What Is DCAA Compliance — and What Does It Cost a GovCon Company to Get It Wrong?

DCAA — the Defense Contract Audit Agency — is the U.S. government's independent auditor for defense and civilian agency contractors. It audits contractor accounting systems, indirect costs, and contract proposals to ensure the government is paying fair and reasonable prices. For a GovCon company, DCAA compliance is not optional on cost-reimbursable work. It is a contractual requirement. What most founders don't fully internalize is that DCAA compliance is also a transaction variable — and getting it wrong doesn't just create regulatory risk. It creates dollar-for-dollar reductions in enterprise value.

What DCAA compliance actually covers

DCAA compliance spans several distinct requirements that often get collapsed into a single term. Understanding the distinctions matters — both operationally and in a transaction context.

Accounting system adequacy is the foundational requirement. A DCAA-adequate accounting system must segregate direct, indirect, and unallowable costs at the transaction level, use a cost allocation methodology that is consistent and defensible, and be capable of producing the supporting documentation DCAA requires in an audit. The SF1408 pre-award survey is the formal mechanism DCAA uses to evaluate adequacy before award of a cost-reimbursable contract. A system that fails an SF1408 review cannot receive cost-reimbursable work until the deficiencies are remediated.

Indirect rate structure is where compliance most directly touches enterprise value. Indirect rates — fringe, overhead, and G&A — determine how a company allocates its non-direct costs across contract work. DCAA requires that these pools be structured consistently, that the allocation bases be defensible, and that unallowable costs under FAR 31.205 be systematically excluded. A rate structure that has evolved informally over years of growth, without documented pool definitions or formal allocation methodology, will not survive quality of earnings (QoE) scrutiny.

Timekeeping is the single most-audited element in GovCon compliance. DCAA's timekeeping requirements are specific: all employees must enter time daily (not batch entry), charges must be to the correct project, task, and CLIN, supervisor approval must be documented, and the system must maintain a complete audit trail with reason codes for corrections. Timekeeping failures are the most common source of False Claims Act exposure in GovCon transactions — and FCA exposure is one of the few things that can terminate a deal entirely rather than just re-trade the price.

Incurred Cost Submissions (ICS) are the annual final cost reports that cost-reimbursable contractors must file with DCAA within six months of fiscal year end. ICS submissions report actual indirect rates and reconcile them against the provisional rates billed during the year. Outstanding ICS filings — any year that hasn't been submitted, resolved, and settled — create an open liability that survives a change of ownership. In a transaction, each outstanding year represents a potential escrow holdback. In the worst cases, open audits from multiple years can represent a liability that exceeds the deal economics.

The transaction math

Most GovCon founders understand that DCAA issues are expensive to fix operationally. Fewer have worked through what they cost in a transaction specifically.

At a company transacting at a 9x multiple, the calculation runs directly:

The specific impact mechanisms are:

ICS escrow holdbacks. Each outstanding ICS year creates a potential liability that buyers will escrow against. The typical escrow for an open ICS year is 1-2% of total contract revenue for that year — which on a $50M revenue company can represent $500K to $1M per year, multiplied by the number of outstanding years.

Rate structure EBITDA adjustments. If the indirect rate structure is undocumented or inconsistently applied, the QoE team will model the exposure as an EBITDA risk rather than accepting the seller's normalized EBITDA at face value. A $1M EBITDA adjustment at 9x costs $9M in enterprise value.

Accounting system remediation escrow. If the accounting system cannot pass an SF1408 review, the buyer faces the cost of remediation post-close — which gets priced into the deal as either a price reduction or an escrow. Platform migrations from non-compliant systems (QuickBooks, standard Sage) to compliant platforms (Costpoint, Unanet) typically run $200K to $500K in implementation costs and 6 to 12 months in timeline.

FCA exposure indemnification. Timekeeping failures that could constitute False Claims Act violations — certifying invoices based on inaccurate time records — expand the indemnification scope significantly. Buyers will require representations that cover FCA exposure for several years post-close, and will structure holdbacks or escrows to cover any identified risk period.

What good looks like

A company that has invested in DCAA compliance infrastructure has a demonstrably different transaction profile than one that hasn't. The markers of a well-prepared company:

The accounting system runs on Costpoint, Unanet, or JAMIS — configured for GovCon, not modified from a commercial template. The system has been formally evaluated against SF1408 criteria, either through an actual pre-award survey or a readiness assessment conducted by someone who knows the standard. Direct, indirect, and unallowable costs are segregated at the transaction level, not as a period-end reclassification.

Indirect rate pools are documented with written pool definitions, allocation base rationale, and FAR 31.205 unallowable cost schedules. Provisional rates are set at the beginning of each year based on a budget model, and actual-to-provisional reconciliations are completed quarterly. The rate structure has not changed materially without documentation of the rationale.

ICS filings are current — every applicable year has been filed, audited (if selected), and settled. If audits are open, there is a documented status on each and a path to closure. Questioned costs from prior years are resolved or reserved against. There are no DCAA audit findings that have not been formally closed.

Timekeeping is daily, electronic, project-and-CLIN-level, with supervisor approval workflows and a complete correction audit trail. The system has been tested against DCAA's timekeeping criteria — not just assumed to be compliant because there haven't been findings yet.

How to close the gaps

The sequencing of compliance remediation matters. Not every gap can be fixed in parallel, and not every gap has equal transaction impact.

Start with the accounting system. If the platform is non-compliant, everything else is built on a weak foundation. Platform migration is the longest timeline item — begin at least 18 months before a planned transaction. If the platform is compliant but not properly configured, configuration remediation is faster — typically 3 to 6 months.

File outstanding ICS submissions. Each open year is a discrete liability. Filing resolves the submission risk, even if DCAA subsequently selects the year for audit. The filing itself demonstrates control — the open liability is the unfiled year, not the audit.

Document the indirect rate structure. This is a writing exercise more than a financial engineering exercise. The pools are probably being applied correctly; they just aren't documented in a way that a QoE team can evaluate without building the documentation themselves under time pressure.

Test timekeeping. Run the company's timekeeping practices against DCAA's ICR 3.100 and 3.300 criteria. Identify batch entry patterns, missing CLIN-level charging, supervisory approval gaps, and correction audit trail deficiencies. Fix them before they're found in diligence.

The GovCon CFO Readiness Diagnostic scores each of these areas in 15 minutes and tells you where the exposure is. If the gaps are material, a GovCon fractional CFO is the right deployment model for remediation — someone who has done this before and knows the difference between what looks compliant and what actually is. Reach Steve Radanovic directly if you want to start the conversation.