​The Out of Control Contractor​

An US$18 million embezzlement raises questions about a federal contractor's internal controls and government oversight.

Comments Views

Government technology provider NCI Inc. has fired its controller, who allegedly embezzled approximately US$18 million over the last six years, Washington Technology reports. In a press release, the company said the stolen amounts were reflected as expenses in its unaudited financial statements for the first three quarters of 2016. NCI has launched an internal investigation to determine whether there were misstatements related to the embezzled funds in its financial statements during the period from 2013 to 2015. In addition, investigators are evaluating whether material weaknesses in the company's financial controls over financial reporting were exploited to carry out the embezzlement.

Lessons Learned

At one point in this story, the report says, "The company is also reviewing its internal controls over financial reporting. The company believes that material weaknesses existed in its internal controls during the periods that the embezzlement was occurring." This may turn out to be an understatement, given NCI's involvement with contracting with the U.S. federal government and the requirements imposed on companies, which are not commonly found in the commercial market. And, there may be just as large a problem with gaps in oversight, both within NCI and by government regulators.

  • Internal Controls. While NCI's statement focuses on internal controls over financial reporting, the company needs to take a much broader look at its internal controls. One example is those relating to accounting procedures. U.S. federal government contractors must adhere to an additional layer of regulations and accounting procedures. The federal procurement process is governed by the Federal Acquisition Regulation, and the classification and allocation of contractor expenses are governed by the Cost Accounting Standards. In addition, several labor laws may apply. Failure to comply with these rules could lead to debarment.

    There are three general types of government contracts: cost-reimbursable, time-and-materials, and fixed-price. Large companies are likely to be involved with all three types. While there are no unique accounting requirements imposed on contractors who sell commercial products or services to the government on a firm fixed-price basis, almost all other contractors must have an accounting system that the government deems acceptable. This includes contractors that are required to submit supporting cost data with their cost/price proposals as well as any contractor who is awarded a time-and-materials, cost-plus-fee, or fixed-price-incentive contract. Other than pure-play commercial product companies, most government contractors will sooner or later be required to have an acceptable accounting system, with the following attributes, supported by written documentation:​​
    1. Compliance with generally accepted accounting principles. 
    2. Appropriate segregation of direct costs from indirect costs. 
    3. Identification and accumulation of direct costs by contract. 
    4. A logical and consistent method for allocating indirect costs to intermediate and final cost objectives. 
    5. Accumulation of costs under general ledger control. 
    6. A timekeeping system that identifies employees' labor by intermediate or final cost objectives. 
    7. Interim (at least monthly) determination of costs charged to a contract through routine posting to books of account. 
    8. Exclusion of "unallowable" costs. 
    ​There are two points of note here. First, most commercial companies do not routinely perform these functions as part of their financial accounting. More significantly, many commercial companies — especially smaller ones — do not have the staff, knowledge, skills, and software necessary to perform these functions. Secondly, while it is not known how NCI's ex-controller perpetrated fraud over a multi-year period, its financial accounting systems may have been compromised. If it was, the company would need to review each contract of significance to determine whether there are errors and, where overbilling is found, potentially refund already billed amounts. ​​
  • Oversight. It is surprising that this story deals with the question of material misstatements within NCI's unaudited financial statements. Many companies that contract with the government are required to have their financial statements audited annually, and one would think that should have included NCI. Unaudited financial statements differ significantly from audited ones. Some procedures that external auditors are required to perform may have helped NCI, its board of directors, and its senior management detect its controller's alleged fraudulent activities at an earlier stage. Among the most pertinent review procedures are:
    • Procedures for recording and accumulating financial information.
    • Actions taken at owners' or directors' meetings.
    • Written representations from management regarding the accuracy of all information given to the auditor and for inclusion in financial statements. 
    • Management's responsibility for internal control.
    • Management's responsibility — and knowledge — to prevent and detect fraud.
    ​​There is also the question of the strength of oversight by government regulators. U.S. government contractors that work on defense-related contracts are audited by the Defense Contract Audit Agency (DCAA). The DCAA audits internal contractor systems — including accounting systems — for acceptability. The agency also audits the actual cost data produced by the accounting system. Surveys published by Grant Thornton indicate that the cost most frequently challenged by the DCAA is executive compensation, including the compensation of company controllers. Other costs the DCAA commonly challenges include consulting fees and indirect cost allocations. However, reports issued by the Government Accountability Office (GAO) have criticized the DCAA for being more committed to its "hours per audit" metrics than to audit quality, and say that it has become too "friendly" with contractors and government program managers. In response to the GAO reports, the DCAA has committed to being a thorough, independent guardian of taxpayer money.

    In NCI's case, it may be advisable for the federal government to put any future contract awards on hold until such time that the company can demonstrate that it has completed a thorough assessment and action plan to address serious weaknesses in its internal control.
Art Stewart
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Art StewartArt Stewart<p>​Art Stewart is an independent management consultant with more than 35 years of experience in internal audit, financial management, performance measurement, governance, and strategic policy planning.​​​</p>https://iaonline.theiia.org/authors/Pages/Art-Stewart.aspx


Comment on this article

comments powered by Disqus
  • IIA-Canada-Conference-June-2021-Premium-1
  • AuditBoard-June-2021-Premium-2
  • GRC-June-2021-Premium-3



Thanks, We Already Know Thathttps://iaonline.theiia.org/blogs/jacka/2020/Pages/Thanks-We-Already-Know-That.aspxThanks, We Already Know That
U.S. SEC: Environmental, Social, and Governance Risks Better Be on Your Radarhttps://iaonline.theiia.org/blogs/chambers/2021/Pages/US-SEC-Environmental-Social-and-Governance-Risks-Better-Be-on-Your-Radar.aspxU.S. SEC: Environmental, Social, and Governance Risks Better Be on Your Radar
Six Data Privacy Predictions for 2020https://iaonline.theiia.org/blogs/Jim-Pelletier/2020/Pages/Six-Data-Privacy-Predictions-for-2020.aspxSix Data Privacy Predictions for 2020
Public Servants Are Vital to Defeating COVID-19https://iaonline.theiia.org/blogs/chambers/2020/Pages/Public-Servants-Are-Vital-to-Defeating-COVID-19.aspxPublic Servants Are Vital to Defeating COVID-19