1.1.  On January 25, 2002, GAO issued Government Auditing Standard No. 3, "Independence," requiring the DCAA auditor and any technical specialist  providing support to an audit to be free both in fact and appearance from personal and external impairments to independence. The standard can be accessed at  http://www.gao.gov/ under Other Publications, click on The Yellow Book. This standard, effective January 1, 2003, requires the auditor seeking technical support to obtain representations from the technical specialist that he/she is independent from the activity or program under audit. A sample  DCAA request for technical assistance containing the requirements of the new standard and their request for a signed statement is provided as  Attachment 1. The technical specialist signs and returns the statement as an attachment to the technical report.
    1.2.  Complete reviews of a supplier's MMAS are performed only when the ACO has determined that there is significant risk to the Government and that the supplier has not implemented effective actions to remedy system deficiencies that are causing the risk to exist.

2.  RISK PLANNING

    2.1.  The ACO applies a risk management approach to ascertain and ensure the adequacy of suppliers' material management accounting systems for suppliers under their cognizance that meet the MMAS DFARS requirements. The probability and consequence of MMAS process failure is determined in accordance with key processes that are part of the Supplier’s MMAS.

       2.1.1. In performing risk planning, the ACO reviews all new contracts as part of the Contract Receipt and Review process to determine if any contracts contain the DFARS 252.242-7004 clause, and annually reviews available contract reports to determine whether a Supplier has exceeded the MMAS reporting threshold. If MMAS disclosure is required, the ACO is to request disclosure within 60 days (DFARS 252.242-7004). Suppliers making an initial MMAS disclosure also provides a written description of their system processes, internal control process, and identify applicable MMAS procedures used to ensure systems compliance. Supplier internal control documentation should contain the results of any self-assessment of their MMAS compliance with the standards, including an identification of known deficiencies.

    2.2.  The ACO may, after receipt of the supplier’s MMAS documentation and in consultation with the CMO team, and DCAA auditor, require the Supplier to provide MMAS transaction data as a means to further validate compliance following changes to a prior disclosed system. The supplier is required to disclose any significant changes in its MMAS within 30 days of their implementation. In those cases where there is a disagreement between the supplier and ACO that a change has actually occurred, the ACO should allow the Supplier 30 days to respond with a disclosure, rationale why the changes are not significant or a statement that there have, in fact, been no changes.

Key Processes and DCMA functional group and associated DLAD 5000.4 chapters normally associated with MMAS include:

3.  RISK ASSESSMENT

    3.1.  The ACO’s risk assessment should utilize an IPT approach comprised of CMO specialists and DCAA.  The ACO assigns a risk rating, with supporting rationale, for each key process supporting the supplier's MMAS.  One element of risk assessment is risk analysis. Risk analysis considers the probability and consequence of failure to meet requirements. The outcome of the risk analysis is a risk rating of high, moderate, or low for each key process being considered. This should then result in a prioritized risk list.
    3.2.  In cases where high risks exist, the ACO determines if a MMAS Review is required or if the factors causing the risk associated with the key processes can be identified using other information. Once it has been determined that a full review is required, the ACO should appoint a Government review team leader and form a team with members from both the CMO and DCAA to review the supplier’s system considering the description disclosure, subsequent disclosure revisions, and results from any other necessary system compliance reviews (see the table above). The team determines the intensity level and frequency of their activity in reviewing processes and data transactions.

4.  RISK HANDLING

    4.1. The risk-handling plan is developed and executed using the CMO and DCAA IPT and the supplier. The handling plan is developed considering the three levels of risk.
    4.2.  High Risks requires immediate and intensive risk handling - supplier corrective action and evaluation through process audits, data transaction verification, and analyses until the risk is mitigated to an acceptable level.
    4.3.  Moderate risks require the establishment of scheduled process evaluation audits, analysis, and data transaction sampling, until risk of impact to the program/contract is reduced. The ACO may elect to exercise any of the following risk handling methods for both high and moderate risk:

• Requiring Corrective Action Plans (CAPs) - execution of the supplier's risk handling/corrective action plan is by definition the primary method of risk handling
• Progress payment billing withholds
• Suspension of questionable costs in cost vouchers
• Cost disallowance(s), if appropriate
• Notification to buying activities
• Reduction of billing withholds as risk is mitigated
• Ensuring all contract pricing technical and special analyses contain a recommendation relating to any cost or pricing data adjustments necessary to protect the Government’s interests

    4.4.  Low Risks may involve periodic process reviews, and data sampling to ensure process risk has not increased and the process capability remains stable.

5.  RISK MONITORING

    5.1. The ACO and the MMAS team leader monitors the impact of the supplier’s corrective actions, if any are needed. If the supplier fails to make adequate progress with respect to implementing measures in the corrective action plan, the ACO is to take further action. Further actions that the ACO may consider are listed in DFARS 242.7205(b)(5). Those include:

• Elevating the issue to higher management
• Further reducing or suspending progress payments and cost vouchers
• Notifying the buying activities of the inadequacy of the supplier’s estimating system and/or cost accounting system
• Issuing cautions to buying activities regarding the award of future contracts

    5.2.  The ACO revises the risk handling plan accordingly, if the corrective action plan actions are not favorably impacting the risk rating.

6.  RISK DOCUMENTATION

    6.1. The ACO and the assigned Team Leader records and maintains documentation on risk planning, risk assessments, risk handling, and risk monitoring results and updates as applicable.
    6.2. The ACO maintains a log of Supplier MMAS reviews and annually reviews the log to identify Suppliers meeting MMAS reporting requirements, and assess the Supplier’s past performance and current vulnerability.