System assessments vs. audits to earn points and contract awards

The National Institutes of Health Information Technology Acquisition and Assessment Center (NITAAC) recently released the final solicitation for its Chief Information Officer-Solutions and Partners (CIO-SP4) Government Wide Acquisition Contract (GWAC) on which huge amount of companies bid. This solicitation includes language consistent with recent large solicitations for GWACs and other Indefinite Delivery Indefinite Quantity (IDIQ) contracts that allow for third party verifications or audits of certain criteria needed to demonstrate compliance with parts of the solicitation to gain points towards being qualified to stay within the competitive range. We expect this trend to continue and similar language is already seen in the draft solicitation of the upcoming Department of State Evolve procurement. It is imperative that federal contractors understand the status of each of their business systems so that they are ready for future opportunities that either prioritize or necessitate certain compliant systems.

Federal contractors must adequately monitor and maintain their business systems. The tools they can choose from include using outside consultants. Those consultants can either provide a gap assessment or they can provide a full audit. Assessments tend to have a shorter timeline to completion and therefore the costs are usually significantly less than a full system audit. If the terms of a solicitation allow for independent assessments or audits of specific business systems, contractors, particularly small businesses, that may be lacking government approval or audit of those specific business can then be more competitive.

Audits v. Assessments

One of the reasons that audits are so expensive is because of the requirements and regulations around an audit opinion, particularly when they are conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS).  To provide an audit opinion on a system, the auditor must look at the whole organization and must consider things other than the just the specific system. For example, an audit includes a full risk assessment that covers things like an understanding over the contractor’s internal control environment, general information technology controls, fraud risk, and overall risk profile.  Then fieldwork would commence where sampling and testing would cover a significant period of time and a significant number of transactions, which ultimately result in a full report with an audit opinion.

An assessment, on the other hand, does not have to follow the same requirements and regulations as an audit. In an assessment, the consultant is able target pain points within the specific system to determine if the system is in compliance with the applicable system criteria.  This often includes:

1. Reviewing policies and procedures
2. Interviewing personnel
3. Confirming that system training has occurred
4. Performing mock audits that target the specific transactions or information applicable to the system under assessment
5. Ensuring that a methodology is in place to for consistent processes
6. Reviewing internal audits or management reviews of the system and its components

Assessments can be tailored to the unique organizational needs of each contractor to include:

• Assisting with a full implementation
• A gap assessment with recommendations for improvement of a system that is already in operation but may not meet all of the criteria
• Strictly assessing and reporting on a fully operational system that is already designed to meet the specific system criteria

Assessment Authority

In determining the acceptability of an assessment over an audit, one can look to the Standard Form 1408 Pre-Award Survey of Prospective Contractor (Accounting System) as a benchmark. This form includes an evaluation checklist to determine if the accounting system meets certain specific criteria defined on the form. The last item on the form asks for a conclusion about whether or not the system is in full operation by selecting:

1. In operation
2. Set up, but not yet in operation
3. Anticipated
4. Nonexistent

Consultants can apply this same evaluation process to each business system by measuring it against its specific system criteria outlined in the Defense Federal Acquisition Regulation System (DFARS) and then making a determination about the status of the operation of the system, similar to that in the Standard Form 1408. While not all contractors are subject to the DFARS system criteria, these criteria are commonly considered the standard by which government systems should be measured.

What are the business systems?

Each of the above systems benefits the government by increasing the reliance and consistency of information and transactions with the government. This reduces a contractor’s risk in a number of different areas including defective pricing, false claims, and payment withholdings. They also provide contractors with tools to help ensure consistency, enable efficiency, and potentially improve efficacy.