andy Artz, Senior Manager, Ernst & Young LLP
Karl Fultz, Manager, Ernst & Young LLP
December 12, 2016
Time: 1:00 p.m.-2:15 p.m.
3. Contact Information
Sajeev Malaveetil
Partner
+1 703 747 1248
sajeev.malaveetil@ey.com
Andy Artz
Senior Manager
+1 703 747 1480
andrew.artz@ey.com
Karl Fultz
Manager
+1 469 865 4168
karl.fultz@ey.com
4. Agenda
• Defense Federal Acquisition Regulation Supplement
(DFARS) Business Systems Background
• DFARS Business Systems and Common Controls
• Integrating DFARS and Beyond
4
6. Internal Control Requirements
• FAR 52.203-13 requires:
• Contractors to establish an internal control system, which
provides for:
• Assignment of responsibility
• Compliance with code of ethics and conflict of interest restrictions
• Periodic review of company practices
• Internal reporting mechanisms
• Disciplinary actions for improper conduct
• Full cooperation with the government on audits, investigations or corrective
actions
• Timely disclosure of violations of federal criminal law involving fraud, conflict
of interest, bribery, gratuity violations or the False Claims Act
• Disclosures are a key component of any control environment.
• DFARS business systems are only one component of a sound
internal control environment.
6
7. DFARS Business Systems
Rule Background
• The Department of Defense (DoD) issued an interim rule
effective May 18, 2011, which mandated withholding a
percentage of payments when a contractor’s business
system has one or more significant deficiencies.
• The final rule was released with minimal changes effective
February 24, 2012.
• A “significant deficiency” is defined as “a shortcoming in
the system that materially affects the ability of officials of
the DoD to rely upon information produced by the system
that is needed for management purposes.”*
7
* DFARS 252.242-7005 Contractor Business Systems
8. DFARS Business Systems
Rule Background
• Business systems
• Accounting
• Estimating
• Purchasing
• Earned Value Management
• Material Management and Accounting
• Property Management
• When does the business systems rule apply?
• Applies to DoD CAS covered contracts, which contain the 252.242-
7005 clause, along with a system specific clause
8
9. Audit Activity
• DCAA’s focus on incurred cost had delayed system audits.
• On September 30, 2016, DCAA MRD 16-PPD-008(R)
announced DCAA had met requirements of the 2016
National Defense Authorization Act of an incurred cost
backlog of less than 18 months.
• System audits are expected to increase as incurred cost
audits are completed.
• Inspector General reports on DCMA’s compliance with
DFARS criteria are expected to increase oversight of
business systems.
9
10. Business System Withhold Trends*
System Tracked Disapproved
Percent
Disapproved
Withhold
Amounts
($M)
DCAA FY 17
Audits**
Accounting 3,500 36 1.4% $0 8
Estimating 688 24 3.5% $256 31
Purchasing 826 25 3.0% $0 N/A
Earned Value 310 16 5.2% $87 N/A
Material
Management
337 3 0.9% $3 13
Property 2,200 8 0.4% $0 N/A
*Source: Vince Perez, Deputy Director of the DCMA Cost and Pricing Center, NDIA industry presentation
**Source: DCAA FOIA Case I-17-011-H
10
11. Self-Audit
DFARS Case 2012-D042
• The proposed rule would have required contractors
to have their business systems audited by a CPA
firm.
• The rule was initially proposed due to an increased
backlog of system audits.
• Contractors are still faced with the dilemma of
unaudited systems and are proactively assessing
their own systems.
11
12. Disclosures
• Disclosures are a key component of internal control design.
• Controls should identify and provide for notification to the
government.
• The rule was initially proposed due to an increased backlog
of system audits.
• Contractors are still faced with the dilemma of unaudited
systems and are proactively assessing their own systems.
12
13. Contractor Dilemmas
• Preparing for new wave of system audit activity
• Identifying potential system weaknesses prior to
government reviews
• Minimizing disruption of government audits
• Cost-effectively monitoring, remediating and improving
controls without sacrificing operational efficiencies
13
15. DFARS Systems vs. Common Controls
• Both DFARS and “normal” financial controls attempt to
achieve a strong control environment with active controls
and monitoring in place.
• Many risks and controls from the DFARS business systems
have overlapping traits and objectives with existing control
frameworks.
• Compliance and operations can coexist effectively with
careful planning and execution.
15
16. 16
Business System Common Financial Control Area
Estimating Bids, estimates, proposals, audits of estimates
Earned Value Management Revenue recognition
Material Management Inventory control and year-end counts
Accounting Financial reporting and audits
Indirect and Other Direct Costs Depreciation, allocations
Compensation Pay authorizations, HR compensation
assessments
Billing Cash
Labor Payroll, timekeeping, employee verification
Information Technology SOX IT controls
Purchasing Reviews of payables, accruals, vendor master
files, authorizations
Property Asset control and physical verifications
17. Example – Procurement/Purchasing
DFARS — Purchasing
• Policies and procedures
meet regulatory
requirements and are
followed in practice.
• Purchases are all approved
per company policy.
• Due diligence of suppliers is
completed (e.g., reps and
certs).
Procurement controls
• Policies and procedures
exist to define procurement
authority thresholds.
• System limits purchase
orders to approved
vendors.
17
18. Example – Labor/Timekeeping
• DFARS labor controls and existing payroll/timekeeping
controls both require:
• Employees to timely and accurately use timekeeping systems with
supervisor approval on regular basis
• Reconciliations between timekeeping, labor, and general ledger
• Timely removal of access for terminated employees
• Ethics/violation hotlines available and employees aware
• Training for timekeeping and other essential job skills provided
18
19. Example – Estimating System and Bid
and Proposals Controls
• DFARS Estimating System and existing bid/proposal controls
both require:
• Adequate review and approval of all offers to potential
customers for scope, terms and conditions, etc.
• Adequate policies and procedures exist to provide complete,
accurate and consistent offers
• Accurate, updated and communicated delegations of
authority
19
22. Advantages
• Reduction of duplicate efforts
• Policies and procedures
• Internal control documentation
• Control design and operating effectiveness
• Substantive testing and remediation
• Preparation for external reviews
• Decreases internal audit and consulting costs
• Increased internal audit efficiencies
• Provides baseline for external consultants
• Can perform self-assessments
• Allows government to rely on internally developed reviews
22
23. Self-Assessments
• Contractors having increased success with
self-assessments
• Allows government to rely on internally developed
reviews
• Decreases internal audit and consulting costs
• Increased internal audit efficiencies
• Provides baseline for external consultants
23
24. Other Areas of Control Integration
• Other areas outside DFARS and common financial
controls can also be integrated:
24
• Estimates-at-completion • Labor qualifications
• Export controls • GSA Schedule price reductions
• Service Contract Act/Davis-Bacon Act • EEOC and labor laws
• Cybersecurity • Small-business subcontracting
25. Traits of a Successful Integration
• Clear ownership of compliance requirements
• Embedding government requirements into internal control framework
• Comprehensive enterprise risk management
• Coordinated audit planning
• Inter-organizational knowledge sharing
• Singular internal control repository
• Clear and functioning governance and oversight structure (e.g., policies,
procedures, training, internal audit, reporting)
25