Accounting System, Department of Defense News, Running Your Business

DFARS Cyber Security for Small Business Contractors

In 1998, I listened to an IT staff member from a large contractor proceed to chew out the contractor’s accounting staff for ‘losing’ a folder stored on the company’s servers containing all of the year-end closing work. He proceeded to call the staff “idiots” and ignorant while glossing over the fact that the IT department’s backup of the critical data had failed the night before.

He noticed my smile and could not decide if I was agreeing with him or laughing at him, so he asked me what the F**K I was smiling about. I replied,

“I want to thank you. For years people have criticized accountants as being unresponsive to the company’s needs, speaking a language no one else understands, and not really caring about the success of the company. People now say this about IT people instead.”

A few weeks later a software consultant, with full access to all of the IT systems, destroyed the company’s general ledger by using direct access to the database to create new balances in 146 general ledger accounts. The consultant then spent months trying to fix the error while hiding it from the company. Nine months later, one of the company’s employees printed out a general ledger report that showed a WIP balance of a little over two million dollars while the subsidiary ledger showed an amount several times larger.

What saved us was the trial balance that I had printed out the day before the consultant screwed up the general ledger. I took the printout with me as a resource for my work for them with DCAA.

As a result of this lesson, and too many others, I started asking myself twenty years ago about the relationship between accounting and IT. Part of my thinking can be seen in the name I chose for my later technology company: “Accountable Technologies”. I would love to say that Edward Snowden was the final nail in the coffin, but there are thousands of accidental and deliberate Snowdens scattered across American businesses, large and small.

I personally believe that IT personnel should have episodic access to the accounting system, not at will. Perhaps you do not agree with this, fine.

But you should take advantage of the new cyber security requirements adopted by the Department of Defense to think about the issue and to develop your own policies and procedures.

DARPA put up an excellent guide for small business with links to expanded materials. Take a look and think about it.

https://www.darpa.mil/work-with-us/for-small-businesses/cybersecurity

By the way, if you were wondering what happened to the missing folder, an employee visiting from another location to document procedures had moved the folder to her personal files for future reference, thinking she had copied it. We discovered this a couple of hours later when she wandered into the office.

More at www.dcaacompliance.com

Cost And Accounting, DCAA Relations, Incurred Cost Proposals

Thank You DCAA for New Adequacy Guidance.

I can take this one of two ways:

  1. DCAA now agrees that adequacy is defined by the regulation and should not be subject to individual auditor whims.
  2. Doing the right thing means doing less work upfront as they probably will not audit anyway.

The following is from the New ICE Manual.

“The following Schedules and information are not required for submittal of an adequate proposal; however, the information will be required to complete the audit.  ICE contains Supplemental Schedules A-1, A-2, A-3, A-4, B, C, and O that can be utilized by the contractor to provide information as noted below:

SUPPLEMENTAL MODEL INCURRED COST PROPOSAL INFORMATION

  1. Comparative analysis of indirect expense pools detailed by account to prior fiscal year and budgetary data can be provided on the following schedules:
     - Supplemental Schedule A-1 – Overhead
     - Supplemental Schedule A-2 – G&A
     - Supplemental Schedule A-3 – Intermediate Pool Costs
     - Supplemental Schedule A-4 – Direct Costs

     These schedules may be used for comparison of prior year actual costs; however comparative analysis of budgetary data will also be required by the auditor.

  2. Supplemental Schedule B – Compensation for Certain Contractor Employees per FAR 31.205-6(p).
  3. Supplemental Schedule C – Prime Contracts Under Which the Contractor Performs as a Subcontractor.
  4. Supplemental Schedule O – Contract Briefs.
  5. List of ACOs and PCOs for each flexibly priced contract.
  6. Identification of and information on prime contracts under which the contractor performs flexibly priced effort as a subcontractor.
  7. List of work sites and the number of employees assigned to each site.
  8. Description of accounting system.
  9. Procedures for identifying and handling unallowable costs.
  10. Certified financial statements or other financial data (e.g., trial balance, compilation, review, etc.).
  11. Management letter from outside CPAs concerning any internal control weaknesses.
  12. Actions that have been and/or will be implemented to correct the weaknesses described in number 11 above.
  13. List of internal audits or other types of audits or studies performed by other than DCAA in this fiscal year.
  14. Annual internal audit plan of scheduled in process but not issued audits in this FY.
  15. Federal and state income tax returns (Schedule R).
  16. SEC 10-K report.
  17. Minutes from Board of Directors meetings.
  18. Listing of Delay and Disruptions and Termination Claims submitted which contain costs relating to the subject fiscal year.
  19. Contract Briefings – (Schedule S) Contract briefings generally include a synopsis of all pertinent contract provisions, such as, contract type, contract amount, product or service(s) to be provided, applicable Cost Principles, contract performance period, rate ceilings, advance approval requirements, precontract cost allowability limitations, contract limitations, and billing limitations. A typical format for the briefings is shown on Schedule S. A contractor need not use the example form if the information is already generated and available within its automated accounting or billing systems.”
DCAA Relations, Department of Defense News

The Good News — DCAA Gets A New External Peer Review Opinion. The Bad News — Qualified with Deficiencies (Again). DOD OIG identified 25 Deficiencies

DCAA receives its overdue external peer review from DOD OIG. Unfortunately, it is not the stellar report we hoped for.

https://media.defense.gov/2017/Nov/22/2001847672/-1/-1/1/DODIG-2018-028.PDF

 
