Audit – noun; An official inspection or examination of an organization’s or individual’s accounts or financial situation, typically by an independent body
Audit – verb; To conduct an official examination of an individual’s or an organization’s accounts
Whether you are looking up the noun or the verb, the word “Audit” heightens anxiety levels in even the staunchest of GovCon owners. We’d like to help settle your nerves when it comes to audits. Let’s focus on three of the most common types of Audits experienced by GovCons: Financial Statement Audits and DCAA Accounting Business System and Indirect Rate Audits. We’ll discuss what they are, why they happen, and what you can do to prepare…other than fleeing the country…
Financial Statement Audits: These audits roll around annually and seem just to have ended as the next one starts! A Financial Statement Audit is focused on the financial results of the business for a specific period of time. Financial Audits give comfort that the reporting you’ve received from your system and finance team is complete and accurate. Many banks and customers request audit reports to support their assessments of a company’s financial stability for lending and contract awards. Audits are performed by registered CPA firms. Audit “testing” consists of reviewing, recalculating, corroborating, and otherwise validating the results of your operations and the balances of assets, liabilities, and equity at the end of a fiscal year. There’s more to it, but you get the gist. As the auditors ask for schedules, receipts, statements, and other documentation they’ll do one other thing…review your company’s system of internal controls over financial reporting. What is that, you ask? It’s the documented policies, processes, and procedures you follow to gather, process, and report on financial data. Ever wonder why you are asked to approve an invoice, submit a detailed receipt, or sign a PO? You were following and documenting your GovCon’s internal controls. Armed with your Financial Statement audit report, you are ready to bid on work, apply for a line of credit, or just feel good that your GovCon’s books are in good shape!
DCAA/DCMA Audits: These audits are usually of either one of the six business systems described in FAR Part 252.242-7005 Contractor Business Systems (the only nerdy reference we’ll provide) or of contract costs (direct contract costs or of your GovCon’s indirect cost rates). DCAA and Audit in the same sentence can send shock waves through the back office. Let’s see if we can make them a little less scary, starting first with the most common business system audit.
Accounting Business System Audits (otherwise known as pre- and post-award audits): Take a look at your accounting system (software, policies and procedures followed, and the expertise of your staff). The pre-award audit (a.k.a. SF1408 Audit) is exactly what it sounds like – it takes place as you win your first Cost-type contract, and the audit is requested by your Govt customer. The Post-Award Audit is again pretty much what it sounds like – it includes a review of costs incurred as well as the system in place used to authorize, record, and report those costs. The good news (if there can be any good news about these audits) is they usually roll around every three years (not every year)! If you set everything up with the expectation that it will someday be subject to audit, you’re on the right path. These audit reports demonstrate that your business is capable of handling cost-type contracts. Here are the three critical components:
- Software – Select a reputable application that can handle cost accounting without much tweaking. Luckily, there are several good choices out there. Your GovCon needs to be able to track direct costs by project, indirect costs by pool, calculate and apply indirect cost rates to projects base incurred, and track billings against contracts. Trust me – you don’t want to have to go back and try to recreate records.
- Policies & Procedures – There are rules to follow. Learn them, document them, and follow them and you’ll be just fine. Circumvent them, apply them inconsistently or not at all and we’ll hope not to read about you in The Post!
- Staff – Hire qualified personnel to handle your accounting, contracting, and personnel and you’ll have no trouble passing an audit. Unqualified\inexperienced people may do or say the wrong thing at the wrong moment, and you’ll find yourself responding to internal control findings or without the audit report you need to go after CPFF work. You may not need the expertise on a daily basis but be sure you have it available to ensure your books and records are always “clean”.
Indirect Cost Audits (contract close out or incurred cost submission): Start with reviewing those same policies and procedures you have in place for the accounting system audit. Next, they will want to see documentation of those costs (i.e. timesheets) and of compliance with the internal controls (i.e. timesheet signatures w/date & time stamps) over those costs to determine that you not only have good controls in place but that you are following them. DCAA won’t do a 100% review of costs – unless you can’t provide documentation of cost or compliance. Nothing worse than a DCAA auditor with a case of the “Cold Pricklies” instead of “Warm Fuzzies” after reviewing your internal controls! Remember that undocumented costs = questioned costs. That is a fancy DCAA term for costs you aren’t going to be able to recover under your contracts – and may even have to repay. The conclusion of these audits should result in reports that support your claimed costs.
Audit Reporting: The conclusion of any audit should result in the issuance of an audit report. If there were bumps along the way (i.e. missing documentation, the auditors identified holes in your systems where things could have gone sideways, or, in the worst case, the errors did occur) you may have also received internal control findings. Spoiler Alert: government agencies get to see these reports. It’s like airing your dirty laundry until you put a corrective action plan in place and the auditors are satisfied that you adequately mitigated any findings. Good compliance helps ensure that any internal finding an auditor identifies is so minor that no reporting ensues.
As a GovCon, your finances are holistically intertwined with compliance. Compliance is reviewed and confirmed via audit. Audit readiness is just another form of business readiness. Don’t fear the audit, fear not having prepared your GovCon to pass the audit. This understanding can bring a whole new level of “audit Zen” to your GovCon. It will also bring your anxiety level back to normal as you easily survive auditor scrutiny – regardless of the type of audit or who is performing it. Stay calm, stay put, and stay compliant!
About The Author, Aimee Hollenhorst
Aimee Hollenhorst is a CPA with over 30 years of experience providing auditing, consulting and compliance support to Government Contractors. She is a BOOST CFO consultant who before joining BOOST, helped navigate three separate successful acquisition transactions.