June 06, 2013

Disclosing Internal Review Results to DCMA During a CPSR

In the first post of this series I mentioned that only formal audit results must be provided to DCMA during the CPSR data call period. The definition of "formal audit" is actually up for some interpretation. For example, a fairly rigid definition of "formal audit" could still exclude routine internal review tools like peer reviews from disclosure. Taken to a logical extreme of legal interpretation, a series of reviews by an “interested” internal party that are not consolidated into a formal summary report with metrics and findings could fair to meet the definition of "formal audit" set by many a counsel. Along with that exclusion, external audits that are not formalized (i.e. left in "Draft" format) are also excluded from many counsels’ definition of "formal audit.” 

In fact, you can compliantly organize your system so that DCMA never actually sees the results of internal reviews. As Director of Compliance for a pretty big ($750-900M/yr) government contractor I stood up an internal review system that performed pre-award reviews of all files with a total anticipated value exceeding $100K and spot review (1 in 10) of files between $3K-$100K. This audit approach was not only reviewed and approved by DCMA, it was one of the biggest factors leading to that purchasing system's initial approval. But because of how the system was set up in relation to the company's definition "formal audit" and the information provided proactively to DCMA via detailed quarterly reports, DCMA not only never saw an internal review they never asked for one. 

So why bother disclosing audit results to DCMA at all? Actually, there are two big reasons that could be key to your purchasing system’s approval during a CPSR:  

  1. Internal audits are required for purchasing system approval in accordance with DFARS 252.242-7001(c)(18). A lack of significant findings is often presumed evidence of an adequate internal review process. But if your purchasing system has significant findings, and DCMA is not presented with evidence that these findings are being addressed, you’ve failed to present adequate evidence of an effective internal review process. 
  2. If the main purpose of providing internal review results is establishing evidence of an effective review process then a fantastic side effect of disclosure is its potentially huge influence on how DCMA conducts your CPSR. One of the things I tell clients over and over: If you know you have a problem area, disclose and discuss during your CPSR before DCMA finds it. Disclosure and discussion (especially on the first day during in-briefing and the First File Walkthrough) can quickly turn a significant finding into a minor one as the problem, exploration of the causes, and the solutions being implemented are discussed real-time with the review team. Also, a lack of disclosure can appear as ignorance. And the only thing worse than a system malfunction is ignorance of that malfunction by those maintaining the system. From a reviewer’s perspective a lack of sufficient institutional system controls is one of the core findings that can guarantee CPSR failure. 

In the end, the only truly “bad” internal review finding is one that’s ignored. Contractors have no reason to fear disclosures resulting from internal reviews if the underlying review process is working effectively and efficiently. Bad things happen to good systems; it’s how the “bad” is processed that really counts during a CPSR.