System assessments vs. audits to earn points and contract awards
The National Institutes of Health Information Technology Acquisition and Assessment Center (NITAAC) recently released the final solicitation for its Chief Information Officer-Solutions and Partners (CIO-SP4) Government Wide Acquisition Contract (GWAC), on which a huge number of companies bid. This solicitation includes language consistent with recent large solicitations for GWACs and other Indefinite Delivery Indefinite Quantity (IDIQ) contracts that allow for third-party verifications or audits of certain criteria needed to demonstrate compliance with parts of the solicitation to gain points towards being qualified to stay within the competitive range. We expect this trend to continue, and similar language is already seen in the draft solicitation of the upcoming Department of State Evolve procurement. It is imperative that federal contractors understand the status of each of their business systems so that they are ready for future opportunities that either prioritize or necessitate certain compliant systems.
Federal contractors must adequately monitor and maintain their business systems. The tools they can choose from include using outside consultants. Those consultants can provide either a gap assessment or a full audit. Assessments tend to have a shorter timeline to completion, and therefore the costs are usually significantly less than those of a full system audit. If the terms of a solicitation allow for independent assessments or audits of specific business systems, contractors, particularly small businesses, that may be lacking government approval or audit of those specific business systems can then be more competitive.
Audits v. Assessments
One of the reasons that audits are so expensive is the requirements and regulations around an audit opinion, particularly when audits are conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS). To provide an audit opinion on a system, the auditor must look at the whole organization and must consider things other than just the specific system. For example, an audit includes a full risk assessment that covers things like an understanding of the contractor’s internal control environment, general information technology controls, fraud risk, and overall risk profile. Then fieldwork would commence, where sampling and testing would cover a significant period of time and a significant number of transactions, which ultimately results in a full report with an audit opinion.
An assessment, on the other hand, does not have to follow the same requirements and regulations as an audit. In an assessment, the consultant is able to target pain points within the specific system to determine if the system is in compliance with the applicable system criteria. This often includes:
- Reviewing policies and procedures
- Interviewing personnel
- Confirming that system training has occurred
- Performing mock audits that target the specific transactions or information applicable to the system under assessment
- Ensuring that a methodology is in place for consistent processes
- Reviewing internal audits or management reviews of the system and its components
Assessments can be tailored to the unique organizational needs of each contractor to include:
- Assisting with a full implementation
- A gap assessment with recommendations for improvement of a system that is already in operation but may not meet all of the criteria
- Strictly assessing and reporting on a fully operational system that is already designed to meet the specific system criteria
In determining the acceptability of an assessment over an audit, one can look to the Standard Form 1408 Pre-Award Survey of Prospective Contractor (Accounting System) as a benchmark. This form includes an evaluation checklist to determine if the accounting system meets certain specific criteria defined on the form. The last item on the form asks for a conclusion about whether or not the system is in full operation by selecting:
- In operation
- Set up, but not yet in operation
Consultants can apply this same evaluation process to each business system by measuring it against its specific system criteria outlined in the Defense Federal Acquisition Regulation System (DFARS) and then making a determination about the status of the operation of the system, similar to that in the Standard Form 1408. While not all contractors are subject to the DFARS system criteria, these criteria are commonly considered the standard by which government systems should be measured.
What are the business systems?
Each of the above systems benefits the government by increasing the reliance and consistency of information and transactions with the government. This reduces a contractor’s risk in a number of different areas including defective pricing, false claims, and payment withholdings. They also provide contractors with tools to help ensure consistency, enable efficiency, and potentially improve efficacy.
As alluded to earlier, not all requests for proposals allow for assessments or audits of business systems from non-government entities in order to be eligible to bid or receive points for consideration. Therefore, it is essential for federal contractors to understand the various business system requirements within solicitations and how requirements will be evaluated by the government. It’s important to note that if a draft Request for Proposal (RFP) only allows for businesses to have government-approved or audited accounting or other business systems, federal contractors can submit feedback to the contracting officer regarding how this potentially restricts competition, so there is a chance the RFP is amended accordingly when it goes final. No matter what, though, federal contractors of all sizes should consider the benefits of having practically designed, compliant business systems, as they instill high levels of discipline and overall internal control within these critical operational areas.