Your Government Contract Is Only as Secure as Your Cost Accounting
By TED ROSE, ROSE FINANCIAL SOLUTIONS
I've seen this play out more times than I'd like to count.
A government contractor wins a meaningful contract. The team delivered and won its largest contract to-date. And then DCAA shows up to perform a pre-award accounting survey, and within days the company is in a full-scale scramble: pulling timesheets, reconstructing cost allocations, trying to produce documentation that should have been attached to transactions the day they were recorded.
Sometimes the scramble works. Other times, it doesn't or it produces a qualified result that leaves the contractor wounded in the eyes of their contracting officer. The proposal was good. The compliance infrastructure wasn't.
That's the part of DCAA risk that doesn't get discussed enough. Most audit problems in the GovCon space aren't about intent. They're about systems. The chart of accounts wasn't built for cost pool accounting. Timekeeping runs on policy rather than enforcement. Indirect rates are modeled once a year instead of tracked monthly. Unallowable costs are excluded at year-end rather than segregated at the point of entry.
None of those are fraud. All of them are audit exposure.
DCAA readiness is not a documentation project you start when the audit notice arrives. It's a financial infrastructure posture you build before the contract. The distinction matters more than most GovCon companies realize until they're sitting across from an auditor.
The Scramble Is Not a Strategy
The default DCAA response is recognizable: gather the team, pull the files, reconstruct the story, and hope the records are clean enough to defend.
It works occasionally. The problem is that it only works if the underlying infrastructure already exists. You can locate timesheets for a period. You cannot recreate timesheets that were never completed correctly in the first place. You can organize existing documentation. You cannot retroactively attach it to transactions that were recorded without it. You can explain how your indirect rates were developed. You cannot defend rates that were never properly modeled. The audit doesn't create the compliance record. It examines the one you've been building all year.
This is why DCAA compliance is fundamentally an infrastructure problem. Not a documentation problem, not a staffing problem, not a policy problem. When the infrastructure is right, audits become confirmations. When it isn't, audits become crises.
The best GovCon finance leaders I know don't dread DCAA audits. They know exactly what their systems produce, they trust that the documentation exists and is organized, and they understand their indirect rate position in real time. DCAA showing up is an inconvenience for them, not a threat.
That's compliance confidence. It comes from infrastructure, not from annual fire drills.
What DCAA Is Actually Evaluating
Most GovCon executives know timekeeping is critical. Fewer understand that DCAA evaluates the entire accounting system, not just whether employees are recording hours. Here's what a prepared contractor has operating correctly, every day:
A chart of accounts configured for cost pool accounting. Direct labor, fringe benefit pools, overhead pools, unallowables costs, and G&A costs each need to flow through account structures designed specifically for this environment. A commercial chart of accounts with a few new GL codes added for government work is not a GovCon chart of accounts. The cost pool logic has to be built in, not bolted on. Retrofitting it later is costly, disruptive, and produces a period of unreliable data during the transition.
Timekeeping that is system-enforced and auditable. DCAA's standard is specific: employees must record time accurately and currently, in a system that produces a full audit trail. Corrections require supervisor authorization and a documented reason. Backdating needs to be flagged or prevented at the system level. A written policy about timekeeping accuracy is not a substitute for a timekeeping system that enforces it. DCAA will ask to see the system configuration, not just the output.
Indirect rates that are modeled and monitored monthly. Every contractor operating on cost-type contracts submits provisional billing rates. The actual rates, documented in the annual incurred cost submission, need to align reasonably with those provisional rates. If your actuals are running significantly over or under provisional, you're either overbilling the government or leaving recoverable costs on the table. Both are problems. The answer is a rate model you're watching every month, not a spreadsheet that gets opened when the ICS is due in June.
Unallowable costs segregated at entry, not at year-end. FAR Part 31 defines the costs that cannot be billed to the government: certain entertainment, alcohol, lobbying, executive compensation above the statutory cap, and others. Those costs need to be tracked in segregated accounts from the moment they're incurred. Year-end cleanup is unreliable and raises questions about the accuracy of everything in between. The accounting configuration should make proper segregation automatic.
Documentation attached to transactions, not stored somewhere else. Supporting documentation needs to travel with the cost it supports. Vendor invoices, subcontractor agreements, travel authorizations, payroll records: these need to be organized, accessible, and connected to the transaction they document. An auditor who asks for backup on a cost and receives a shrug is not writing a clean report.
This is not a checklist. It's a description of how GovCon finance infrastructure needs to operate as a standard. Not in audit season. All year.
