The Wifcon Forums and Blogs

Left Brain Professionals

  1. Why Hire a CPA for Government Cybersecurity?

    Could your business recover from an abrupt loss of $82,000 to $256,000? That’s how much a single cybersecurity breach could cost a small business, according to an analysis by Tech Republic. For federal government contractors, the stakes are even higher. DFARS 252.204.7008 (Compliance Safeguarding and Covered Defense Information Controls) and 252.204.7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) require Department of Defense contractors to fully implement required controls on covered contractor information by December 31, 2017. Failure to comply could result in losing a contract or in having to stop work until you can demonstrate compliance with all 14 categories and 110 specific items of the NIST 800-171 R1 controls. For details about covered items and practical steps you can take to achieve compliance, see our earlier blog posts on the Answers Blog.

    With the deadline fast approaching, a wide variety of technology and consulting companies are pitching cybersecurity services to small business contractors. Some require you to make costly investments in their technology or offer a one-size-fits-all solution. Here are a few reasons to consider engaging a CPA with government contracting experience to advise on cybersecurity compliance.

    Humans Are at the Core of Cybersecurity Protection – and Humans Are Fallible

    Not long ago, most companies relegated anything “cyber” to the IT department. However, technology alone will not protect your company from phishing, hacking and other cybersecurity breaches. Your biggest vulnerability may not involve software or hardware, but the people operating your systems. Are they consistent and thorough in following cybersecurity best practices? Do they use and protect strong passwords? Do they avoid phishing emails? If not, the most sophisticated technology can and will fail to protect your company and its data.

    Today’s cybersecurity best practices touch on personnel practices, supply chain management and operational decisions. Nearly all areas of your business require strict policies for managing, storing and transmitting information. These must be applied consistently for effective protection.

    Trusted Advisors and Compliance Experts

    As discussed above, technology is only a part of cybersecurity. Best practices require evaluating risks, implementing procedures to mitigate the risks, training employees to follow policies and continually monitoring adherence to those policies. Most companies invest in control systems to ensure compliance with laws and regulations surrounding financial reporting, tax reporting, labor relations, environmental impacts and many other aspects of business. CPAs set up, manage and audit the majority of such systems.

    CPAs have earned a unique advisory role based on their understanding of business and adherence to core values of independence, objectivity and skepticism. To maintain their credentials, they must complete appropriate continuing education and comply with a strict code of ethics. Their work is also subject to rigorous external quality reviews. A CPA who understands cybersecurity as well as the needs of small businesses and government contractors is an ideal partner to help you comply with government regulations – including those governing cybersecurity.

    CPAs Offer Multidisciplinary Knowledge

    In addition to core education in business and accounting, many CPAs have expertise in business continuity and disaster recovery. Some hold additional credentials specifically related to IT and security. These include Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Information Technology Professional (CITP).

    Moreover, the American Institute of CPAs has established a Cybersecurity Risk Management Reporting Framework for companies to use in designing cybersecurity programs and reporting on them to stakeholders – including boards of directors, senior managers, investors and government compliance officers. This framework also includes descriptive criteria, controls and an attestation guide to help CPAs report on cybersecurity. As more businesses implement the AICPA framework, it is becoming a common denominator for talking about cybersecurity in the business world.

    Preparing for Audit and Reporting Security Breaches

    For government contractors, compliance requires more than establishing a cybersecurity framework. You must be able to demonstrate compliance and have systems in place to report security breaches. Although no formal audit process has been established for compliance with the NIST 800-171 framework, it is wise to develop your systems with audits in mind. With extensive training and experience in both consultative and audit engagements, a CPA who understands cybersecurity and government contract compliance has an edge in helping you prepare.

    In addition to preparing for audit, you must have systems in place for reporting security breaches. FAR 52.204-21 has no reporting requirement, but other FAR clauses around Personally Identifiable Information and related items do have separate reporting requirements. Depending on where your business is located, you may have state reporting requirements in addition to any federal contract reporting requirements.

    Many companies don’t understand the need for solid cybersecurity controls until they have suffered a breach. For example, an attorney friend tells a story about a Human Resources professional who received an email from the president of her company requesting a list of all employees and their social security numbers. She prepared the list and responded to his email. A few minutes later, she bumped into the president and told him, “I just sent the list of information you requested.” He responded, “What information?” The HR professional immediately realized what had happened, but the damage was done. While this happened at a relatively small company, its 115 employees resided in 32 states, requiring notification to each of those states. Since state laws are not synchronized, the company had to employ a national law firm. Chances are, if a CPA had been involved in developing the company’s cybersecurity policies, there would have been a clear prohibition against sending sensitive employee information via email – no matter who made the request.

    Questions about cybersecurity and government contracting? We’re here to help! Please call or email Robert E. Jones at (614) 556-4415 or robert@leftbrainpro.com.

    The post Why Hire a CPA for Government Cybersecurity? appeared first on Left Brain Professionals. leftbrainpro.com
  2. Surviving the DCAA Exit Conference and Audit Remediation

    Months can expire between the conclusion of an audit and when the DCAA issues an audit report. Save yourselves needless speculation and angst! Make sure to hold an exit conference before auditors leave your premises. You may want to request that the auditor and the auditor’s supervisor both attend the meeting. Your designated point of contact and affected members of the management team should all attend.

    An exit conference gives you the opportunity to discuss audit findings before they become official. You can probe the accuracy of the findings and, if needed, clarify any items upon which there is disagreement. When required, follow up with documentation to support your position.

    Auditors should review their findings in order of priority. For high-priority findings, DCAA might not close the audit until you remediate the underlying issues. As a result, it is vital that you gain a thorough understanding of the finding as well as what the auditor will accept as remediation. Auditors might specify that lower-priority findings be fixed by the next audit. Again, you should obtain the auditors’ view on what constitutes an acceptable solution to the issue. In some cases, auditors may say that your way of handling a procedure is acceptable, but they would prefer that you use a different approach. You must then evaluate the cost to your business of changing your approach versus the cost of having auditors challenge your business processes.

    The Preliminary Report

    After the exit interview, the auditor should prepare a preliminary report covering all of the findings resulting from the audit. This is often not completed until weeks or months after the audit. You should begin remediation of any findings addressed at the exit interview while awaiting the preliminary report. After receiving the report, you should review the findings and respond in writing to any areas of disagreement. Be prepared to back up your position with documentation.

    The Final Audit Report

    Some months after auditors have left your premises, the DCAA will satisfy its reporting requirements by issuing a final audit report. Typically, reports should include:

    · A statement that identifies the scope and objectives of the audit, including the area, system, or proposal being audited.
    · Objective audit findings.
    · Adequate support for all conclusions.
    · A description of any issues that adversely affected the audit.
    · A summary of audit results, including the auditor’s findings, recommendations for contractor compliance with applicable regulations, and overall opinions.

    Review this report with your management team carefully and develop a plan to address remaining audit findings as required. If you successfully managed the audit process, you can breathe a sigh of relief and return to managing your business.

    What if I Disagree with the Audit Report?

    DCAA auditors are only human. They can make mistakes or issue findings with which you disagree. You do have rights of appeal under the Contract Disputes Act. Moreover, your contracting officer can reject DCAA recommendations, although this is increasingly rare. Litigation can be expensive, however. Unless their errors present a threat to your payments or continued operation as a government contractor, it may be to your advantage to change your systems to comply with their findings. This is a decision that you should make with competent legal counsel.

    If you have questions about DCAA or DCMA audits and your business, please call or email Robert E. Jones at (614) 556-4415 or robert@leftbrainpro.com.

    The post Surviving the DCAA Exit Conference and Audit Remediation appeared first on Left Brain Professionals. leftbrainpro.com
  3. Answers Blog

    Begin Planning Today for DCAA and DCMA Contract Reviews

    The minute you sign a contract with an agency of the federal government, one thing becomes certain: you will be audited. In fact, depending on your contract, you may undergo several types of contract, proposal, or business system reviews or audits. A wide body of continually changing federal regulations affects how the government ensures that contractors provide goods and services as promised. Some checks and balances fall under the guise of contract management, while others involve formal audits.

    Your ability to withstand contract review or audit has a direct bearing on your future as a government contractor. Pass, and your invoices are paid. Fail, and your invoices may be suspended or disallowed. You could even be barred from bidding on future contracts! With so much at stake, it is important that you begin preparing today to defend your costs, product quality, accounting systems and business practices during an audit. Preparation begins with understanding some of the agencies involved.

    Which Agencies Oversee Contracts?

    Individual awarding agencies, especially civilian agencies such as Health and Human Services, the Department of Energy and the Department of Veterans Affairs, perform many of their own reviews and audits. Each agency follows its own protocols. For the Department of Defense, NASA and affiliated agencies, two federal agencies hold primary responsibility for ensuring the integrity of the purchasing process. The Defense Contract Management Agency administers contracts, while the Defense Contract Audit Agency provides financial and accounting services, including audits.

    The Defense Contract Management Agency provides a broad range of procurement and contract management services to the Department of Defense and other federal agencies. DCMA makes sure that DoD and affiliated federal agencies get the highest quality goods and services, the best value for their dollar and on-time delivery. The agency employs more than 10,000 professionals around the globe who are involved in every aspect of making sure needed equipment makes it from raw material to finished product. DCMA employees witness testing and accept products on behalf of the government. The agency also staffs six pricing centers around the U.S. to help contracting officers with price analysis and commercial item determinations. DCMA provides assistance with technical review of proposals and maintains the Commercial Item Determination registry. It maintains a secure web-based system for electronic Invoicing, Receipt, Acceptance, and Property Transfer (iRAPT, formerly known as Wide Area Work Flow/WAWF). It also performs contractor surveillance and product inspections.

    Before contract award, DCMA provides advice and information to help construct effective solicitations, identify potential risks, select the most capable contractors, and write contracts that meet the needs of DoD, federal and allied government agencies. After contract award, DCMA monitors contractors’ performance and management systems to ensure that cost, product performance, and delivery schedules comply with the terms and conditions of the contracts.

    The Defense Contract Audit Agency performs most formal audits at the request of agency or DCMA contracting officers. The DCAA’s mission is to ensure that government agencies get what they need at fair and reasonable prices. Standards for allowable, reasonable and allocable prices are set forth in Part 31 of the Federal Acquisition Regulation. Established in 1965, the DCAA provides audit and financial advisory services to the Department of Defense and other federal entities responsible for acquisition and contract administration. Other federal government agencies may hire commercial auditors. Pending language in H.R. 2511, introduced in May 2017, would allow the Defense Contract Management Agency or a military service contract officer to pick “a qualified private auditor to perform an incurred cost audit.”

    All audits must follow the DCAA Contract Audit Manual (DCAAM 7640.1), often abbreviated as the CAM. Chapter 10 of the CAM, which includes examples of different DCAA audit reports, can be particularly helpful for new contractors.

    What Types of Audits Does DCAA Perform?

    DCAA performs more than 50 specific audits to ensure that contractors have systems in place to support accurate and transparent pricing for the goods and services they provide to government agencies. Pre-award audits take place before you sign a contract. Common types of pre-award audits include accounting system surveys, proposal pricing and forward pricing rates. Post-award audits can occur at any time after you sign a contract. Per the DCAA Contract Audit Manual (14-102), the objective of a post-award audit is to determine if the negotiated contract price increased by a significant amount because the contractor did not submit or disclose accurate, complete and current cost or pricing data. Common types of post-award audits include:

    · Accounting System Audit
    · Cost Accounting Standards (CAS)
    · Provisional Billing Rates
    · Incurred Costs/Annual Overhead Rates
    · Voucher/Progress Payment Reviews
    · Floor Checks
    · Material Existence
    · Contract Closing
    · Truth in Negotiation Act Compliance

    Contractor business system audits examine internal controls and processes. The FAR and Defense Federal Acquisition Regulation Supplement clauses incorporated into many government contracts list detailed criteria associated with business systems for:

    · Accounting
    · Estimating
    · Material management and accounting
    · Purchasing
    · Earned value management
    · Property

    As explained in CAM Chapter 5, federal contractors are responsible for establishing and maintaining adequate internal controls that support reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. During an audit, you must provide detailed walkthroughs and demonstrations of the processes that make up each system.

    Accounting System Audits

    Your accounting system is key to proving that your costs are reasonable, allowable and allocable to your contract. The Federal Acquisition Regulation 16.301(3) requires contractors to maintain an adequate accounting system. Those with flexibly priced contracts must employ an accounting system that meets DCAA standards for tracking costs. In addition, federal contracts that exceed the $750,000 Truthful Cost or Pricing Data (formerly TINA) threshold require DCAA-compliant accounting systems and operations.

    Before awarding a contract, the Contracting Officer (CO) or Administrative Contracting Officer (ACO) must determine if the contractor has an adequate accounting system. DCAA often serves as the technical advisor in making this decision. It performs a Pre-Award Accounting System Review or Post Award Review at the request of the CO or ACO. The Pre-Award Accounting System Review requires the contractor to show that its accounting system meets requirements outlined in the Standard Form 1408, Pre-Award Survey of a Prospective Contractor’s Accounting System. The Post Award accounting system review also includes detailed testing of transactions through the contractor’s accounting system to ensure the system actually meets the SF 1408 requirements.

    What Types of Audits Does DCMA Perform?

    Whereas DCAA performs accounting and financial audits, DCMA audits government property systems, physical assets and shipments, including Item Unique Identification (IUID) methods and reporting obligations. Through IUID, DCMA auditors verify that every asset is uniquely identified, labeled, and tracked in accordance with two important standards: MIL-STD 129 (Shipment Identification) and MIL-STD 130 (Asset Identification). The IUID Registry is managed through iRAPT. Effective October 1, 2017, the Financial Improvement and Audit Readiness (FIAR) initiative dictates that all accountable assets must be audit ready. Failure to comply can result in rejected payments, shipments that are rejected upon receipt, costly corrective actions and documentation of your deficiencies in an official government report.

    DCMA also performs Contractor Purchasing System Reviews, which are designed to evaluate the efficiency and effectiveness with which a contractor spends government funds and whether it complies with government policy when subcontracting. A CPSR is conducted when a contractor’s annual sales to the government are expected to exceed $50 million in a 12-month period.

    Begin Preparing Now to Save Time, Money and Headaches Later

    Preparing for audits at the start of your contract – or at least before you receive a notice of audit – is the best way to reduce the costs and stress associated with the audit process. Designing your accounting systems and business operations to comply with contract requirements and audit standards from the beginning helps to prevent costly system redesigns, staff retraining, and the headaches associated with audit findings.

    One of the easiest ways to begin audit preparation is to assess your accounting systems using SF 1408. Knowing what a government representative is looking for will help you to:

    · Improve your existing accounting system;
    · Identify and correct any defects in your system;
    · Be prepared for any pre-award review of your cost accounting system.

    Having effective internal controls, policies and procedures for your business will help you organize your business and prepare for a potential audit. At minimum, you should have a written policy and procedures manual that covers:

    · Accounting system (control environment)
    · Billing
    · Budget and Planning
    · Estimating
    · Information Technology
    · Labor, Compensation and Benefits
    · Material Management
    · Purchasing
    · Standards of Ethical Operation

    Setting up and maintaining the right records is another prudent step in preparing for audits. FAR Part 4.7 outlines records retention requirements for contractors.

    Remember, if you know how the DCAA and DCMA work and what to expect from them, you can expedite the audit visit and avoid spending more time with them than necessary. The converse is true for the unprepared. So, what should you do once the DCAA audit letter arrives? Check out our next blog post: Received a DCAA Audit Letter? Don’t Panic!

    Questions about DCAA and DCMA audits and your business? We’re here to help! Call or email Robert E. Jones at (614) 556-4415 or robert@leftbrainpro.com.

    The post Answers Blog appeared first on Left Brain Professionals. leftbrainpro.com
  4. Received a DCAA Audit Letter? Don’t Panic!

    For government contractors, auditing is a matter of when – not if. Yet many contractors still panic when they receive the inevitable audit request from the Defense Contract Audit Agency. If you have been preparing from the start of your contract, you should be in good shape to withstand an audit. Yet, even if you have been so busy running your business that all thought of audits fell to the back burner, there are steps you can take before and after the auditors arrive to manage the process successfully.

    The DCAA Audit Letter and Data Call

    To initiate an audit, DCAA auditors will send an audit letter that includes:

    · A description of the type of audit they plan to perform.
    · A list of systems and records they want to examine (known as a data call).
    · A deadline for your response.

    Once again, take a deep breath. Then begin developing a plan of attack for dealing with the audit:

    · Examine the audit letter to see what auditors are looking for and what the agency’s agenda might be. Pull the Contract Audit Manual for guidance.
    · Appoint someone as the primary point of contact between your company and the auditors. Ideally, you should appoint someone who is familiar with your overall business operations and who has a thorough understanding of government contracts, federal regulations and the DCAA audit process.
    · Establish a chain of command for responding to the audit.
    · Ensure that any employees likely to be involved in the audit understand their roles and responsibilities.
    · Begin gathering requested data.

    Small business contractors often lack the in-house expertise to prepare for audits and represent themselves through the audit process. An experienced CPA will be an invaluable asset to you during the audit process. Your expert can serve as a buffer between you and the auditors. Ideally, you should appoint a CPA with the knowledge and experience to expedite the audit process and to push back against overly aggressive auditors if needed.

    The Entrance Conference

    Once you’ve put a preliminary plan in place, schedule an entrance conference with the DCAA auditors. Goals of the conference include:

    · Introduce the auditors to your point of contact.
    · Clarify the purpose of the audit.
    · Agree on the audit scope. Nail down specifics. Do not accept a broad scope such as “an audit of the contractor’s facilities.” Specify the types of records and data the auditor intends to review. Remember, the DCAA auditors have the right to review any documentation that supports a cost charged and recovered on a federal contract, grant, or cooperative agreement.
    · Set the auditor’s level of access to documents, information and personnel.

    During the Audit

    While auditors are at your business, your goal should be to assist them in completing their task as quickly as possible while protecting your company’s interests. Here are some tips for managing the audit process and avoiding needless disruption to your operations.

    · Be courteous and professional. The auditors represent one of your biggest clients, the federal government. Make sure to treat them accordingly.
    · Know your rights. By law, auditors are only entitled to access specific records required to assess costs. They must follow Generally Accepted Government Auditing Standards to determine which records are relevant.
    · If possible, provide auditors with a designated office or work area. Bring any requested documents to them rather than allow them to roam throughout your company.
    · For floor checks, have your designated point of contact or another company manager accompany the auditor during interviews with employees.
    · Ask auditors to make data requests, in writing, to your designated point of contact. Although DCAA auditors are not required to make written requests, these are very helpful in evaluating, tracking and prioritizing their requests.
    · Review and log all documents before providing them to auditors.
    · Auditors will ask clarifying questions. Answer them – but make sure you are only answering their specific questions. Do not volunteer additional information. This is where an experienced government contracts CPA can be especially helpful.
    · Hold interim conferences as needed to manage the audit process. These will allow you to address any perceived deficiencies or mistakes in your data.
    · If the auditors discover something wrong, remedy the issue before they leave your site, if possible.

    In our next blog post, Surviving the DCAA Exit Conference and Audit Remediation, we’ll discuss the exit conference and audit remediation. In the meantime, if you have questions about DCAA or DCMA audits and your business, please call or email Robert E. Jones at (614) 556-4415 or robert@leftbrainpro.com.

    The post Received a DCAA Audit Letter? Don’t Panic! appeared first on Left Brain Professionals. leftbrainpro.com
  6. Outsource Your Incurred Cost Proposal

Congratulations! You Submitted Your Incurred Cost Proposal. But Is It Adequate?

If your company has flexibly priced or time-and-materials federal contracts that contain the Allowable Cost & Payment clause (FAR 52.216‐7), you are required to file an Incurred Cost Proposal (also known as an Incurred Cost Submission) within six months of the end of your fiscal year. For calendar year companies, the June 30th deadline just passed. If you submitted your ICP on time, congratulations! It is imperative to submit your ICP promptly unless you obtain a waiver.

If you missed the deadline, time is of the essence! The Defense Contract Audit Agency will provide a single late notification letter when an Incurred Cost Proposal is 30 days late. If your ICP is still outstanding six months after the deadline, the DCAA will refer your contract to the Defense Contract Management Agency for audit. Keep in mind that timeliness alone will not protect you from increased scrutiny. If the DCAA deems your proposal inadequate, it also may refer your contract to the DCMA for audit.

Many contractors prepare their ICPs in house. This may be a good option if your staff includes an experienced cost accountant and contracts compliance expert who stays on top of the complex and changing regulations that apply to ICP submissions. These may include annual changes to FAR regulations, the proposal adequacy checklist, the ICP format and the expectations of government auditors. In most cases, however, small and medium-sized businesses can’t justify the expense of keeping a contracts specialist on staff. Just as they hire experts to prepare their tax returns, they bring in an experienced contracts compliance accountant to prepare their ICPs. Here are just a few of the reasons to consult an ICP expert:
- An expert stays current with the latest Federal Acquisition Regulation and all of the requirements for preparing adequate Incurred Cost Proposals.
- Hiring an expert may cost less than you would pay an inexperienced accountant to navigate the intricate requirements for developing and submitting an ICP.
- An expert knows which expenses are allowable and which are not, protecting your submission from rejection.
- An expert knows how to classify expenses, making it easier to prepare Incurred Cost Reports and saving time at the end of the year.
- An expert knows how to classify labor costs in a way that the government recognizes, which can save staff time and protect against findings when your contract is audited.

If you missed the deadline or have any doubts about the adequacy of your Incurred Cost Proposal, start working on a solution as soon as possible. You’ll find more detailed information about the ICP preparation process in our January blog post.

Questions about the ICP and your federal contract? We’re here to help! Reach out to Robert@LeftBrainPro.com or call (614) 556-4415. With more than 14 years of Department of Defense contract and accounting experience for both Fortune 500 and small to mid-sized businesses, he has extensive experience classifying costs, creating reports, working with clients to prepare ICPs and navigating audits.

The post Outsource Your Incurred Cost Proposal appeared first on Left Brain Professionals. leftbrainpro.com
  7. Part 1: New Rules Go Into Effect December 31

Federal government agencies rely upon external contractors to carry out a wide range of functions. Many contractors have access to sensitive data that could, if compromised, potentially reveal classified information, threaten national security or even put lives at risk. As a result, cybersecurity is a critical and growing concern for both federal agencies and contractors. The issue has gained greater urgency, as contractors of all sizes must demonstrate compliance with new federal government rules by December 31, 2017.

Understandably, many small business contractors feel overwhelmed. If you don’t comply, your contracts – and, perhaps, your business – are at risk. Yet you may not know where to begin. Common obstacles to compliance include:
- Lack of knowledge of the rules
- Not knowing how to meet the requirements spelled out in the rules
- Lack of access to information security resources
- Lack of financial resources to implement required safeguards

Many small businesses do not employ a dedicated information technology employee or consultant. Often, an owner or key employee performs IT functions in addition to their regular duties. And even Fortune 500 companies with vast resources struggle with information security. No wonder small business owners feel overwhelmed!

Still, when you submit an RFP or sign a contract containing one or more information security clauses, you are affirming your ability to comply with the contract. You need to employ as many best practices as possible to show that you have exercised good faith due diligence to achieve compliance. As with any compliance program, you must be able to demonstrate that you are doing – or trying to do – the right thing.

This series of blog posts is designed to help small business contractors prepare to meet the December 31 deadline. We’ll break down compliance into bite-size, manageable and affordable chunks that an average small business of a few to up to 50 employees can tackle. Let’s start with the rules.

Federal Cybersecurity Rules
- FAR 52.204-21
- DFARS 252.204-7008
- DFARS 252.204-7012
- DFARS 204.7300
- NIST (SP) 800-171
- FAR Case 2011-020

Federal Information Security Rules

In June 2016, the US Department of Defense, General Services Administration, and National Aeronautics and Space Administration published a new rule entitled “Basic Safeguarding of Contractor Information Systems.” The new requirements supplement DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), which imposes several more requirements on covered DoD contractors. Safeguarding requirements are based on security requirements published in the Department of Commerce National Institute of Standards and Technology’s Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” However, several other overlapping rules and regulations may apply (see box). These rules and regulations require contractors of all sizes to comply with two key information security requirements:
- Maintain Adequate Security
- Report any Incidents

In the case of defense contracts, within 30 days of contract award, a contractor must notify the DoD Chief Information Officer of any security requirements not implemented at the time of contract award. The contractor can propose alternate, equally effective measures to DoD through the contracting officer.

Where Must You Maintain Adequate Security?

Security requirements affect any system for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, including:
- Email
- Social media
- Cloud storage
- Online accounts
- Mobile devices
- Personal computers
- Software
- Corporate networks
- Storage devices

Requirements under NIST (SP) 800-171

Nearly 80 pages in length, NIST Special Publication 800-171 includes 109 items broken into 14 categories. Under these guidelines, the purpose of computer security is to protect an organization’s valuable resources, such as information, hardware, and software. Through the selection and application of appropriate safeguards, security helps the organization’s mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets. The document covers the NIST framework for Improving Critical Infrastructure, details on each of the 14 security requirements, mapping tables and a special section dedicated to acronyms. See below for an outline of each category, with tips for compliance.

1. Access Control: Limit physical access to buildings and servers. Limit access to accounts and services through assigned users. Only those who need access should be granted access. Tip: Review active users on accounts at least annually (best practice involves quarterly or semi-annual review). Look for terminated employees and employees whose duties have changed (they no longer need access to a server, site, folder, file, or account). Revoke their access.

2. Awareness and Training: Provide annual training to all employees on existing policies and procedures. Provide updated training as appropriate for changes in laws, regulations, etc. Tip: Document the training. Be able to prove due diligence in training your employees to do the right thing.

3. Audit & Accountability: Perform internal and external audits. Have someone outside the company or department review policies against actual practices. Hire an outside firm. Have individual team, department, or project managers review user access to their sites, servers, folders, files, and accounts. Tip: Document the audit, as well as any remedial training, new policies, or other mitigation strategies that arise as a result of the audit.

4. Configuration Management: Keep track of hardware and software. Know who has possession of equipment and what is installed on each machine. Ensure that users have limited ability to download and install software. Have a defined list of preapproved software. Have a formal process to request and vet new software. Tip: Perform audits of your system and software. See #3 above.

5. Identification and Authentication: Identify and authenticate any user gaining access to your facility, servers, or accounts. Assign unique logins for each user; do not use shared logins. Use electronic key cards for physical access to facilities and rooms. Authenticate users through some other tool such as a password, PIN, one-time password, or biometrics. Access to server rooms may require a key card and PIN. Tip: Review access control on a regular basis. See #1 above.

6. Incident Response: Document an incident response process including roles and responsibilities. Incident response should include or be coordinated with your disaster recovery plan. With government contracts and data breaches, there are specific reporting requirements. Tip: Your response plan must specify how you are notified internally, who you need to notify and how (such as customers and government entities), response times, and public relations outreach.

7. Maintenance: Keep all hardware, software, and firmware updated with the latest patches. Perform routine preventive maintenance such as backups and destruction of backups. Tip: Automate as much as possible. Have a calendar to track needed items. Document all updates.

8. Media Protection: Physically limit access to the media. Limit or prohibit use of removable media or portable storage devices such as thumb drives. Protect backup media the same as live data. Tip: Enable system/network protocols that identify removable media or portable storage devices.

9. Personnel Security: Screen personnel before providing access. This may be as simple as validating a need-to-know for basic access and as complex as performing background checks on individuals with advanced access or responsibilities. Tip: Ensure terminated employees are removed from all access and accounts.

10. Physical Protection: Allow only authorized access to systems, equipment, and facilities. Maintain audit logs of physical access (may be automated with electronic key cards), and monitor and escort visitors. Tip: Implement a visitor policy and process with logs and badges.

11. Risk Assessment: Perform a risk analysis to identify vulnerabilities. If this happened, what would it mean to us, our business, our reputation? Compare the analysis to existing policies and practices, and then remediate accordingly. Tip: Perform a risk assessment when acquiring another company, moving locations, adding new technology, or changing providers.

12. Security Assessment: Assess the effectiveness of existing controls. Are controls doing what they’re supposed to do? Can someone bypass a control? Tip: Perform spot checks on controls. These should be unannounced “audits.” See if an unauthorized user can gain access to a facility, server, folder, or file.

13. System and Communications Protection: In comparison to protecting the storage of data, this is meant to protect the flow of data between systems. It also includes boundaries between systems such as between private and guest networks. Tip: Deny network communications by default. Permit authorized communication by exception.

14. System and Information Integrity: Monitor activity to detect flaws, irregularities, and malicious code. Perform system and file scans for viruses and malware. Irregularities may include size, volume, and timing of network traffic. Tip: Install antivirus and malware protection. Perform routine system and file scans.

From Understanding to Compliance

After reading this summary, you should have a general understanding of what the new rules require. Although the topic may still seem overwhelming, our next post will help you get a handle on practical steps you can take to comply by the December 31 deadline. We’ll review information security requirements for individual systems, with a discussion of best practices and affordably priced tools suitable for small business use.

The post Cybersecurity Best Practices for Small Business Contractors – Part 1 appeared first on Left Brain Professionals. leftbrainpro.com
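The Access Control tip (review active users, look for terminated employees, revoke their access) and the Personnel Security tip above describe a periodic access review. As an added example that is not part of the original post, here is a Python script that cross-references an account export against an HR roster and flags the accounts a reviewer should revoke or question. The CSV column names, the constructed sample rows and the 90-day staleness threshold are all assumptions; the post sets no such numbers.

```python
"""Access review helper for the NIST SP 800-171 Access Control tip.

Added example, not code from the original post. Both inputs are constructed
sample data: an HR roster export and an account-list export, as CSV text.
Column names (employee_id, status, termination_date, system, username,
owner_id, last_login) are assumptions, not a real HR or IAM schema.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample HR roster (assumed schema).
HR_ROSTER_CSV = """employee_id,name,status,termination_date
E001,Alice Adams,active,
E002,Bob Brown,terminated,2017-06-30
E003,Carol Chen,active,
E004,Dan Diaz,terminated,2017-09-15
"""

# Constructed sample export of accounts across a few systems (assumed schema).
ACCOUNTS_CSV = """system,username,owner_id,last_login
fileserver,aadams,E001,2017-10-20
fileserver,bbrown,E002,2017-07-02
fileserver,shared-scan,,2017-10-19
accounting,cchen,E003,2017-03-01
accounting,ddiaz,E004,2017-09-14
vpn,aadams,E001,2017-10-21
vpn,svc-backup,E999,2017-10-21
"""


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    reason: str


def _parse_date(text: str):
    """Parse YYYY-MM-DD; an empty field means 'unknown' and returns None."""
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def review_access(hr_csv: str, accounts_csv: str, as_of: date,
                  stale_days: int = 90) -> list:
    """Return one Finding per account that should be revoked or reviewed.

    Flags accounts whose owner is terminated (noting any login after the
    termination date), accounts whose owner is not in the HR roster
    (orphaned), shared accounts with no named owner, and accounts unused
    for more than stale_days. The 90-day default is an assumption.
    """
    roster = {row["employee_id"]: row
              for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        owner = acct["owner_id"].strip()
        emp = roster.get(owner)
        last = _parse_date(acct["last_login"])
        if not owner:
            reason = "shared account with no named owner"
        elif emp is None:
            reason = f"owner {owner} not found in HR roster (orphaned)"
        elif emp["status"] == "terminated":
            term = _parse_date(emp["termination_date"])
            reason = f"owner terminated {emp['termination_date']}"
            if last and term and last > term:
                reason += "; account used AFTER termination"
        elif last is None or (as_of - last).days > stale_days:
            reason = f"no login in {stale_days}+ days"
        else:
            continue  # active owner, recently used: nothing to flag
        findings.append(Finding(acct["system"], acct["username"], reason))
    return findings


def needs_revocation(findings: list) -> list:
    """Findings that call for immediate revocation rather than a question."""
    return [f for f in findings
            if "terminated" in f.reason or "orphaned" in f.reason]


def run_sample(as_of: str = "2017-10-31") -> list:
    """Run the review over the constructed sample data as of the given date."""
    return review_access(HR_ROSTER_CSV, ACCOUNTS_CSV, _parse_date(as_of))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.system:<11} {f.username:<12} {f.reason}")
```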
  8. Part 3: Essential Information Security Policies

Now that you have an understanding of the rules, what systems must be covered and security tools you can use to comply, it’s time to consider policies. Keep in mind that your investment in security tools can be rendered useless without appropriate policies and training in place to require that employees use them.

Policy Manual (NIST Category 2)

A good policy manual should address all 14 categories. You need to provide written policies and formal training. This includes training for new employees (based on role) with annual refresher training on key items for all employees. Review and update policies at least annually. Review and update training at least annually. Roll out training on new topics or revised policies as appropriate.

Review Access Control (NIST Category 9)

Review access control requests when received and at least annually. Does the person have a valid need-to-know or need-to-access requirement? Perform background checks as appropriate for positions with an advanced level of access or responsibility. Tips: Review access membership lists at least annually for continued need-to-know. Have terminated employees been removed or had their accounts deactivated?

Physical Security (NIST Categories 1, 5, 8, 10)

Limit access to facilities, servers, and systems. Have separate locks on server rooms. Have a visitor policy with sign-in, sign-out, and unique badges.

Password Management (NIST Category 5)

Password management is so important that it falls into both tools and policies. Tips: Force system password changes every 30-90 days. For very secure or sensitive information, require more frequent password changes. Require multi-factor authentication for new devices or sensitive systems. Set system requirements for secure passwords (upper, lower, number, and symbol) and do not allow reuse of passwords or creation of sequential passwords.

Multi-factor Authentication (NIST Category 5)

As discussed above, MFA helps prevent unauthorized access by requiring multiple types of identification. In addition to a username and password, it requires a third piece of information such as a text code (to your phone or mobile device), digital certificate, CAC or “smart” card, one-time password (from a fob), or biometric such as fingerprint or retina scan. Tip: Have a policy requiring MFA use on specific accounts/services and recommend its use on all possible accounts/services. Enable MFA on every account possible.

Audit, Risk, Configuration Management and Security

Audit, risk, configuration management, and security may be a combined effort. Guidelines are outlined in NIST Special Publication 800-53 (Rev. 4): Security Controls and Assessment Procedures for Federal Information Systems and Organizations.

Audit and Accountability (NIST Category 3)

Your audit and accountability policy should address purpose, scope, roles and responsibilities, and compliance. In addition, it should contain guidance for implementation of the audit and accountability policy and associated management controls. Tip: Include provisions for internal and external audits.

Risk Assessment (NIST Category 11)

Your policy should outline requirements for risk assessments, including the likelihood and magnitude of potential harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits. Tip: Update the risk assessment procedures whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security of the system. This should be done at least annually.

Configuration Management (NIST Category 4)

Configuration Management is a discipline designed to ensure that the configuration of an item (and its components) is known and documented, and that all subsequent changes to it are controlled and tracked. Your policy must outline procedures for keeping track of hardware and software, including who has responsibility for tracking, how they will track possession of equipment and the software installed on each machine, and how they will ensure that users have limited ability to download and install software. It must include a defined list of preapproved software as well as a formal process for requesting and vetting new software. Tip: Document, document, document. Then spot check to make sure everything is being documented.

Security Assessment (NIST Category 12)

Your security assessment policy should document your existing controls and outline procedures for testing their effectiveness. Tip: Include a requirement for spot checks on controls. These should be unannounced “audits.” See if an unauthorized user can gain access to a facility, server, folder, or file.

Incident Response (NIST Category 6)

Your policy should document an incident response process that outlines roles, responsibilities and procedures. Incident response should include or be coordinated with your disaster recovery plan. With government contracts and data breaches, there are specific reporting requirements. Tip: Your response plan must specify how you are notified internally, who you need to notify externally and how (such as customers and government entities), response times, and public relations outreach. For government contractors, one of the first calls should go to the contracting agency. Openness and transparency are the best policy.

In Conclusion: One Step at a Time

We’ve covered a lot of ground in the past three blog posts, including:
- Federal information security requirements
- What hardware, software and online resources must be secured
- Available security tools
- Essential policies and procedures

That’s a lot for any small business owner to take in! With the December 31 deadline looming, however, inaction or delay are no longer options. My recommendation is to divide your compliance efforts into manageable steps. Begin with an assessment of where you stand as far as meeting each of the NIST requirements, then develop a plan for compliance in each area. Assign responsibilities and deadlines, and call in help as you need it.

As always, if you have questions about information security or any other aspect of government contract compliance, you can reach me at robert@leftbrainpro.com or by calling (614) 556-4415.

The post Cybersecurity Best Practices for Small Business Contractors – Part 3 appeared first on Left Brain Professionals. leftbrainpro.com
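The Password Management policy in Part 3 states three enforceable rules: complexity (upper, lower, number and symbol), no reuse of previous passwords, and no sequential passwords. As an added Python example, not code from the original post, here is a change-time check that enforces all three against a per-user history. The 12-character minimum and the five-entry history depth are assumptions (the post gives no numbers), and the history stores salted PBKDF2 hashes rather than plaintext, which is one way to realise the post's "encrypted database" advice.

```python
"""Password-change policy check for the Part 3 password management rules.

Added example, not the post's code. MIN_LENGTH, HISTORY_DEPTH and the
PBKDF2 work factor are assumptions; the post states none of them.
"""
import hashlib
import hmac
import os
import re
import string

MIN_LENGTH = 12          # assumption: the post's "Best" examples are 12 chars
HISTORY_DEPTH = 5        # assumption: how many old passwords reuse covers
PBKDF2_ROUNDS = 100_000  # assumption: work factor for the stored history


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted hashes of a user's previous passwords, oldest first."""

    def __init__(self):
        self._entries = []

    def add(self, password: str) -> None:
        """Record a password that has been set; trims to HISTORY_DEPTH."""
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt)))
        del self._entries[:-HISTORY_DEPTH]

    def contains(self, password: str) -> bool:
        """True if the candidate matches any stored entry (constant-time compare)."""
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self._entries)


def _stem(password: str) -> str:
    """Case-folded password with every digit removed: 'Sally12' -> 'sally'.

    Two passwords with the same stem differ only in their numbers, which is
    how this example interprets the post's "sequential passwords".
    """
    return re.sub(r"\d", "", password).casefold()


def complexity_errors(password: str) -> list:
    """Violations of the upper/lower/number/symbol rule plus minimum length."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c in string.punctuation for c in password):
        errors.append("no symbol")
    return errors


def validate_change(new_password: str, current_password: str,
                    history: PasswordHistory) -> list:
    """Return all policy violations; an empty list means the change is allowed."""
    errors = complexity_errors(new_password)
    if new_password == current_password or history.contains(new_password):
        errors.append("reuses a previous password")
    elif _stem(new_password) == _stem(current_password):
        errors.append("sequential: differs from the current password only in its digits")
    return errors


if __name__ == "__main__":
    hist = PasswordHistory()
    for old in ("Ch3ck!Ledger2016", "Ch3ck!Ledger2017"):  # constructed sample history
        hist.add(old)
    for candidate in ("Ch3ck!Ledger2018", "Ch3ck!Ledger2016", "password",
                      "Blue-Harbor#Quartz42"):
        print(candidate, "->", validate_change(candidate, "Ch3ck!Ledger2017", hist) or "OK")
```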
  9. Part 2: Covered Systems and Security Tools

In the 21st century, broadband networks and information technology have become powerful tools for small businesses. They help businesses reach new markets and increase sales and productivity. However, the same technology that powers business improvement is vulnerable to attack. Businesses must implement the best tools and tactics to protect themselves, their customers, and their data.

As discussed in Part 1, federal contractors face a December 31 deadline for compliance with new rules for safeguarding contractor information systems. In Part 2, we’ll discuss the devices and systems that must be secured, including suggestions for best practices and affordably priced tools that small businesses can use to comply. Note that in many cases vendors offer multiple tools. These are listed by category rather than by vendor.

What Must Be Secured?

All contractor information systems, which are defined as systems owned or operated by contractors that “process, store, or transmit federal contract information,” must be secured. Let’s take a look at each category and applicable security tips and tools.

Hardware (NIST Category 7): Firewalls, Routers, Servers, PCs, Laptops, Tablets, Mobile Phones, IP Phones, Network Printers

All hardware that stores or transmits data requires protection from unauthorized access and malware such as viruses and spyware. This generally involves the use of anti-virus software, firewalls and Virtual Private Networks, which are discussed in more detail below. Tips: Ensure that all firmware is updated, devices are encrypted (where available/appropriate) and that devices have passcodes or PINs. Make sure mobile devices (including laptops) can be remotely wiped in case of theft or loss.

Network Access

Taking steps to prevent unauthorized network access is important for a wide number of reasons, including preventing others from installing malware or stealing or deleting important files. Tips: Unauthorized persons should never have access to your business network! Make sure both home and office networks have secure passwords. Create a separate guest network for sharing with family, friends, and visitors. Your network should be protected with a firewall (hardware and/or software) and/or Virtual Private Network.

A firewall is a network security system that uses rules to control incoming and outgoing network traffic. A firewall acts as a barrier between a trusted network and an untrusted network. Firewalls come in two varieties: hardware and software. You can purchase a physical firewall device or run a firewall application. Many routers have firewall software built into them. A greater level of security can be provided through a Virtual Private Network, which is a method employing encryption to provide secure access to a remote computer over the Internet. VPN tools for small businesses to consider include Avast SecureLine VPN and PureVPN.

Mobile Devices (phones and tablets)

The ease of doing business anytime, anywhere comes with a price. Mobile device security threats are on the rise. According to IT Web, the number of new malware programs detected each day has reached over 230,000, many of which target mobile devices. Tips: Use mobile antivirus and security tools such as Avast Mobile, Avira and Lookout to secure mobile devices. Avast and Avira offer both free and more robust paid plans for devices running on Android and iOS. Lookout’s mobile security suite includes mobile endpoint security, app security, personal device security and threat intelligence.

Wi-Fi and Bluetooth

Wi-Fi and Bluetooth are protocols allowing computers, smartphones, or other devices to connect to the Internet or communicate with one another wirelessly within a particular area. Tips: Keep them off until needed. They are doors through which hackers can access your device or network. In addition, they drain batteries on mobile devices. Do not use free public Wi-Fi. Ever. Many people have access, and the network is unsecured. It’s laughably easy to hack other users on the same network. Use your phone’s hotspot, a mobile hotspot, or a trusted network (such as that of a client or vendor). If and when you use public Wi-Fi, use a Virtual Private Network to access your network or the internet in general.

Software (NIST Category 7)

Commercially available software represents one of the biggest vulnerabilities in information security. Don’t let hackers exploit holes in your software to access your information! Tips: Ensure that all updates and patches are installed. Developers release security patches on a regular basis. Consider auto updates to plug any holes. Outdated software, even with updates or patches, is vulnerable because developers eventually stop supporting old software. If your software is more than 4 years old, check to see if you are still receiving updates and patches. Hackers know that companies run old software, and developers stop supporting it, so they look for ways to break in.

Online Services and Accounts

Email (NIST Categories 8, 14)

After the recent presidential race, it’s hard to believe that anyone is unaware of the importance of safeguarding email communications. Email accounts are easily hacked. Take steps to protect them. Tips: Keep separate accounts for business and personal email. Do not cross contaminate them. Keep business in business and personal in personal. Use a professional domain for your business. If you are a small business, buy a domain, secure it, and use it. Do not send business email from Yahoo, Hotmail, AOL, Gmail, etc. Even if you designate one of these as a business account, it comes from a public domain, which reflects poorly upon your business and opens you up to hacking and other issues.

Keep in mind that if you keep multiple email accounts on a single device (as we all do), a hack from one account can easily bleed to the other accounts, causing release of information or unpleasant emails sent on your behalf. To be clear, if you’re using Google’s G Suite (formerly Google Apps) for work, the security features are different from those of a personal Gmail account. That said, in our humble opinion, Gmail has one of the most secure personal email platforms, with multi-factor authentication (discussed below) and SPAM filtering.

Cloud Storage

Like email, keep separate accounts/services for work and personal. We recommend separate services, so it’s clear that one is business and one is personal. Do not cross contaminate. Do not store business documents on your personal service and vice-versa. Cloud storage services to consider include:
- Dropbox
- Google Drive
- Box
- iCloud
- Carbonite
- Office 365

Social Media

It’s too common to see hacking of LinkedIn, Facebook, Instagram, Twitter and other accounts. If hackers make disparaging posts or comments, it can affect your brand and reputation. Tips: Use strong passwords and the highest privacy settings on all social media accounts. Change passwords frequently. Create a social media usage policy for your company. Never forget that anything shared on social media can ultimately be viewed by anyone, anywhere in the world. Be careful about what you post, even on private accounts. Ask your employees to do the same, and make sure they don’t comment on company business from unauthorized accounts. Quite apart from embarrassment, you could open yourself up to blackmail or legal consequences.

Online Accounts

Online banking, utilities, customer/vendor portals, shopping, shipping, and tax reporting/payment sites can all be vulnerable to hacking. Tips: Use a different, strong password on each account, and change passwords frequently. Use multi-factor authentication if available. Check all billing statements on a regular basis for unauthorized charges.

Website & Portals

You may not think your website has anything worthy of hacking. However, even the most mundane websites are compromised all the time. Most hacks are not to steal data, although this is always a concern. Rather, hackers may be trying to use your server as an email relay for spam, or to set up a temporary web server to serve files of an illegal nature. Websites that use the standard HTTP protocol transmit and receive data in an unsecured manner. This means it is possible for someone to eavesdrop on the data being transferred between the user and the web server. Tips: Invest in a secure website that encrypts the messages between the visitor and the site using SSL (secure socket layer) to ensure that no hacker or eavesdropper can intercept the information. Never transmit personal or financial information via an unsecured site. If the web address begins with https://, instead of just http://, you are accessing a secure website. Most browsers will also display a lock icon somewhere along the edge of the window to indicate a website is secure. SSL tools are discussed below in the tools section.

Security Tools to Consider

According to a recent Verizon Data Breach Investigations Report, 60 percent of cyber-attacks target small and medium-sized businesses, primarily because they are easier targets. Using the tools below will help take the target off your back as well as provide compliance with federal regulations.

Password Management

Managing passwords can be a pain. However, a strong password is your first line of defense against intruders and imposters. Tips: You should pick passwords that are difficult to guess. Don’t use names, dates or common words as passwords. Here are some examples of passwords of increasing strength:
- Poor passwords: Password, Sally1, Columbus, etc.
- Fair passwords: pAssWorD2017, sAllY12
- Good passwords: PaSsWoRd2017!!, SaLLy12$
- Better passwords: P@$$w0rd2017#, S@lly12#!
- Best passwords: l#Svr!25Nw^q, h*J47(sB2#xR

Use an encrypted database to store passwords. We still see clients with Word or Excel documents for their list of passwords. Even with a password-protected file, be careful. We’ve seen clients leave the file open on their desktop throughout the day. The tools listed below can be auto-locked after use or after elapsed time. These tools also work across browsers and devices, making the passwords readily available to you and aiding in entering the information in websites. More importantly, they have password generators that create strong passwords. The tools require you to remember only one strong password – the tool remembers everything else. You can also force multi-factor authentication access to the tool (user ID, password, and one-time code generated by a separate device). Several of the tools below have free, premium and enterprise versions to adjust to the size, security needs and budget of your company:
- KeePass
- LastPass
- Onelogin
- ManageEngine

Virus & Malware Protection (NIST Categories 7, 13, 14)

According to CNN, more than 317 million new pieces of malware (computer viruses or other malicious software) were created last year. That means nearly one million new threats were released each day. Tips: Invest in a paid antivirus subscription, then keep the software and virus definitions updated daily (automated). Make sure virus protection is installed on all applicable devices such as servers, PCs, laptops, and mobile phones. Some of the antivirus tools you might want to consider are listed below. Several of these vendors offer additional security software and services:
- Avast
- McAfee
- AVG
- Eset
- Kaspersky
- Norton
- MalwareBytes

Multi-factor Authentication (NIST Category 5)

Multifactor authentication is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. The use of multiple authentication factors to prove one’s identity is based on the premise that an unauthorized user is unlikely to be able to supply the factors required for access. Tips: Set authentication factors that are not likely accessible via public records. For example, a user’s mother’s maiden name is less secure than asking a personal question such as the name of the user’s favorite pet. Send randomly-generated codes to verified mobile phones or email addresses. Choose a service and use it across every account possible (banks, email, servers, etc.). Some options include:
- Authenticator for Windows
- Google Authenticator
- IdenTrust
- RSA SecurID

Encryption (NIST Categories 8, 13)

A key information security tool, encryption converts information or data into a code to prevent unauthorized access. This protects the confidentiality of digital data stored on computer systems or transmitted via the Internet or other computer networks. Tips: Encrypt mobile devices and tablets with a passcode or PIN. Encrypt laptops with software. Encrypt your website and servers with SSL certificates as described above. When shopping on the internet, look for https in websites. Only use secure sites to enter your personally identifiable information such as Social Security Number, Federal Employer ID Number, Dun & Bradstreet report number, credit card and bank account numbers, etc.
Encryption tools to consider include: SertintyOne GlobalSign DigiSign VeriSign Next Step: Essential Policies for Compliance In Parts 1 and 2 of this blog series, we reviewed new cybersecurity requirements for federal contractors, the systems covered by the rules, and affordable tools small businesses can use in their compliance programs. In Part 3, we’ll wrap up the series with a look at policies you need to put in place to ensure and track compliance. The post Cybersecurity Best Practices for Small Business Contractors – Part 2 appeared first on Left Brain Professionals. leftbrainpro.com
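As an added example (not code from the original post), here is a small Python policy checker that grades passwords into the five tiers listed under Password Management above. Before looking for a dictionary base it undoes common symbol-for-letter substitutions, a check real password policies apply, which is what separates the post’s “Better” examples (a dictionary word hidden behind substitutions) from its “Best” ones (no dictionary base at all). The word list, the substitution map and the meets_policy threshold are constructed assumptions, not part of the post.

```python
"""Grade passwords into the Poor / Fair / Good / Better / Best tiers of the post.

Added example; not the original post's code. WEAK_WORDS is a tiny constructed
stand-in for a real dictionary plus common-name list (assumption).
"""
import string

# Constructed stand-in for a dictionary/name list (assumption).
WEAK_WORDS = {"password", "sally", "columbus", "welcome", "admin", "letmein"}

# Common symbol/digit-for-letter substitutions. Undoing them before the
# dictionary check means 'P@$$w0rd' is still recognised as 'password'.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e",
                          "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})

SYMBOLS = set(string.punctuation)
TIERS = ["Poor", "Fair", "Good", "Better", "Best"]


def _letters(s: str) -> str:
    """Lower-cased alphabetic characters of s, in order."""
    return "".join(c for c in s if c.isalpha()).lower()


def contains_weak_word(s: str) -> bool:
    """True if any WEAK_WORDS entry appears in the letters of s."""
    letters = _letters(s)
    return any(w in letters for w in WEAK_WORDS)


def leet_normalised(password: str) -> str:
    """Undo the substitutions in LEET_MAP and keep only letters."""
    return _letters(password.translate(LEET_MAP))


def case_mixed(password: str) -> bool:
    """Mixed case beyond a capitalised first letter ('Password' is not mixed)."""
    alpha = [c for c in password if c.isalpha()]
    return any(c.islower() for c in alpha) and any(c.isupper() for c in alpha[1:])


def classify(password: str) -> str:
    """Return the tier name following the post's five examples."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in SYMBOLS for c in password)
    classes = sum((has_lower, has_upper, has_digit, has_symbol))

    word_plain = contains_weak_word(password)                  # base word visible as typed
    word_leet = contains_weak_word(leet_normalised(password))  # visible after undoing leet

    # Best: 12+ chars, all four classes, no dictionary base even after normalising.
    if not word_leet and len(password) >= 12 and classes == 4:
        return "Best"
    # Better: dictionary base hidden only by substitutions (P@$$w0rd2017#).
    if word_leet and not word_plain:
        return "Better"
    # Good: dictionary base intact, mixed case plus punctuation (PaSsWoRd2017!!).
    if word_plain and has_symbol and case_mixed(password):
        return "Good"
    # Fair: dictionary base intact, mixed case, no punctuation (pAssWorD2017).
    if word_plain and case_mixed(password):
        return "Fair"
    # Poor: a plain word or name, perhaps capitalised or with a trailing digit.
    if word_plain:
        return "Poor"
    # No dictionary base but not random-looking enough for Best: grade on length/classes.
    return "Good" if len(password) >= 8 and classes >= 3 else "Fair"


def meets_policy(password: str, minimum: str = "Better") -> bool:
    """Policy gate: accept only passwords at or above the given tier (assumed threshold)."""
    return TIERS.index(classify(password)) >= TIERS.index(minimum)


if __name__ == "__main__":
    for pw in ["Password", "pAssWorD2017", "PaSsWoRd2017!!", "P@$$w0rd2017#", "l#Svr!25Nw^q"]:
        print(f"{pw:16} -> {classify(pw):7} policy ok: {meets_policy(pw)}")
```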
  10. For more than 20 years, government contractors and their employees that operate an agency’s system of records have been subject to the same criminal penalties as government employees for violations of the federal Privacy Act (PA). These penalties have taken on new importance because a recent FAR amendment makes PA training required for certain federal contracts. Moreover, the training must include information on the criminal penalties a government contractor and its employees face for violating the PA. Specifically, violations are a misdemeanor punishable by a fine of up to $5,000; there is, however, no possibility of imprisonment. Because the language Congress used to describe this criminal violation is so carefully drafted, it’s important to get into the law’s wording and details. The criminal penalty provision of the PA punishes any contractor or its employees who, “knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it.” Unfortunately, it’s not easy to describe what these words mean because there are not a lot of reported court decisions interpreting them. According to the U.S. Department of Justice, there are at least two reported decisions on this criminal law. Realistically, however, only one of them really helps to describe how anyone, including a government contractor, can violate the PA’s criminal provision. That decision, actually a defeat for the government, involved a list of patients and their addresses prepared by Richard Trabert, the administrator of an Army hospital that was closing. A doctor at the closing hospital who would be seeing patients at a nearby private clinic asked Trabert to prepare the list from data in his computer. Trabert prepared the list and gave it to the administrator of the private clinic. The information on Trabert’s list was protected by the PA.
The government charged Trabert with violating the criminal provision of the PA, but a judge concluded that the government had not proven beyond a reasonable doubt that Trabert violated the PA. The government had failed to prove that there was both a “knowing disclosure” and a “willful disclosure.”

Knowing disclosure. The government could prove a “knowing disclosure” from circumstantial evidence such as the fact that the employee had taken PA training. In Trabert’s case, however, there was no evidence he had received PA training, and Trabert testified that he did not remember getting any PA training. In addition, senior personnel at the hospital knew Trabert was compiling the list, but no one had told him it was illegal. Moreover, other lists had been prepared by others for the benefit of other clinics. Another way the government could prove a “knowing disclosure” would be “a specific admonition provided as to the general application of the Privacy Act,” which in Trabert’s case was a computer screen banner warning of the PA’s applicability to information in the computer every time the computer was turned on. Significantly, the government did not have to prove that Trabert had been told specifically that the PA applied to the list he gave the clinic’s administrator. But here, there was no “knowing disclosure” for several reasons, including the fact that similar lists had been prepared on other occasions by other employees without anyone being charged with a crime.

Willful disclosure. The government had also failed to prove a “willful disclosure”: that Trabert voluntarily and purposely disclosed the information in violation of the Act. Here, Trabert was guilty at most of gross negligence. According to the judge, it was not clear to Trabert that the disclosure of the list was inappropriate. Trabert was not aware of any improper motive in providing the list to the clinic, and he knew that the clinic could not produce the useful list itself.
He did not know that the doctor requesting the list wanted it for expanding his practice at the new clinic. Nor did Trabert benefit financially from disclosing the list, such as by getting a job at the new clinic; the government did not prove that he even wanted a job there.

Conclusion. Trying to distinguish an unfortunate “gross negligence” disclosure from a criminal “knowing and willful disclosure” is difficult. Trabert was wrong to prepare the list and give it to the private clinic. But he did not do it with the intention of violating someone’s privacy rights protected by the PA. United States v. Trabert, 978 F.Supp. 1368 (D.Colo. 1997). A good example of conduct that goes beyond “gross negligence” comes from civil (not criminal) lawsuits against an agency (and not its employee, like Trabert) that violated its employees’ PA rights. Department of Energy employees filled out personnel security questionnaires after being told that the information would be used only for security clearance purposes. But the information was then sent to the Department of Justice for the purpose of criminal prosecution. DOE had not told the employees that questionnaire information could be used for law enforcement purposes. Covert et al. v. Harrington, Secretary, Department of Energy, 876 F.2d 751 (9th Cir. 1989). Perhaps a good summary of what it takes to violate the PA is this: the violation “must be so patently egregious and unlawful that anyone undertaking the conduct should have known it unlawful.” While Trabert’s conduct was wrong, you cannot say that his actions met this test. Terrence O’Connor is a Partner and Director of Government Contracts at Berenzweig Leonard LLP, McLean, VA. He can be reached at toconnor@BerenzweigLaw.com. The post Federal Privacy Act Criminal Penalties Apply to Government Contractors appeared first on Left Brain Professionals. leftbrainpro.com
  11. Government agencies use the Request for Proposal process to find the best available solution to their needs at the most competitive price. In competitive bidding, an agency has a duty to reject proposals that are non-responsive or that fail to comply with the invitation to bid in a material way. This promotes objectivity and fairness in the bidding process and ensures that vendors are competing on an equal footing. In too many cases, contractors expend considerable time and effort developing a proposal that the contracting agency ultimately rejects as non-compliant or non-responsive. Part 1 outlines the standard format of RFPs. Part 2 outlines steps you can take to avoid such costly errors and increase your chances of winning. As you write your proposal, keep these grading factors top of mind. The agency is telling you what is important to them. Believe them!

Preparing Your Proposal

As you write your proposal, make sure to:
Sign and acknowledge all amendments to the original RFP.
Submit questions to clarify any ambiguities created in the original Q&A or by amendments. If you are assuming something, ask the question! Clarifying questions rarely expose your strategy. Ask one question per ambiguity; the government will likely only answer one of them. Make sure to phrase questions to elicit clear answers.
Watch out for RFPs that include provisions for full and open as well as set-aside awards. Clarify any proposal requirements not clearly designated as applying to one group or both, and clarify the applicability of contract clauses to each group.
Prime contractors need to conduct a cost or price analysis and include the results of the analysis in the proposal. You may need to submit subcontractor certified cost or pricing data as part of a prime proposal. If you are a subcontractor, you may need to submit pricing faster and assist in the analysis process.
Primes should request information from subcontractors, including:
System adequacy letters.
Disclosure of proposed profit.
In Federal Financial Participation (FFP) contracts, disclose labor hours and categories.

Subcontractor disclosures

Although it is okay for primes to request full disclosure, it is equally okay for subs to insist on sealed packages. The prime should be clear about what is required in sanitized and sealed packages. Do not assume the sub has read the RFP requirements! Subs should always read the full RFP, even if the prime sends a summary RFP. If the government does not provide a method for subcontractors to submit directly to them, request that subcontractors provide sealed packages.

Best Practices for Responsive Proposals

Read the RFP. Then read it again, and again. Read it all the way through at least once. You may focus on key areas the first time, but consider reading out of order in subsequent reviews to reduce fatigue when reaching Schedules L and M. Keep an eye out for RFP amendments, and read those as well.
Craft a proposal that directly and efficiently addresses the agency’s needs. Stop focusing on telling your story and start focusing on telling the story the RFP is requesting of you. Remember, a great conversationalist is someone who listens. The best consultants and sales people do not talk about their product or service. They talk about you and solving your problems.
Prepare a compliance matrix. Your matrix should document general requirements such as format and due date as well as requirements for each volume. Update the compliance matrix to stay current with amendments.
Hold a proposal kick-off meeting. Invite your teammates, and identify critical milestones and due dates. Delegate responsibilities as needed, and provide templates if available. Designate one or more people to be responsible for regularly checking for amendments.
Avoid math errors or other inconsistencies. Use rounding formulas in all calculations. Ensure that someone other than the person who prepared the price proposal prints out and manually checks all figures on a calculator.
Ensure your proposal arrives on time! In most cases, agencies will reject late proposals out of hand, so don’t wait until the last minute to finish your proposal. If your proposal must be hand-carried, prepare a delivery receipt and obtain a signature, date, and time of delivery from the person accepting your proposal package. For online submissions, ensure that your firm is registered and able to post its proposal on the web site. If permitted, do a test submission to make sure you are able to submit documents successfully. Submit your proposal 24 hours before the due date, and no later than 5pm the day before, to comply with FAR 15.208(b). After your submission, print out a copy of the web site delivery notification or receipt. When submitting by email, use the read receipt feature in your email program. Ask the contracting officer if there is a file size limit for submitting via email. If your proposal exceeds that limit, you may need to break it into multiple parts.
Conduct a final review. Have people independent of the proposal process perform a final check for compliance.

Questions for Your Proposal

Before submitting your proposal, ask yourself these questions:
Is it formatted correctly?
Is your bid organized and easy to follow?
Is your solution plausible?
Have you demonstrated your ability to perform?
Have you presented an acceptable delivery schedule?
Are you proposing a reasonable price?
Have you had someone spell check, grammar check and error check?
Have you printed or produced the required number of proposals?

Crafting responsive proposals is both a science and an art. There’s much more to the process than we can cover in a single blog post. If you have questions about responsive proposals or any other aspect of the RFP process, call (614) 556-4415 or email robert@leftbrainpro.com.
The post Best Practices for Preparing Responsive Proposals – Part 2 appeared first on Left Brain Professionals. leftbrainpro.com
  12. Government agencies use the Request for Proposal process to find the best available solution to their needs at the most competitive price. In competitive bidding, an agency has a duty to reject proposals that are non-responsive or that fail to comply with the invitation to bid in a material way. This promotes objectivity and fairness in the bidding process and ensures that vendors are competing on an equal footing. In too many cases, contractors expend considerable time and effort developing a proposal that the contracting agency ultimately rejects as non-compliant or non-responsive. Part 1 outlines the format of standard RFPs.

Governing Regulations and Forms

The Federal Acquisition Regulations system sets uniform policies and procedures for acquisition by all executive agencies. FAR 15.203 establishes rules for RFPs, including the government’s requirements, anticipated terms and conditions, information required in the offeror’s proposal, and selection criteria. Agencies employ several standard forms in issuing RFPs, including:
SF 33 Services and Commodities
SF 1442 Construction
SF 1449 Commercial Items
In this blog post, we will focus on the FAR 15 requirements and SF 33.

Read the RFP and Understand the Agency’s Problem or Request

First things first. Read the entire RFP, including all attachments and referenced clauses or documents! Read it section by section. Never assume that all RFPs are equal. Not all agencies and offices structure RFPs the same way. Not all of them do it correctly. You may find important information in a different section or document than you were expecting to find it. After you have read the RFP, go back and read it again, paying particular attention to the underlying problem the agency needs to solve and the request for goods or services that it specifies. As you are writing the proposal, you will want to keep these needs top of mind.

Schedule A: General Information

Schedule A often consists of a single-page solicitation form (e.g. Form 33). It provides basic information such as:
The Solicitation Number
The Type of Contract
Where and When to Submit Your Bid
Contact Information for the Contracting Officer

Schedule B: Supplies or Services and Prices

Often the bulk of the RFP in terms of pages, Schedule B provides a summary description of the contract requirements. It lists all requirements as Contract Line Items (CLINs) or Sub-line Items (SLINs). This section also includes other billable items such as travel and other direct costs (ODCs).

Schedule C: Description/Specs/Statement of Work

Since it outlines the agency’s needs, Schedule C forms the heart of the RFP. In writing your proposal, describe how you will fulfill the contract, and be certain that your solution meets all specifications. This section may include specific labor category requirements. For service contracts with defined labor categories, make sure your resources line up with the appropriate education, experience, and certification requirements.

Schedule D: Packaging and Marking

This section contains packaging, packing, preservation, and marking instructions. In some cases, products may require Unique Identification Marking (UID) labels. Many shipments require Military Specification (MIL-SPEC) packaging that resists water or sand. Some agencies require use of specific transportation, early notification of shipments, or specific forms and labels. Make sure your proposal addresses all RFP requirements.

Schedule E: Inspection & Acceptance

Schedule E details the inspection process and conditions that you must meet for the work to be accepted by the government. Inspection may occur during manufacturing, before shipment, or after delivery. Some contracts allow for self-inspection, while others require government employees to carry out the inspection. Keep in mind that inspection by an external party may delay shipment, so plan accordingly. Acceptance may occur only after delivery and testing, which can affect when you will be paid. Plan accordingly.

Schedule F: Deliveries or Performance

This schedule sets requirements for “where” and “how” you must deliver products. A single contract may require shipping to multiple locations, in different quantities, or by different methods. Make sure to price your product to conform to delivery instructions and that your products arrive by the required delivery date using the preferred shipping method. Keep in mind that agencies are free to reject shipments that do not arrive on time.

Schedule G: Contract Administration Data

This section sets standards for the ways in which you and agency personnel will interact during the contract. It may include:
Status reporting
Accounting and appropriation data
Contact information for key agency personnel
Some tasks or functions may be delegated.

Schedule H: Special Contract Requirements

This schedule can be a dumping ground for clauses and other important information.

Schedule I: Contract Clauses

Read the clauses carefully, as you will be bound by all clauses in the contract. Clauses can include:
Clauses that will be included in any resulting contract
Clauses in full text
Clauses incorporated by reference
FAR, agency supplements, and local clauses
Make sure you are compliant with all clauses, and price your proposal accordingly. Some clauses may increase your cost of compliance. Clarify or reject any clauses that are not applicable or are inappropriate. These will become part of the awarded contract, so if you have questions on any that should or should not apply, ask at the RFP stage. In many cases, you may want to have an attorney review the clauses and your responses.

Schedule J: List of Attachments

RFPs and contracts are not single documents. They may include:
Drawings
Specifications
Statements of Work
Carefully review all attachments and clarify any conflicting information among the documents.

Schedule K: Representations, Certifications, & Other Statements

Sometimes called “Reps & Certs,” this section requires you to demonstrate eligibility by providing business entity information and certifying that you comply with all of the acquisition’s applicable laws and regulations. For example, an agency can only award a contract set aside for woman-owned small businesses to a company that represents and certifies that it is a woman-owned small business. You must complete this section even if your System for Award Management (SAM) registration is current.

Schedule L: Proposal Preparation Instructions

While the content of your proposal (products, services, and prices) is critical to your ability to win, delivering a compliant proposal may be what keeps you in the competitive range. Make sure you adhere to all proposal preparation requirements, including:
Format items: Font, Margins, Page length
Organization: Volumes (Technical, Cost, Management), Indexes
Proposal Adequacy Checklist
Proposals and elimination from the competitive range are the source of many protests. Failure to follow the instructions is not a valid basis for a protest, and it will likely be dismissed.

Schedule M: Evaluation Factors for Award

This section outlines how the agency will grade proposals, including yours! It includes the main factors for consideration and the importance of each factor. It may include:
Lowest-price, technically acceptable (LPTA)
Tradeoff
Best value

Crafting responsive proposals is both a science and an art. There’s much more to the process than we can cover in a single blog post. Be sure to read Part 2 for specific tips. If you have questions about responsive proposals or any other aspect of the RFP process, call (614) 556-4415 or email robert@leftbrainpro.com. The post Best Practices for Preparing Responsive Proposals – Part 1 appeared first on Left Brain Professionals. leftbrainpro.com
  13. The Proposal Adequacy Checklist

    Is your proposal in response to a federal Request for Proposal thorough, accurate and complete? If not, chances are high that you will be eliminated from competition, which represents a waste of time and opportunity for you and a corresponding waste of time for the contracting agency. Contracting agencies use the RFP process to identify the best supplier based on a combination of qualifications, history of achievement, timeliness, responsiveness, and cost. To have a chance at winning a contract, it is vitally important that you submit the information requested, in the level of detail requested or required by law, in the format requested. To reduce the number of nonresponsive contracts, several federal contracting authorities have developed proposal adequacy checklists. These walk contractors through format, cost elements, subcontracts, and exceptions to certified cost or pricing data. Checklists require prospective contractors to provide the location of requested items, or an explanation of why the requested information is not provided. Checklists apply only to the cost proposal, and not to the entire proposal submission. Agencies that rely on proposal adequacy checklists include:
    Department of Defense/Defense Acquisition Regulations System (36 items)
    Defense Contract Audit Agency (uses DFARS checklist)
    Defense Contract Management Agency (35 items)
    National Aeronautics and Space Administration (34 items)
    Certain RFPs, including those that require certified cost or pricing data, should require a proposal adequacy checklist to be submitted as part of the proposal (DFARS 215.408 (5)). In addition, any contracting officer has the authority to require inclusion of a checklist in response to an RFP. In any event, completing the appropriate checklist is a valuable tool to validate the adequacy of your proposal.
To learn more about proposal adequacy checklists, you can view Proposal Adequacy Checklist—The New Normal, a presentation that Robert Jones and Suzanne Camden gave for the National Contract Management Association’s World Congress in July 2014. Our next blog post will delve into more detail about creating responsive proposals. In the meantime, if you have questions about proposal adequacy checklists or any other aspect of the RFP process, we’re here to help! Email robert@leftbrainpro.com or call (614) 556-4415. The post The Proposal Adequacy Checklist appeared first on Left Brain Professionals. leftbrainpro.com
  14. There is a lot of talk these days that the only proposal for which we are likely to see bipartisan support is President Trump’s promise to rebuild the nation’s infrastructure. According to Trump’s website (www.donaldjtrump.com), “Infrastructure investment strengthens our economic platform, makes America more competitive, creates millions of jobs, increases wages for American workers, and reduces the costs of goods and services for American consumers.” What’s not to like? Spending that benefits everyone – new airports, bridges, freeways, clean water, less traffic – plus new jobs and increased wages? Hold on a sec – not so fast. It’s wages where we are going to see a test of Trump’s loyalty: to the American worker who put him in office or to fiscally conservative Republicans who now hold sway in Congress. In the crosshairs lies the Davis-Bacon Act. Since 1935, the Davis-Bacon Act has required that workers on all federally funded or federally aided construction projects be paid at least the “prevailing wage” in the area where the project is located. The Department of Labor determines the prevailing wages on the basis of the wages and benefits earned by at least 50 percent of the workers in a particular type of job or on the basis of the average wages and benefits paid to workers for that type of job. Ironically, the Act was passed with the specific intent of preventing non-unionized black and immigrant laborers from competing with unionized white workers for scarce jobs during the Depression. The week after Trump took office, U.S. Senator Jeff Flake (R-Ariz.) introduced the Transportation Investment Recalibration to Equality (TIRE) Act, which proposes a repeal of the Davis-Bacon Act and would eliminate the prevailing wage requirement on federal infrastructure and construction projects. 
And on January 30, 2017, Congressman Steve King (R-Iowa) re-introduced the Davis-Bacon Repeal Act in the House with Senator Mike Lee (R-Utah), who introduced the companion bill in the Senate. According to the Congressional Budget Office, if this policy change is implemented, the federal government would spend less on construction, saving an estimated $13 billion from 2018 through 2026. There would be only nominal administration cost savings – the rest of the savings would come directly from workers’ paychecks. Those in favor of the repeal argue that, since the 1930s, other policies (including a federal minimum wage) have been put in place that ensure minimum wages for workers employed in federal construction. Additionally, when prevailing wages are higher than the wages that would be paid absent the Act, the construction market is distorted. In that situation, projects are likely to use more capital and less labor than they otherwise would. Additional arguments for repealing the Davis-Bacon Act are that the paperwork associated with the Act effectively discriminates against small firms and that the Act is difficult for the federal government to administer effectively. One argument against repealing the Davis-Bacon Act is that doing so would lower the earnings of some construction workers. In addition to wages, the Act requires a certain amount per hour be designated as fringe benefits that typically fund medical and retirement plans. If not required, employers would be incentivized to curtail their benefit spending to have more competitive bids. Another argument against such a change is that it might jeopardize the quality of projects. Lower wages might attract workers who are less skilled and do lower-quality work. Also, if one of the objectives of Trump’s infrastructure proposal is to increase earnings for the local population, repealing the Davis-Bacon Act might undermine that aim. 
The Act prevents out-of-town firms from coming into a locality, using lower-paid workers from other areas of the country to compete with local contractors for federal work, and then leaving the area upon completion of the work. With Republicans poised to gleefully slash spending the next two years, the repeal will most likely have a lot of support. Were it to end up on the President’s desk, the decision to repeal or leave intact the Davis Bacon Act will be the litmus test that will prove whether President Trump is serious about his promised commitment to the American worker and their wages. Questions about the Davis-Bacon Act and your federal contract? We’re here to help! Contact Bryan Uecker at (877) 982-8348 or Email Bryan@Benquest.com. Contact Robert Jones at (614) 556-4415 or Email Robert@LeftBrainPro.com. The post Davis-Bacon Act vs. Trump’s Looming Litmus Test appeared first on Left Brain Professionals. leftbrainpro.com
  15. Unique compensation requirements apply to federal contractors. In the construction sector, the Davis-Bacon Act (DBA) requires covered contractors and subcontractors to pay a specific prevailing wage and fringe dollars for each hour an employee works on a covered job site. The regulations are difficult for the uninitiated to understand. Luckily, Lind Sawyer of Capital Strategies can make the confusing understandable. Here’s my conversation with Lind, who educated me on the finer points of the regulations. This could be illuminating for you too!

Anne-Lise Gere, SPHR – What are the risks of not complying with prevailing wage and fringe benefits for DBA contractors?

Lind Sawyer – The Department of Labor (DOL) is hot on the compliance trail. It recently announced a strategy called “Plan, Prevent, Protect” to ensure these regulations are met. The DOL has teams of auditors who target federal contractors of all sizes. An audit from the DOL can be overwhelming, and the fines for noncompliance are expensive. The scary part is there is no formula for the fines: fines are at the DOL auditor’s discretion. I have seen an auditor shut down a worksite where the contractor and subcontractors were not in compliance. It puts small businesses at risk of losing everything, so this is a big deal. When audited, federal contractors must be prepared to prove compliance and show that all regulations have been followed. This means being able to prove that the prevailing wage was paid for every hour, for every pay period, and that the fringe benefit dollars are properly allocated to eligible benefits.

Anne-Lise – Why is compliance so tricky for federal contractors?

Lind Sawyer – The DBA wages and fringe are often higher than what is paid to employees on a private sector job. Some contractors are working simultaneous federal contracts and private sector jobs, with individuals shifting between job sites frequently. It’s hard to keep track of which hours are on DBA contracts and which are not.

Anne-Lise – How do DBA contractors operate in this context?

Lind Sawyer – Because many contractors don’t have a system in place to track and allocate the benefit dollars, they end up paying the higher federal wages and the fringe benefit to employees in cash.

Anne-Lise – What’s the problem with paying benefit dollars in cash?

Lind Sawyer – Paying fringe benefit dollars in cash creates a multitude of problems. Most business owners are acutely aware of the added financial burden of paying cash instead of providing benefits. It can increase their overall labor costs by up to 30%. Every cash wage also raises the FICA, FUTA, SUTA, General Liability and Workman’s Compensation cost. Fringe dollars are meant to provide additional benefits to workers on federal contracts. The DOL encourages fringe benefits to be used for insurance benefits (medical, dental, disability) and paid time off. Unfortunately, most federal contractors are UNAWARE of the option of paying fringe dollars in benefits, although it is in the DOL regulations. With the advent of paid sick leave for federal contractors on January 1, 2017, it will be in the employer’s best interest to use those fringe dollars to fund the sick leave requirements.

Anne-Lise – So what’s a DBA employer to do?

Lind Sawyer – DBA employers should have a system in place tracking DBA hours and allocating prevailing wages and fringe benefit dollars in accordance with the regulations. Unfortunately, most payroll systems do not provide this functionality. At Capital Strategies we have developed proprietary software called Fringe Tracker. It integrates with the existing benefits and payroll companies, so it doesn’t disrupt the existing relationship with the payroll provider and benefit administrator. It calculates the amounts to be allocated. Allocating fringe dollars to indirect compensation has a significant and meaningful impact on employers’ bottom line.

Anne-Lise – What are the most common fringe benefits funded by those federal dollars?

Lind Sawyer – In a few words, put in place an additional system to track and allocate fringe dollars. At Capital Strategies, our software not only allocates the fringe dollars to different benefit categories, it also adds the wage differential between private sector pay and federal contract wages to fund the benefits in the most efficient manner possible. By reducing the wage differential between federal and private sector jobs, we also reduce the temptation for inaccurate timekeeping by employees. Our system automates compliance, applying the calculations and recordkeeping according to the DOL regulations, and generates profit by optimizing the fringe benefit payout.

If you have questions about this article or HR compliance, please contact: Anne-Lise Gere at (757) 240-4402 or email annelise@gereconsulting.com, or Lind Sawyer at (757) 421-0411 or email kmgstrategies@msn.com, or Robert Jones at (614) 556-4415 or email robert@leftbrainpro.com. The post Federal Contractors’ Obligations With Prevailing Wage and Fringe Benefits appeared first on Left Brain Professionals. leftbrainpro.com