System assessments vs. audits to earn points and contract awards
The National Institutes of Health Information Technology Acquisition and Assessment Center (NITAAC) recently released the final solicitation for its Chief Information Officer-Solutions and Partners (CIO-SP4) Government Wide Acquisition Contract (GWAC) on which huge amount of companies bid. This solicitation includes language consistent with recent large solicitations for GWACs and other Indefinite Delivery Indefinite Quantity (IDIQ) contracts that allow for third party verifications or audits of certain criteria needed to demonstrate compliance with parts of the solicitation to gain points towards being qualified to stay within the competitive range. We expect this trend to continue and similar language is already seen in the draft solicitation of the upcoming Department of State Evolve procurement. It is imperative that federal contractors understand the status of each of their business systems so that they are ready for future opportunities that either prioritize or necessitate certain compliant systems.
Federal contractors must adequately monitor and maintain their business systems. The tools they can choose from include using outside consultants. Those consultants can either provide a gap assessment or they can provide a full audit. Assessments tend to have a shorter timeline to completion and therefore the costs are usually significantly less than a full system audit. If the terms of a solicitation allow for independent assessments or audits of specific business systems, contractors, particularly small businesses, that may be lacking government approval or audit of those specific business can then be more competitive.
Audits v. Assessments
One of the reasons that audits are so expensive is because of the requirements and regulations around an audit opinion, particularly when they are conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS). To provide an audit opinion on a system, the auditor must look at the whole organization and must consider things other than the just the specific system. For example, an audit includes a full risk assessment that covers things like an understanding over the contractor’s internal control environment, general information technology controls, fraud risk, and overall risk profile. Then fieldwork would commence where sampling and testing would cover a significant period of time and a significant number of transactions, which ultimately result in a full report with an audit opinion.
An assessment, on the other hand, does not have to follow the same requirements and regulations as an audit. In an assessment, the consultant is able target pain points within the specific system to determine if the system is in compliance with the applicable system criteria. This often includes:
- Reviewing policies and procedures
- Interviewing personnel
- Confirming that system training has occurred
- Performing mock audits that target the specific transactions or information applicable to the system under assessment
- Ensuring that a methodology is in place to for consistent processes
- Reviewing internal audits or management reviews of the system and its components
Assessments can be tailored to the unique organizational needs of each contractor to include:
- Assisting with a full implementation
- A gap assessment with recommendations for improvement of a system that is already in operation but may not meet all of the criteria
- Strictly assessing and reporting on a fully operational system that is already designed to meet the specific system criteria
In determining the acceptability of an assessment over an audit, one can look to the Standard Form 1408 Pre-Award Survey of Prospective Contractor (Accounting System) as a benchmark. This form includes an evaluation checklist to determine if the accounting system meets certain specific criteria defined on the form. The last item on the form asks for a conclusion about whether or not the system is in full operation by selecting:
- In operation
- Set up, but not yet in operation
Consultants can apply this same evaluation process to each business system by measuring it against its specific system criteria outlined in the Defense Federal Acquisition Regulation System (DFARS) and then making a determination about the status of the operation of the system, similar to that in the Standard Form 1408. While not all contractors are subject to the DFARS system criteria, these criteria are commonly considered the standard by which government systems should be measured.
What are the business systems?
Each of the above systems benefits the government by increasing the reliance and consistency of information and transactions with the government. This reduces a contractor’s risk in a number of different areas including defective pricing, false claims, and payment withholdings. They also provide contractors with tools to help ensure consistency, enable efficiency, and potentially improve efficacy.As alluded to earlier, not all requests for proposals allow for assessments or audits of business systems from non-government entities in order to be eligible to bid or receive points for consideration. Therefore, it is essential for federal contractors to understand the various business system requirements within solicitations and how requirements will be evaluated by the government. It’s important to note that if a draft Request for Proposal (RFP) only allows for businesses to have government approved or audited accounting or other business systems, that federal contractors can submit feedback to the contracting officer regarding how this potentially restricts competition so there is a chance the RFP is amended accordingly when it goes final. No matter what, though, federal contractors of all sizes should consider the benefits of having practically designed, compliant business systems as they instill high levels of discipline and overall internal control within these critical operational areas.
Access Our Government Contracting Topic Page for Key Insights & Powerful Tools
On-demandOn-Demand Webinar: Using bid protests as a business strategyWith higher infrastructure spending anticipated in fiscal year 2022, government contractors should expect protest activity levels to remain steady, if not increase. As a result, organizations should think through protests, not as a forgone conclusion of losing a competition or as a lost cause, but as a deeper strategic choice that weighs the cost to the organization, the relationship with the customer, the investment in the proposal, and the potential upside of award as important elements of the decision on whether or not to protest.
InsightGovernment Contracting Accounting System Assessment ToolLearn about your company's state of readiness, gain access to additional helpful resources, and talk with our professionals to see how we can help you.
InsightEvolve IDIQ RFP requires a compliant Earned Value Management SystemWith the Evolve IDIQ draft RFP, GovCons are now required to have an Earned Value Management System (EVMS) in place. Learn more.
InsightExecutive Order 14042: Impacts to GovConsChristine Williamson, Sara Bridwell, Katy BarkerGovCons serving government customers could be subject to Executive Order 14042 and will need to ensure COVID safety protocols are in place. Learn more.