The Pre-Award Survey Problem
There's a version of this situation that's worse than an ongoing audit: the pre-award accounting system survey. Before awarding a cost-type contract, a government agency may direct DCAA to conduct an accounting system survey. The question they're answering is straightforward: is the contractor's financial system capable of properly accounting for this contract?
If the answer is no, the contract doesn't get awarded. I've had new clients come to ROSE while in the most significant business development moment of their history, a contract that would change their trajectory, only to discover that their accounting system wasn't configured to handle it. That's difficult to fix in 30 days. An accounting system that isn't set up for GovCon cost accounting, a timekeeping system that isn't DCAA-compliant, indirect rates that have never been formally modeled: these aren't documentation gaps. They're structural failures.
The right time to build GovCon-ready financial infrastructure is before the first major proposal is submitted. Well before. Because when the pre-award survey arrives, you either have the infrastructure or you don't.
Where the Infrastructure Breaks Down
When we work through the FSRR with GovCon clients, our 80-indicator financial system readiness review, the compliance exposures tend to cluster around three areas.
The first is Structural Foundation: governance and compliance posture. This is where chart of accounts configuration, cost pool structure, and unallowable cost accounting live. It's also where we find the most variance. Some contractors have this right from day one. Others have been billing on cost-type contracts for years with a chart of accounts that can't support an incurred cost submission cleanly.
The second is Systems Architecture: whether the ERP and timekeeping systems are configured for GovCon requirements, or whether the team is working around their limitations with spreadsheets and manual corrections. An accounting system that technically produces the required reports but requires significant manual intervention to get there, may not be a DCAA-compliant accounting system. It's potentially a future liability.
The third is Operational Discipline: timekeeping enforcement, documentation practices, close-process integrity, and whether the month-end close produces numbers that are clean enough to defend. A finance team that closes the books in 15 days with complete documentation has a fundamentally different audit posture than one closing in 30 days with gaps that get filled in retrospectively.
Most DCAA problems trace back to one or more of these three areas. Not to intent. Not to work quality. To infrastructure maturity, which is exactly what the FSRR is designed to measure before DCAA finds it first.
Compliance Confidence Is a Business Development Advantage
This reframe is worth making explicitly: DCAA readiness is not just a risk management posture. It's a competitive one.
Contractors with compliant accounting systems, clean indirect rates, and documented timekeeping processes move faster through the procurement cycle. They qualify for cost-type contracts that competitors can't access because the competitors haven't built the required infrastructure. Many of these companies show up to re-competes with a financial record that supports the bid rather than complicating it. They don't lose weeks to audit response when they could be developing new business. The unfortunate truth is that I've talked to dozens and dozens of companies that don't even try to compete for cost-type contracts as they know their systems are not ready. They boxed themselves out of the biggest opportunities.
There's also a rate management advantage that rarely gets discussed. Contractors who track their indirect rates monthly — against their provisional, against their prior year, against their budget, can make mid-year adjustments that optimize their cost recovery. The ones who find out their rates are off in December, or when the ICS is due, can't do anything about it. The costs are already recorded.
The contractors who treat DCAA compliance as a box to check before an audit will spend their careers anxious about audits. The ones who build it into how they operate will barely notice when DCAA shows up.
What to Do Right Now
If your company is operating in the GovCon space, a few candid questions are worth asking: Was your chart of accounts built for GovCon cost pool accounting, or adapted from a commercial structure? Is your timekeeping system enforced by software, approvals, correction documentation, backdating controls, or does compliance depend on people following policy? Are your indirect rates tracked monthly against provisional, or modeled once at year-end? Are unallowable costs segregated at the point of entry, or cleaned up during year-end close? Have you ever been through a pre-award accounting system survey, and do you know what the result would be if one came tomorrow?
None of these gaps are permanent. But they all require infrastructure fixes, not documentation cleanup. If you want to see how your current financial system would hold up under DCAA scrutiny, the FSRA is a good starting point. It takes about 15 minutes and produces a readiness profile across the five pillars that matter most.
Because when DCAA shows up, the question isn't whether you did the work correctly. The question is whether your systems can prove it.
Ted Rose
In 1994 Ted Rose founded Rose Financial Solutions (ROSE), the Premier U.S. Based Finance and Accounting Outsourcing Firm. In 2010, the Blackbook of Outsourcing named ROSE the #1 FAO firm in the world based on client satisfaction. As the president and CEO of ROSE, he provides executives with financial clarity. Ted has also acted as the CFO for a number of growth companies and assisted with various rounds of financing and M&A transactions.
Share this article:
Visit Us On:
