Risk Based Oversight: A Framework for Ensuring Compliance with the FAR Cost Principles

Each State Department of Transportation (State DOT) maintains a set of procedures that dictates how it conducts business covering the various functions and responsibilities of that agency. The audit function within the State DOT is one component of many within that set of procedures. Recent events have increased the expectations for written procedures pertaining to the audit function, especially those that relate to oversight of Architectural and Engineering (A/E) consultant professional service agreements.

The Federal Highway Administration (FHWA) recognizes that State DOT audit groups must employ a “risk-based oversight” approach to effectively ensure compliance with the Federal Acquisition Regulation (FAR) cost principles among the population of A/E firms performing consultant services, especially given the resources at their disposal. 23 CFR 172.9(a) implicitly requires this “risk-based oversight framework” be written and submitted to FHWA for review and approval as part of a comprehensive set of written procedures related to procurement and administration of consultant engineering service contracts.

For many State DOTs, it will not be feasible to perform audits orcognizant CPA work paper reviews for all A/E firms that perform work and are located in their home states; however, the onus remains on State DOTs to obtain reasonable assurance that the rates submitted by A/E firms are FAR compliant. Accordingly, to accept rates without performing an audit or cognizantwork paper review, the State DOTs must perform a risk analysis.

The primary objective in providing oversight related to A/E firms’ indirect cost ratesis to ensure such rates are annually developed in compliance with the FAR cost principles. In providing that assurance, a risk-based framework in conjunction with an appropriate internal control structure may be employed that includes a mix of tools and risk criteria. This risk-based oversight model consists of regular, periodic assessments of risk by firm within each State, and a suite of audit and analytical tools and techniques for mitigating identified risks. From this analysis the State will be able to make reasonable assignments of resources to various A/E firms and contracts as determined necessary.

As noted when the 2010 version of the AASHTO Uniform Audit and Accounting Guide was issued, all A/E firms doing business with State DOTs should complete the Internal Control Questionnaire as found in Appendix B of the Audit Guide. Thisprovides a framework for assessing A/E firms’ internal control structures. As part of the risk analysis process, additional steps may also be required, including a site visit, further analytical proceduresincluding correlation analysis using data from prior years, or making additional inquiries of management and/or the provider of the indirect cost rate computation (a CPA or in-house accountant).

Risk factors to be considered should include, if applicable:

  • The dollar volume of contracts with the State DOT and Local Public Agencies (LPAs), when funded with Federal-Aid highway program (FAHP) monies. (Most State DOTs establish thresholds for determining when a CPA audit is required vs. using in-house compilations. This may be based on contract size, or the previous or current year contracts/billings)
  • The A/E firm’s overall experience in working with State DOT/LPA contracts.
  • The history and professional reputation of the A/E firm.
  • The number of States in which the firm operates.
  • The date of the last audit.
  • The type and complexity of the accounting system used by the A/E firm.
  • The size (number of employees and annual revenues) of the A/E firm.
  • The relevant professional experience of the CPA who audited the overhead rate.
  • Changes in the A/E firm’s organizational structure.
  • Percentage of Government vs. Private work

With all State DOTs using this risk based framework, States will increasingly be willing to rely on work performed by other State DOTs. A key factor in the success of such reliance will be growing trust in the depth and quality of work performed, as well as consistency with which procedures are performed. Training on use of the AASHTO Audit Guide will result in increased consistency and quality, and assist in mitigation of risk.

Other areas of risk for State DOTs to consider include timeliness of audits. Some State DOTs tend to run years behind in performing overhead reviews or final audits. State DOTs should be aware of the strain that a failure to have punctual audits/reviews places on a firm and the State DOT. While the use of this risk assessment framework should help assist in the reduction of backlogs, State DOTsshould also implement additional risk controls to stay current in the audit process.

As previously mentioned, most State DOTs establish thresholds for determining when a CPA audit is required. We caution State DOTs to be attentive when establishing these thresholds so they are not so low that a required CPA audit may cost more than the actual profit a firm may receive from FAHPcontracts during the fiscal year.

Under FWHA’s Test and Evaluation (TE045) Initiative,a “safe harbor rate” is being piloted by 10 States for use in contracting with A/E firms who have not established an overhead rate for themselves. This rate is currently set at 110% and would eliminate the need for State DOT auditors to perform indirect cost rate reviews on these firms. It would also save the firm money by eliminating the need for an audit or perhaps expensive software. This would not eliminate the firm from establishing a job cost system however.

It should be noted, State DOTs are responsible for ensuring these same risk procedures are performed forA/E firms working for LPAswhen funded with FAHP monies.

The attached checklists provide a guide for State DOT auditors to perform the risk analysis based on a CPA audit or an in-house computation.